IT service outage cost: case study and implications for cyber insurance



Ulrik Franke

Received: 25 September 2019 / Accepted: 15 June 2020
© The Geneva Association 2020

Abstract

Today, almost all enterprises are highly dependent on IT services. Thus, high availability IT services and the cost of downtime have received a lot of attention in recent years. One increasingly used tool for cyber risk management and transfer is cyber insurance, which typically offers some form of business interruption coverage. However, cost structures of IT service outages are still poorly understood, as costs are often just reported as lump sums. This article contributes a multiple case study of IT service outage cost in three sectors in Sweden: transport companies (N = 11), food companies (N = 9) and government agencies (N = 19). The contribution is three-fold: (i) the measurement instrument itself, (ii) the insights into different cost structures gained, and (iii) the implications of different cost structures on availability investment strategies. Whereas some enterprises incur only a fixed outage cost, some incur (almost) only lost productivity or almost only lost revenue. In the public sector, lost revenue is often negligible. The results are further contextualised by a discussion of cyber insurance implications.

Keywords: IT service availability · Outage cost · Cyber insurance · Business interruption · Availability investment · Fixed and variable cost

Electronic supplementary material: The online version of this article (https://doi.org/10.1057/s41288-020-00177-4) contains supplementary material, which is available to authorized users.

Ulrik Franke, RISE Research Institutes of Sweden, P.O. Box 1263, 164 29, Kista, Sweden

Introduction

In modern society, individuals, private companies and public agencies all depend on functioning and available IT services in their daily lives and operations. For business, outages can have dramatic consequences, including lost revenue, lost productivity and damage to reputation (Lerner et al. 2016). Though the latter category of damage can be difficult to quantify, it has been demonstrated that IT failures result in abnormal drops in stock prices, by 2% on average, in the days following the event (Bharadwaj et al. 2009). To avoid such consequences, enterprises pose demanding requirements on IT service continuity. The consultancy Gartner reports ‘aggressive’ targets such as recovery times of 4 h at most and availability levels of at least 99.5% (Morency 2014). However, in many cases even these targets are not sufficient and it has been argued that enterprises typically require four ‘nines’ IT service availability, i.e. 99.99%, or more (Durkee 2010). For a service running 24 h a day, 365 days a year, this corresponds to slightly below a single hour of allowed annual downtime. However, despite technical efforts, outages can never be avoided altogether. This is one of the rationales for writing cyber insurance policies that cover busines