The economics of IT risk and reputation
What business continuity and IT security really mean to your organisation
Global Technology Services
Research Report
Risk Management
Findings from the IBM Global Study on the Economic Impact of IT Risk
About the study
The IBM Global Study on the Economic Impact of IT
Risk is the largest independent research study conducted
to date to measure the financial and reputational
consequences of business disruptions caused by business
continuity or IT security failures. The study—a follow-on
to the 2013 IBM Reputational Risk and IT Study—was
sponsored by IBM and independently conducted by
Ponemon Institute®
in July 2013.
Ponemon Institute surveyed 1,069 business continuity
specialists and 1,247 IT security practitioners
representing 20 industries and 37 countries. Most of
the combined group of 2,316 respondents are in the IT
organisation and report directly to the CIO or head of
corporate IT. Respondents at the manager level represent
the largest segment (33 percent), followed by directors
(23 percent) and supervisors (19 percent). More than half
of the respondents are in larger-sized organisations with
more than 5,000 full-time equivalent employees.
Participation was limited to IT professionals whose
job focus is either business continuity, IT security or
both, with decision-making or performance-related
responsibilities. Although most participants are focused
on only one of the IT disciplines, their survey responses
were remarkably similar—with only a few instances of
slight but statistically relevant differences. Therefore, for
the purpose of this analysis and report we have combined
the data from the two sample groups.
The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world.
Location (37 countries): North America 49% (1,125); Europe/Middle East 26% (597); Asia Pacific 15% (353); Latin America 10% (241)
Company sizes: Less than 500 8%; 500 to 1,000 15%; 1,001 to 5,000 23%; 5,001 to 10,000 25%; 10,001 to 25,000 15%; 25,001 to 75,000 9%; More than 75,000 4%
Industries: Banking 19%; Public sector 14%; Healthcare 11%; Retail 10%; IT and technology 9%; Industrial 9%; Consumer goods 7%; Energy and utilities 5%; All others 16%
Job titles: Manager 31%; Director 24%; Supervisor 19%; C-level executive 11%; Staff/technician 10%; Administrative 2%; Contractor 2%
Contents
Introduction
Quantifying the economic impact of disruptions to business and IT operations
The reputational risk and IT connection
Understanding the threat landscape
Building the case for business continuity and IT security investments
Barriers to success
Conclusion and observations
WHAT WOULD YOU DO?
If reputation and brand are important,
make IT risk management a priority.
– Business continuity management supervisor, French
consumer products company
Introduction
When the normal course of operations is disrupted as a
result of IT system failures and cyber attacks, the economic
and reputational costs can be devastating. Even scant
minutes of downtime can be costly. In the context of this
paper, IT risk is the risk associated with the use, ownership,
operation and influence of IT within an organisation. Such
risks include human error, system failures, security breaches
and disruptions to data centre operations such as power
failures and natural disasters.
Understanding the financial consequences of a disruption
can be valuable to determining the resources that should be
invested in preventing or minimising such incidents. It also
can be critical in making the business case to the C-suite
for elevating the priority of business continuity and IT
security activities.
In this study, we measure the financial consequences or
“total cost” resulting from an organisation’s inability to
provide an acceptable level of service in the face of faults
or challenges to normal operations. We also measure and
quantify the reputational consequences—the cost of damage
to a company’s image or brand value as a result of poor
controls, failed processes, IT downtime, data theft and
compliance violations.
The voice of business continuity and IT security
In this survey we asked two optional open-ended questions:
‘What steps should your organisation or industry take to
reduce risks to your organisation posed by IT operations?’
and ‘Looking ahead, what are the changes or trends in the
IT landscape that will most increase reputation risk for
your organisation?’
The responses we received were thoughtful and thought-
provoking—and a number of common themes emerged.
Throughout this paper we will share responses that reflect
those common concerns under one of two headings: ‘What
would you do?’ and ‘Where is the risk?’
Quantifying the economic impact of
disruptions to business and IT operations
A very important objective of this research is to determine
the cost to organisations when there is a disruption
or compromise to business processes or IT services.
Respondents were asked to estimate the costs based on three
discrete levels: minor, moderate and substantial.
Duration. Minor, moderate and substantial disruptions are
classified according to the amount of downtime. As shown in
Figure 1, the average minor incident is 19.7 minutes, while
a substantial incident can be 442.3 minutes or almost a full
eight-hour day of down or idle time. However, some expect
that substantial disruptions could last more than two days.
Likelihood. According to Figure 2, 69 percent of
respondents anticipate that they will experience at least one
or more minor disruptions in the next 24 months, while 23
percent say one or more substantial disruptions could occur
over the same time period. In other words, respondents
believe their organisations are three times more likely to
experience a minor incident than a substantial incident.
Cost. Respondents were asked to consider all direct cash
outlays, direct labour expenditures, indirect labour costs,
overhead costs and lost business opportunities for six
cost categories:
• Cost of users’ idle time and lost productivity because
of downtime or system performance delays
• Cost of forensics to determine the root
causes of disruptions or compromise
• Cost of technical support to restore
systems to an operational state
• Cost associated with reputation and brand damage
• Revenues lost because of system availability problems
• Cost associated with compliance or regulatory failure
Figure 3 reports the average cost per minute of minor,
moderate and substantial disruptions to business and IT
operations. The cost per minute of minor disruptions
is much higher than the per minute cost of substantial
disruptions (US$53,223 versus US$32,229)—reflecting that
the costs for users’ idle time, forensics and technical support
are spread over fewer minutes of downtime (see also Figure
5).
Figure 4 reports the average total costs that could be
incurred as a result of disruptions to business or IT
operations. Even a minor disruption can cost a business
more than US$1 million, and a substantial incident can
escalate to more than US$14 million. However, some
respondents say costs of a severe incident could climb to
more than US$100 million. The estimate is based on the
six cost categories described above. From the perspective
of economic impact, the most significant threats are human
errors, cyber breaches and data loss.
It is important to note that while the average cost of a
minor incident is low relative to a substantial incident, the
high frequency of minor disruptions can mean significant
financial consequences for an organisation over time.
Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions: minor 19.7; moderate 111.8; substantial 442.3
Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months: minor 69%; moderate 37%; substantial 23%
Figure 3. Estimated average cost per minute of disruption (down or idle time): minor $53,210; moderate $38,065; substantial $32,229
Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months: minor $1,046,454; moderate $4,257,357; substantial $14,255,468
The reputational risk and IT connection
If there is any doubt about the importance of an effective
business continuity or IT security program, consider the
financial impact a disruption can have on reputation and
brand value. Figure 5 summarises the allocation of costs
determined by assigning 100 points for minor, moderate and
substantial disruptions. As can be seen, the costs associated
with reputation and brand damage increase in proportion to
the severity of the incident. Accordingly, reputation damages
represent only 2 points for minor versus 37 points for
substantial disruptions to business and IT operations.
The top three costs for all three levels of disruptions
(combined) are (1) cost of users’ idle time, (2) cost of
forensics and (3) cost of technical support. It is interesting to
note that while leadership is believed to be most concerned
about revenue loss because of system availability problems,
it ranks near the bottom of allocated cost in the eyes of
IT professionals.
WHAT WOULD YOU DO?
‘We should change orientation from
reactive to proactive and have a more
mature risk management strategy
in place.’
– IT security director, German technology company
Figure 5. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories.
Allocation of total costs (points):
Cost of users' idle time and lost productivity because of downtime or system performance delays: minor 35; moderate 36; substantial 15
Cost of forensics to determine the root causes of disruptions: minor 25; moderate 20; substantial 9
Cost of technical support to restore systems to an operational state: minor 28; moderate 17; substantial 7
Cost associated with reputation and brand damage: minor 2; moderate 11; substantial 37
Revenues lost because of system availability problems: minor 4; moderate 12; substantial 22
Cost associated with compliance or regulatory failure: minor 5; moderate 4; substantial 10
Drawing from the minor, moderate and substantial cost
allocations indicated previously, we estimate the reputation
and brand-related damages that result from all three
levels of disruption. Figure 6 shows that reputational cost
associated with substantial disruption is almost US$5.3
million. In contrast, reputational costs associated with minor
disruptions are relatively negligible.
Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months: minor $20,929; moderate $468,309; substantial $5,274,523
WHAT WOULD YOU DO?
‘Develop a coherent strategy that aligns
information risk with enterprise risk.’
– Business continuity director, Canadian financial
services company
Reputational threats: perception versus reality
Not so clear cut is the source of IT threats to reputation.
We asked recipients to rank seven common threats in terms
of reputational impact on their organisations. As Figure 7
shows, data breach and disaster top the rankings of threats
respondents think pose the greatest reputational risk, with
IT system failure placing third and human error sixth.
Figure 6. Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months
Figure 7. Common threats ranked in terms of reputational impact: Data breach/data theft 5.5; Natural or manmade disasters 5.2; IT system failure 4.3; Data loss (backup/restore failure) 4.0; Cyber security breach/advanced persistent threats 3.8; Human error 2.6; Third-party partner security breach or system failure 1.2
When respondents were asked whether their organisations
had actually experienced damages to reputation or brand
value and from what cause, the threat ranking is quite
different. As Figure 8 shows, the most significant threats
to reputation based on experience over the last two years
are incidents that involve IT system failures and human
errors, followed by cyber security breaches. Natural or
manmade disasters are far less likely to cause reputation or
brand damages.
Threats that impact reputation and brand value experienced over the past 24 months: IT system failure 66%; Human error 57%; Cyber security breach 46%; Data loss from failed backup/restore 39%; Natural or manmade disasters 23%; Third-party security breach or IT system failure 19%
Understanding the threat landscape
Our survey also probed the threat landscape more broadly
to determine how closely what IT practitioners think will
happen matches their actual experience. Overall, respondent
perceptions about the likelihood of threats occurring are
largely consistent with reported instances of events—with
human error taking the top spot in terms of likelihood,
number of disruptions experienced and projected
financial impact.
Figure 9 shows how respondents ranked seven common
threats in terms of the likelihood of occurrence in their
organisations. While these business continuity and IT
security professionals rank human error as the leading
potential threat, IT system failure, data breach and third-
party partner security breach or system failure are almost
equal leading contenders.
Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of “yes” response)
Figure 9. Common threats ranked in terms of likelihood of occurrence: Human error 5.6; IT system failure 5.2; Data breach/data theft 5.0; Third-party partner security breach or system failure 5.0; Cyber security breach/advanced persistent threats 4.0; Data loss (backup/restore failure) 2.3; Natural or manmade disasters 0.0
Overall, IT professionals are very accurate when it comes
to understanding the general threat landscape. According
to Figure 10, respondents report that in the past two years
they have experienced on average more than nine business
disruptions due to human error—coinciding with the
ranking of the leading perceived threat to business and IT
operations and IT security. In fact, actual occurrence of
incidents caused by human error far exceeds projections.
Data loss due to failed backup/restore is also more
common than projected—and is slightly ahead of
cyber security breaches.
Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats: Human error 9.5; IT system failure 5.5; Third-party partner security breach or system failure 5.4; Data loss from failed backup/restore 4.5; Cyber security breach 4.2; Natural or manmade disasters 1.9
Figure 11. Common threats ranked in terms of economic impact
When evaluating threats in terms of potential economic
impact on an organisation, Figure 11 shows that respondents
are consistent in their ranking of human error as the leading
threat. However, participants believe cyber security breaches
and data theft pose a much greater risk of economic impact
than reputational impact (see also Figure 7).
Common threats ranked in terms of economic impact: Human error 4.7; Cyber security breach/advanced persistent threats 3.9; Data breach/data theft 3.8; Data loss (backup/restore failure) 3.6; IT system failure 3.4; Third-party partner security breach or system failure 2.7; Natural or manmade disasters 1.0
The role of third-party partners: a closer look
Just how much of a threat do vendors and third parties pose
to respondents’ companies? According to 41 (21+20) percent
of respondents (Figure 12), vendor-related mishaps represent
a main source of disruption to business and IT operations
experienced over the past 24 months.
Percentage of disruptions to business and IT operations caused by third parties over the past 24 months. Zero: 1%; <25%: 21%; 26 to 50%: 37%; 51 to 75%: 20%; 76 to 100%: 21%
One reason may be standards. According to Figure 13,
not all vendors and other third parties are required to
comply with the same business continuity and IT security
requirements that respondents’ companies adhere to.
Thirty-one percent of respondents say their companies do
not require vendors and other third parties to comply with
their business continuity requirements, and 40 percent say
their companies do not require partner compliance with
their own IT security standards.
Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months
Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organisation?
Business continuity requirements: Yes 58%; No 31%; Unsure 11%
IT security requirements: Yes 42%; No 40%; Unsure 17%
Building the case for business continuity
and IT security investments
Business continuity and IT security professionals strongly
believe that their disciplines play an important role in their
organisations’ success. Figure 14 reveals an unanticipated
finding of this research: fully 89 percent of respondents
say that protecting intellectual property is a very important
objective of their IT role. We believe this reflects the
increasingly digital nature of intellectual property itself and
the vulnerability of intellectual property to cyber attack or
loss due to IT failures.
Maximising employee productivity (72 percent), minimising
regulatory or legal non-compliance (70 percent) and
enhancing brand value and reputation round out the
top four very important objectives advanced by business
continuity and IT security activities. Based on previous
IBM studies, the fact that in 2013 fully 65 percent of
respondents rate enhancing brand value as “very important”
confirms that recognition of the relationship between IT
risk and reputation risk is continuing to grow among IT
professionals.
WHERE IS THE RISK?
‘What frightens me is the increased use of
social media that can expose corporate IP
and damage reputations.’
– IT security supervisor, United States professional services
company
Figure 14. Business objectives advanced by business continuity and IT security management activities: Protecting intellectual property 89%; Maximising employee productivity 72%; Minimising non-compliance with laws 70%; Enhancing brand value and reputation 65%; Expanding into new global markets 48%; Minimising customer defection 21%; Maximising customer acquisition 14%; Increasing revenues and positive cash flow 9%
The potential damage to reputation and brand value is
also now recognised as an incentive for organisations to
fund business continuity and IT security programs.
Figure 15 reveals that preventing productivity losses,
system downtime and compliance failures and reputation
damages are the factors that contribute most to securing
budget commitments.
Factors that contribute the most to securing budget commitments for business continuity and IT security: Productivity loss 44%; System or application downtime 37%; Compliance/regulatory failure 34%; Reputation damage 30%; Information loss or theft 22%; Performance degradation 17%
WHERE IS THE RISK?
‘Elevating IT risk management issues
requires C-suite support, and this is
difficult to accomplish.’
– IT security manager, Argentinean services company
While respondents recognise the importance of minimising
IT risks because of potential threats to reputation and brand,
they don’t believe their leaders hold that same perception.
Figure 16 reports only 32 percent of respondents say their
company’s leaders recognise that IT risks affect brand image
and 35 percent say it impacts reputation. Half (50 percent)
of respondents believe their organisation’s leaders do not
recognise that IT risks affect revenues.
Figure 15. Factors that contribute the most to securing budget commitments for business continuity and IT security
Figure 16. Do organisational leaders recognise the economic and reputational impact of disruption to business and IT operations? (strongly agree and agree responses combined): Leaders recognise that IT risks affect revenues 50%; Leaders recognise that IT risks affect reputation 35%; Leaders recognise that IT risks affect brand image 32%
Barriers to success
Respondents say that the most significant barriers to
achieving highly effective business continuity and IT security
management programs are funding deficits, emergence of
disruptive technologies, lack of knowledgeable staff and
business process complexity (Figure 17).
Barriers to achieving a highly effective business continuity or IT security program: Lack of funding 37%; Disruptive technologies (mobility, cloud) 32%; Lack of expert or knowledgeable staff 28%; Complexity of business processes 19%; Insufficient planning and preparedness 17%; Silos and turf thinking 17%
While planning, preparedness, silos and territorial thinking
were only cited by 17 percent of respondents, answers to
two other questions suggest that these factors may indeed
play a stronger role in the success or failure of business
continuity and IT security programs. According to Figure
18, a majority of respondents state their companies do not
have a formal strategy for business continuity or IT security
management across the enterprise (and this impacts the
effectiveness of these IT operations).
Figure 17. Barriers to achieving a highly effective business continuity or IT security program
Figure 18. Organisational approach to business continuity and IT security strategy: Formal strategy applied consistently 17%; Formal strategy, but is not applied consistently 27%; Informal or "ad hoc" strategy 26%; We don't have a strategy 31%
The results summarised in Figure 19 indicate respondents
are unable to achieve a high level of collaboration. The fact
that 44 percent believe collaboration between their function
and other business or IT functions is either poor or non-
existent suggests that silos and turf thinking play a stronger
role in hindering success than IT professionals are willing
to recognise.
Collaboration between business continuity, IT security and other business or IT functions: Collaboration is excellent 24%; Collaboration is adequate, but can be improved 31%; Collaboration is poor or non-existent 44%; Cannot determine 2%
Our research findings also suggest that there is no clear
best practice when it comes to overall responsibility for
preventing disruptions to IT operations. The most likely
candidate, the chief information officer (CIO), was named
by only 28 percent of the respondents (Figure 20). The
next largest segment, business unit leader, is outside of the
IT organisation altogether, and the third ranked choice
is “no one person” at 11 percent. This fragmentation of
responsibility may also be a barrier to success.
Figure 20. Ownership of overall responsibility for directing efforts to ensure that IT operations are not disrupted: Chief information officer (CIO) 28%; Business unit leader 20%; Data centre manager 10%; Business continuity manager 7%; Disaster recovery manager 6%; Chief information security officer (CISO) 5%; No one person has overall responsibility 11%
Figure 19. Degree of collaboration between business continuity, IT security
and other business or IT functions
Conclusion and observations
The economic impact of business continuity and IT security
failures can be significant, ranging on average from US$1
million for a minor disruption lasting 20 minutes to more
than US$14M for a substantial disruption lasting close to
8 hours. Minor disruptions are more likely to happen than
substantial ones—yet the price tag for even a single minor
event is liable to outweigh the cost of prevention.
Business continuity and IT security professionals recognise
that the costs associated with reputation and brand damage
resulting from substantial events are also significant. On
average, they estimate that reputation-related costs alone
will exceed US$5 million over the next 24 months. While
65 percent of survey respondents think business continuity
and IT security management can enhance brand value
and reputation, less than 35 percent think that upper
management shares this view.
This means business continuity and IT security professionals
need to build a stronger business case for investments in IT
controls that can help prevent downtime, data loss, cyber
security breaches and the resulting loss of productivity
and damage to reputation. One place to start is with a
rigorous assessment of the actual root causes at work in
the organisation, then connecting spend with potential
financial consequences that can be averted. This approach
can provide a foundation for establishing business-related
metrics to measure effectiveness and provide further
budget justification.
Putting IT risk prevention into the business language
of cost-benefit analysis can not only help elevate the
discussion but also help educate leadership on the sources
of risk. This is particularly important given that the greatest
single cause of both disruption and economic impact is
human error—which is not an issue that IT alone can
address. While IT can invest in processes such as change
management or automated data backup that can help reduce
the opportunity for human error, educating end users and
developing a security-aware and -compliant culture requires
an enterprise-wide effort with top-down leadership.
For more information
To learn more about how IBM can help you protect
your organisation’s reputation by strengthening IT risk
management, contact your IBM representative or IBM
Business Partner, or visit the following website:
ibm.com/services/riskstudy/uk
Limitations
There are inherent limitations to survey research that need
to be carefully considered before drawing inferences from
the presented findings. The following items are specific
limitations that are germane to most survey-based research
studies.
Non-response bias: The current findings are based on a
sample of survey returns. We sent surveys to a representative
sample of business continuity management, IT and IT
security practitioners in numerous countries, resulting in a
large number of usable returned responses. Despite non-
response tests, it is always possible that individuals who
did not participate are substantially different in terms of
underlying beliefs from those who completed the survey.
Sampling-frame bias: The accuracy of survey results is
dependent upon the degree to which our sampling frames
are representative of individuals who are business continuity
management, IT or IT security practitioners within the
sample of countries selected.
Self-reported results: The quality of survey research is
based on the integrity of confidential responses received
from respondents. While certain checks and balances were
incorporated into our survey evaluation process including
sanity checks, there is always the possibility that some
responders did not provide truthful responses.
IBM United Kingdom Limited
PO Box 41, North Harbour
Portsmouth, Hampshire PO6 3AU
United Kingdom
IBM Ireland Limited
Oldbrook House
24-32 Pembroke Road
Dublin 4
IBM Ireland registered in Ireland under company number 16226.
IBM, the IBM logo and ibm.com are trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at
ibm.com/legal/copytrade.shtml
The content in this document is current as of the initial date of
publication and may be changed by IBM at any time. Not all offerings
are available in every country in which IBM operates.
© Copyright IBM Corporation 2013
Please Recycle
RLW03022-GBEN-00

10 Security Essentials Every CxO Should Know10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
 
Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
 
Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...
 
Bordless Breaches and Migrating Malware
Bordless Breaches and Migrating MalwareBordless Breaches and Migrating Malware
Bordless Breaches and Migrating Malware
 
Security Principles for CEOs
Security Principles for CEOsSecurity Principles for CEOs
Security Principles for CEOs
 
Avoiding the Data Compliance "Hot Seat"
Avoiding the Data Compliance "Hot Seat"Avoiding the Data Compliance "Hot Seat"
Avoiding the Data Compliance "Hot Seat"
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive DataX-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
 
Must Know Cyber Security Stats of 2016
Must Know Cyber Security Stats of 2016Must Know Cyber Security Stats of 2016
Must Know Cyber Security Stats of 2016
 
Cybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityCybersecurity in the Age of Mobility
Cybersecurity in the Age of Mobility
 
5 Steps to Successful BYOD Implementation
5 Steps to Successful BYOD Implementation5 Steps to Successful BYOD Implementation
5 Steps to Successful BYOD Implementation
 
Peter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive SecurityPeter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive Security
 

Similar to The Economics of IT Risk and Reputation

Analyzing and managing reputational risk
Analyzing and managing reputational riskAnalyzing and managing reputational risk
Analyzing and managing reputational riskDawn Simpson
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
Top 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for BusinessesTop 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for Businesses- Mark - Fullbright
 
Data security risks and the cost of business continuity (slideshare) tmcs q...
Data security risks and the cost of business continuity (slideshare)   tmcs q...Data security risks and the cost of business continuity (slideshare)   tmcs q...
Data security risks and the cost of business continuity (slideshare) tmcs q...tmcscs
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
Compuware Marketing- Annual Report
Compuware Marketing- Annual ReportCompuware Marketing- Annual Report
Compuware Marketing- Annual ReportKaleidico
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarLumension
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfdotco
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Graeme Cross
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Shared Service Centers: Risks & Rewards in the Time of Coronavirus
Shared Service Centers: Risks & Rewards in the Time of CoronavirusShared Service Centers: Risks & Rewards in the Time of Coronavirus
Shared Service Centers: Risks & Rewards in the Time of CoronavirusCognizant
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseThe Economist Media Businesses
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperrickkaun
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedJames Blake
 

Similar to The Economics of IT Risk and Reputation (20)

BCI Counting The Cost
BCI Counting The CostBCI Counting The Cost
BCI Counting The Cost
 
Analyzing and managing reputational risk
Analyzing and managing reputational riskAnalyzing and managing reputational risk
Analyzing and managing reputational risk
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
Top 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for BusinessesTop 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for Businesses
 
Data security risks and the cost of business continuity (slideshare) tmcs q...
Data security risks and the cost of business continuity (slideshare)   tmcs q...Data security risks and the cost of business continuity (slideshare)   tmcs q...
Data security risks and the cost of business continuity (slideshare) tmcs q...
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
Compuware Marketing- Annual Report
Compuware Marketing- Annual ReportCompuware Marketing- Annual Report
Compuware Marketing- Annual Report
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint Webinar
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Shared Service Centers: Risks & Rewards in the Time of Coronavirus
Shared Service Centers: Risks & Rewards in the Time of CoronavirusShared Service Centers: Risks & Rewards in the Time of Coronavirus
Shared Service Centers: Risks & Rewards in the Time of Coronavirus
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - Published
 

More from IBM Security

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...IBM Security
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware IBM Security
 

More from IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 

Recently uploaded

Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...Any kyc Account
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 

Recently uploaded (20)

Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...

The Economics of IT Risk and Reputation

  • 1. The economics of IT risk and reputation: What business continuity and IT security really mean to your organisation. Global Technology Services. Research Report. Risk Management. Findings from the IBM Global Study on the Economic Impact of IT Risk
  • 2. About the study The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study—a follow-on to the 2013 IBM Reputational Risk and IT Study—was sponsored by IBM and independently conducted by Ponemon Institute® in July 2013. Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organisation and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organisations with more than 5,000 full-time equivalent employees. Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups. The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world. 
Location (37 countries): North America 49% (1,125); Europe/Middle East 26% (597); Asia Pacific 15% (353); Latin America 10% (241).
Company sizes: Less than 500: 8%; 500 to 1,000: 15%; 1,001 to 5,000: 23%; 5,001 to 10,000: 25%; 10,001 to 25,000: 15%; 25,001 to 75,000: 9%; More than 75,000: 4%.
Industries: Banking 19%; Public sector 14%; Healthcare 11%; Retail 10%; IT and technology 9%; Industrial 9%; Consumer goods 7%; Energy and utilities 5%; All others 16%.
Job titles: Manager 31%; Director 24%; Supervisor 19%; C-level executive 11%; Staff/technician 10%; Administrative 2%; Contractor 2%.
  • 3. Contents: 3 Introduction; 4 Quantifying the economic impact of disruptions to business and IT operations; 6 The reputational risk and IT connection; 8 Understanding the threat landscape; 11 Building the case for business continuity and IT security investments; 13 Barriers to success; 15 Conclusion and observations.
WHAT WOULD YOU DO? ‘If reputation and brand are important, make IT risk management a priority.’ – Business continuity management supervisor, French consumer products company
Introduction
When the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly. In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organisation. Such risks include human error, system failures, security breaches and disruptions to data centre operations such as power failures and natural disasters. Understanding the financial consequences of a disruption can be valuable to determining the resources that should be invested in preventing or minimising such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities. In this study, we measure the financial consequences or “total cost” resulting from an organisation’s inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences—the cost of damage to a company’s image or brand value as a result of poor controls, failed processes, IT downtime, data theft and compliance violations.
The voice of business continuity and IT security
In this survey we asked two optional open-ended questions: ‘What steps should your organisation or industry take to reduce risks to your organisation posed by IT operations?’ and ‘Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organisation?’ The responses we received were thoughtful and thought-provoking—and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: ‘What would you do?’ and ‘Where is the risk?’
  • 4. Quantifying the economic impact of disruptions to business and IT operations
A very important objective of this research is to determine the cost to organisations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial.
Duration. Minor, moderate and substantial disruptions are classified according to the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be 442.3 minutes or almost a full eight-hour day of down or idle time. However, some expect that substantial disruptions could last more than two days.
Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organisations are three times more likely to experience a minor incident than a substantial incident.
Cost. Respondents were asked to consider all direct cash outlays, direct labour expenditures, indirect labour costs, overhead costs and lost business opportunities for six cost categories:
      • Cost of users’ idle time and lost productivity because of downtime or system performance delays
      • Cost of forensics to determine the root causes of disruptions or compromise
      • Cost of technical support to restore systems to an operational state
      • Cost associated with reputation and brand damage
      • Revenues lost because of system availability problems
      • Cost associated with compliance or regulatory failure
Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per minute cost of substantial disruptions (US$53,223 versus US$32,229)—reflecting that the costs for users’ idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5).
Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above.
From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss. It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organisation over time.
  • 5. Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions: minor 19.7; moderate 111.8; substantial 442.3.
Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months: minor 69%; moderate 37%; substantial 23%.
Figure 3. Estimated average cost per minute of disruption (down or idle time): minor $53,210; moderate $38,065; substantial $32,229.
Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months: minor $1,046,454; moderate $4,257,357; substantial $14,255,468.
  • 6. The reputational risk and IT connection
If there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarises the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations. The top three costs for all three levels of disruptions (combined) are (1) cost of users’ idle time, (2) cost of forensics and (3) cost of technical support. It is interesting to note that while leadership is believed to be most concerned about revenue loss because of system availability problems, it ranks near the bottom of allocated cost in the eyes of IT professionals.
WHAT WOULD YOU DO? ‘We should change orientation from reactive to proactive and have a more mature risk management strategy in place.’ – IT security director, German technology company
Figure 5. Allocation of total costs. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories. Points (minor / moderate / substantial):
      • Cost of users' idle time and lost productivity because of downtime or system performance delays: 35 / 36 / 15
      • Cost of forensics to determine the root causes of disruptions: 25 / 20 / 9
      • Cost of technical support to restore systems to an operational state: 28 / 17 / 7
      • Cost associated with reputation and brand damage: 2 / 11 / 37
      • Revenues lost because of system availability problems: 4 / 12 / 22
      • Cost associated with compliance or regulatory failure: 5 / 4 / 10
  • 7. Drawing from the minor, moderate and substantial cost allocations indicated previously, we estimate the reputation and brand-related damages that result from all three levels of disruption. Figure 6 shows that reputational cost associated with substantial disruption is almost US$5.3 million. In contrast, reputational costs associated with minor disruptions are relatively negligible.
Figure 6. Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months: minor $20,929; moderate $468,309; substantial $5,274,523.
WHAT WOULD YOU DO? ‘Develop a coherent strategy that aligns information risk with enterprise risk.’ – Business continuity director, Canadian financial services company
Reputational threats: perception versus reality
Not so clear cut is the source of IT threats to reputation. We asked recipients to rank seven common threats in terms of reputational impact on their organisations. As Figure 7 shows, data breach and disaster top the rankings of threats respondents think pose the greatest reputational risk, with IT system failure placing third and human error sixth.
Figure 7. Common threats ranked in terms of reputational impact: Data breach/data theft 5.5; Natural or manmade disasters 5.2; IT system failure 4.3; Data loss (backup/restore failure) 4.0; Cyber security breach/advanced persistent threats 3.8; Human error 2.6; Third-party partner security breach or system failure 1.2.
  • 8. When respondents were asked whether their organisations had actually experienced damages to reputation or brand value and from what cause, the threat ranking is quite different. As Figure 8 shows, the most significant threats to reputation based on experience over the last two years are incidents that involve IT system failures and human errors, followed by cyber security breaches. Natural or manmade disasters are far less likely to cause reputation or brand damages.
Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of “yes” response): IT system failure 66%; Human error 57%; Cyber security breach 46%; Data loss from failed backup/restore 39%; Natural or manmade disasters 23%; Third-party security breach or IT system failure 19%.
Understanding the threat landscape
Our survey also probed the threat landscape more broadly to determine how closely what IT practitioners think will happen matches their actual experience. Overall, respondent perceptions about the likelihood of threats occurring are largely consistent with reported instances of events—with human error taking the top spot in terms of likelihood, number of disruptions experienced and projected financial impact. Figure 9 shows how respondents ranked seven common threats in terms of the likelihood of occurrence in their organisations. While these business continuity and IT security professionals rank human error as the leading potential threat, IT system failure, data breach and third-party partner security breach or system failure are almost equal leading contenders.
Figure 9. Common threats ranked in terms of likelihood of occurrence: Human error 5.6; IT system failure 5.2; Data breach/data theft 5.0; Third-party partner security breach or system failure 5.0; Cyber security breach/advanced persistent threats 4.0; Data loss (backup/restore failure) 2.3; Natural or manmade disasters 0.0.
  • 9. Overall, IT professionals are very accurate when it comes to understanding the general threat landscape. According to Figure 10, respondents report that in the past two years they have experienced on average more than nine business disruptions due to human error—coinciding with the ranking of the leading perceived threat to business and IT operations and IT security. In fact, actual occurrence of incidents caused by human error far exceeds projections. Data loss due to failed backup/restore is also more common than projected—and is slightly ahead of cyber security breaches.
Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats: Human error 9.5; IT system failure 5.5; Third-party partner security breach or system failure 5.4; Data loss from failed backup/restore 4.5; Cyber security breach 4.2; Natural or manmade disasters 1.9.
When evaluating threats in terms of potential economic impact on an organisation, Figure 11 shows that respondents are consistent in their ranking of human error as the leading threat. However, participants believe cyber security breaches and data theft pose a much greater risk of economic impact than reputational impact (see also Figure 7).
Figure 11. Common threats ranked in terms of economic impact: Human error 4.7; Cyber security breach/advanced persistent threats 3.9; Data breach/data theft 3.8; Data loss (backup/restore failure) 3.6; IT system failure 3.4; Third-party partner security breach or system failure 2.7; Natural or manmade disasters 1.0.
  • 10. The role of third-party partners: a closer look
Just how much of a threat do vendors and third parties pose to respondents’ companies? According to 41 (21+20) percent of respondents (Figure 12), vendor-related mishaps represent a main source of disruption to business and IT operations experienced over the past 24 months.
Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months (share of respondents): Zero 1%; <25% 21%; 26 to 50% 37%; 51 to 75% 20%; 76 to 100% 21%.
One reason may be standards. According to Figure 13, not all vendors and other third parties are required to comply with the same business continuity and IT security requirements that respondents’ companies adhere to. Thirty-one percent of respondents say their companies do not require vendors and other third parties to comply with their business continuity requirements, and 40 percent say their companies do not require partner compliance with their own IT security standards.
Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organisation?
      • Business continuity requirements: Yes 58%; No 31%; Unsure 11%
      • IT security requirements: Yes 42%; No 40%; Unsure 17%
  • 11. Building the case for business continuity and IT security investments
Business continuity and IT security professionals strongly believe that their disciplines play an important role in their organisations’ success. Figure 14 reveals an unanticipated finding of this research: fully 89 percent of respondents say that protecting intellectual property is a very important objective of their IT role. We believe this reflects the increasingly digital nature of intellectual property itself and the vulnerability of intellectual property to cyber attack or loss due to IT failures. Maximising employee productivity (72 percent), minimising regulatory or legal non-compliance (70 percent) and enhancing brand value and reputation round out the top four very important objectives advanced by business continuity and IT security activities. Based on previous IBM studies, the fact that in 2013 fully 65 percent of respondents rate enhancing brand value as “very important” confirms that recognition of the relationship between IT risk and reputation risk is continuing to grow among IT professionals.
WHERE IS THE RISK? ‘What frightens me is the increased use of social media that can expose corporate IP and damage reputations.’ – IT security supervisor, United States professional services company
Figure 14. Business objectives advanced by business continuity and IT security management activities: Protecting intellectual property 89%; Maximising employee productivity 72%; Minimising non-compliance with laws 70%; Enhancing brand value and reputation 65%; Expanding into new global markets 48%; Minimising customer defection 21%; Maximising customer acquisition 14%; Increasing revenues and positive cash flow 9%.
  • 12. The potential damage to reputation and brand value is also now recognised as an incentive for organisations to fund business continuity and IT security programs. Figure 15 reveals that preventing productivity losses, system downtime and compliance failures and reputation damages are the factors that contribute most to securing budget commitments.
Figure 15. Factors that contribute the most to securing budget commitments for business continuity and IT security: Productivity loss 44%; System or application downtime 37%; Compliance/regulatory failure 34%; Reputation damage 30%; Information loss or theft 22%; Performance degradation 17%.
WHERE IS THE RISK? ‘Elevating IT risk management issues requires C-suite support, and this is difficult to accomplish.’ – IT security manager, Argentinean services company
While respondents recognise the importance of minimising IT risks because of potential threats to reputation and brand, they don’t believe their leaders hold that same perception. Figure 16 reports only 32 percent of respondents say their company’s leaders recognise that IT risks affect brand image and 35 percent say it impacts reputation. Half (50 percent) of respondents believe their organisation’s leaders do not recognise that IT risks affect revenues.
Figure 16. Do organisational leaders recognise the economic and reputational impact of disruption to business and IT operations? (strongly agree and agree responses combined): Leaders recognise that IT risks affect revenues 50%; Leaders recognise that IT risks affect reputation 35%; Leaders recognise that IT risks affect brand image 32%.
  • 13. Barriers to success
Respondents say that the most significant barriers to achieving highly effective business continuity and IT security management programs are funding deficits, emergence of disruptive technologies, lack of knowledgeable staff and business process complexity (Figure 17).
Figure 17. Barriers to achieving a highly effective business continuity or IT security program: Lack of funding 37%; Disruptive technologies (mobility, cloud) 32%; Lack of expert or knowledgeable staff 28%; Complexity of business processes 19%; Insufficient planning and preparedness 17%; Silos and turf thinking 17%.
While planning, preparedness, silos and territorial thinking were only cited by 17 percent of respondents, answers to two other questions suggest that these factors may indeed play a stronger role in the success or failure of business continuity and IT security programs. According to Figure 18, a majority of respondents state their companies do not have a formal strategy for business continuity or IT security management across the enterprise (and this impacts the effectiveness of these IT operations).
Figure 18. Organisational approach to business continuity and IT security strategy: Formal strategy applied consistently 17%; Formal strategy, but is not applied consistently 27%; Informal or "ad hoc" strategy 26%; We don't have a strategy 31%.
  • 14. The results summarised in Figure 19 indicate respondents are unable to achieve a high level of collaboration. The fact that 44 percent believe collaboration between their function and other business or IT functions is either poor or non-existent suggests that silos and turf thinking play a stronger role in hindering success than IT professionals are willing to recognise.
Figure 19. Degree of collaboration between business continuity, IT security and other business or IT functions: Collaboration is excellent 24%; Collaboration is adequate, but can be improved 31%; Collaboration is poor or non-existent 44%; Cannot determine 2%.
Our research findings also suggest that there is no clear best practice when it comes to overall responsibility for preventing disruptions to IT operations. The most likely candidate, the chief information officer (CIO), was named by only 28 percent of the respondents (Figure 20). The next largest segment, business unit leader, is outside of the IT organisation altogether, and the third ranked choice is “no one person” at 11 percent. This fragmentation of responsibility may also be a barrier to success.
Figure 20. Ownership of overall responsibility for directing efforts to ensure that IT operations are not disrupted: Chief information officer (CIO) 28%; Business unit leader 20%; Data centre manager 10%; Business continuity manager 7%; Disaster recovery manager 6%; Chief information security officer (CISO) 5%; No one person has overall responsibility 11%.
  • 15. Conclusion and observations
The economic impact of business continuity and IT security failures can be significant, ranging on average from US$1 million for a minor disruption lasting 20 minutes to more than US$14M for a substantial disruption lasting close to 8 hours. Minor disruptions are more likely to happen than substantial ones—yet the price tag for even a single minor event is liable to outweigh the cost of prevention.
Business continuity and IT security professionals recognise that the costs associated with reputation and brand damage resulting from substantial events are also significant. On average, they estimate that reputation-related costs alone will exceed US$5 million over the next 24 months.
While 65 percent of survey respondents think business continuity and IT security management can enhance brand value and reputation, less than 35 percent think that upper management shares this view. This means business continuity and IT security professionals need to build a stronger business case for investments in IT controls that can help prevent downtime, data loss, cyber security breaches and the resulting loss of productivity and damage to reputation.
One place to start is with a rigorous assessment of the actual root causes at work in the organisation, then connecting spend with potential financial consequences that can be averted. This approach can provide a foundation for establishing business-related metrics to measure effectiveness and provide further budget justification.
Putting IT risk prevention into the business language of cost-benefit analysis can not only help elevate the discussion but also help educate leadership on the sources of risk. This is particularly important given that the greatest single cause of both disruption and economic impact is human error—which is not an issue that IT alone can address. While IT can invest in processes such as change management or automated data backup that can help reduce the opportunity for human error, educating end users and developing a security-aware and -compliant culture requires an enterprise-wide effort with top-down leadership.
For more information
To learn more about how IBM can help you protect your organisation’s reputation by strengthening IT risk management, contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/services/riskstudy/uk
  • 16. Limitations
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of business continuity management, IT and IT security practitioners in numerous countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are business continuity management, IT or IT security practitioners within the sample of countries selected.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some responders did not provide truthful responses.
IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU, United Kingdom
IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4
IBM Ireland registered in Ireland under company number 16226.
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
The content in this document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
© Copyright IBM Corporation 2013
RLW03022-GBEN-00