Information Security Matters: Cyber Impact Analysis

Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 1 September 2024

I think we can all agree that being on the receiving end of a cyberattack is not a good thing. Whether it is merely a theft of data (merely!?) or an attack that renders information systems inaccessible, cyberattacks are downright bad.

For those with a penchant for precision, just how bad are they? Are all cyberattacks equally bad? (I do not think so.) And what are the metrics of badness? One frequently quoted yardstick[1] is data breaches, defined as “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”[2] Another is the number of records disclosed.[3] And, of course, there is the question of how much an attack costs the victim.[4]

For the most part, published reports on these different ways of measuring the impact of cyberattacks do so in the aggregate. This gives security professionals some basis for planning and budgeting. Still, it does not answer the question I have often heard from senior executives: “If it happened to us, what would the impact be?”

Business Impact Analysis

Business continuity managers have long performed business impact analyses (BIAs), which serve as the foundation for planning recovery from various business disruptions. For many years, the scenario for such analyses was the unavailability of office premises. The number of people who worked at home during the COVID-19 pandemic undermined the findings of many of those studies. Factories, restaurants, buses, and other workplaces where personnel had to be present in order to work were not as frequently considered.

Many BIAs have assessed the impacts of the unavailability of applications,[5] as might be caused by a cyberattack. The basis of those previous studies was the destruction or unavailability of an organization’s data center. While these are still valid analyses, they do not address the threat of cyberattacks. Data backups, replication, and alternate data centers can resolve the missing application problem with outages measured in hours. However, recovery from destructive attacks and ransomware is usually measured in days.

There are simply more things to do in order to recover fully. Software, databases, and their backups must be cleansed of malware. Lengthy dwell time for the pernicious software necessitates rolling forward generations of backups to recover databases as close to the present as possible. And since the location(s) of the malware may be unknown, a great deal of software must be scanned and either given a clean bill of health or cleaned up.

It Gets Complicated

When all applications and all data were housed in an enterprise’s own data center, the loss of that site meant that all data processing ceased until systems could be recovered at an alternate location. That is often not the case today because the systems are located in more places. Some applications may remain on-premises, but others may be in a colocation facility, or in the cloud, or several clouds, or at a third party’s software-as-a-service data center, which may also be in a cloud or…

The dispersal of applications and their associated infrastructure means it is unlikely that all of them will be attacked simultaneously. While technicians (the organization’s own or the vendors’) are busy recovering the systems that were attacked, the business can continue operations with those that were unaffected. However, interfaces among systems in various venues may have enabled the spread of malware from one to another. Thus, even the systems that were ostensibly untouched must undergo rigorous scanning. This takes time and may disrupt processing. When the systems that were attacked are recovered, the interfaces must also be re-established.

Moreover, not all applications are of equal importance to an enterprise’s bottom line or its mission. Every organization in every industry has its own “killer” applications. In manufacturing it is often enterprise resource planning; in insurance, it is the policy system; in retail, the inventory application; in pension funds, the membership rolls. Incapacitating these applications can effectively bring an organization to its knees.

Knowledge is Power

An organization can wait until it is victimized to determine how badly it will be affected. I maintain that knowing in advance, or at least having a reliable approximation of the impact of a potential attack, is a more prudent way to manage a business. To what extent will operations be interrupted without the applications they rely on? How much money will be lost or not earned? How many customers will remain loyal and wait out the disruption? How many customers will be lost? How severely will the organization’s reputation be tarnished? In the case of public sector agencies, how will society be harmed?

And then there is the ultimate question for private sector companies: How long can the business be without key systems until its share price faces an unacceptable decline, or worse, is no longer viable?[6]

Impact and Investment

The answers to these and other related questions will set the parameters for investment in prevention, detection, and recovery from cyberattacks. The investments in recovery, in particular, need to be directed at both mitigating the impact of an attack and shortening the time needed to recover the affected systems. The former requires a detailed understanding of how a business uses its information systems to make money, serve customers, pay its people, and keep everything well controlled. Obtaining that understanding might come from process flows and financial statements. However, the most effective way, I have found, is to ask the responsible managers: “Which applications do you rely on? And if you did not have them, what would you do?”

In some cases, these managers will reply with wonderfully ingenious alternative means of conducting business. But in many others, so I have found, they will say that after a certain amount of time without their systems (immediately? a day? a week?) operations will cease until the applications are restored. Determining that “drop dead” point should be a specific objective of a cyber impact analysis.

There are many means for reducing recovery time. They include retaining many generations of backups, routine scanning of software and data for incursions, an “air gap” environment for analysis and testing, and practice – lots of practice – for rapid recovery. These are costly, particularly since they necessitate personnel to carry them out and equipment for the people to work with.

So, while the badness of cyberattacks is well established, there is a need to answer some basic questions: How bad would an attack be? What is the differentiation of badness depending on the nature of an attack? Where will the pain be felt the most strongly and where might it barely be felt at all? And most importantly: What can be done to ease, if not eliminate, the pain?

Endnotes

[1] Sorry, but as an American, I just cannot get myself to type meterstick.
[2] Verizon, “2023 Data Breach Investigations Report,” https://www.verizon.com/business/resources/T8f8/reports/2023-data-breach-investigations-report-dbir.pdf
[3] Security Magazine, “Over 22 Billion Records Exposed in 2021,” 10 February 2022, https://www.securitymagazine.com/articles/97046-over-22-billion-records-exposed-in-2021#:~:text=There%20were%204%2C145%20publicly%20disclosed,5%25%20fewer%20than%20in%202020.
[4] IBM Security/Ponemon Institute, “Cost of a Data Breach Report 2023,” https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700077724064006&p5=e&gad_source=1&gclid=Cj0KCQjwztOwBhD7ARIsAPDKnkB8HWLjyFbYDP38GrH3ZRUxLlJfGKhu4wtPOun8wXRHVGftUrWOGOcaAn8rEALw_wcB&gclsrc=aw.ds
[5] I am not aware of any BIA that addressed the exfiltration of information, but I would like to hear from anyone who has performed one of these.
[6] Knight, R.F.; Pretty, D.J.; “Reputation & Value: The Case of Corporate Catastrophes,” Oxford Metrica, 2001, https://www.oxfordmetrica.com/public/CMS/Files/488/01RepComAIG.pdf. Although this document is somewhat dated, the research of Knight and Pretty has, in my opinion, made the case for the impact of a crippling cyberattack – certainly a catastrophe – on corporate fortunes.

STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP

Steven J. Ross is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.