Article title

Managing the financial impact of cybersecurity incidents

Publication languages
EN
Abstracts
EN
The complex relationships of economic actors and the high dependency on information and communication technologies make it necessary for all relevant entities to develop protection. This protection should include preventive and reactive controls in a risk-proportionate manner in relation to the business value protected. We aimed to develop a solution to support cybersecurity-related business decisions with financial analytics. The risk-based approach helps management find the optimum solution with minimal costs, where protection prevents some incidents from occurring, while the risks associated with other incidents are accepted in an informed way. The security industry developed a number of apparatuses to find the optimum security controls that enforced the fiscal aspects, which typically contain solutions used in planning. However, the actual expenditure often differs from the planned budget for several reasons, one of which is the occurrence of security incidents. We used the common methodology toolset for financial analysis (NPV, NFV, risk assessment). We developed novel metrics based on these that can be used in cybersecurity management. Within the framework thus defined, the article discusses the economic context of the effects of incidents involving Meta (previously Facebook) services from 2016 to 2020. This paper introduces the ‘Effect of incidents’ metric to measure the impact of unplanned incidents on actual expenditure compared to the planned budget and the ‘Incidence of incident recognition’ metric to measure deviations of an incident’s impact as perceived by owners relative to the effect on the value of the assets. The paper also proves the applicability of those metrics using the example of Meta.
Pages
15–35
Physical description
Bibliography: 49 items, figures, tables.
Authors
  • Doctoral School for Safety and Security Sciences, Obuda University, Bécsi út 96/B, 1034 Budapest, Hungary
  • Czech CyberCrime Centre of Excellence C4e, Masaryk University, 9 Zerotinovo nam., 601 77, Brno, Czech Republic
  • Department of Management and Business Economics, Budapest University of Technology and Economics, Muegyetem rkp. 3, 1111 Budapest, Hungary
Bibliography
  • 1. Ahn J.H. (2016) ‘The impact of the banking competition in funding and lending markets on lending technology’, Revue Economique, 67(6), pp. 1117–1139. doi: 10.3917/reco.pr2.0069.
  • 2. Armitage S. (1995) ‘Event study methods and evidence on their performance’, Journal of Economic Surveys, 9(1), pp. 25–52. doi: 10.1111/j.1467-6419.1995.tb00109.x.
  • 3. Beccarini A. (2007) ‘Investment sensitivity to interest rates in an uncertain context: is a positive relationship possible?’, Economic Change and Restructuring, 40(3), pp. 223–234. doi: 10.1007/s10644-007-9025-1.
  • 4. Breusch T.S. and Pagan A.R. (1979) ‘A simple test for heteroscedasticity and random coefficient variation’, Econometrica, 47(5), p. 1287. doi: 10.2307/1911963.
  • 5. Brotby W.K. (2009) Information security management metrics. New York, NY: Auerbach Publications.
  • 6. Business Insider (2018) Facebook just announced it was hacked, and almost 50 million users have been affected. Available at: https://.businessinsider.com.au/facebook-security-attack-affecting-50-million-users-2018-9 (Accessed: 2 January 2023).
  • 7. Business Insider (2019) Facebook understood how dangerous the Trump-linked data firm Cambridge Analytica could be much earlier than it previously said. Here’s everything that’s happened up until now. Available at: https://.businessinsider.com/cambridge-analytica-a-guide-to-the-trump-linked-data-firm-that-harvested-50-million-facebook-profiles-2018-3 (Accessed: 2 January 2020).
  • 8. CNBC (2018) Here are the scandals and other incidents that have sent Facebook’s share price tanking in 2018. Available at: https://.cnbc.com/2018/11/20/facebooks-scandals-in-2018-effect-on-stock.html (Accessed: 6 March 2021).
  • 9. CNBC (2019) Facebook stock rises on better-than-expected revenue and earnings. Available at: https://.cnbc.com/2019/10/30/facebook-fb-q3-2019-earnings.html (Accessed: 2 January 2023).
  • 10. Coin News (2021) Current US inflation rates: 2000–2021. Available at: https://.usinflationcalculator.com/inflation/current-inflation-rates/ (Accessed: 6 March 2021).
  • 11. Competition Bureau Canada (2020) Facebook to pay $9 million penalty to settle competition bureau concerns about misleading privacy claims. Available at: https://.canada.ca/en/competition-bureau/news/2020/05/facebook-to-pay-9-million-penalty-to-settle-competition-bureau-concerns-about-misleading-privacy-claims.html (Accessed: 8 January 2021).
  • 12. Damodaran A. (2021) Historical returns on stocks, bonds and bills: 1928–2020. Available at: http://pages.stern.nyu.edu/~adamodar/ (Accessed: 9 July 2021).
  • 13. Bernard J., Golden D. and Nicholson M. (2020) ‘Reshaping the cybersecurity landscape’, Deloitte Insights. Deloitte Development LLC. Available at: https://.fsisac.com/hubfs/DI_2020-FS-ISAC-Cybersecurity.pdf (Accessed: 20 March 2021).
  • 14. Ernst&Young (2020) How does security evolve from bolted on to built-in? Available at: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/ey-global-information-security-survey-2020-report-single-pages.pdf (Accessed: 26 September 2020).
  • 15. Facebook (2017) Form 10-K 2016. Available at: https://investor.fb.com/financials/?section=annualreports (Accessed: 6 March 2021).
  • 16. Facebook (2018) Form 10-K 2017. Available at: https://investor.fb.com/financials/?section=annualreports (Accessed: 6 March 2021).
  • 17. Facebook (2019a) Form 10-K 2018. Available at: https://investor.fb.com/financials/?section=annualreports (Accessed: 6 March 2021).
  • 18. Facebook (2019b) FTC agreement brings rigorous new standards for protecting your privacy. Available at: https://about.fb.com/news/2019/07/ftc-agreement/ (Accessed: 8 November 2020).
  • 19. Facebook (2019c) Keeping passwords secure. Available at: https://about.fb.com/news/2019/03/keeping-passwords-secure/ (Accessed: 10 August 2020).
  • 20. Facebook (2020) Form 10-K 2019. Available at: https://investor.fb.com/financials/?section=annualreports (Accessed: 6 March 2021).
  • 21. Facebook (2021) Form 10-K 2020. Available at: https://investor.fb.com/financials/?section=annualreports (Accessed: 6 March 2021).
  • 22. Federal Reserve Bank of St. Louis (2021) Interest Rates, Government Securities, Government Bonds for United States. Available at: https://fred.stlouisfed.org/series/INTGSBUSM193N# (Accessed: 01 February 2023).
  • 23. Federal Trade Commission (2019) FTC imposes $5 billion penalty and sweeping new privacy restrictions on Facebook. Available at: https://.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions (Accessed: 10 August 2020).
  • 24. Financial Content (2021) Yahoo (NQ:). Available at: https://markets.financialcontent.com/stocks/quote/historical?Symbol=537%3A453745&Year=2018&Range=432&Month=3%0A (Accessed: 7 January 2021).
  • 25. Flexera (2021) State of tech spend report. Available at: https://info.flexera.com/SLO-REPORT-State-of-Tech-Spend (Accessed: 14 March 2021).
  • 26. de Geest L.R. and Stranlund J.K. (2019) ‘Defending public goods and common-pool resources’, Journal of Behavioral and Experimental Economics, 79, pp. 143–154. doi: 10.1016/J.SOCEC.2019.02.006.
  • 27. Gordon L.A. and Loeb M.P. (2002) ‘Economic aspects of information security’, ACM Transactions on Information and System Security, 5(4), pp. 438–457.
  • 28. Hall L., Futela S. and Gupta D. (2016) IT key metrics data 2017: key industry measures, Gartner Research Report.
  • 29. Hamburgischen Beauftragten für Datenschutz und Informationsfr (2019) Tätigkeitsbericht datenschutz 2019. Available at: https://datenschutz-hamburg.de/assets/pdf/28_Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf (Accessed: 6 March 2021).
  • 30. Information Commissioner’s Office (2019) Statement on an agreement reached between Facebook and the ICO. Available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/10/statement-on-an-agreement-reached-between-facebook-and-the-ico (Accessed: 10 August 2020).
  • 31. International Business Times (2019) Facebook stock suffers biggest drop of 2019, loses $37B in 4 trading days. Available at: https://.ibtimes.com/facebook-stock-suffers-biggest-drop-2019-loses-37b-4-trading-days-2776826 (Accessed: 6 March 2021).
  • 32. Markets Insider (2019) Facebook shares drop sharply after unearthed emails reportedly show Mark Zuckerberg is aware of “problematic privacy practices” (FB). Available at: https://markets.businessinsider.com/news/stocks/facebook-stock-price-reaction-to-zuckerberg-reportedly-aware-privacy-issues-2019-6-1028274446 (Accessed: 1 March 2021).
  • 33. MarketWatch (2018) Facebook stock drops roughly 20%, loses $120 billion in value after warning that revenue growth will take a hit. Available at: https://.marketwatch.com/story/facebook-stock-crushed-after-revenue-user-growth-miss-2018-07-25 (Accessed: 6 March 2021).
  • 34. MSCI (2021) MSCI ACWI index (USD). Available at: https://.msci.com/documents/10199/8d97d244-4685-4200-a24c-3e2942e3adeb (Accessed: 7 January 2021).
  • 35. Olovsson T. (1992) A structured approach to computer security, Chalmers University of Technology, Gothenburg. Gothenburg: Chalmers University of Technology.
  • 36. Rabin M. (1998) ‘Psychology and economics’, Journal of Economic Literature, 36(1), pp. 11–46.
  • 37. Roettgers J. (2019) ‘Mark Zuckerberg says Facebook will spend more than $3.7 billion on safety, security in 2019’, Variety, 5 February. Available at: https://variety.com/2019/digital/news/facebook-2019-safety-speding-1203128797/ (Accessed: 6 March 2021).
  • 38. Romanosky S. (2016) ‘Examining the costs and causes of cyber incidents’, Journal of Cybersecurity, 2(2), pp. 121–135. doi: 10.1093/cybsec/tyw001.
  • 39. Ruan K. (2017) ‘Introducing cybernomics: a unifying economic framework for measuring cyber risk’, Computers and Security, 65, pp. 77–89. doi: 10.1016/j.cose.2016.10.009.
  • 40. Sharpe W.F. (1964) ‘Capital asset prices: a theory of market equilibrium under conditions of risk’, The Journal of Finance, 19(3), pp. 425–442. doi: 10.1111/j.1540-6261.1964.tb02865.x.
  • 41. Sklavos N. and Souras P. (2006) ‘Economic models and approaches in information security for computer networks’, International Journal of Network Security, 2(1), pp. 14–20.
  • 42. Statista (2022) IT budgets & investments. Available at: https://.statista.com/study/71560/it-budgets-and-investments/ (Accessed: 1 February 2023).
  • 43. Sun W., Ding Z. and Xu X. (2021) ‘A new look at returns of information technology: firms’ diversification to IT service market and firm value’, Information Technology and Management, 22(1), pp. 13–31. doi: 10.1007/s10799-021-00322-y.
  • 44. Techcrunch (2019) ‘A huge database of Facebook users’ phone numbers found online’, 4 September.
  • 45. The Verge (2019) ‘Facebook, Instagram, and WhatsApp are still down for some users around the world’, 13 March.
  • 46. Tsvetanov T. and Slaria S. (2021) ‘The effect of the Colonial Pipeline shutdown on gasoline prices’, Economics Letters, 209, p. 110122. doi: 10.1016/J.ECONLET.2021.110122.
  • 47. Tversky A. and Kahneman D. (1981) ‘The framing of decisions and the psychology of choice’, Science, 211(4481), pp. 453–458. doi: 10.1126/science.7455683.
  • 48. Wheeler E. (2011) Security risk management. Syngress. doi: 10.1016/C2010-0-64926-1.
  • 49. Yahoo! Finance (2021) S&P 500 (^GSPC). Available at: https://finance.yahoo.com/quote/%5EGSPC/history?p=%5EGSPC%0A (Accessed: 7 January 2021).
Notes
Record prepared with funds from MEiN, agreement no. SONP/SP/546092/2022, under the programme "Społeczna odpowiedzialność nauki" (Social Responsibility of Science) - module: Popularisation of science and promotion of sport (2022-2023).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-205c5e4d-2b74-4338-91e8-6342debe4820