The economics of IT risk and reputation
What business continuity and IT security really mean to your organisation
Global T...
About the study
The IBM Global Study on the Economic Impact of IT
Risk is the largest independent research study conducted...
Contents
	3	Introduction
	4	 Quantifying the economic impact of disruptions to 	
		 business and IT operations
	6	 The rep...
Quantifying the economic impact of
disruptions to business and IT operations
A very important objective of this research i...
Risk Management 5
Minor SubstantialModerate
Average minutes of down or
idle time for minor, moderate
and substantial disru...
6 The economics of IT risk and reputation
The reputational risk and IT connection
If there is any doubt about the importan...
Risk Management 7
Drawing from the minor, moderate and substantial cost
allocations indicated previously, we estimate the ...
When respondents were asked whether their organisations
had actually experienced damages to reputation or brand
value and ...
Overall, IT professionals are very accurate when it comes
to understanding the general threat landscape. According
to Figu...
10 The economics of IT risk and reputation
The role of third-party partners: a closer look
Just how much of a threat do ve...
Risk Management 11
Building the case for business continuity
and IT security investments
Business continuity and IT securi...
12 The economics of IT risk and reputation
The potential damage to reputation and brand value is
also now recognised as an...
Risk Management 13
Barriers to success
Respondents say that the most significant barriers to
achieving highly effective bu...
14 The economics of IT risk and reputation
The results summarised in Figure 19 indicate respondents
are unable to achieve ...
Risk Management 15
Conclusion and observations
The economic impact of business continuity and IT security
failures can be ...
Limitations
There are inherent limitations to survey research that need
to be carefully considered before drawing inferenc...
Upcoming SlideShare
Loading in …5
×

The Economics of IT Risk and Reputation

1,464 views

Published on

What business continuity and IT security really mean to your organization.

Get the latest on security: http://securityintelligence.com

Published in: Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,464
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
19
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

The Economics of IT Risk and Reputation

  1. 1. The economics of IT risk and reputation What business continuity and IT security really mean to your organisation Global Technology Services Research Report Risk Management Findings from the IBM Global Study on the Economic Impact of IT Risk
  2. 2. About the study The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business disruptions caused by business continuity or IT security failures. The study—a follow-on to the 2013 IBM Reputational Risk and IT Study—was sponsored by IBM and independently conducted by Ponemon Institute® in July 2013. Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organisation and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organisations with more than 5,000 full-time equivalent employees. Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of slight but statistically relevant differences. Therefore, for the purpose of this analysis and report we have combined the data from the two sample groups. The IBM Global Study on the Economic Impact of IT Risk, independently conducted by Ponemon Institute, gathered information from 2,316 business continuity and IT security professionals from around the world. North America 49% 1,125 Europe/Middle East 26% 597 Asia Pacific 15% 353 Latin America 10% 241 Less than 500 8% 500 to 1,000 15% 10,001 to 25,000 15% 25,001 to 75,000 9% 1,001 to 5,000 23% 5,001 to 10,000 25% More than 75,000 4% Location (37 countries) Company sizes Banking 19% Healthcare 11% IT and technology 9% Industrial 9% Director 24% Staff/technician 10% Supervisor 19% C-level executive 11% Industries Job titles Public sector 14% Retail 10% Consumer goods 7% Energy and utilities 5% All others 16% Manager 31% Administrative 2% Contractor 2%
  3. 3. Contents 3 Introduction 4 Quantifying the economic impact of disruptions to business and IT operations 6 The reputational risk and IT connection 8 Understanding the threat landscape 11 Building the case for business continuity and IT security investments 13 Barriers to success 15 Conclusion and observations WHAT WOULD YOU DO? If reputation and brand are important, make IT risk management a priority. – Business continuity management supervisor, French consumer products company Introduction When the normal course of operations is disrupted as a result of IT system failures and cyber attacks, the economic and reputational costs can be devastating. Even scant minutes of downtime can be costly. In the context of this paper, IT risk is the risk associated with the use, ownership, operation and influence of IT within an organisation. Such risks include human error, system failures, security breaches and disruptions to data centre operations such as power failures and natural disasters. Understanding the financial consequences of a disruption can be valuable to determining the resources that should be invested in preventing or minimising such incidents. It also can be critical in making the business case to the C-suite for elevating the priority of business continuity and IT security activities. In this study, we measure the financial consequences or “total cost” resulting from an organisation’s inability to provide an acceptable level of service in the face of faults or challenges to normal operations. We also measure and quantify the reputational consequences—the cost of damage to a company’s image or brand value as a result of poor controls, failed processes, IT downtime, data theft and compliance violations. The voice of business continuity and IT security In this survey we asked two optional open-ended questions: ‘What steps should your organisation or industry take to reduce risks to your organisation posed by IT operations?’ and ‘Looking ahead, what are the changes or trends in the IT landscape that will most increase reputation risk for your organisation?’ The responses we received were thoughtful and thought- provoking—and a number of common themes emerged. Throughout this paper we will share responses that reflect those common concerns under one of two headings: ‘What would you do?’ and ‘Where is the risk?’ Risk Management 3
  4. 4. Quantifying the economic impact of disruptions to business and IT operations A very important objective of this research is to determine the cost to organisations when there is a disruption or compromise to business processes or IT services. Respondents were asked to estimate the costs based on three discrete levels: minor, moderate and substantial. Duration. Minor, moderate and substantial disruptions are classified according the amount of downtime. As shown in Figure 1, the average minor incident is 19.7 minutes, while a substantial incident can be 442.3 minutes or almost a full eight-hour day of down or idle time. However, some expect that substantial disruptions could last more than two days. Likelihood. According to Figure 2, 69 percent of respondents anticipate that they will experience at least one or more minor disruptions in the next 24 months, while 23 percent say one or more substantial disruptions could occur over the same time period. In other words, respondents believe their organisations are three times more likely to experience a minor incident than a substantial incident. Cost. Respondents were asked to consider all direct cash outlays, direct labour expenditures, indirect labour costs, overhead costs and lost business opportunities for six cost categories: • Cost of users’ idle time and lost productivity because of downtime or system performance delays • Cost of forensics to determine the root causes of disruptions or compromise • Cost of technical support to restore systems to an operational state • Cost associated with reputation and brand damage • Revenues lost because of system availability problems • Cost associated with compliance or regulatory failure Figure 3 reports the average cost per minute of minor, moderate and substantial disruptions to business and IT operations. The cost per minute of minor disruptions is much higher than the per minute cost of substantial disruptions (US$53,223 versus US$32,229)—reflecting that the costs for users’ idle time, forensics and technical support are spread over fewer minutes of downtime (see also Figure 5). Figure 4 reports the average total costs that could be incurred as a result of disruptions to business or IT operations. Even a minor disruption can cost a business more than US$1 million, and a substantial incident can escalate to more than US$14 million. However, some respondents say costs of a severe incident could climb to more than US$100 million. The estimate is based on the six cost categories described above. From the perspective of economic impact, the most significant threats are human errors, cyber breaches and data loss. It is important to note that while the average cost of a minor incident is low relative to a substantial incident, the high frequency of minor disruptions can mean significant financial consequences for an organisation over time. 4 The economics of IT risk and reputation
  5. 5. Risk Management 5 Minor SubstantialModerate Average minutes of down or idle time for minor, moderate and substantial disruptions Minor SubstantialModerate Likelihood of one or more disruptions to business and IT operations over the next 24 months 19.7 111.8 442.3 69% 37% 23% Minor SubstantialModerate Estimated average cost per minute of disruption (down or idle time) Minor SubstantialModerate Estimated average total cost of disruption to business and IT operations over the next 24 months $53,210 $38,065 $32,229 $1,046,454 $4,257,357 $14,255,468 Figure 1. Average minutes of down or idle time for minor, moderate and substantial disruptions Figure 2. Likelihood of one or more disruptions to business and IT operations over the next 24 months Figure 3. Estimated average cost per minute of disruption (down or idle time) Figure 4. Estimated average total cost of disruption to business and IT operations over the next 24 months
  6. 6. 6 The economics of IT risk and reputation The reputational risk and IT connection If there is any doubt about the importance of an effective business continuity or IT security program, consider the financial impact a disruption can have on reputation and brand value. Figure 5 summarises the allocation of costs determined by assigning 100 points for minor, moderate and substantial disruptions. As can be seen, the costs associated with reputation and brand damage increase in proportion to the severity of the incident. Accordingly, reputation damages represent only 2 points for minor versus 37 points for substantial disruptions to business and IT operations. The top three costs for all three levels of disruptions (combined) are (1) cost of users’ idle time, (2) cost of forensics and (3) cost of technical support. It is interesting to note that while leadership is believed to be most concerned about revenue loss because of system availability problems, it ranks near the bottom of allocated cost in the eyes of IT professionals. WHAT WOULD YOU DO? ‘We should change orientation from reactive to proactive and have a more mature risk management strategy in place.’ – IT security director, German technology company Figure 5. For each of the three levels of disruption (minor, moderate, and substantial), respondents were asked to use a 100-point scale to apportion total cost across these six cost categories. 35 Cost of users' idle time and lost productivity because of downtime or system performance delays Cost of forensics to determine the root causes of disruptions Cost of technical support to restore systems to an operational state Cost associated with reputation and brand damage Revenues lost because of system availability problems Cost associated with compliance or regulatory failure 36 15 25 20 9 28 17 7 2 11 37 4 12 22 5 4 10 Minor Moderate Substantial Allocation of total costs
  7. 7. Risk Management 7 Drawing from the minor, moderate and substantial cost allocations indicated previously, we estimate the reputation and brand-related damages that result from all three levels of disruption. Figure 6 shows that reputational cost associated with substantial disruption is almost US$5.3 million. In contrast, reputational costs associated with minor disruptions are relatively negligible. Minor SubstantialModerate Estimated reputation-related costs resulting from disruption to business or IT operations over the next 24 months $20,929 $468,309 $5,274,523 WHAT WOULD YOU DO? ‘Develop a coherent strategy that aligns information risk with enterprise risk.’ – Business continuity director, Canadian financial services company Reputational threats: perception versus reality Not so clear cut is the source of IT threats to reputation. We asked recipients to rank seven common threats in terms of reputational impact on their organisations. As Figure 7 shows, data breach and disaster top the rankings of threats respondents think pose the greatest reputational risk, with IT system failure placing third and human error sixth. Figure 6. Estimated reputation-related costs resulting from disruption to busi- ness or IT operations over the next 24 months Figure 7. Common threats ranked in terms of reputational impact 5.5 Data breach/data theft Natural or manmade disasters IT system failure Data loss (backup/ restore failure) Cyber security breach/ advanced persistent threats Human error 5.2 4.3 4.0 3.8 2.6 1.2 Third-party partner security breach or system failure Common threats ranked in terms of reputational impact
  8. 8. When respondents were asked whether their organisations had actually experienced damages to reputation or brand value and from what cause, the threat ranking is quite different. As Figure 8 shows, the most significant threats to reputation based on experience over the last two years are incidents that involve IT system failures and human errors, followed by cyber security breaches. Natural or manmade disasters are far less likely to cause reputation or brand damages. 8 The economics of IT risk and reputation 66% IT system failure Human error Cyber security breach Data loss from failed backup/restore Natural or manmade disasters Third-party security breach or IT system failure 57% 46% 39% 23% 19% Threats that impact reputation and brand value experienced over the past 24 months Understanding the threat landscape Our survey also probed the threat landscape more broadly to determine how closely what IT practitioners think will happen matches their actual experience. Overall, respondent perceptions about the likelihood of threats occurring are largely consistent with reported instances of events—with human error taking the top spot in terms of likelihood, number of disruptions experienced and projected financial impact. Figure 9 shows how respondents ranked seven common threats in terms of the likelihood of occurrence in their organisations. While these business continuity and IT security professionals rank human error as the leading potential threat, IT system failure, data breach and third- party partner security breach or system failure are almost equal leading contenders. Figure 8. Threats that caused impact to reputation and brand value over the past 24 months (percentage of “yes” response) Figure 9. Common threats ranked in terms of likelihood of occurrence 5.6 Human error IT system failure Data breach/data theft Third-party partner security breach or system failure Cyber security breach/ advanced persistent threats Data loss (backup/ restore failure) 5.2 5.0 5.0 4.0 2.3 0.0 Natural or manmade disasters Common threats ranked in terms of likelihood of occurrence
  9. 9. Overall, IT professionals are very accurate when it comes to understanding the general threat landscape. According to Figure 10, respondents report that in the past two years they have experienced on average more than nine business disruptions due to human error—coinciding with the ranking of the leading perceived threat to business and IT operations and IT security. In fact, actual occurrence of incidents caused by human error far exceeds projections. Data loss due to failed backup/restore is also more common than projected—and is slightly ahead of cyber security breaches. Risk Management 9 Figure 10. Average number of actual disruptions over the past 24 months caused by six common threats 9.5 Human error IT system failure Third-party partner security breach or system failure Data loss from failed backup/restore Cyber security breach Natural or manmade disasters 5.5 5.4 4.5 4.2 1.9 Average number of actual disruptions over the past 24 months caused by six common threats Figure 11. Common threats ranked in terms of economic impact When evaluating threats in terms of potential economic impact on an organisation, Figure 11 shows that respondents are consistent in their ranking of human error as the leading threat. However, participants believe cyber security breaches and data theft pose a much greater risk of economic impact than reputational impact (see also Figure 7). 4.7 Human error Cyber security breach/ advanced persistent threats Data breach/data theft Data loss (backup/ restore failure) IT system failure Third-party partner security breach or system failure 3.9 3.8 3.6 3.4 2.7 1.0 Natural or manmade disasters Common threats ranked in terms of economic impact
  10. 10. 10 The economics of IT risk and reputation The role of third-party partners: a closer look Just how much of a threat do vendors and third parties pose to respondents’ companies? According to 41 (21+20) percent of respondents (Figure 12), vendor-related mishaps represent a main source of disruption to business and IT operations experienced over the past 24 months. 1% Zero <25% 26 to 50% 51 to 75% 76 to 100% 21% 37% 20% 21% Percentage of disruptions to business and IT operations caused by third parties over the past 24 months One reason may be standards. According to Figure 13, not all vendors and other third parties are required to comply with the same business continuity and IT security requirements that respondents’ companies adhere to. Thirty-one percent of respondents say their companies do not require vendors and other third parties to comply with their business continuity requirements, and 40 percent say their companies do not require partner compliance with their own IT security standards. Figure 12. Percentage of disruptions to business and IT operations caused by third parties over the past 24 months Figure 13. Do vendors and other third parties comply with the same requirements deployed within your organisation? Yes No Unsure Do vendors and other third parties comply with the same requirements deployed within your organisation? 58% 42% 31% 40% 11% 17% Business continuity requirements IT security requirements
  11. 11. Risk Management 11 Building the case for business continuity and IT security investments Business continuity and IT security professionals strongly believe that their disciplines play an important role in their organisations’ success. Figure 14 reveals an unanticipated finding of this research: fully 89 percent of respondents say that protecting intellectual property is a very important objective of their IT role. We believe this reflects the increasingly digital nature of intellectual property itself and the vulnerability of intellectual property to cyber attack or loss due to IT failures. Maximising employee productivity (72 percent), minimising regulatory or legal non-compliance (70 percent) and enhancing brand value and reputation round out the top four very important objectives advanced by business continuity and IT security activities. Based on previous IBM studies, the fact that in 2013 fully 65 percent of respondents rate enhancing brand value as “very important” confirms that recognition of the relationship between IT risk and reputation risk is continuing to grow among IT professionals. WHERE IS THE RISK? ‘What frightens me is the increased use of social media that can expose corporate IP and damage reputations.’ – IT security supervisor, United States professional services company Figure 14. Business objectives advanced by business continuity and IT security management activities 89% Protecting intellectual property Maximising employee productivity Minimising non-compliance with laws Enhancing brand value and reputation Expanding into new global markets Minimising customer defection 72% 70% 65% 48% 21% 14% Maximising customer acquisition Business objectives advanced by business continuity and IT security management activities 9% Increasing revenues and positive cash flow
  12. 12. 12 The economics of IT risk and reputation The potential damage to reputation and brand value is also now recognised as an incentive for organisations to fund business continuity and IT security programs. Figure 15 reveals that preventing productivity losses, system downtime and compliance failures and reputation damages are the factors that contribute most to securing budget commitments. 44% Productivity loss System or application downtime Compliance/regulatory failure Reputation damage Information loss or theft Performance degradation 37% 34% 30% 22% 17% Factors that contribute the most to securing budget commitments for business continuity and IT security WHERE IS THE RISK? ‘Elevating IT risk management issues requires C-suite support, and this is difficult to accomplish.’ – IT security manager, Argentinean services company While respondents recognise the importance of minimising IT risks because of potential threats to reputation and brand, they don’t believe their leaders hold that same perception. Figure 16 reports only 32 percent of respondents say their company’s leaders recognise that IT risks affect brand image and 35 percent say it impacts reputation. Half (50 percent) of respondents believe their organisation’s leaders do not recognise that IT risks affect revenues. Figure 15. Factors that contribute the most to securing budget commit- ments for business continuity and IT security Figure 16. Do organisational leaders recognise the economic and reputa- tional impact of disruption to business and IT operations? (strongly agree and agree responses combined) 50% Leaders recognise that IT risks affect revenues Leaders recognise that IT risks affect reputation Leaders recognise that IT risks affect brand image 35% 32% Organisational leaders strongly agree or agree that disruptions to business and IT operations have economic and reputational impact
  13. 13. Risk Management 13 Barriers to success Respondents say that the most significant barriers to achieving highly effective business continuity and IT security management programs are funding deficits, emergence of disruptive technologies, lack of knowledgeable staff and business process complexity (Figure 17). 37% Lack of funding Disruptive technologies (mobility, cloud) Lack of expert or knowledgeable staff Complexity of business processes Insufficient planning and preparedness Silos and turf thinking 32% 28% 19% 17% 17% Barriers to achieving a highly effective business continuity or IT security program While planning, preparedness, silos and territorial thinking were only cited by 17 percent of respondents, answers to two other questions suggest that these factors may indeed play a stronger role in the success or failure of business continuity and IT security programs. According to Figure 18, a majority of respondents state their companies do not have a formal strategy for business continuity or IT security management across the enterprise (and this impacts the effectiveness of these IT operations). Figure 17. Barriers to achieving a highly effective business continuity or IT security program Figure 18. Organisational approach to business continuity and IT security strategy 17% Formal strategy applied consistently Formal strategy, but is not applied consistently Informal or "ad hoc" strategy We don't have a strategy 27% 26% 31% Organisational approach to business continuity and IT security
  14. 14. 14 The economics of IT risk and reputation The results summarised in Figure 19 indicate respondents are unable to achieve a high level of collaboration. The fact that 44 percent believe collaboration between their function and other business or IT functions is either poor or non- existent suggests that silos and turf thinking play a stronger role in hindering success than IT professionals are willing to recognise. 24% Collaboration is excellent Collaboration is adequate, but can be improved Collaboration is poor or non-existent Cannot determine 31% 44% 2% Collaboration between business continuity, IT security and other business or IT functions Our research findings also suggest that there is no clear best practice when it comes to overall responsibility for preventing disruptions to IT operations. The most likely candidate, the chief information officer (CIO), was named by only 28 percent of the respondents (Figure 20). The next largest segment, business unit leader, is outside of the IT organisation all together, and the third ranked choice is “no one person” at 11 percent. This fragmentation of responsibility may also be a barrier to success. Figure 20. Ownership of overall responsibility for directing efforts to ensure that IT operations are not disrupted 28% Chief information officer (CIO) Business unit leader Data centre manager Business continuity manager Disaster recovery manager Chief information security officer (CISO) 20% 10% 7% 6% 5% 11% No one person has overall responsibility Overall responsibility for directing efforts to ensure that IT operations are not disrupted Figure 19. Degree of collaboration between business continuity, IT security and other business or IT functions
  15. 15. Risk Management 15 Conclusion and observations The economic impact of business continuity and IT security failures can be significant, ranging on average from US$1 million for a minor disruption lasting 20 minutes to more than US$14M for a substantial disruption lasting close to 8 hours. Minor disruptions are more likely to happen than substantial ones—yet the price tag for even a single minor event is liable to outweigh the cost of prevention. Business continuity and IT security professionals recognise that the costs associated with reputation and brand damage resulting from substantial events is also significant. On average, they estimate that reputation-related costs alone will exceed US$5 million over the next 24 months. While 65 percent of survey respondents think business continuity and IT security management can enhance brand value and reputation, less than 35 percent think that upper management shares this view. This means business continuity and IT security professionals need to build a stronger business case for investments in IT controls that can help prevent downtime, data loss, cyber security breaches and the resulting loss of productivity and damage to reputation. One place to start is with a rigorous assessment of the actual root causes at work in the organisation, then connecting spend with potential financial consequences that can be averted. This approach can provide a foundation for establishing business-related metrics to measure effectiveness and provide further budget justification. Putting IT risk prevention into the business language of cost-benefit analysis can not only help elevate the discussion but also help educate leadership on the sources of risk. This is particularly important given that the greatest single cause of both disruption and economic impact is human error—which is not an issue that IT alone can address. While IT can invest in processes such as change management or automated data backup that can help reduce the opportunity for human error, educating end users and developing a security-aware and -compliant culture requires an enterprise-wide effort with top-down leadership. For more information To learn more about how IBM can help you protect your organisation’s reputation by strengthening IT risk management, contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/services/riskstudy/uk Join the business continuity conversation Join the IT security conversation
  16. 16. Limitations There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of business continuity management, IT and IT security practitioners in numerous countries, resulting in a large number of usable returned responses. Despite non- response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey. Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are business continuity management, IT or IT security practitioners within the sample of countries selected. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some responders did not provide truthful responses. IBM United Kingdom Limited PO Box 41, North Harbour Portsmouth, Hampshire PO6 3AU United Kingdom IBM Ireland Limited Oldbrook House 24-32 Pembroke Road Dublin 4 IBM Ireland registered in Ireland under company number 16226. IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml The content in this document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. © Copyright IBM Corporation 2013 Please Recycle RLW03022-GBEN-00

×