Pinpointing EU Cyberattack Costs Daunting, Agency Finds

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

George R. Lynch

Aug. 10 — Measuring the true economic impact of security incidents on critical information infrastructures (CIIs) is extremely difficult, the European Union Agency for Network and Information Security (ENISA) concluded in a report released Aug. 10.

CIIs are “systems that provide the resources on which all functions of society depend upon, of which a possible incapacitation or destruction, would have a significant effect on the security, economy and/or health of society as a whole,” the report said.

Studies on the economic impact of cybersecurity attacks on CII lack a unified and standardized approach because business factors often drive the development of the studies rather than the needs of stakeholders, the report said. As a result, there is great difficulty in determining the real economic impact of cybersecurity incidents to the EU.

Lack of Common Approach

ENISA conducted a systematic review to determine the total cost for a full recovery from a cybersecurity incident on CII by analyzing 17 studies that examined the different economic impacts of cybersecurity incidents.

The report is ENISA's attempt to make up for the lack of a common approach in past studies that examined cybersecurity incidents from different perspectives, only looking at certain industries, using different metrics or only including certain types of incidents.

“The aim of the study is to assess the economic impact of incidents that affect CIIs in EU, based on existing work done by different parties, and set the proper ground for the future work of ENISA in this area,” the report said.

The main finding of the study include:

  •  finance, information and communications technology and energy sectors appear to suffer the most expensive cybersecurity incidents;
  •  the most common type of attack, which also counts for approximately half of the annual cost of cybercrime, are denial of service and distributed denial of service (DDoS) attacks and malicious insider attacks;
  •  insider attacks are the most expensive type of attack, followed by DDoS and web-based attacks;
  •  individual EU countries lose as much as 1.6 percent of gross domestic product per year in cybersecurity incidents, and some studies measure the average dollar amount that companies lose per year, with differing results and other studies estimate the total cost to the global economy; and
  •  data are the most affected assets.

The information systems of countries will become even more integrated over the next decade, making the need to identify the costs of cybersecurity even more important, the report said.

To contact the reporter on this story: George R. Lynch in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The report, “The cost of incidents affecting CIIs,” is available at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security