Implementation of means for enhancing cyber resilience, such as those discussed in the preceding chapters, costs money. Is this a worthwhile investment? This chapter provides an economic perspective on how to choose the most economically appropriate approaches to improving cyber resilience. These considerations are rather complex. For example, property damage, except for destruction of data, has thus far been a relatively minor cost of cyber threats, in contrast to instances of significant loss of functionality of a cyber system itself or the system it helps operate. The latter translates into loss of output (sales revenue and profits) and loss of employment, and is often referred to as business interruption (BI). Thus, in addition to pre-event mitigation, post-disaster strategies that enable a system to rebound more efficiently and quickly offer the prospects of greatly reducing BI. Moreover, there are numerous resilience tactics that comprise a strategy on both the cyber service provider side and customer side, many of which are relatively inexpensive. The latter include backup data storage and equipment, substitutes for standard cyber components, conserving on cyber needs, and recapturing lost production once the cyber capability is restored. This chapter describes the analysis based on basic principles of economics and is couched in a benefit-cost analysis (BCA) framework as an aid to decision-making. This chapter goes beyond the conceptual level and offers estimates of the costs and effectiveness of various mitigation and resilience tactics.
- Cyber threats
- Economic impacts
This is a preview of subscription content, access via your institution.
Tax calculation will be finalised at checkout
Purchases are for personal use onlyLearn about institutional subscriptions
In this chapter, we do not address aspects of cybercrime.
The value of an asset is the discounted flow of net future returns from its operation. Hence, for ordinary property damage, the stock and flow measures represent the same thing, and, at first pass, including both would involve double-counting. The situation is, however, complicated in the case of most hazards. This is a controversial subject, but we take the view that it is appropriate to include both the stock and flow measures in the case of damaged property, but only where the latter is confined to the opportunity costs of delays in restoring production because of the repair and reconstruction process.
Indirect effects can also be associated with stock losses or property damage (e.g., earthquakes causing damage from fires, hazardous materials leakages, and buildings made more vulnerable to subsequent weather damage). However, except in extreme cases, such as the 2011 Japanese earthquake and tsunami followed by the Fukushima nuclear reactor accident, these indirect stock effects are likely to be relatively small when compared with the flow-induced indirect losses.
Some further clarification is in order. First, the current line of demarcation between direct and indirect effects is somewhat arbitrary, specifically, the convention of counting business losses due to cut-off from utility lifelines as direct effects. There is equal justification for considering these to be first-round indirect effects. The advantage to including these as direct losses is that it emphasizes the key role of utilities and infrastructure in the economy, and emphasizes their prominent role in contributing to losses. Also, it helps ensure that these effects will be taken into account, because most analysts are not able to or do not bother to consider what are termed “indirect” effects.
Note that we allow for the addition of capital stocks (plants and equipment) and flows of services emanating from them for reasons spelled out in footnote 8.
Certain types of malware detection programs include a quarantining function as a response to intrusions that coincides more so with the next alternative: coordinated defense
Diversity is only considered effective when done correctly by security professionals. Unintended or ad hoc diversity quite often creates gaps, increasing intruder access points, and can significantly decrease cyber security (Russell, 2015).
Some excess capacity is often planned for, in order to enhance normal business flexibility or to accommodate downtime for maintenance; these aspects should not be credited to disaster resilience.
This option is not currently allowed under net-neutrality laws. However, given the recent proposed changes to those laws, and the success of these premiums in other domains, such as electricity service provision, it is worth considering.
Similar to excess capacity, some instances of input isolation, where some production activities are separated from the need for one or more inputs, are inherent in the system and should likewise not be credited to resilience unless it is expressly done for that purpose.
BCA refers to the assessment of all relevant benefits and costs of a deliberate course of action. In its broadest form, BCA is typically applied to public policy and public actions , such that the relevant aspects include benefits and costs to society as a whole, including joint-product benefits and externalities, both market and nonmarket (see, e.g., Boardman et al., 2011). As such, it typically applies to decisions made by government agencies on the part of their constituents (society as a whole in their jurisdiction). The term BCA, however, is often applied to calculations of individual businesses and households regarding investment and other resource allocation decisions. In these cases, the relevant costs are typically just private costs, for instance, those incurred or received only by the decision-maker. In this article, we use the term BCA broadly to include both private- and public-sector decision-making. Most of the principles of BCA are relatively straightforward, and we only elaborate on them when they are complicated and relevant to issues discussed in this article.
The order-of-magnitude estimates stem from a simple back-of-the-envelope calculation. Electricity and water inputs represent less than 5% each on average of total production costs of nearly all businesses in the economy. Assuming that rates of return (or profit rates in general) are reasonably equal across all business enterprises, again on average, this means that net revenue losses are more than 20 times higher for the economy than for the utility supplier. Moreover, this number increases when indirect (multiplier or general equilibrium) effects are taken into account.
Here, MB2 pertains to a different case than the multi-threat resilience benefits discussed in the previous paragraph. We have chosen not to insert a separate MB curve to avoid cluttering the figure. Strictly speaking, only resilience tactics that have this characteristic (mainly supply-side ones) would have their MB segments raised. This would make for a likely non-monotonically increasing or decreasing MB curve and would complicate the identification of an optimum.
Aamir, M., Beyeler, W. E., Kelic, A., & Mitchell, M. (2013). Timeframe for investing in cyber security does matter: A brand value argument. No. SAND2013-2305C. Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States).
Applied Technology Council. (1991). Seismic vulnerability and impacts of disruption of lifelines in the coterminous United States. Report ATC-25. Redwood, CA: Applied Technology Council.
Amazon Web Services. (2017a). Amazon simple storage services (S3) pricing. Retrieved March 28, 2017. https://aws.amazon.com/s3/
Amazon Web Services. (2017b). Amazon elastic compute cloud (EC2) pricing. Retrieved March 28, 2017. https://aws.amazon.com/ec2/
Agrawal, A. (2015). Cost of putting up a honeypot 24×7. Ann Arbor: The Honeynet Project. Retrieved from: http://honeynet.org.in/cost-putting-honeypot-24x7/
Amantini, A., Choras, M., D'antonio, S., Egozcue, E., Germanus, D., & Reinhard, H. (2012). The human role in tools for improving robustness and resilience of critical infrastructures. Cognition, Technology & Work, 14(2), 143–155.
Barker, K., & Santos, J. (2009). Measuring the efficacy of inventory with a dynamic input–output model. International Journal of Production Economics, 126(1), 130–143.
Boardman, A., Greenberg, D., Vining, A., & Weimer, D. (2011). Cost-benefit analysis: Concepts and practice. Upper Saddle River: Pearson-Prentice Hall.
Bodeau, D., & Graubart, R. (2011). Cyber resiliency engineering framework. Bedford: The MITRE Corporation. Retrieved from: http://www.mitre.org/sites/default/files/pdf/11_4436.pdf
The Bro Project. (2015, September). Bro Manual. Retrieved from: https://www.bro.org/sphinx/index.html
Bruneau, M., Chang, S., Eguchi, R., Lee, G., O’Rourke, T., Reinhorn, A., Shinozuka, M., Tierney, K., Wallace, W., & von Winterfeldt, D. (2003). A framework to quantitatively assess and enhance seismic resilience of communities. Earthquake Spectra, 19, 733–752.
Bruschi, J., Rumsey, P., Anliker, R., Chu, L., & Gregson S.. (2011). Best practice guide for energy-efficient data center design. Washington, DC: Department of Energy. http://energy.gov/sites/prod/files/2013/10/f3/eedatacenterbestpractices.pdf
Chen, B. (2013). F.C.C. Seeks Ways to keep phones alive in a storm. New York Times, February 5. Retrieved from:http://bits.blogs.nytimes.com/2013/02/05/f-c-c-revisits-communications-failures-after-hurricane-sandy/
Chongvilaivan, A. (2012). Thailand's 2011 flooding: Its impact on direct exports and global supply chains, ARTNeT Working Paper Series, No. 113. https://www.econstor.eu/dspace/bitstream/10419/64271/1/715937650.pdf
Cisco. (2015, March). IP addressing and subnetting for new users. Retrieved from: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.pdf
Cisco Systems. (2017). Cisco anyconnect secure mobility client: Much more than a VPN. Retrieved March 28, 2017, http://www.cisco.com/c/en/us/products/security/anyconnect-secure-mobility-client/index.html
Cochrane, H. (1997). Forecasting the economic impact of a mid-west earthquake. In B. Jones (Ed.), Economic consequences of earthquakes: Preparing for the unexpected. Buffalo: MCEER.
CSRIC. (2015). Cybersecurity risk management and best practices, March. Retrieved from: https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
Cutter, S. (2016). The landscape of disaster resilience indicators in the USA. Natural Hazards, 80, 741–758.
CyberSheath Services International. (2014). The role of privileged accounts in high profile breaches, May. Retrieved from: http://lp.cyberark.com/rs/cyberarksoftware/images/wp-cybersheath-role-of-privileged-accounts-6-2-14-en.pdf
de Crespigny, M. (2012). Building cyber-resilience to tackle threats. Network Security, 2012(4), 5–8.
Dell. (2015a). Datacenter UPS, http://accessories.us.dell.com/sna/category.aspx?c=us&l=en&s=bsd&cs=04&category_id=7071
Dell. (2015b). Dell poweredge servers, http://www.dell.com/us/business/p/servers?~ck=bt
Department of Homeland Security (DHS). (2015, May). Homeland security information network – critical infrastructure. https://www.dhs.gov/critical-infrastructure-0
Devon IT. (2014). Thin client use cases, Devon Inc, King of Prussia, PA. Retrieved from: http://www.devonit.com/wp-content/uploads/2014/02/dit-whitepaper-tc-uses.pdf
Dixon, P., Rimmer, M., Rose, A., Wittwer, G., & Heatwole, N. (2017). Economic consequences of terrorism and natural disasters: The computable general equilibrium approach. In CREATE handbook on decision and risk analysis of terrorism (pp. 158–192). New York, NY: Cambridge.
Farrow, S. (2016). Cybersecurity: Integrating information into the microeconomics of the consumer and the firm. Journal of Information Security, 7(5), 281.
Federal Emergency Management Agency (FEMA). (2013). Multi-hazard loss estimation methodology (HAZUS®MH MR4) http://www.fema.gov/library/viewRecord.do?id=3726
Gallaher, M., Link, A., & Rowe, B. (2008). Cyber security: Economic strategies and public policy alternatives. Cheltenham: Edward Elgar Publishing.
Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the financial impact of IT security breaches. Information Management & Computer Security, 11(2), 74–83.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), 438–457.
Heinz Center for Science, Economics and the Environment. (2000). The hidden costs of coastal hazards: Implications for risk assessment and mitigation. Washington, DC: Island Press.
Holling, C. (1973). Resilience and stability of ecological systems. Annual Review of Ecology and Systematics, 4, 1–23.
IT Dashboard. (2015). DHS - Homeland Security Information Network (HSIN). https://itdashboard.gov/investment?buscid=134
Kajitani, Y., & Tatano, H. (2009). Estimation of lifeline resilience factors based on empirical surveys of Japanese industries. Earthquake Spectra, 25(4), 755–776.
Khasymski, A., & M. Rafique. (2015). Realizing accelerated cost-effective distributed RAID. In A. Khasymski & M. Rafique (Eds.), Handbook on data centers (pp. 729–752), New Paltz: Springer. http://link.springer.com/chapter/10.1007/978-1-4939-2092-1_25
Kim, Y., Kolesnikov, V., & Thottan, M. (2012). Resilient end-to-end message protection for large-scale cyber-physical system communications. In Y. Kim, V. Kolesnikov, & M. Thottan (Eds.), Smart grid communications (SmartGridComm), 2012 I.E. third international conference (pp. 193–198). Murray Hill: IEEE. Retrieved from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6485982
Lave, L., & Balvanyos, T. (1998). Risk analysis and Management of dam Safety. Risk Analysis, 18(4), 455–462.
Liebert Corporation. (2004). Choosing the right UPS for small and midsize Data Centers: A cost and reliability comparison. Liebert Corporation, Columbus, OH. http://www.upsystems-inc.com/sites/default/files/resources/cost-and-reliability.pdf
LogRhythm. (2014). Security analytics suite – Network behavior anomaly detection, May. Retrieved from: https://www.logrhythm.com/Portals/0/resources/LR_Security_Analytics_Suite_Network_Behavior_Anomaly_Detection.pdf
MacKinnon, L., Bacon, L., Gan, D., Loukas, G., Chadwick, D., & Frangiskatos, D. (2013). Cyber security countermeasures to combat cyber terrorism. In B. Ahkgar & S. Yates (Eds.), Strategic intelligence management (pp. 234–261). Waltham: Butterworth-Heinemann.
Mileti, D. (1999). Disasters by design: A reassessment of natural hazards in the United States. Washington, DC: Joseph Henry Press.
Mileti, D. (1999). Disasters by Design: A Reassessment of Natural Hazards in the United States. Washington, DC: Joseph Henry Press.
Multihazard Mitigation Council (MMC). (2005). Natural hazard mitigation saves: An independent study to assess the future savings from mitigation activities. Washington, DC: Report to U.S. Congress on behalf of the National Institute of Building Sciences.
Newegg. (2017). Network attached storage (NAS) products. Retrieved March 28, 2017. https://www.newegg.com/Network-Attached-Storage-NAS/Category/ID-241
National Research Council. (1999). The impacts of natural disasters: A framework for loss estimation. Washington, DC: National Academy of Sciences Press.
National Research Council (NRC). (2012). Disaster resilience: A national imperative. Washington, DC: National Academies Press.
NIST. (2014). Framework for improving critical infrastructure cybersecurity, February. Retrieved from:http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Novak, H., & Likarish, D. (2013). Results from a SCADA-based cyber security competition. In D. Hart (Ed.), Proceedings of the 8th international conference on information warfare and security: ICIW 2013, Reading: Academic Conferences Limited. Retrieved from: http://search.proquest.com.libproxy2.usc.edu/docview/1549245873?accountid=14749
Pagliery, J. (2015). The inside story of the biggest hack in history CNN, August 5. Retrieved from: http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html
Papadakis, I. (2006). Financial performance of supply chains after disruptions: An event study. Suuply Chain Management, 11(1), 25–33. http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy1.usc.edu/docview/216866096?accountid=14749
Park, J., Cho, J., & Rose, A. (2011). Modeling a major source of economic resilience to disasters: Recapturing lost production. Natural Hazards, 58(2), 163–182.
Peplink. (2017). Peplink router products. Retrieved March 28, 2017. https://www.peplink.com/
Pimm, S. L. (1984). The complexity and stability of ecosystems. Nature, 307(26), 321–326.
Richtel, M. (2009). Inauguration crowd will test cellphone networks, New York Times, January 18. Retrieved from: http://www.nytimes.com/2009/01/19/technology/19cell.html
Rose, A. (2004a). Economic principles, issues, and research priorities in hazard loss estimation. In Y. Okuyama & S. E. Chang (Eds.), Modeling spatial and economic impacts of disasters. Berlin Publishing: Springer.
Rose, A. (2004b). Defining and measuring economic resilience to disasters. Disaster Prevention and Management, 13(4), 307–314.
Rose, A. (2009a). A framework for analyzing the total economic impacts of terrorist attacks and natural disasters. Journal of Homeland Security and Emergency Management, 6(1), 9.
Rose, A. (2009b). Economic Resilience to Disasters, Community and Regional Resilience Institute Report No. 8, Oak Ridge National Laboratory, Oak Ridge, TN, 2009. Retrieved from: http://www.resilientus.org/publications/research-reports/
Rose, A. (2015). Macroeconomic consequences of terrorist attacks: Estimation for the analysis of policies and rules. In C. Mansfield & V. K. Smith (Eds.), Benefit transfer for the analysis of DHS policies and rules. Cheltenham: Edward Elgar.
Rose, A. (2017). A methodology for incorporating cyber resilience into computable general equilibrium models, center for risk and economic analysis of terrorism events (CREATE). Los Angeles: University of Southern California.
Rose, A., & Miller, N. (2018). Measurement of cyber resilience, center for risk and economic analysis of terrorism events (CREATE). Los Angeles, CA: University of Southern California.
Rose, A., & Miernyk, W. (1989). Input-output analysis: The first fifty years. Economic Systems Research, 1, 229–271.
Rose, A., & Wei, D. (2013). Estimating the economic consequences of a port shutdown: The special role of resilience. Economic Systems Research, 25(2), 212–232.
Rose, A., Oladosu, G., Lee, B., & Beeler Asay, G. (2009). The economic impacts of the 2001 terrorist attacks on the world trade center: A computable general equilibrium analysis. Peace Economics, Peace Science, and Public Policy, 15, Article 6.
Rose, A., Porter, K., Tierney, K., et al. (2007). Benefit-cost analysis of FEMA hazard mitigation grants. Natural Hazards Review, 8, 97–111.
Russell, M. (2015). Personal communication 15, 2015. Boston: SimSpace.
Samuelson, T. (2013). After sandy, Questions linger over cellphone reliability, NPR, April 29. Retrieved from: http://www.npr.org/sections/alltechconsidered/2013/04/29/179243218/after-sandy-questions-linger-over-cellphone-reliability
Sander, T., & Tschudin, C. (1998). On software protection via function hiding. In D. Aucsmith (Ed.), Information hiding (pp. 111–123). Portland, Oregon: Springer Berlin Heidelberg.
SANS. (2015). The critical security controls for effective cyber defense. Retrieved from: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
Schulze, W., Brookshire, D., Hageman, R., & Tschirhart, J. (1987). Benefits and costs of earthquake resistant buildings. Southern Economic Journal, 53(4), 934–951.
Sheffi, Y. (2005). The resilient enterprise. Cambridge: MIT Press.
Simões, P., Cruz, T., Gomes, J. & Monteiro, E. (2013, July). On the use of honeypots for detecting cyber attacks on industrial control networks. European conference on information warfare and security: 263–XIII. Reading: Academic Conferences International Limited, July 2013.
Smith, T. (2001). Hacker jailed for revenge sewage attacks. The Register, October 31. Retrieved from: https://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
Comcast Representative (Spiceworks). (2012). Reply to: Anyone using comcast ethernet network service for their WAN infrastructure? Spiceworks community forum, Retrieved March 28, 2017. https://community.spiceworks.com/topic/277954-anyone-using-comcast-ethernet-network-service-for-their-wan-infrastructure
Squatriglia, C. (2008). Polish teen hacks his City’s trams, chaos ensues, Wired, January 11. Retrieved from: https://www.wired.com/2008/01/polish-teen-hac/
Swaine, J. (2008, August). Georgia: Russia conducting cyber war. The Telegraph, August 11. Retrieved from: http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html
Tierney, K. (1997). Impacts of recent disasters on businesses: The 1993 Midwest floods and the 1994 Northridge earthquake. In B. Jones (Ed.), Economic consequences of earthquakes: Preparing for the unexpected. National Center for Earthquake Engineering Research: Buffalo.
Tierney, K. (2007). Businesses and disasters: Vulnerability, impacts, and recovery, Handbook of Disasters. Heidelberg: Springer.
Verizon. (2015). Satellite Phone FAQs. http://www.vzwsatellite.com/faqs
Webb, G., Tierney, K., & Dahlhamer, J. (2000, May 1). Businesses and disasters: Empirical patterns and unanswered questions. Natural Hazards Review, 1(2), 83–90. http://ascelibrary.org/doi/abs/10.1061/(ASCE)1527-6988(2000)1:2(83)
Wein, A. (2015). Personal communication.
Xie, W., Li, N., Wu, J. D., & Hao, X. L. (2014). Modeling the economic costs of disasters and recovery: Analysis using a dynamic computable general equilibrium model. Natural Hazards and Earth System Sciences, 14, 757–772.
Yayla, Alper, A., & Hu, Q. (2011). The impact of information security events on the stock value of firms: The effect of contingency factors. Journal of Information Technology, 26(1), 60–77.
Zetter, K. (2013). Legal experts: Stuxnet attack on Iran was illegal ‘act of force Wired, March 25. Retrieved from: https://www.wired.com/2013/03/stuxnet-act-of-force/
Zetter, K. (2014). Hacker lexicon: What is an air gap? Wired, December 8. Retrieved from: http://www.wired.com/2014/12/hacker-lexicon-air-gap/
Zolli, A., & Healy, A. M. (2012). Resilience: Why things bounce back. New York: Free Press.
Editors and Affiliations
© 2019 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Rose, A., Miller, N., Eyer, J., Banks, J. (2019). Economic Effectiveness of Mitigation and Resilience. In: Kott, A., Linkov, I. (eds) Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Springer, Cham. https://doi.org/10.1007/978-3-319-77492-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-77491-6
Online ISBN: 978-3-319-77492-3