Addressing the gap in measuring the harm of cyberattacks

Event report

The current cyber threat landscape is increasingly complex, with ransomware and data breaches representing the main cyberattacks, followed by an increase in distributed denial of service (DDoS) cyberattacks in conflict zones such as in Ukraine. As a complex landscape, policymakers need to understand it and base their policy development efforts on empirical assessments of the impact of cyberattacks. To this extent, it is crucial to not only assess the economic impact of cyberattacks, but also their societal one. 

When it comes to cyberattacks, we have witnessed a significant lack of data regarding where, how, and why these attacks happen, but most importantly the societal impact of these attacks on individuals and vulnerable communities. Indeed, while much effort has been focused on documenting cyberattacks and their economic impact, less attention has been paid to documenting the harm of cyberattacks on people, communities, and societies. To this extent, there is an increasing need to develop a ‘harm methodology’ with quantitative and qualitative indicators meant to measure, show, and be the basis for empirical analysis of the societal harm and impact of cyberattacks. We need a taxonomy of cyber harm where all stakeholders can contribute with information to notify the next steps in developing effective legislation, in pushing the private sector in increasing security standards, as well as in informing civil society to help victims. Measuring harm to individuals, especially psychological harm, for instance, can hardly be easily quantifiable and requires important efforts by all actors in ensuring an effective measurement and translation in quantifiable terms. If we are able to show how cyberattacks pose a threat to the security and safety of individuals, we can hope that more resources are invested into remediation and redress. Human security should indeed be seen as a continuation of national and critical security.

The effects of cyberattacks are localised so it is hard to bring them to the global agenda where it requires global support. Measuring harm needs to be part of a bigger project with all parties involved where silos are broken: governments introducing new legislation, the private sector creating new security standards, and civil society supporting victims. Further communities to be involved in the assessment and follow-up actions are economists and mathematicians, for their expertise in creating a model that quantifies qualitative variables; policymakers who will develop related legislations; the private sector as it is the one providing technology and services; and academia that is in the position to evaluate successful practice.

Finally, to ensure that assessing the societal harm of cyberattacks is impactful, it is essential to change the focus from simple analysis to concrete actions.

By Stefania Grottola

The session in keywords