IT service outage cost: case study and implications for cyber insurance

Abstract

Today, almost all enterprises are highly dependent on IT services. Thus, high availability IT services and the cost of downtime have received a lot of attention in recent years. One increasingly used tool for cyber risk management and transfer is cyber insurance, which typically offers some form of business interruption coverage. However, cost structures of IT service outages are still poorly understood, as costs are often just reported as lump sums. This article contributes a multiple case study of IT service outage cost in three sectors in Sweden: transport companies (\(N=11\)), food companies (\(N=9\)) and government agencies (\(N=19\)). The contribution is three-fold: (i) the measurement instrument itself, (ii) the insights into different cost structures gained, and (iii) the implications of different cost structures on availability investment strategies. Whereas some enterprises incur only a fixed outage cost, some incur (almost) only lost productivity or almost only lost revenue. In the public sector, lost revenue is often negligible. The results are further contextualised by a discussion of cyber insurance implications.

Change history

• 04 September 2023

  A Correction to this paper has been published: https://doi.org/10.1057/s41288-023-00308-7

Appendix: Derivation of Eq. (7)

Denoting the net cost in Eq. (6) by f and the fixed budget constraint by g, we have:

$$\begin{aligned} \min _{K,L} f&= K + L + \frac{t_{\mathrm {op}}}{k_K K^{\beta _K}} \left( c_{\mathrm {fix}} + c_{\mathrm {var}} \times k_L L^{-\beta _L} \right), \\ \text {such that} \ g&= K + L - M = 0. \end{aligned}$$

The Lagrangian is thus \({\mathcal {L}} = f(K,L) -\lambda g(K,L)\), and we solve the system of equations \(\nabla {\mathcal {L}} = {\mathbf {0}}\):

$$\begin{aligned} \left\{ \begin{array}{ll} \frac{\partial {\mathcal {L}}}{\partial K} &{}= 1 - \frac{t_{\mathrm {op}}}{k_K} \beta _K K^{- \beta _K -1} \left( c_{\mathrm {fix}} + c_{\mathrm {var}} k_L L^{- \beta _L} \right) - \lambda = 0\\ \frac{\partial {\mathcal {L}}}{\partial L} &{}= 1 - \frac{t_{\mathrm {op}}}{k_K} K^{- \beta _K}c_{\mathrm {var}} k_L \beta _L L^{- \beta _L - 1} - \lambda = 0\\ \frac{\partial {\mathcal {L}}}{\partial \lambda } &{}= K + L - M = 0. \end{array} \right. \end{aligned}$$

Using the first two equations, we eliminate \(\lambda\) and obtain:

$$\begin{aligned} \frac{t_{\mathrm {op}}}{k_K} \beta _K K^{- \beta _K -1} \left( c_{\mathrm {fix}} + c_{\mathrm {var}} k_L L^{- \beta _L} \right) = \frac{t_{\mathrm {op}}}{k_K} K^{- \beta _K}c_{\mathrm {var}} k_L \beta _L L^{- \beta _L - 1}. \end{aligned}$$

Dividing by \(\frac{t_{\mathrm {op}}}{k_K} K^{- \beta _K -1} \beta _L\) we have:

$$\begin{aligned} \frac{\beta _K}{\beta _L} \left( c_{\mathrm {fix}} + c_{\mathrm {var}} k_L L^{- \beta _L} \right) = c_{\mathrm {var}} k_L K L^{- \beta _L - 1}. \end{aligned}$$

Dividing by \(c_{\mathrm {var}} k_L\) and multiplying by \(L^{\beta _L}\) we have:

$$\begin{aligned} \frac{\beta _K}{\beta _L} \left( \frac{c_{\mathrm {fix}}}{c_{\mathrm {var}}} \frac{L^{\beta _L}}{k_L} + 1\right) = \frac{K}{L}, \end{aligned}$$

which is the first-order optimality condition for \(K^*\) and \(L^*\) in Eq. (7).