Estimating Cyberattack Recovery Costs
Cyberattacks are now so common that it is possible to predict the approximate
costs for stopping attacks, assessing and repairing damages, notifying clients of
any missing data, and beefing up security so that the same kinds of attacks can't
happen again.
My Software Risk Master (SRM) tool began to estimate cyberattack recovery
costs starting in 2012, and no doubt other commercial parametric estimating tools
will soon include similar estimates. SRM also predicts the probable number of
latent security flaws in deployed applications.
Latent security-flaw predictions are based on a combination of factors that
include programming languages, development methodologies, use of pre-test
inspections and static analysis, team experience, and the nature of the application
itself. CMMI levels are a minor factor as well. (The initials CMMI stand for
“capability maturity model integrated,” which is a software practice evaluation method
developed by the SEI and now widely used.)
Insurance Against Cybertheft and Cyberattack Damages
In the 1990s, insurance companies began to receive new kinds of claims from
corporate clients about damages from hacking and data theft. The existing policies
from that decade did not have any explicit language for these losses, so some
companies paid the claims and some did not.
By about 2000, the insurance industry recognized that these claims were
increasing rapidly, and it began to offer new forms of cybertheft and cyberattack
policies. These did not sell as well as expected because the costs of the damages
varied widely, and there were no effective algorithms for underwriters to use.
According to a study presented at a Cyber Liabilities insurance conference in
April 2012, about 72% of U.S. companies do not currently have any cyber liability
insurance in place. The authors of the study were Peter Foster, David Molitano,
and Brad Gow from various insurance companies.
Of the 28% that do have insurance, about half have small policies that probably
won't cover more than a fraction of the total costs for a major attack.
The Cyber Security Agency of the European Union, the European Network and
Security Agency, published a similar report that cited fairly low levels of
cyberattack insurance throughout the European Union.