The Economics of IT Risk and Reputation
The economics of IT risk and reputation
What business continuity and IT security really mean to your organisation
Global Technology Services
Research Report
Findings from the IBM Global Study on the Economic Impact of IT Risk
About the study
The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study, a follow-on to the 2013 IBM Reputational Risk and IT Study, was sponsored by IBM and independently conducted by Ponemon Institute in July 2013.
Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organisation and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organisations with more than 5,000 full-time equivalent employees.
Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the two IT disciplines, their survey responses were remarkably similar, with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups.
The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world.
Location (37 countries)
North America: 49% (1,125 respondents)
Europe/Middle East: 26% (597 respondents)
Asia Pacific: 15% (353 respondents)
Latin America: 10% (241 respondents)
Company sizes (full-time equivalent employees)
Less than 500: 8%
500 to 1,000: 15%
1,001 to 5,000: 23%
5,001 to 10,000: 25%
10,001 to 25,000: 15%
25,001 to 75,000: 9%
More than 75,000: 4%
Industries (partial)
Public sector: 14%
Healthcare: 11%
IT and technology: 9%
Consumer goods: 7%
Energy and utilities: 5%
All others: 16%
Job titles (partial)
C-level executive: 11%
Administrative: 2%
Contractor: 2%
Contents
3 Introduction
4 Quantifying the economic impact of disruptions to business and IT operations
6 The reputational risk and IT connection
8 Understanding the threat landscape
11 Building the case for business continuity and IT security investments
13 Barriers to success
15 Conclusion and observations
WHAT WOULD YOU DO?
If reputation and brand are important, make IT risk management a priority.
Business continuity management supervisor, French consumer products company
Introduction
When the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly. In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organisation. Such risks include human error, system failures, security breaches and disruptions to data centre operations such as power failures and natural disasters.
Understanding the financial consequences of a disruption can be valuable to determining the resources that should be invested in preventing or minimising such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities.
In this study, we measure the financial consequences, or total cost, resulting from an organisation's inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences: the cost of damage to a company's image or brand value as a result of poor controls, failed processes, IT downtime, data theft and compliance violations.
The voice of business continuity and IT security
In this survey we asked two optional open-ended questions: "What steps should your organisation or industry take to reduce risks to your organisation posed by IT operations?" and "Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organisation?" The responses we received were thoughtful and thought-provoking, and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: "What would you do?" and "Where is the risk?"
Risk Management 3
Quantifying the economic impact of disruptions to business and IT operations
A very important objective of this research is to determine the cost to organisations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial.
Duration. Minor, moderate and substantial disruptions are classified according to the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be 442.3 minutes, or almost a full eight-hour day of down or idle time. However, some respondents expect that substantial disruptions could last more than two days.
Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organisations are three times more likely to experience a minor incident than a substantial incident.
Cost. Respondents were asked to consider all direct cash outlays, direct labour expenditures, indirect labour costs, overhead costs and lost business opportunities for six cost categories:
- Cost of users' idle time and lost productivity because of downtime or system performance delays
- Cost of forensics to determine the root causes of disruptions or compromise
- Cost of technical support to restore systems to an operational state
- Cost associated with reputation and brand damage
- Revenues lost because of system availability problems
- Cost associated with compliance or regulatory failure
Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per-minute cost of substantial disruptions (US$53,223 versus US$32,229), reflecting that the largely fixed costs for users' idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5).
Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above. From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss.
It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organisation over time.
4 The economics of IT risk and reputation
Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions
Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months
Figure 3. Estimated average cost per minute of disruption (down or idle time)
Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months
The reputational risk and IT connection
If there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarises the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations.
The top three costs for all three levels of disruptions (combined) are (1) cost of users' idle time,