
The framework for calculating the direct cost of an incident is rather straightforward. The following information needs to be available:

• Number of hours spent in dealing with an incident

• Hourly wage of the people involved in handling an incident

• Number of people affected by an incident

• Hourly wage of the people affected by an incident

• How long the affected people were unable to use computer resources

• Overtime and equipment and software purchased to deal with an incident

If you know all this information, it is a simple matter of multiplying and adding these quantities. If you do this for all incidents within a certain time period, dividing the grand total by the number of incidents gives you the cost estimate for a single incident. The framework is simple enough, but the numbers are still hard to come by. One of the biggest obstacles is to account for all the time spent handling an incident, as well as the number of people affected by it and how long they were not productive. In other words, you are missing the key information.

In reality, the organization can estimate the missing pieces after the IRT is established and starts handling incidents, but what you want is an idea of how much an incident can cost before the IRT is established. Now look at the three examples that provide this estimate.
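As an added illustration of the framework above (example code written for this page, not taken from the book or any study), the following Python applies the six quantities to a few constructed incidents and derives the per-period average. The incident names, hours and wages are hypothetical sample values; the handling side accepts several people at different wages, which the framework implies but does not spell out.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Incident:
    """One incident, described with exactly the quantities the framework requires."""
    name: str
    # (hours spent, hourly wage) for each person involved in handling the incident
    handlers: List[Tuple[float, float]]
    affected_people: int          # number of people affected by the incident
    affected_wage: float          # hourly wage (real or virtual) of the affected people
    downtime_hours: float         # how long they were unable to use computer resources
    extra_costs: float = 0.0      # overtime plus equipment/software bought for the response


def direct_cost(inc: Incident) -> float:
    """Direct cost = handling labour + lost productivity of affected people + extra purchases."""
    handling = sum(hours * wage for hours, wage in inc.handlers)
    lost_productivity = inc.affected_people * inc.affected_wage * inc.downtime_hours
    return handling + lost_productivity + inc.extra_costs


def average_cost(incidents: List[Incident]) -> float:
    """Grand total for a period divided by the number of incidents in that period."""
    if not incidents:
        raise ValueError("no incidents in the period; cannot estimate an average")
    return sum(direct_cost(i) for i in incidents) / len(incidents)


# Constructed sample data (hypothetical figures, not from the book):
# one semester's worth of incidents at an imaginary university IRT.
SAMPLE_INCIDENTS = [
    Incident("malware on lab workstation", [(6, 40.0)], 12, 15.0, 4),
    Incident("web server defacement", [(12, 50.0), (8, 50.0)], 200, 15.0, 2, 300.0),
    Incident("copyright notice", [(1, 40.0)], 1, 15.0, 0),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f"{inc.name:32s} ${direct_cost(inc):>10,.2f}")
    print(f"{'average per incident':32s} ${average_cost(SAMPLE_INCIDENTS):>10,.2f}")
```

Note how the lost-productivity term dominates the defacement case: 200 people idle for two hours outweighs the 20 hours of staff time, which is exactly why the count of affected people and their downtime are the hardest numbers to obtain.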

I-CAMP II Study

The I-CAMP II study focused on the university environment. It had three objectives: [...] First, the study provides guidelines to cost analyze IT incidents in the academic environment. Through the use of a template, IT personnel are able to identify true costs and follow a guide in analyzing them....

Second, the study analyzes the status of the databases of the participating institutions and their categorization schemes for classifying incidents. It also begins the examination of the frequencies of occurrence for specific types of incidents in three different periods of time (periods of high, medium, and low academic activity). Finally, the study provides a categorization scheme as a guide to encourage more incident data gathering and to encourage consistency in the classification process. We will look only at the results related to the first goal: determining the price of an incident.

During the course of the I-CAMP II study, 15 incidents from 18 U.S. universities were analyzed. The universities that were part of the study experienced more than 15 incidents, and the selected incidents were chosen specifically for the purpose of the I-CAMP II study. They are not an indication of how many incidents actually occurred in an individual university.

One of the challenges of the study was to estimate the amount of money that affected students lose because of an incident. Although finding this cost was easy for the staff, because their wages are known, there is no "student wage" that can be used. This student wage is required for the cost framework because students are likely to be affected by an incident (that is, unable to use the computer and network).

The way the I-CAMP study approached the issue of the student's wage was to divide an average cost of studying ($10,000 USD) by the number of study hours per semester (672 hours)[2]. Dividing these two values gives the price of 1 hour of study. The price is $15.00 per hour. What is then assumed is that, if students are unable to study because of an incident, they "lose" $15.00 for every hour not studying. It is important to note that this is not a loss in a direct sense; that is, neither the students nor the university will earn less money or lose actual money. It is a virtual hourly wage created only to enable us to calculate a cost of an incident. Table 2-2 provides information on the average cost of an incident depending on the incident type.

Table 2-2 Average Cost of an Incident in a University Environment

Incident Type          Number of Occurrences   Cost per Incident in USD
Compromised Access     2                        1,800
Hacker Attack          3                        2,100
Harmful Code           3                          980
Denial-of-Service      2                       22,350
Copyright Violation    5                          340

This table shows that the cost of an average incident is approximately $3950 USD (the total cost of all 15 incidents divided by 15, so the average is weighted by the number of occurrences of each type). I-CAMP II was finished in 2000, and the cost figure was valid at that time. Today that figure will be somewhat higher if you adjust it for inflation: approximately $5500 USD in 2010 with inflation of 3.5%.

The different types of incidents have different price tags. In the university environment, denial-of-service (DoS) attacks are the most expensive, whereas copyright violations are the least expensive. This is probably because DoS attacks affect many students, whereas the Recording Industry Association of America (RIAA) cease and desist notices about copyrighted material are handled by a single member of the IRT staff and possibly affect only a few students.

Even though some of the numbers might seem low, it would be wrong to be tempted not to react to an incident. Some can have legal ramifications (for example, copyright violation), whereas others can compromise your intellectual property (for example, system penetration). Recall that Stoll Clifford managed to uncover a spy ring only because of a billing discrepancy of $0.75 USD.
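To make the study's arithmetic reproducible, here is an added Python example (written for this page; it is not code from the I-CAMP II study or the book) that derives the student virtual wage from the figures in the text, computes the Table 2-2 average both weighted by occurrences and unweighted, and applies the 3.5% inflation adjustment. All input numbers come from the text above; the function names are this example's own.

```python
from typing import Dict, Tuple

# Inputs used by the study to derive the "student wage" (values from the text and footnote 2)
AVERAGE_COST_OF_STUDY_USD = 10_000
HOURS_PER_WEEK_PER_CLASS = 12
CLASSES_PER_TERM = 4
MONTHS_PER_SEMESTER = 3.5
WEEKS_PER_MONTH = 4

# Table 2-2: incident type -> (number of occurrences, cost per incident in USD)
TABLE_2_2: Dict[str, Tuple[int, float]] = {
    "Compromised Access": (2, 1_800),
    "Hacker Attack": (3, 2_100),
    "Harmful Code": (3, 980),
    "Denial-of-Service": (2, 22_350),
    "Copyright Violation": (5, 340),
}


def study_hours_per_semester() -> float:
    """Footnote 2: hours/week per class x classes per term x months per semester x weeks per month."""
    return HOURS_PER_WEEK_PER_CLASS * CLASSES_PER_TERM * MONTHS_PER_SEMESTER * WEEKS_PER_MONTH


def student_virtual_wage() -> float:
    """Average cost of studying divided by study hours per semester (the study rounds this to $15)."""
    return AVERAGE_COST_OF_STUDY_USD / study_hours_per_semester()


def weighted_average_cost(table: Dict[str, Tuple[int, float]]) -> float:
    """Total cost of all incidents divided by the total number of incidents (how $3950 arises)."""
    total_cost = sum(n * cost for n, cost in table.values())
    total_incidents = sum(n for n, _ in table.values())
    return total_cost / total_incidents


def unweighted_average_cost(table: Dict[str, Tuple[int, float]]) -> float:
    """Plain mean of the per-type costs; shown only to highlight that the study's figure is weighted."""
    return sum(cost for _, cost in table.values()) / len(table)


def inflation_adjusted(amount: float, annual_rate: float, years: int) -> float:
    """Compound an amount forward at a constant annual inflation rate."""
    return amount * (1 + annual_rate) ** years


if __name__ == "__main__":
    print(f"study hours per semester : {study_hours_per_semester():.0f}")
    print(f"student virtual wage     : ${student_virtual_wage():.2f}/hour")
    print(f"weighted average cost    : ${weighted_average_cost(TABLE_2_2):,.2f}")
    print(f"unweighted average cost  : ${unweighted_average_cost(TABLE_2_2):,.2f}")
    print(f"2000 -> 2010 at 3.5%     : ${inflation_adjusted(3950, 0.035, 10):,.2f}")
```

The gap between the weighted (about $3,950) and unweighted (about $5,514) averages is worth keeping in mind when comparing figures from different studies: two DoS incidents at $22,350 each pull the plain mean up sharply, while the five cheap copyright cases pull the weighted mean down.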

[2] 12 hours/week per class, 4 classes per term, 3.5 months in a semester, and 4 weeks in a month. Multiplying all these values yields the number of studying hours per semester.
