Title :
Quantifying the financial impact of IT security breaches on business processes
Author :
Martin, Christian ; Kadry, Amina ; Abu-Shady, Ghada
Author_Institution :
Dept. of Bus. Inf., Duale Hochschule Baden-Wurttemberg, Mannheim, Germany
Abstract :
With the rising number of security breaches affecting organizations, it has become crucial for companies to measure the costs of such incidents accurately and to mitigate them in order to quantify their risk exposure and direct IT security investments. However, in the absence of standardized cost calculation methods, quantifying the internal costs of security breaches, as well as the costs of managing them, remains one of the difficulties of security risk analysis. Because companies treat the time employees spend while an affected IT resource is being repaired as idle, they overestimate the costs of security breaches and of lost productivity, which employees perceive as equal to the system downtime. For these reasons, this study suggests a new approach for measuring the negative economic impact associated with such security attack events. The proposed method assumes that employees perform alternative tasks that do not rely on the affected IT resource; hence their time is not considered completely idle, and the total costs decrease accordingly. Early results show that the suggested method yields smaller total costs than the companies' own method when calculating the costs of information security breaches, owing to the reduced idle time; by contrast, cost components arising from delayed work products are typically not captured at all by the companies' method. The results also show how recovery procedures, in terms of dissolving the queues of work tasks that build up during an incident, are performed in the case of information security breaches.
Keywords :
costing; financial data processing; information management; productivity; risk analysis; security of data; IT resource; IT security breaches; cost assessment; cost management; financial impact quantification; information security breaches; information security management; negative economic impact; productivity; reparation process; risk assessment; security attack events; security risk analysis; standardized cost calculation methods; system downtime; Analytical models; Companies; Information security; Productivity; CPN; Colored Petri Nets; Information security breach; cost assessment; information security management; risk assessment; simulation;
Conference_Title :
Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on
Conference_Location :
Toronto, ON
Print_ISBN :
978-1-4799-3502-4
DOI :
10.1109/PST.2014.6890934