There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model's functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).

Table of Contents

  • Chapter One
  • Chapter Two: Modeling the Costs of Cyber Risk
  • Chapter Three: Model Parameters
  • Chapter Four: Case Studies
  • Chapter Five: Conclusion and Next Steps
  • Appendix A: Estimating the Global Cost of Cyber Risk Calculator User Manual
  • Appendix B: Review of Model Assumptions
  • Appendix C: Module Y2 Sector-Exposure Relationship
  • Appendix D: Advisen Data
  • Appendix E: Characterizing Attackers and Perils
  • Appendix F: Potential Expert Elicitation Format

This research was sponsored by the William and Flora Hewlett Foundation and the Symantec Corporation and conducted by the Science, Technology, and Policy Program within RAND Justice, Infrastructure, and Environment.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
