A global concern, a common cause 

These ‘known unknowns’ mean that the true scale of economic damage directly attributable to cyber crime cannot be determined through publicly available sources such as news reports and social media posts. Nor are there any official data repositories. 

That said, some academic institutions have developed sophisticated databases that make the researcher’s job easier. (Our report is largely based on data from one of these institutions.) Such databases define what constitutes a cyber attack and standardise the collection of information from across multiple sources. Although the picture of cyber attacks by country remains incomplete, the damage they do on a global scale is coming into sharper focus and more detail is being added all the time.

To some extent, the size of a country's economy can be correlated to the number of cyber attacks it experiences. By using a standardised definition of a ‘cyber attack’ and tracking multiple variables that act as proxies for the development of a digital economy and for economic performance, we can chart a rise in the number of both exploitive and disruptive cyber attacks since 2014. Exploitive attacks are much more frequent than simply disruptive ones – and more harmful.

The existing data suggests that the US continues to be the most common target for attacks; this may be the case, or it might indicate that US companies are more likely to report cyber incidents than are companies in other countries. Both answers are probably true to some extent. 

Looking at industries, the public sector is the most likely to be attacked, followed by the healthcare, information services, and education sectors. These industries all need to handle large volumes of potentially valuable personal information, which lures financially motivated threat actors.

The financial sector has invested heavily in cyber security in recent years, explaining the relatively low volume of successful attacks against it. 

We can now say with certainty that the expansion of the digital economy in recent years – across developed, emerging and frontier economies – has been accompanied by an upward trend in the number of cyber incidents. It is also clear that how damaging these incidents are depends on the affected country’s: 

• level of digital adoption;
• degree of cyber security maturity; and
• culture of open cooperation between the private sector, government departments, regulators and enforcement agencies – or the absence of such a culture.

Our aim with this initial report was to estimate the impact of cyber attacks on the growth of digital economies. We also wanted to understand the impact of cyber attacks on a country’s economic development as measured by GDP. 

This is not a trivial task. Multiple elements must be considered, and our initial study demonstrates the need for further analysis and research.

For example, the analysis we have conducted so far leads us to believe that the more digitised a country is, the more cyber attacks it suffers. We found that an increase of one unit in the level of digital development is linked to an increase in cyber attacks of about 0.035%. This implies that businesses in highly digitised markets are more likely to experience cyber attacks.

We established that an increase in the frequency of cyber attacks of just 1% is associated with an average decrease in GDP of 0.011%. This implies that the average cyber attack tends to cost an economy US$50m.

Details of the techniques we adopted to explore our two central hypotheses, along with additional details of the data used and regressions’ findings, are set out in the full paper.