Cyber-crime cost calculation studies are rubbish: ENISA

ENISA, the European Union Agency For Network And Information Security, has taken a look at “cost of cyber attack” studies and reckons they're not much good. The agency is far too polite to put it that way, but in this report, it says there's no consistent approach to trying to quantify the cost of attacks on what it calls …

  1. Pascal Monett

    Mistaken approach

    ENISA has misunderstood the goal of these "studies". They are not made to explain an actual cost, they are made to push the hysterical fear agenda to scare punters into investing in security (any kind, doesn't matter as long as the contract is in the tens of thousands) and therefore need to publish big numbers because that's more impressive than saying that a typical cybercrime will actually cost an admin a day/week of work to ferret out and lock down the affected parts.

    Even if your admin is paid in gold bars, you won't hit a number that is anywhere near the million mark, so not impressive enough.

    1. Rich 11

      Re: Mistaken approach

      Even if your admin is paid in gold bars

      Chance would be a fine thing...

    2. Kumar2012

      Re: Mistaken approach

      "Even if your admin is paid in gold bars, you won't hit a number that is anywhere near the million mark, so not impressive enough." --- While no doubt scary numbers are used to drum up sales, by no means is the cost of a breach limited to only the recovery efforts. It comes down to what data or systems were affected, what industry you are in and how to quantify that in a meaningful monetary sense.

    3. Mark 85

      Re: Mistaken approach

      It's possible also that companies that get hit inflate the "damage" to their insurance companies. I've seen it happen with physical plant/office damage so why not cyber-damage?

  2. Tim 11

    what does "per company" mean?

    Since the average (mean) company turnover in the UK is less than $1m (due to the fact that the vast majority of companies are very small), I suspect Chirgwin is somewhat misquoting the figures. Presumably they only apply to companies over a certain size?

    1. Will Godfrey

      Re: what does "per company" mean?

      Good Grief!

      Next you'll be suggesting that people are cherry-picking the data points to inflate the costs so they can unethically charge more for recovery.

      I can't believe anyone would do that!

    2. Oh Bother

      Re: what does "per company" mean?

      "Presumably they only apply to companies over a certain size?"

      Most likely as the report is specific to CII "Critical Information Infrastructure ".

      The definition of CII is taken from the Council Directive 2008/114/EC on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection: "ICT systems that are Critical Infrastructures for themselves or that are essential for the operation of Critical Infrastructures (telecommunications, computers/software, Internet, satellites, etc.)"
