Resilience is Answer to Major Cyber-attack

Researchers from The Ohio State University measure economic consequences of cyber attacks

In survey results released by Business Insurance last Thursday, risk management professionals believe that their bosses and boards aren’t taking cybersecurity as seriously as they did last year. The report comes just as Dr. Zhenhua Chen from The Ohio State University and Adam Rose from the University of Southern California released a preliminary report of their research examining the major economic consequences of a cyber-attack in terms of GDP and employment.

The survey, the seventh annual released by Zurich Insurance Group Ltd., shows that 62 percent of risk professionals said that their board of directors recognized cyber risk as a significant threat to the organization, down from 83 percent a year ago.

“Cyber-attacks continue to pose an extreme threat to the U.S. — major security breaches in private industry and government are on the rise,” says Dr. Zhenhua Chen, a research fellow of The Risk Institute and assistant professor at The Ohio State University. “These attacks haven’t yet caused major cross-sectorial damage, but the potential is there.”

Cyber-attacks can shut down industrial facilities, critical utilities and infrastructure systems, interfere with military operations, and compromise national security. And it isn’t just supposition, we’ve already seen it happen.

In Ukraine last December, hackers successfully blacked out a portion of the nation’s capital for about an hour. As reported by Wired, cybersecurity researchers discovered “disturbing evidence” that the Kiev attack was almost certainly a dry-run for a much larger attack using “most evolved specimen of grid-sabotaging malware ever observed” outside of a controlled setting.

Chen’s research focuses on answering three questions: 1) what are the economic consequences of cyber-attack measured in terms of GDP and employment? 2) How do the consequences vary when the attacks are targeted among different critical infrastructure sectors, such as manufacturing and cyber sectors? 3) What is the potential of various cyber-resilience tactics to reduce losses?

Chen’s overall research objective is to improve risk management for cyber-threats among both private and public sectors through better understanding of the economic consequence of cyber-attacks and the benefits of various cyber resilience tactics in reducing these consequences.

As a result of an extensive literature review, Chen and his team identified that although a plethora of studies have attempted to identify the economic impact of cyber-attacks, there is a lack of a systematic approach to evaluate economic impacts of cyber-attacks in terms of GDP and employment changes. They also realized that while several studies have addressed pre-disaster approaches to risk reduction (e.g.: mitigation), very few studies have addressed post-disaster approaches to recovering cyber capabilities (e.g.: resilience).

Chen has developed two attack scenarios to assess the direct costs and identify post-attack resiliency options. The first is a hypothetical cyber-attack scenario that assumes the supervisory control and data acquisition (SCADA) system of the auto-manufacturing sector in Michigan is disrupted by a cyber-attack for ten days. The second scenario pertains to a disruption of cyber sectors used by a broad range of industries in the event of a natural disaster such as an earthquake.

Zhenhua Chen is a research fellow at The Risk Institute. The Risk Institute at The Ohio State University’s Fisher College of Business exists to bridge the gap between academia and corporate America. By combining the latest research with the real-world expertise of America’s most forward-thinking companies, the Risk Institute isn’t just reporting risk management’s current trends — it’s creating tomorrow’s best practices.