The Blind Man and the Elephant: Measuring Economic Impacts of DDoS Attacks

Abhishta is a Ph.D. candidate in the Industrial Engineering and Business Information Systems (IEBIS) group. His supervisors are Prof.dr.ir. L.J.M. Nieuwenhuis and dr. R.A.M.G. Joosten from the Faculty of Behavioural, Management and Social Sciences (BMS).

The Internet has become an important part of our everyday life. We use services such as Netflix, Skype, online banking and Scopus daily. We even use the Internet to file our tax returns and to communicate with municipalities. This dependency on network-based technologies gives malicious actors in our society the opportunity to remotely attack IT infrastructure. One type of cyberattack that may lead to the unavailability of network resources is known as a distributed denial of service (DDoS) attack. A DDoS attack leverages many computers to launch a coordinated denial of service attack against one or more targets.

These attacks cause damage to victim businesses. According to reports published by several consultancies and security companies, these attacks lead to millions of dollars in losses every year. One might ponder: are the damages caused by the temporary unavailability of network services really this large? One point of criticism of these reports has been that they often base their findings on victim surveys and expert opinions. Since cost accounting and bookkeeping methods are not designed to measure the impact of cyber security incidents, it is highly likely that surveys are unable to capture the true impact of an attack. A troubling fact is that most C-level managers make budgetary decisions for security based on the losses reported in these surveys. Several inputs to security investment decision models, such as return on security investment (ROSI), also depend on these figures. This makes the situation very similar to the parable of the "blind men and the elephant", in which several blind men try to conceptualise what an elephant looks like by touching it. Hence, it is important to develop methodologies that capture the true impact of DDoS attacks. In this research, we study the economic impact of DDoS attacks on public and private organisations using an empirical approach. We also recognise that it is not possible to measure the true impact of DDoS attacks on the victim without learning about the aims of the attackers. Hence, we propose a model based on Routine Activity Theory (RAT) to study attackers' aims using the information about the attack reported in news articles.

Our results show that DDoS attacks are not a random phenomenon and that attackers are instigated by the circumstances surrounding them. We observe that measuring the true economic impact of these attacks is complex and requires us to consider the context of an attack. Some of the consequences of short-duration IT unavailability are temporary and are recovered from rather quickly. Hence, to take this work forward, we propose to give economic meaning to the empirical data that is presently available and to collect more data at the employee level to measure the resilience of firms to IT unavailability.