Managing the financial impact of cybersecurity incidents

The complex relationships of economic actors and the high dependency on information and communication technologies make it necessary for all relevant entities to develop protection. This protection should include preventive and reactive controls in a risk-proportionate manner in relation to the business value protected. We aimed to develop a solution to support cybersecurity-related business decisions with financial analytics. The risk-based approach helps management find the optimum solution with minimal costs, where protection prevents some incidents from occurring, while the risks associated with other incidents are accepted in an informed way. The security industry developed a number of apparatuses to find the optimum security controls that enforced the fiscal aspects, which typically contain solutions used in planning. However, the actual expenditure often differs from the planned budget for several reasons, one of which is the occurrence of security incidents. We used the common methodology toolset for financial analysis (NPV, NFV, risk assessment). We developed novel metrics based on these that can be used in cybersecurity management. Within the framework thus defined, the article discusses the economic context of the effects of incidents involving Meta (previously Facebook) services from 2016 to 2020. This paper introduces the ‘Effect of incidents’ metric to measure the impact of unplanned incidents’ on actual expenditure compared to the planned budget and the ‘Incidence of incident recognition’ metric to measure deviations of an incident’s impact as perceived by owners relative to the effect on the value of the assets. The paper also proves the applicability of those metrics using the example of Meta.