Abstract
Today, almost all enterprises are highly dependent on IT services. Thus, high availability IT services and the cost of downtime have received a lot of attention in recent years. One increasingly used tool for cyber risk management and transfer is cyber insurance, which typically offers some form of business interruption coverage. However, cost structures of IT service outages are still poorly understood, as costs are often just reported as lump sums. This article contributes a multiple case study of IT service outage cost in three sectors in Sweden: transport companies (\(N=11\)), food companies (\(N=9\)) and government agencies (\(N=19\)). The contribution is three-fold: (i) the measurement instrument itself, (ii) the insights into different cost structures gained, and (iii) the implications of different cost structures on availability investment strategies. Whereas some enterprises incur only a fixed outage cost, some incur (almost) only lost productivity or almost only lost revenue. In the public sector, lost revenue is often negligible. The results are further contextualised by a discussion of cyber insurance implications.
Change history
04 September 2023
A Correction to this paper has been published: https://doi.org/10.1057/s41288-023-00308-7
Notes
https://www.akeri.se/en/node/161, accessed 25 March 2020.
https://www.livsmedelsforetagen.se/in-english/, accessed 25 March 2020.
The axes are normalised to emphasise the general nature of the plot. As in Franke (2014), the particular \(\beta\) values used are \(\beta _K = 0.212\) and \(\beta _L=0.663\), building on empirical work by Hitt and Brynjolfsson (1996). For a discussion of the applicability of these numbers, see Franke (2014, Section II).
References
Andrade, E., B. Nogueira, R. Matos, G. Callou, and P. Maciel. 2017. Availability modeling and analysis of a disaster-recovery-as-a-service solution. Computing. https://doi.org/10.1007/s00607-017-0539-8.
Bharadwaj, A., M. Keil, and M. Mähring. 2009. Effects of information technology failures on the market value of firms. The Journal of Strategic Information Systems 18 (2): 66–79. https://doi.org/10.1016/j.jsis.2009.04.001.
Biener, C., M. Eling, and J.H. Wirfs. 2015. Insurability of cyber risk: An empirical analysis. Geneva Papers on Risk and Insurance: Issues and Practice 40 (1): 131–158. https://doi.org/10.1057/gpp.2014.19.
Bosse, S., M. Splieth, and K. Turowski. 2016. Multi-objective optimization of IT service availability and costs. Reliability Engineering & System Safety 147: 142–155. https://doi.org/10.1016/j.ress.2015.11.004.
Carfora, M., F. Martinelli, F. Mercaldo, and A. Orlando. 2019. Cyber risk management: An actuarial point of view. Journal of Operational Risk 4: 77–103. https://doi.org/10.21314/JOP.2019.231.
Cobb, C.W., and P.H. Douglas. 1928. A theory of production. The American Economic Review 18 (1): 139–165.
Daffron, J., S. Ruffle, C. Andrew, J. Copic, K. Quantrill, and E. Leverett. 2019. Bashe attack: Global infection by contagious malware. Technical report, Cambridge Centre for Risk Studies, Lloyd’s of London and Nanyang Technological University. Retrieved Feb 4, 2019 from https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/bashe-attack.
Durkee, D. 2010. Why cloud computing will never be free. Queue 8 (4): 20. https://doi.org/10.1145/1755884.1772130.
Edwards, B., S. Hofmeyr, and S. Forrest. 2015. Hype and heavy tails: A closer look at data breaches. In: The Workshop on the Economics of Information Security (WEIS).
Eling, M., and N. Loperfido. 2017. Data breaches: Goodness of fit, pricing, and risk measurement. Insurance: Mathematics and Economics 75: 126–136.
Eling, M., and W. Schnell. 2016. What do we know about cyber risk and cyber risk insurance? The Journal of Risk Finance 17 (5): 474–491. https://doi.org/10.1108/JRF-09-2016-0122.
ENISA. 2016. Cyber insurance: Recent advances, good practices and challenges. Technical report. European Union Agency for Network and Information Security. https://doi.org/10.2824/065381.
European Commission. 2017. The directive on security of network and information systems (nis directive). https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive.
European Commission. 2019. The Digital Economy & Society Index (DESI). Retrieved Sep 27, 2019 from https://ec.europa.eu/digital-single-market/en/desi.
Falco, G., M. Eling, D. Jablanski, A. Gordon, S.S. Wang, J. Schmit, R. Thomas, et al. 2019. A research agenda for cyber risk and cyber insurance. In: Workshop on the Economics of Information Security (WEIS).
Florêncio, D., and C. Herley. 2013. Sex, lies and cyber-crime surveys. In Economics of Information Security and Privacy III, ed. B. Schneier, 35–53. New York: Springer.
Franke, U. 2012. Optimal IT service availability: Shorter outages, or fewer? IEEE Transactions on Network and Service Management 9 (1): 22–33.
Franke, U. 2014. Enterprise Architecture Analysis with Production Functions. In: IEEE 18th international enterprise distributed object computing conference (EDOC 2014), IEEE (pp 52–60). https://doi.org/10.1109/EDOC.2014.17.
Franke, U. 2017. The cyber insurance market in Sweden. Computers & Security 68: 130–144. https://doi.org/10.1016/j.cose.2017.04.010.
Franke, U., H. Holm, and J. König. 2014. The distribution of time to recovery of enterprise IT services. IEEE Transactions on Reliability 63 (4): 858–867. https://doi.org/10.1109/TR.2014.2336051.
Goldstein, J., A. Chernobai, and M. Benaroch. 2011. An event study analysis of the economic impact of IT operational risk and its subcategories. Journal of the Association for Information Systems 12 (9): 1.
Hitt, L.M., and E. Brynjolfsson. 1996. Productivity, business profitability, and consumer surplus: Three different measures of information technology value. MIS Quarterly 20 (2): 121–142.
Hofmann, D.M., S. Wilson, and R.S. Carter. 2018. Advancing accumulation risk management in cyber insurance. Technical report, The Geneva Association. Retrieved Feb 25, 2019 from https://www.genevaassociation.org/research-topics/cyber-and-innovation/advancing-accumulation-risk-management-cyber-insurance.
IBM Global Services. 1998. Improving systems availability. IBM Global Services: Technical report.
Ibrahimovic, S., and U. Franke. 2016. A probabilistic approach to IT risk management in the Basel regulatory framework: A case study. Journal of Financial Regulation and Compliance 25: 176–195. https://doi.org/10.1108/JFRC-06-2016-0050.
Insurance Sweden. 2019. Hur försäkrar vi oss mot cyberrisker och databrott? [How can we insure ourselves against cyber risks and cyber crimes?]. Retrieved Sept 27, 2019 from https://www.svenskforsakring.se/aktuellt/nyheter/2019/hur-forsakrar-vi-oss-mot-cyberrisker-och-databrott/.
Jammal, M., H. Hawilo, A. Kanso, and H. Shami. 2017. Mitigating the risk of cloud services downtime using live migration and high availability-aware placement (pp. 578–583). https://doi.org/10.1109/CloudCom.2016.0100.
Kapur, P., H. Pham, A.G. Aggarwal, and G. Kaur. 2012. Two dimensional multi-release software reliability modeling and optimal release planning. IEEE Transactions on Reliability 61 (3): 758–768.
Lerner, A., S. Ganguli, and V. Bhalla. 2016. How to reduce network downtime in the era of digital business, g00317252. Technical report: Gartner Inc.
Li, X., Y. Qi, P. Chen, and X. Zhang. 2017. Optimizing backup resources in the cloud (pp. 790–797). https://doi.org/10.1109/CLOUD.2016.107.
Logeswaran, L., H. Bandara, and H. Bhathiya. 2017. Performance, resource, and cost aware resource provisioning in the cloud (pp. 913–916). https://doi.org/10.1109/CLOUD.2016.133.
Meland, P.H., I.A. Tøndel, M. Moe, and F. Seehusen. 2017. Facing uncertainty in cyber insurance policies. International workshop on security and trust management, 89–100. New York: Springer.
Morency, J.P. 2014. Managing IT resilience is much more than simply failing over applications. Technical report, Gartner, Inc., updated Sept 2016. G00233822.
Nguyen, T.A., D.S. Kim, and J.S. Park. 2016. Availability modeling and analysis of a data center for disaster tolerance. Future Generation Computer Systems 56: 27–50. https://doi.org/10.1016/j.future.2015.08.017.
OECD. 2017. Enhancing the role of insurance in cyber risk management. Paris: OECD.
Olsson, T., and U. Franke. 2019. Risks and assets: A qualitative study of a software ecosystem in the mining industry. In: Proceedings of the 2019 27th ACM joint meeting on European software engineering conference and symposium on the foundations of software engineering, ACM, ESEC/FSE 2019 (pp. 895–904). https://doi.org/10.1145/3338906.3340443.
Patterson, D. 2002. A simple way to estimate the cost of downtime. In: Proceedings on 16th systems administration conference, LISA (pp. 185–188).
Ponemon. 2016. 2016 cost of data center outages. Ponemon Institute and Emerson Network Power: Technical report.
Rachev, S.T., A. Chernobai, and C. Menn. 2006. Empirical examination of operational loss distributions. Perspectives on operations research, 379–401. New York: Springer.
Rapoza, J. 2014. Preventing virtual application downtime. Aberdeen Group: Technical report.
Romanosky, S., L. Ablon, A. Kuehn, and T. Jones. 2019. Content analysis of cyber insurance policies: How do carriers price cyber risk? Journal of Cybersecurity 5 (1): 1–19. https://doi.org/10.1093/cybsec/tyz002.
Sohlberg, I., and S. Jansson. 2012. Dolda it-kostnader i verksamheten. Försäkringskassan och Pensionsmyndigheten. [Hidden enterprise IT costs. The Swedish Social Insurance Agency and the Swedish Pensions Agency]. Swedish Social Insurance Inspectorate, report 2012:5.
Sousa, E., F. Lins, E. Tavares, and P. Maciel. 2017. Cloud infrastructure planning considering different redundancy mechanisms. Computing. https://doi.org/10.1007/s00607-016-0533-6.
Statskontoret. 2017. Den offentliga sektorn i korthet 2017 [The public sector in brief 2017]. http://www.statskontoret.se/globalassets/publikationer/2017/offentliga-sektorn-korthet-2017.pdf, No. 2017/20-5.
Tonn, G., J.P. Kesan, L. Zhang, and J. Czajkowski. 2019. Cyber risk and insurance for transportation infrastructure. Transport Policy 79: 103–114. https://doi.org/10.1016/j.tranpol.2019.04.019.
Vecchio, D. 2016. How to derive business value from DevOps, G00317166. Technical report: Gartner Inc.
Wang, S.S. 2019. Integrated framework for information security investment and cyber insurance. Pacific-Basin Finance Journal 57: 101173. https://doi.org/10.1016/j.pacfin.2019.101173.
Woods, D., I. Agrafiotis, J.R. Nurse, and S. Creese. 2017. Mapping the coverage of security controls in cyber insurance proposal forms. Journal of Internet Services and Applications 8 (1): 8.
Woods, D., T. Moore, and A. Simpson. 2019. The county fair cyber loss distribution: Drawing inferences from insurance prices. Workshop on the Economics of Information Security (WEIS).
World Economic Forum. 2016. The 10 countries best prepared for the new digital economy. Retrieved Jan 7, 2017 from https://www.weforum.org/agenda/2016/07/countries-best-prepared-for-the-new-digital-economy/.
World Economic Forum. 2018. Cyber resilience playbook for public-private collaboration. Technical report, World Economic Forum. Retrieved Mar 9, 2018 from http://www3.weforum.org/docs/WEF_Cyber_Resilience_Playbook.pdf. REF 110117.
Yin, R.K. 2003. Case study research: Design and methods. Applied social research methods, vol. 5. Thousand Oaks: SAGE.
Acknowledgements
This work was supported by the Swedish Civil Contingencies Agency, MSB, agreement no. 2015-6986. Not only did MSB function as the funding agency, it was also instrumental in securing access to the public-private fora where many respondents were recruited. The author is grateful for this, in particular to Johan Turell, who facilitated these contacts. Thanks are also due to Professor Shaun S. Wang of the Nanyang Technological University in Singapore for discussions about availability investment allocation problems.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The original online version of this article was revised: Due to an unfortunate oversight by the typesetter an encoding mistake happened in Fig. 3 of the article. Three multiplication signs (∙) in the middle of the diagram have become arrows (↑), three Greek β letters just above 0.2 on the y axis have become apostrophes (’), and two fi ligatures in the legend of the x axis have become mere dashes (-).
Appendix: Derivation of Eq. (7)
Denoting the net cost in Eq. (6) by f and the fixed budget constraint by g, we have:
The Lagrangian is thus \({\mathcal {L}} = f(K,L) -\lambda g(K,L)\), and we solve the system of equations \(\nabla {\mathcal {L}} = {\mathbf {0}}\):
Using the first two equations, we eliminate \(\lambda\) and obtain:
Dividing by \(\frac{t_{\mathrm {op}}}{k_K} K^{- \beta _K -1} \beta _L\) we have:
Dividing by \(c_{\mathrm {var}} k_L\) and multiplying by \(L^{\beta _L}\) we have:
which is the first-order optimality condition for \(K^*\) and \(L^*\) in Eq. (7).
About this article
Cite this article
Franke, U. IT service outage cost: case study and implications for cyber insurance. Geneva Pap Risk Insur Issues Pract 45, 760–784 (2020). https://doi.org/10.1057/s41288-020-00177-4
DOI: https://doi.org/10.1057/s41288-020-00177-4