Estimating the Global Cost of Cyber Risk

Methodology and Examples

Paul Dreyer, Therese Marie Jones, Kelly Klima, Jenny Oberholtzer, Aaron Strong, Jonathan W. Welburn, Zev Winkelman

ResearchPublished Jan 15, 2018

There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model's functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).

Topics

Document Details

Citation

RAND Style Manual
Dreyer, Paul, Therese Marie Jones, Kelly Klima, Jenny Oberholtzer, Aaron Strong, Jonathan W. Welburn, and Zev Winkelman, Estimating the Global Cost of Cyber Risk: Methodology and Examples, RAND Corporation, RR-2299-WFHF, 2018. As of September 8, 2024: https://www.rand.org/pubs/research_reports/RR2299.html
Chicago Manual of Style
Dreyer, Paul, Therese Marie Jones, Kelly Klima, Jenny Oberholtzer, Aaron Strong, Jonathan W. Welburn, and Zev Winkelman, Estimating the Global Cost of Cyber Risk: Methodology and Examples. Santa Monica, CA: RAND Corporation, 2018. https://www.rand.org/pubs/research_reports/RR2299.html.
BibTeX RIS

This research was sponsored by the William and Flora Hewlett Foundation and the Symantec Corporation and conducted by the Science, Technology, and Policy Program within RAND Justice, Infrastructure, and Environment.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.