The economics of IT risk and reputationWhat business continuity and IT security really mean to your organisation

Global Technology ServicesResearch Report

Risk Management

Findings from the IBM Global Study on the Economic Impact of IT Risk

About the studyThe IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study—a follow-on to the 2013 IBM Reputational Risk and IT Study—was sponsored by IBM and independently conducted by Ponemon Institute® in July 2013.

Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organisation and report directly to the CIO or head of

corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organisations with more than 5,000 full-time equivalent employees.

Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups.

The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world.

North America 49%1,125

Europe/Middle East 26%597

Asia Pacific 15%353

Latin America 10%241

Less than 500 8%

500 to 1,000 15%

10,001 to 25,000 15%

25,001 to 75,000 9%

1,001 to 5,000 23%

5,001 to 10,000 25%

More than 75,000 4%

Location (37 countries) Company sizes

Banking 19%

Healthcare 11%IT and technology 9%

Industrial 9%

Director 24%

Staff/technician 10%

Supervisor 19%

C-level executive 11%

Industries Job titles

Public sector 14%

Retail 10%

Consumer goods 7%

Energy and utilities 5%

All others 16%

Manager 31%

Administrative 2%Contractor 2%

Contents 3 Introduction 4 Quantifying the economic impact of disruptions to business and IT operations 6 The reputational risk and IT connection 8 Understanding the threat landscape 11 Building the case for business continuity and IT security investments 13 Barriers to success 15 Conclusion and observations

WHAT WOULD YOU DO?

If reputation and brand are important, make IT risk management a priority.

– Business continuity management supervisor, French consumer products company

IntroductionWhen the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly. In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organisation. Such risks include human error, system failures, security breaches and disruptions to data centre operations such as power failures and natural disasters.

Understanding the financial consequences of a disruption can be valuable to determining the resources that should be invested in preventing or minimising such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities.

In this study, we measure the financial consequences or “total cost” resulting from an organisation’s inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences—the cost of damage to a company’s image or brand value as a result of poor controls, failed processes, IT downtime, data theft and compliance violations.

The voice of business continuity and IT security

In this survey we asked two optional open-ended questions: ‘What steps should your organisation or industry take to reduce risks to your organisation posed by IT operations?’ and ‘Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organisation?’ The responses we received were thoughtful and thought-provoking—and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: ‘What would you do?’ and ‘Where is the risk?’

Risk Management 3

Quantifying the economic impact of disruptions to business and IT operationsA very important objective of this research is to determine the cost to organisations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial.

Duration. Minor, moderate and substantial disruptions are classified according the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be 442.3 minutes or almost a full eight-hour day of down or idle time. However, some expect that substantial disruptions could last more than two days.

Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organisations are three times more likely to experience a minor incident than a substantial incident.

Cost. Respondents were asked to consider all direct cash outlays, direct labour expenditures, indirect labour costs, overhead costs and lost business opportunities for six cost categories:• Cost of users’ idle time and lost productivity because

of downtime or system performance delays• Cost of forensics to determine the root

causes of disruptions or compromise

• Cost of technical support to restore systems to an operational state

• Cost associated with reputation and brand damage• Revenues lost because of system availability problems• Cost associated with compliance or regulatory failure

Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per minute cost of substantial disruptions (US$53,223 versus US$32,229)—reflecting that the costs for users’ idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5).

Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above. From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss.

It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organisation over time.

4 The economics of IT risk and reputation

Risk Management 5

Minor SubstantialModerate

Average minutes of down or idle time for minor, moderate and substantial disruptions

Minor SubstantialModerate

Likelihood of one or more disruptions to business and IT operations over

the next 24 months

19.7

111.8

442.3 69%

37%

23%

Minor SubstantialModerate

Estimated average cost per minute of disruption

(down or idle time)

Minor SubstantialModerate

Estimated average total cost of disruption to business and IT

operations over the next 24 months

$53,210

$38,065$32,229

$1,046,454

$4,257,357

$14,255,468

Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions

Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months

Figure 3. Estimated average cost per minute of disruption (down or idle time)

Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months

6 The economics of IT risk and reputation

The reputational risk and IT connectionIf there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarises the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations.

The top three costs for all three levels of disruptions (combined) are (1) cost of users’ idle time, (2) cost of forensics and (3) cost of technical support. It is interesting to note that while leadership is believed to be most concerned

about revenue loss because of system availability problems, it ranks near the bottom of allocated cost in the eyes of IT professionals.

WHAT WOULD YOU DO?

‘We should change orientation from reactive to proactive and have a more mature risk management strategy in place.’

– IT security director, German technology company

Figure 5. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories.

35Cost of users' idle time and lost productivity because

of downtime or system performance delays

Cost of forensics to determine the root causesof disruptions

Cost of technical support to restore systemsto an operational state

Cost associated with reputation and brand damage

Revenues lost because of system availability problems

Cost associated with compliance or regulatory failure

36 15

25 20 9

28 17 7

2 11 37

4 12 22

5 4 10

Minor Moderate Substantial

Allocation of total costs

Risk Management 7

Drawing from the minor, moderate and substantial cost allocations indicated previously, we estimate the reputation and brand-related damages that result from all three levels of disruption. Figure 6 shows that reputational cost associated with substantial disruption is almost US$5.3 million. In contrast, reputational costs associated with minor disruptions are relatively negligible.

Minor SubstantialModerate

Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months

$20,929$468,309

$5,274,523

WHAT WOULD YOU DO?

‘Develop a coherent strategy that aligns information risk with enterprise risk.’

– Business continuity director, Canadian financial services company

Reputational threats: perception versus realityNot so clear cut is the source of IT threats to reputation. We asked recipients to rank seven common threats in terms of reputational impact on their organisations. As Figure 7 shows, data breach and disaster top the rankings of threats respondents think pose the greatest reputational risk, with IT system failure placing third and human error sixth.

Figure 6. Estimated reputation-related costs resulting from disruption to busi-ness or IT operations over the next 24 months

Figure 7. Common threats ranked in terms of reputational impact

5.5

Data breach/data theft

Natural or manmadedisasters

IT system failure

Data loss (backup/restore failure)

Cyber security breach/advanced persistent threats

Human error

5.2

4.3

4.0

3.8

2.6

1.2Third-party partner security

breach or system failure

Common threats ranked in terms of reputational impact

When respondents were asked whether their organisations had actually experienced damages to reputation or brand value and from what cause, the threat ranking is quite different. As Figure 8 shows, the most significant threats to reputation based on experience over the last two years are incidents that involve IT system failures and human errors, followed by cyber security breaches. Natural or manmade disasters are far less likely to cause reputation or brand damages.

8 The economics of IT risk and reputation

66%

IT system failure

Human error

Cyber security breach

Data loss from failedbackup/restore

Natural or manmadedisasters

Third-party security breachor IT system failure

57%

46%

39%

23%

19%

Threats that impact reputation and brand value experienced over the past 24 months

Understanding the threat landscapeOur survey also probed the threat landscape more broadly to determine how closely what IT practitioners think will happen matches their actual experience. Overall, respondent perceptions about the likelihood of threats occurring are largely consistent with reported instances of events—with human error taking the top spot in terms of likelihood, number of disruptions experienced and projected financial impact.

Figure 9 shows how respondents ranked seven common threats in terms of the likelihood of occurrence in their organisations. While these business continuity and IT security professionals rank human error as the leading potential threat, IT system failure, data breach and third-party partner security breach or system failure are almost equal leading contenders.

Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of “yes” response)

Figure 9. Common threats ranked in terms of likelihood of occurrence

5.6

Human error

IT system failure

Data breach/data theft

Third-party partner securitybreach or system failure

Cyber security breach/advanced persistent threats

Data loss (backup/restore failure)

5.2

5.0

5.0

4.0

2.3

0.0Natural or manmade

disasters

Common threats ranked in terms of likelihood of occurrence

Overall, IT professionals are very accurate when it comes to understanding the general threat landscape. According to Figure 10, respondents report that in the past two years they have experienced on average more than nine business disruptions due to human error—coinciding with the ranking of the leading perceived threat to business and IT operations and IT security. In fact, actual occurrence of incidents caused by human error far exceeds projections. Data loss due to failed backup/restore is also more common than projected—and is slightly ahead of cyber security breaches.

Risk Management 9

Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats

9.5

Human error

IT system failure

Third-party partner securitybreach or system failure

Data loss from failedbackup/restore

Cyber security breach

Natural or manmadedisasters

5.5

5.4

4.5

4.2

1.9

Average number of actual disruptions over the past 24 months caused by six common threats

Figure 11. Common threats ranked in terms of economic impact

When evaluating threats in terms of potential economic impact on an organisation, Figure 11 shows that respondents are consistent in their ranking of human error as the leading threat. However, participants believe cyber security breaches and data theft pose a much greater risk of economic impact than reputational impact (see also Figure 7).

4.7

Human error

Cyber security breach/advanced persistent threats

Data breach/data theft

Data loss (backup/restore failure)

IT system failure

Third-party partner securitybreach or system failure

3.9

3.8

3.6

3.4

2.7

1.0Natural or manmade

disasters

Common threats ranked in terms of economic impact

10 The economics of IT risk and reputation

The role of third-party partners: a closer look Just how much of a threat do vendors and third parties pose to respondents’ companies? According to 41 (21+20) percent of respondents (Figure 12), vendor-related mishaps represent a main source of disruption to business and IT operations experienced over the past 24 months.

1%

Zero

<25%

26 to 50%

51 to 75%

76 to 100%

21%

37%

20%

21%

Percentage of disruptions to business and IT operations caused by third parties

over the past 24 months

One reason may be standards. According to Figure 13, not all vendors and other third parties are required to comply with the same business continuity and IT security requirements that respondents’ companies adhere to. Thirty-one percent of respondents say their companies do not require vendors and other third parties to comply with their business continuity requirements, and 40 percent say their companies do not require partner compliance with their own IT security standards.

Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months

Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organisation?

Yes

No

Unsure

Do vendors and other third parties comply with the same requirements deployed

within your organisation?

58% 42%

31% 40%

11% 17%

Business continuity requirements

IT security requirements

Risk Management 11

Building the case for business continuity and IT security investmentsBusiness continuity and IT security professionals strongly believe that their disciplines play an important role in their organisations’ success. Figure 14 reveals an unanticipated finding of this research: fully 89 percent of respondents say that protecting intellectual property is a very important objective of their IT role. We believe this reflects the increasingly digital nature of intellectual property itself and the vulnerability of intellectual property to cyber attack or loss due to IT failures.

Maximising employee productivity (72 percent), minimising regulatory or legal non-compliance (70 percent) and enhancing brand value and reputation round out the top four very important objectives advanced by business continuity and IT security activities. Based on previous IBM studies, the fact that in 2013 fully 65 percent of respondents rate enhancing brand value as “very important” confirms that recognition of the relationship between IT risk and reputation risk is continuing to grow among IT professionals.

WHERE IS THE RISK?

‘What frightens me is the increased use of social media that can expose corporate IP and damage reputations.’

– IT security supervisor, United States professional services company

Figure 14. Business objectives advanced by business continuity and IT security management activities

89%Protecting intellectual

property

Maximising employeeproductivity

Minimising non-compliancewith laws

Enhancing brand valueand reputation

Expanding into newglobal markets

Minimising customerdefection

72%

70%

65%

48%

21%

14%Maximising customer

acquisition

Business objectives advanced by business continuity and IT security

management activities

9%Increasing revenues and

positive cash flow

12 The economics of IT risk and reputation

The potential damage to reputation and brand value is also now recognised as an incentive for organisations to fund business continuity and IT security programs. Figure 15 reveals that preventing productivity losses, system downtime and compliance failures and reputation damages are the factors that contribute most to securing budget commitments.

44%

Productivity loss

System or applicationdowntime

Compliance/regulatoryfailure

Reputation damage

Information loss or theft

Performance degradation

37%

34%

30%

22%

17%

Factors that contribute the most to securing budget commitments for business

continuity and IT security

WHERE IS THE RISK?

‘Elevating IT risk management issues requires C-suite support, and this is difficult to accomplish.’

– IT security manager, Argentinean services company

While respondents recognise the importance of minimising IT risks because of potential threats to reputation and brand, they don’t believe their leaders hold that same perception. Figure 16 reports only 32 percent of respondents say their company’s leaders recognise that IT risks affect brand image and 35 percent say it impacts reputation. Half (50 percent) of respondents believe their organisation’s leaders do not recognise that IT risks affect revenues.

Figure 15. Factors that contribute the most to securing budget commit-ments for business continuity and IT security

Figure 16. Do organisational leaders recognise the economic and reputa-tional impact of disruption to business and IT operations? (strongly agree and agree responses combined)

50%Leaders recognise that IT

risks affect revenues

Leaders recognise that ITrisks affect reputation

Leaders recognise that ITrisks affect brand image

35%

32%

Organisational leaders strongly agree or agree that disruptions to business and IT operations

have economic and reputational impact

Risk Management 13

Barriers to successRespondents say that the most significant barriers to achieving highly effective business continuity and IT security management programs are funding deficits, emergence of disruptive technologies, lack of knowledgeable staff and business process complexity (Figure 17).

37%

Lack of funding

Disruptive technologies(mobility, cloud)

Lack of expert orknowledgeable staff

Complexity of businessprocesses

Insufficient planning andpreparedness

Silos and turf thinking

32%

28%

19%

17%

17%

Barriers to achieving a highly effective business continuity or IT security program

While planning, preparedness, silos and territorial thinking were only cited by 17 percent of respondents, answers to two other questions suggest that these factors may indeed play a stronger role in the success or failure of business continuity and IT security programs. According to Figure 18, a majority of respondents state their companies do not have a formal strategy for business continuity or IT security management across the enterprise (and this impacts the effectiveness of these IT operations).

Figure 17. Barriers to achieving a highly effective business continuity or IT security program

Figure 18. Organisational approach to business continuity and IT security strategy

17%Formal strategy applied

consistently

Formal strategy, but is notapplied consistently

Informal or "ad hoc"strategy

We don't have a strategy

27%

26%

31%

Organisational approach to business continuity and IT security

14 The economics of IT risk and reputation

The results summarised in Figure 19 indicate respondents are unable to achieve a high level of collaboration. The fact that 44 percent believe collaboration between their function and other business or IT functions is either poor or non-existent suggests that silos and turf thinking play a stronger role in hindering success than IT professionals are willing to recognise.

24%

Collaboration is excellent

Collaboration is adequate,but can be improved

Collaboration is poor or non-existent

Cannot determine

31%

44%

2%

Collaboration between business continuity, IT security and other business or IT functions

Our research findings also suggest that there is no clear best practice when it comes to overall responsibility for preventing disruptions to IT operations. The most likely candidate, the chief information officer (CIO), was named by only 28 percent of the respondents (Figure 20). The next largest segment, business unit leader, is outside of the IT organisation all together, and the third ranked choice is “no one person” at 11 percent. This fragmentation of responsibility may also be a barrier to success.

Figure 20. Ownership of overall responsibility for directing efforts to ensure that IT operations are not disrupted

28%Chief information

officer (CIO)

Business unit leader

Data centre manager

Business continuitymanager

Disaster recovery manager

Chief information securityofficer (CISO)

20%

10%

7%

6%

5%

11%No one person has overall

responsibility

Overall responsibility for directing efforts to ensure that IT operations are not disrupted

Figure 19. Degree of collaboration between business continuity, IT security and other business or IT functions

Risk Management 15

Conclusion and observationsThe economic impact of business continuity and IT security failures can be significant, ranging on average from US$1 million for a minor disruption lasting 20 minutes to more than US$14M for a substantial disruption lasting close to 8 hours. Minor disruptions are more likely to happen than substantial ones—yet the price tag for even a single minor event is liable to outweigh the cost of prevention.

Business continuity and IT security professionals recognise that the costs associated with reputation and brand damage resulting from substantial events is also significant. On average, they estimate that reputation-related costs alone will exceed US$5 million over the next 24 months. While 65 percent of survey respondents think business continuity and IT security management can enhance brand value and reputation, less than 35 percent think that upper management shares this view.

This means business continuity and IT security professionals need to build a stronger business case for investments in IT controls that can help prevent downtime, data loss, cyber security breaches and the resulting loss of productivity and damage to reputation. One place to start is with a rigorous assessment of the actual root causes at work in the organisation, then connecting spend with potential financial consequences that can be averted. This approach can provide a foundation for establishing business-related metrics to measure effectiveness and provide further budget justification.

Putting IT risk prevention into the business language of cost-benefit analysis can not only help elevate the discussion but also help educate leadership on the sources of risk. This is particularly important given that the greatest single cause of both disruption and economic impact is human error—which is not an issue that IT alone can address. While IT can invest in processes such as change management or automated data backup that can help reduce the opportunity for human error, educating end users and developing a security-aware and -compliant culture requires an enterprise-wide effort with top-down leadership.

For more informationTo learn more about how IBM can help you protect your organisation’s reputation by strengthening IT risk management, contact your IBM representative or IBM Business Partner, or visit the following website:ibm.com/services/riskstudy/uk

Join the business continuity conversation

Join the IT security conversation

LimitationsThere are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of business continuity management, IT and IT security practitioners in numerous countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are business continuity management, IT or IT security practitioners within the sample of countries selected.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some responders did not provide truthful responses.

IBM United Kingdom LimitedPO Box 41, North HarbourPortsmouth, Hampshire PO6 3AUUnited Kingdom

IBM Ireland LimitedOldbrook House24-32 Pembroke RoadDublin 4

IBM Ireland registered in Ireland under company number 16226.

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

The content in this document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

© Copyright IBM Corporation 2013

Please Recycle

RLW03022-GBEN-00