The 2017 cybersecurity survey released by Zurich Insurance Group Ltd., shows that only 62 percent of risk professionals said that their board of directors recognized cyber risk as a significant threat to the organization, down from 83 percent a year ago. The report comes just as Dr. Zhenhua Chen from The Ohio State University and Adam Rose from the University of Southern California released a preliminary report of their research examining the major economic consequences of a cyber-attack in terms of GDP and employment.
Guest Column by Phil Renaud, Executive Director, The Risk Institute at The Ohio State University. Dr. Chen is a research fellow of the Risk Institute and assistant professor of city and regional planning at Ohio State. Chen believes that cyber-attacks continue to pose an extreme threat to the U.S. and that major security breaches in private industry and government are on the rise. Although these attacks haven’t yet caused major cross-sectorial damage, the potential is there because cyber-attacks can shut down industrial facilities, critical utilities and infrastructure systems, interfere with military operations, and compromise national security. Chen argues that this isn’t just supposition, we’ve already seen it happen. In Ukraine, for example, hackers successfully blacked out a portion of the nation’s capital for about an hour. As reported by Wired, cybersecurity researchers discovered “disturbing evidence” that the Kiev attack was almost certainly a dry-run for a much larger attack using “most evolved specimen of grid-sabotaging malware ever observed” outside of a controlled setting.
Chen’s research focuses on answering three questions: (i) what are the economic consequences of cyber-attack measured in terms of GDP and employment; (ii) how do the consequences vary when the attacks are targeted among different critical infrastructure sectors, such as manufacturing and cyber sectors; and (iii) what is the potential of various cyber-resilience tactics to reduce losses? Chen’s overall research objective is to improve risk management for cyber-threats among both private and public sectors through better understanding of the economic consequence of cyber-attacks and the benefits of various cyber resilience tactics in reducing these consequences.
Through an extensive literature review, Chen and his team identified that although a plethora of studies have attempted to identify the economic impact of cyber-attacks, there is a lack of a systematic approach to evaluate economic impacts of cyber-attacks in terms of GDP and employment changes. They also realized that while several studies have addressed pre-disaster approaches to risk reduction (e.g.: mitigation), very few studies have addressed post-disaster approaches to recovering cyber capabilities (i.e., resilience).
Chen has developed two attack scenarios to assess the direct costs and identify post-attack resiliency options. The first is a hypothetical cyber-attack scenario that assumes the supervisory control and data acquisition (SCADA) system of the auto-manufacturing sector in Michigan is disrupted by a cyber-attack for ten days. The second scenario pertains to a disruption of cyber sectors used by a broad range of industries in the event of a natural disaster such as an earthquake. This kind of research will be critical making the field of cybersecurity more resilient in the future.
Phil Renaud
Email: renaud19@osu.edu
Chen’s research focuses on answering three questions: (i) what are the economic consequences of cyber-attack measured in terms of GDP and employment; (ii) how do the consequences vary when the attacks are targeted among different critical infrastructure sectors, such as manufacturing and cyber sectors; and (iii) what is the potential of various cyber-resilience tactics to reduce losses? Chen’s overall research objective is to improve risk management for cyber-threats among both private and public sectors through better understanding of the economic consequence of cyber-attacks and the benefits of various cyber resilience tactics in reducing these consequences.
Through an extensive literature review, Chen and his team identified that although a plethora of studies have attempted to identify the economic impact of cyber-attacks, there is a lack of a systematic approach to evaluate economic impacts of cyber-attacks in terms of GDP and employment changes. They also realized that while several studies have addressed pre-disaster approaches to risk reduction (e.g.: mitigation), very few studies have addressed post-disaster approaches to recovering cyber capabilities (i.e., resilience).
Chen has developed two attack scenarios to assess the direct costs and identify post-attack resiliency options. The first is a hypothetical cyber-attack scenario that assumes the supervisory control and data acquisition (SCADA) system of the auto-manufacturing sector in Michigan is disrupted by a cyber-attack for ten days. The second scenario pertains to a disruption of cyber sectors used by a broad range of industries in the event of a natural disaster such as an earthquake. This kind of research will be critical making the field of cybersecurity more resilient in the future.
Phil Renaud
Email: renaud19@osu.edu
RSS Feed