 |
Top 10 Mistaken Methods of Estimating the Cost of Cyber Attacks |
Source: Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit
|
Macro or Micro? (cont.)
The Economics of Cybersecurity
Since some of the firm's projects are mandated-Australia's third-largest bank must meet many internal and international compliance rules-and a finite amount of money is available, Karvounaris tries to keep expenditures down for all but the top-priority risks. Issues that fall into lower-risk categories are often dealt with through operational changes and improvements aimed at reducing the likelihood of occurrence. For example, the company recently started a risk assessment related to Internet banking. While risks existed, the company knew they could mitigate them by delaying payments to batch processing, which would give employees more time to spot fraud. Increasing customer education can help, too, by making it more likely that customers will spot problems and report them promptly.
A little of this, a little of that
TDC Solutions, a subsidiary of TDC Group, is one of the largest Nordic DSL providers. With a client base of 15.5 million customers, the company uses multiple metrics to evaluate cybersecurity issues from a financial standpoint, explains the company's vice president of online services, Per Rasmussen.
One of TDC's main areas of concern is providing security for its residential and business customers. According to Rasmussen, these constituents represent the unique problem of servicing users who have little-if any-control from a regulatory standpoint. "Looking a few years back, we've seen a tremendous increase in different kinds of problems customers are experiencing related to IT security in their homes and offices, from handling spam and viruses to handling large numbers of PCs and so on," Rasmussen says. "Even though we could take the approach of saying, 'This has nothing to do with our Internet-access products; figure out how to solve the problem yourself,' we want to provide a premium service to our customers. Therefore, we want to ensure we help our customers with the problems that occur in relation to their broadband access."
As a result, TDC Solutions uses quantifiable metrics, such as how many security-related calls come into its call centers and what it costs to handle each call; as well as soft metrics, such as the public relations value of handing security issues for customers, like wireless security or filtering child pornography within its own network.
Hard metrics help prove an investment is wise, Rasmussen says, but soft metrics help the company uncover current and future revenue streams. Symantec's Brightmail AntiSpam and Antivirus products play a big part in that. "One thing we had a few considerations around when we first decided to introduce spam and virus filtering, was whether we should make this a service our customers paid for as an add-on, or just give it free to everybody. At first, we felt there was such revenue volume that it made sense to take it in as well," he explains. "But I'm convinced our decision to just give it to all of our customers for free has gained a far better return on investment, even though we had to pay more to get coverage for all customers. The decrease in calls in our centers has been dramatic. If I put dollars to the value of the positive press coverage we got, it has been far more valuable than expected."
Cart
PRINT THIS PAGE
