
RAND: Estimating the Global Cost of Cyber Risk (Cybersecurity) (English), January 2018, 63 pages

Updated: 2019/5/26 (posted from Jiangsu)

Text description
Limited Print and Electronic Distribution Rights
This document and trademark(s) contained herein are protected by law. This representation of RAND
intellectual property is provided for noncommercial use only. Unauthorized posting of this publication
online is prohibited. Permission is given to duplicate this document for personal use only, as long as it
is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of
its research documents for commercial use. For information on reprint and linking permissions, please visit
www.rand/pubs/permissions.
The RAND Corporation is a research organization that develops solutions to public policy challenges to help make
communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit,
nonpartisan, and committed to the public interest.
RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors.
For more information on this publication, visit www.rand/t/RR2299
Published by the RAND Corporation, Santa Monica, Calif.
Copyright 2018 RAND Corporation
R is a registered trademark.
Preface
Cyber incidents have been increasing in frequency and cost in recent years, with some
resulting in hundreds of millions of dollars in losses. There is marked variability from study to
study in the estimated direct and systemic costs of cyber incidents, which is further complicated
by the considerable variation in cyber risk across countries and industry sectors. In many cases,
comparing research studies is complicated by a lack of transparency in methodologies,
assumptions, and data sets used. The goal of this research was to produce a transparent
methodology for estimating present and future global costs of cyber risk, acknowledging the
considerable uncertainty in the frequencies and costs of cyber incidents. A companion Excel tool
implements the methodology described in this document.1 This research was sponsored by the
William and Flora Hewlett Foundation and the CyberCube unit of the Symantec Corporation and
will be of interest to researchers and policymakers involved with cyber risk assessment and
mitigation.
RAND Science, Technology, and Policy
The research reported here was conducted in the RAND Science, Technology, and Policy
program, which focuses primarily on the role of scientific development and technological
innovation in human behavior, global and regional decisionmaking as it relates to science and
technology, and the concurrent effects that science and technology have on policy analysis and
policy choices. The program covers such topics as space exploration, information and
telecommunication technologies, and nano- and biotechnologies. Program research is supported
by government agencies, foundations, and the private sector.
RAND Justice, Infrastructure, and Environment (JIE) conducts research and analysis in civil
and criminal justice, infrastructure development and financing, environmental policy,
transportation planning and technology, immigration and border protection, public and
occupational safety, energy policy, science and innovation policy, space, telecommunications,
and trends and implications of artificial intelligence and other computational technologies.
Questions or comments about this report should be sent to the project leader, Paul Dreyer
(Paul_Dreyer@rand). For more information about RAND Science, Technology, and Policy,
see www.rand/jie/stp or contact the director at stp@rand.
1 Dreyer, 2018.
Contents
Preface
Figures
Tables
Summary
Acknowledgments
Abbreviations
Symbols
Chapter 1: Introduction
  Summary of Existing Global Cyber Cost Estimate Research and Results
  Report Objective and Outline
Chapter 2: Modeling the Costs of Cyber Risk
  Model Structure
  Direct Costs at the Sector and Country Levels
  From Direct to Systemic Costs
  Projecting Future Costs
Chapter 3: Model Parameters
  Sets
  Country (C)
  Industry Sectors (I)
  Financial Exposures (E)
  Perils (P)
  Mapping Notable Cyber Incidents to Sets
  Relations Between Sets
  Country-Specific Sector Weights (wci)
  Sector-Exposure Relationship (Ycie)
  Exposure-Peril Relationship (Xciep)
  Alternative Method for Directly Estimating Potential Economic Damage
Chapter 4: Case Studies
  Global Cost of Cyber Crime
  Cost of Cyber Crime in the Netherlands (1.27 Percent of GDP)
  Sample Case Study: Lloyd’s Business Blackout
  Sensitivity to the Choice of Probability Distribution Functions
Chapter 5: Conclusion and Next Steps
Appendix A: Estimating the Global Cost of Cyber Risk Calculator User Manual
Appendix B: Review of Model Assumptions
Appendix C: Module Y2 Sector-Exposure Relationship
Appendix D: Advisen Data
Appendix E: Characterizing Attackers and Perils
Appendix F: Potential Expert Elicitation Format
References