Skip to main content

Cyber-attacks are costly, but a lack of data and transparency makes it much harder to put a figure on the damage they do to a nation’s economy, as we found when creating our report, Calculating the cost of cyber attacks: An economic analysis of the worldwide impact. In many – if not most – parts of the world, a culture of non-disclosure around cyber security breaches still prevails. Company directors fear the legal, regulatory and reputational consequences of reporting a successful attack. Such cases of ‘hushed up’ cyber incidents are greatly outnumbered by those that go unreported because the victim simply does not know it has been attacked

Your cyber expert
Kevin Groves
Kevin Groves

Sales Director | Cyber Risk

kgroves@thomasmurray.com

These ‘known unknowns’ mean that the true scale of economic damage directly attributable to cybercrime cannot be determined through publicly available sources such as news reports and social media posts. Nor are there any official data repositories. 

That said, some academic institutions have developed sophisticated databases that make the researcher’s job easier. (Our report is largely based on data from one of these institutions.) Such databases define what constitutes a cyber-attack and standardise the collection of information from across multiple sources. Although the picture of cyber-attacks by country remains incomplete, the damage they do on a global scale is coming into sharper focus and more detail is being added all the time.

To some extent, the size of a country's economy can be correlated to the number of cyber-attacks it experiences. By using a standardised definition of a ‘cyber-attack’ and tracking multiple variables that act as proxies for the development of a digital economy and for economic performance, we can chart a rise in the number of both exploitive and disruptive cyber-attacks since 2014. Exploitive attacks are much more frequent than simply disruptive ones – and more harmful.

The existing data suggests that the US continues to be the most common target for attacks; this may be the case, or it might indicate that US companies are more likely to report cyber incidents than are companies in other countries. Both answers are probably true to some extent. 

Looking at industries, the public sector is the most likely to be attacked, followed by the healthcare, information services, and education sectors. These industries all need to handle large volumes of potentially valuable personal information, which lures financially motivated threat actors.

The financial sector has invested heavily in cyber security in recent years, explaining the relatively low volume of successful attacks against it. 

We can now say with certainty that the expansion of the digital economy in recent years – across developed, emerging and frontier economies – has been accompanied by an upward trend in the number of cyber incidents. It is also clear that how damaging these incidents are depends on the affected country’s: 

  • level of digital adoption;
  • degree of cyber security maturity; and
  • culture of open cooperation between the private sector, government departments, regulators and enforcement agencies – or the absence of such a culture.

Our aim with this initial report was to estimate the impact of cyber-attacks on the growth of digital economies. We also wanted to understand the impact of cyber-attacks on a country’s economic development as measured by GDP. 

This is not a trivial task. Multiple elements must be considered, and our initial study demonstrates the need for further analysis and research.

For example, the analysis we have conducted so far leads us to believe that the more digitised a country is, the more cyber-attacks it suffers. We found that an increase of one unit in the level of digital development is linked to an increase in cyber-attacks of about 0.035%. This implies that businesses in highly digitised markets are more likely to experience cyber-attacks.

We established that an increase in the frequency of cyber-attacks of just 1% is associated with an average decrease in GDP of 0.011%. This implies that the average cyber-attack tends to cost an economy US$50m.

Details of the techniques we adopted to explore our two central hypotheses, along with additional details of the data used and regressions’ findings, are set out in the full paper.

Cyber Risk

Cyber Risk

We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.

Learn more

We safeguard clients and their communities

Petroleum Development Oman Pension Fund

Petroleum Development Oman Pension Fund

“Thomas Murray has been a very valuable partner in the selection process of our new custodian for Petroleum Development Oman Pension Fund.”

ATHEX

ATHEX

"Thomas Murray now plays a key role in helping us to detect and remediate issues in our security posture, and to quantify ATHEX's security performance to our directors and customers."

Communities Logo 02

Northern Trust

“Thomas Murray provides Northern Trust with a range of RFP products, services and technology, delivering an efficient and cost-effective solution that frees our network managers up to focus on higher Value activities.”