Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
The Economics of IT Risk and Reputation
1. The economics of IT risk and reputation
What business continuity and IT security really mean to your organisation
Global Technology Services
Research Report
Risk Management
Findings from the IBM Global Study on the Economic Impact of IT Risk
2. About the study
The IBM Global Study on the Economic Impact of IT
Risk is the largest independent research study conducted
to date to measure the financial and reputational
consequences of business disruptions caused by business
continuity or IT security failures. The study—a follow-on
to the 2013 IBM Reputational Risk and IT Study—was
sponsored by IBM and independently conducted by
Ponemon Institute®
in July 2013.
Ponemon Institute surveyed 1,069 business continuity
specialists and 1,247 IT security practitioners
representing 20 industries and 37 countries. Most of
the combined group of 2,316 respondents are in the IT
organisation and report directly to the CIO or head of
corporate IT. Respondents at the manager level represent
the largest segment (33 percent), followed by directors
(23 percent) and supervisors (19 percent). More than half
of the respondents are in larger-sized organisations with
more than 5,000 full-time equivalent employees.
Participation was limited to IT professionals whose
job focus is either business continuity, IT security or
both, with decision-making or performance-related
responsibilities. Although most participants are focused
on only one of the IT disciplines, their survey responses
were remarkably similar—with only a few instances of
slight but statistically relevant differences. Therefore, for
the purpose of this analysis and report we have combined
the data from the two sample groups.
The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business
continuity and IT security professionals from around the world.
North America 49%
1,125
Europe/Middle East 26%
597
Asia Pacific 15%
353
Latin America 10%
241
Less than 500 8%
500 to 1,000 15%
10,001 to 25,000 15%
25,001 to 75,000 9%
1,001 to 5,000 23%
5,001 to 10,000 25%
More than 75,000 4%
Location (37 countries) Company sizes
Banking 19%
Healthcare 11%
IT and technology 9%
Industrial 9%
Director 24%
Staff/technician 10%
Supervisor 19%
C-level executive 11%
Industries Job titles
Public sector 14%
Retail 10%
Consumer goods 7%
Energy and utilities 5%
All others 16%
Manager 31%
Administrative 2%
Contractor 2%
3. Contents
3 Introduction
4 Quantifying the economic impact of disruptions to
business and IT operations
6 The reputational risk and IT connection
8 Understanding the threat landscape
11 Building the case for business continuity and IT
security investments
13 Barriers to success
15 Conclusion and observations
WHAT WOULD YOU DO?
If reputation and brand are important,
make IT risk management a priority.
– Business continuity management supervisor, French
consumer products company
Introduction
When the normal course of operations is disrupted as a
result of IT system failures and cyber attacks, the economic
and reputational costs can be devastating. Even scant
minutes of downtime can be costly. In the context of this
paper, IT risk is the risk associated with the use, ownership,
operation and influence of IT within an organisation. Such
risks include human error, system failures, security breaches
and disruptions to data centre operations such as power
failures and natural disasters.
Understanding the financial consequences of a disruption
can be valuable to determining the resources that should be
invested in preventing or minimising such incidents. It also
can be critical in making the business case to the C-suite
for elevating the priority of business continuity and IT
security activities.
In this study, we measure the financial consequences or
“total cost” resulting from an organisation’s inability to
provide an acceptable level of service in the face of faults
or challenges to normal operations. We also measure and
quantify the reputational consequences—the cost of damage
to a company’s image or brand value as a result of poor
controls, failed processes, IT downtime, data theft and
compliance violations.
The voice of business continuity and IT security
In this survey we asked two optional open-ended questions:
‘What steps should your organisation or industry take to
reduce risks to your organisation posed by IT operations?’
and ‘Looking ahead, what are the changes or trends in the
IT landscape that will most increase reputation risk for
your organisation?’
The responses we received were thoughtful and thought-
provoking—and a number of common themes emerged.
Throughout this paper we will share responses that reflect
those common concerns under one of two headings: ‘What
would you do?’ and ‘Where is the risk?’
Risk Management 3
4. Quantifying the economic impact of
disruptions to business and IT operations
A very important objective of this research is to determine
the cost to organisations when there is a disruption
or compromise to business processes or IT services.
Respondents were asked to estimate the costs based on three
discrete levels: minor, moderate and substantial.
Duration. Minor, moderate and substantial disruptions are
classified according the amount of downtime. As shown in
Figure 1, the average minor incident is 19.7 minutes, while
a substantial incident can be 442.3 minutes or almost a full
eight-hour day of down or idle time. However, some expect
that substantial disruptions could last more than two days.
Likelihood. According to Figure 2, 69 percent of
respondents anticipate that they will experience at least one
or more minor disruptions in the next 24 months, while 23
percent say one or more substantial disruptions could occur
over the same time period. In other words, respondents
believe their organisations are three times more likely to
experience a minor incident than a substantial incident.
Cost. Respondents were asked to consider all direct cash
outlays, direct labour expenditures, indirect labour costs,
overhead costs and lost business opportunities for six
cost categories:
• Cost of users’ idle time and lost productivity because
of downtime or system performance delays
• Cost of forensics to determine the root
causes of disruptions or compromise
• Cost of technical support to restore
systems to an operational state
• Cost associated with reputation and brand damage
• Revenues lost because of system availability problems
• Cost associated with compliance or regulatory failure
Figure 3 reports the average cost per minute of minor,
moderate and substantial disruptions to business and IT
operations. The cost per minute of minor disruptions
is much higher than the per minute cost of substantial
disruptions (US$53,223 versus US$32,229)—reflecting that
the costs for users’ idle time, forensics and technical support
are spread over fewer minutes of downtime (see also Figure
5).
Figure 4 reports the average total costs that could be
incurred as a result of disruptions to business or IT
operations. Even a minor disruption can cost a business
more than US$1 million, and a substantial incident can
escalate to more than US$14 million. However, some
respondents say costs of a severe incident could climb to
more than US$100 million. The estimate is based on the
six cost categories described above. From the perspective
of economic impact, the most significant threats are human
errors, cyber breaches and data loss.
It is important to note that while the average cost of a
minor incident is low relative to a substantial incident, the
high frequency of minor disruptions can mean significant
financial consequences for an organisation over time.
4 The economics of IT risk and reputation
5. Risk Management 5
Minor SubstantialModerate
Average minutes of down or
idle time for minor, moderate
and substantial disruptions
Minor SubstantialModerate
Likelihood of one or more disruptions
to business and IT operations over
the next 24 months
19.7
111.8
442.3 69%
37%
23%
Minor SubstantialModerate
Estimated average cost
per minute of disruption
(down or idle time)
Minor SubstantialModerate
Estimated average total cost of
disruption to business and IT
operations over the next 24 months
$53,210
$38,065
$32,229
$1,046,454
$4,257,357
$14,255,468
Figure 1. Average minutes of down or idle time for minor, moderate and
substantial disruptions
Figure 2. Likelihood of one or more disruptions to business and IT
operations over the next 24 months
Figure 3. Estimated average cost per minute of disruption (down or
idle time)
Figure 4. Estimated average total cost of disruption to business and IT
operations over the next 24 months
6. 6 The economics of IT risk and reputation
The reputational risk and IT connection
If there is any doubt about the importance of an effective
business continuity or IT security program, consider the
financial impact a disruption can have on reputation and
brand value. Figure 5 summarises the allocation of costs
determined by assigning 100 points for minor, moderate and
substantial disruptions. As can be seen, the costs associated
with reputation and brand damage increase in proportion to
the severity of the incident. Accordingly, reputation damages
represent only 2 points for minor versus 37 points for
substantial disruptions to business and IT operations.
The top three costs for all three levels of disruptions
(combined) are (1) cost of users’ idle time, (2) cost of
forensics and (3) cost of technical support. It is interesting to
note that while leadership is believed to be most concerned
about revenue loss because of system availability problems,
it ranks near the bottom of allocated cost in the eyes of
IT professionals.
WHAT WOULD YOU DO?
‘We should change orientation from
reactive to proactive and have a more
mature risk management strategy
in place.’
– IT security director, German technology company
Figure 5. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost
across these six cost categories.
35
Cost of users' idle time and lost productivity because
of downtime or system performance delays
Cost of forensics to determine the root causes
of disruptions
Cost of technical support to restore systems
to an operational state
Cost associated with reputation and brand damage
Revenues lost because of system availability problems
Cost associated with compliance or regulatory failure
36 15
25 20 9
28 17 7
2 11 37
4 12 22
5 4 10
Minor Moderate Substantial
Allocation of total costs
7. Risk Management 7
Drawing from the minor, moderate and substantial cost
allocations indicated previously, we estimate the reputation
and brand-related damages that result from all three
levels of disruption. Figure 6 shows that reputational cost
associated with substantial disruption is almost US$5.3
million. In contrast, reputational costs associated with minor
disruptions are relatively negligible.
Minor SubstantialModerate
Estimated reputation-related costs
resulting from disruption to business or
IT operations over the next 24 months
$20,929
$468,309
$5,274,523
WHAT WOULD YOU DO?
‘Develop a coherent strategy that aligns
information risk with enterprise risk.’
– Business continuity director, Canadian financial
services company
Reputational threats: perception versus reality
Not so clear cut is the source of IT threats to reputation.
We asked recipients to rank seven common threats in terms
of reputational impact on their organisations. As Figure 7
shows, data breach and disaster top the rankings of threats
respondents think pose the greatest reputational risk, with
IT system failure placing third and human error sixth.
Figure 6. Estimated reputation-related costs resulting from disruption to busi-
ness or IT operations over the next 24 months
Figure 7. Common threats ranked in terms of reputational impact
5.5
Data breach/data theft
Natural or manmade
disasters
IT system failure
Data loss (backup/
restore failure)
Cyber security breach/
advanced persistent threats
Human error
5.2
4.3
4.0
3.8
2.6
1.2
Third-party partner security
breach or system failure
Common threats ranked in
terms of reputational impact
8. When respondents were asked whether their organisations
had actually experienced damages to reputation or brand
value and from what cause, the threat ranking is quite
different. As Figure 8 shows, the most significant threats
to reputation based on experience over the last two years
are incidents that involve IT system failures and human
errors, followed by cyber security breaches. Natural or
manmade disasters are far less likely to cause reputation or
brand damages.
8 The economics of IT risk and reputation
66%
IT system failure
Human error
Cyber security breach
Data loss from failed
backup/restore
Natural or manmade
disasters
Third-party security breach
or IT system failure
57%
46%
39%
23%
19%
Threats that impact reputation and brand value
experienced over the past 24 months
Understanding the threat landscape
Our survey also probed the threat landscape more broadly
to determine how closely what IT practitioners think will
happen matches their actual experience. Overall, respondent
perceptions about the likelihood of threats occurring are
largely consistent with reported instances of events—with
human error taking the top spot in terms of likelihood,
number of disruptions experienced and projected
financial impact.
Figure 9 shows how respondents ranked seven common
threats in terms of the likelihood of occurrence in their
organisations. While these business continuity and IT
security professionals rank human error as the leading
potential threat, IT system failure, data breach and third-
party partner security breach or system failure are almost
equal leading contenders.
Figure 8. Threats that caused impact to reputation and brand value over the
past 24 months (percentage of “yes” response)
Figure 9. Common threats ranked in terms of likelihood of occurrence
5.6
Human error
IT system failure
Data breach/data theft
Third-party partner security
breach or system failure
Cyber security breach/
advanced persistent threats
Data loss (backup/
restore failure)
5.2
5.0
5.0
4.0
2.3
0.0
Natural or manmade
disasters
Common threats ranked in terms of
likelihood of occurrence
9. Overall, IT professionals are very accurate when it comes
to understanding the general threat landscape. According
to Figure 10, respondents report that in the past two years
they have experienced on average more than nine business
disruptions due to human error—coinciding with the
ranking of the leading perceived threat to business and IT
operations and IT security. In fact, actual occurrence of
incidents caused by human error far exceeds projections.
Data loss due to failed backup/restore is also more
common than projected—and is slightly ahead of
cyber security breaches.
Risk Management 9
Figure 10. Average number of actual disruptions over the past 24 months
caused by six common threats
9.5
Human error
IT system failure
Third-party partner security
breach or system failure
Data loss from failed
backup/restore
Cyber security breach
Natural or manmade
disasters
5.5
5.4
4.5
4.2
1.9
Average number of actual disruptions over the past
24 months caused by six common threats
Figure 11. Common threats ranked in terms of economic impact
When evaluating threats in terms of potential economic
impact on an organisation, Figure 11 shows that respondents
are consistent in their ranking of human error as the leading
threat. However, participants believe cyber security breaches
and data theft pose a much greater risk of economic impact
than reputational impact (see also Figure 7).
4.7
Human error
Cyber security breach/
advanced persistent threats
Data breach/data theft
Data loss (backup/
restore failure)
IT system failure
Third-party partner security
breach or system failure
3.9
3.8
3.6
3.4
2.7
1.0
Natural or manmade
disasters
Common threats ranked in terms
of economic impact
10. 10 The economics of IT risk and reputation
The role of third-party partners: a closer look
Just how much of a threat do vendors and third parties pose
to respondents’ companies? According to 41 (21+20) percent
of respondents (Figure 12), vendor-related mishaps represent
a main source of disruption to business and IT operations
experienced over the past 24 months.
1%
Zero
<25%
26 to 50%
51 to 75%
76 to 100%
21%
37%
20%
21%
Percentage of disruptions to business
and IT operations caused by third parties
over the past 24 months
One reason may be standards. According to Figure 13,
not all vendors and other third parties are required to
comply with the same business continuity and IT security
requirements that respondents’ companies adhere to.
Thirty-one percent of respondents say their companies do
not require vendors and other third parties to comply with
their business continuity requirements, and 40 percent say
their companies do not require partner compliance with
their own IT security standards.
Figure 12. Percentage of disruptions to business and IT operations caused
by third parties over the past 24 months
Figure 13. Do vendors and other third parties comply with the same
requirements deployed within your organisation?
Yes
No
Unsure
Do vendors and other third parties comply
with the same requirements deployed
within your organisation?
58% 42%
31% 40%
11% 17%
Business
continuity
requirements
IT security
requirements
11. Risk Management 11
Building the case for business continuity
and IT security investments
Business continuity and IT security professionals strongly
believe that their disciplines play an important role in their
organisations’ success. Figure 14 reveals an unanticipated
finding of this research: fully 89 percent of respondents
say that protecting intellectual property is a very important
objective of their IT role. We believe this reflects the
increasingly digital nature of intellectual property itself and
the vulnerability of intellectual property to cyber attack or
loss due to IT failures.
Maximising employee productivity (72 percent), minimising
regulatory or legal non-compliance (70 percent) and
enhancing brand value and reputation round out the
top four very important objectives advanced by business
continuity and IT security activities. Based on previous
IBM studies, the fact that in 2013 fully 65 percent of
respondents rate enhancing brand value as “very important”
confirms that recognition of the relationship between IT
risk and reputation risk is continuing to grow among IT
professionals.
WHERE IS THE RISK?
‘What frightens me is the increased use of
social media that can expose corporate IP
and damage reputations.’
– IT security supervisor, United States professional services
company
Figure 14. Business objectives advanced by business continuity and IT
security management activities
89%
Protecting intellectual
property
Maximising employee
productivity
Minimising non-compliance
with laws
Enhancing brand value
and reputation
Expanding into new
global markets
Minimising customer
defection
72%
70%
65%
48%
21%
14%
Maximising customer
acquisition
Business objectives advanced by
business continuity and IT security
management activities
9%
Increasing revenues and
positive cash flow
12. 12 The economics of IT risk and reputation
The potential damage to reputation and brand value is
also now recognised as an incentive for organisations to
fund business continuity and IT security programs.
Figure 15 reveals that preventing productivity losses,
system downtime and compliance failures and reputation
damages are the factors that contribute most to securing
budget commitments.
44%
Productivity loss
System or application
downtime
Compliance/regulatory
failure
Reputation damage
Information loss or theft
Performance degradation
37%
34%
30%
22%
17%
Factors that contribute the most to securing
budget commitments for business
continuity and IT security
WHERE IS THE RISK?
‘Elevating IT risk management issues
requires C-suite support, and this is
difficult to accomplish.’
– IT security manager, Argentinean services company
While respondents recognise the importance of minimising
IT risks because of potential threats to reputation and brand,
they don’t believe their leaders hold that same perception.
Figure 16 reports only 32 percent of respondents say their
company’s leaders recognise that IT risks affect brand image
and 35 percent say it impacts reputation. Half (50 percent)
of respondents believe their organisation’s leaders do not
recognise that IT risks affect revenues.
Figure 15. Factors that contribute the most to securing budget commit-
ments for business continuity and IT security
Figure 16. Do organisational leaders recognise the economic and reputa-
tional impact of disruption to business and IT operations? (strongly agree
and agree responses combined)
50%
Leaders recognise that IT
risks affect revenues
Leaders recognise that IT
risks affect reputation
Leaders recognise that IT
risks affect brand image
35%
32%
Organisational leaders strongly agree or agree
that disruptions to business and IT operations
have economic and reputational impact
13. Risk Management 13
Barriers to success
Respondents say that the most significant barriers to
achieving highly effective business continuity and IT security
management programs are funding deficits, emergence of
disruptive technologies, lack of knowledgeable staff and
business process complexity (Figure 17).
37%
Lack of funding
Disruptive technologies
(mobility, cloud)
Lack of expert or
knowledgeable staff
Complexity of business
processes
Insufficient planning and
preparedness
Silos and turf thinking
32%
28%
19%
17%
17%
Barriers to achieving a highly effective business
continuity or IT security program
While planning, preparedness, silos and territorial thinking
were only cited by 17 percent of respondents, answers to
two other questions suggest that these factors may indeed
play a stronger role in the success or failure of business
continuity and IT security programs. According to Figure
18, a majority of respondents state their companies do not
have a formal strategy for business continuity or IT security
management across the enterprise (and this impacts the
effectiveness of these IT operations).
Figure 17. Barriers to achieving a highly effective business continuity or IT
security program
Figure 18. Organisational approach to business continuity and IT
security strategy
17%
Formal strategy applied
consistently
Formal strategy, but is not
applied consistently
Informal or "ad hoc"
strategy
We don't have a strategy
27%
26%
31%
Organisational approach to business continuity
and IT security
14. 14 The economics of IT risk and reputation
The results summarised in Figure 19 indicate respondents
are unable to achieve a high level of collaboration. The fact
that 44 percent believe collaboration between their function
and other business or IT functions is either poor or non-
existent suggests that silos and turf thinking play a stronger
role in hindering success than IT professionals are willing
to recognise.
24%
Collaboration is excellent
Collaboration is adequate,
but can be improved
Collaboration is poor
or non-existent
Cannot determine
31%
44%
2%
Collaboration between business continuity,
IT security and other business or IT functions
Our research findings also suggest that there is no clear
best practice when it comes to overall responsibility for
preventing disruptions to IT operations. The most likely
candidate, the chief information officer (CIO), was named
by only 28 percent of the respondents (Figure 20). The
next largest segment, business unit leader, is outside of the
IT organisation all together, and the third ranked choice
is “no one person” at 11 percent. This fragmentation of
responsibility may also be a barrier to success.
Figure 20. Ownership of overall responsibility for directing efforts to
ensure that IT operations are not disrupted
28%
Chief information
officer (CIO)
Business unit leader
Data centre manager
Business continuity
manager
Disaster recovery manager
Chief information security
officer (CISO)
20%
10%
7%
6%
5%
11%
No one person has overall
responsibility
Overall responsibility for directing efforts to ensure
that IT operations are not disrupted
Figure 19. Degree of collaboration between business continuity, IT security
and other business or IT functions
15. Risk Management 15
Conclusion and observations
The economic impact of business continuity and IT security
failures can be significant, ranging on average from US$1
million for a minor disruption lasting 20 minutes to more
than US$14M for a substantial disruption lasting close to
8 hours. Minor disruptions are more likely to happen than
substantial ones—yet the price tag for even a single minor
event is liable to outweigh the cost of prevention.
Business continuity and IT security professionals recognise
that the costs associated with reputation and brand damage
resulting from substantial events is also significant. On
average, they estimate that reputation-related costs alone
will exceed US$5 million over the next 24 months. While
65 percent of survey respondents think business continuity
and IT security management can enhance brand value
and reputation, less than 35 percent think that upper
management shares this view.
This means business continuity and IT security professionals
need to build a stronger business case for investments in IT
controls that can help prevent downtime, data loss, cyber
security breaches and the resulting loss of productivity
and damage to reputation. One place to start is with a
rigorous assessment of the actual root causes at work in
the organisation, then connecting spend with potential
financial consequences that can be averted. This approach
can provide a foundation for establishing business-related
metrics to measure effectiveness and provide further
budget justification.
Putting IT risk prevention into the business language
of cost-benefit analysis can not only help elevate the
discussion but also help educate leadership on the sources
of risk. This is particularly important given that the greatest
single cause of both disruption and economic impact is
human error—which is not an issue that IT alone can
address. While IT can invest in processes such as change
management or automated data backup that can help reduce
the opportunity for human error, educating end users and
developing a security-aware and -compliant culture requires
an enterprise-wide effort with top-down leadership.
For more information
To learn more about how IBM can help you protect
your organisation’s reputation by strengthening IT risk
management, contact your IBM representative or IBM
Business Partner, or visit the following website:
ibm.com/services/riskstudy/uk
Join the business continuity conversation
Join the IT security conversation