Estimating the Global Cost of Cyber RiskMethodology and ExamplesPaul Dreyer, Therese Jones, Kelly Klima, Jenny Oberholtzer, Aaron Strong, Jonathan William Welburn, Zev WinkelmanSponsored by the William and Flora Hewlett Foundation and the CyberCube unit of the Symantec CorporationJUSTICE, INFRASTRUCTURE, AND ENVIRONMENTiii Preface Cyber incidents have been increasing in frequency and cost in recent years, with some resulting in hundreds of millions of dollars in losses. There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk across countries and industry sectors. In many cases, comparing research studies is complicated by a lack of transparency in methodologies, assumptions, and data sets used. The goal of this research was to produce a transparent methodology for estimating present and future global costs of cyber risk, acknowledging the considerable uncertainty in the frequencies and costs of cyber incidents. A companion Excel tool implements the methodology described in this document.1 This research was sponsored by the William and Flora Hewlett Foundation and the CyberCube unit of the Symantec Corporation and will be of interest to researchers and policymakers involved with cyber risk assessment and mitigation. RAND Science, Technology, and Policy The research reported here was conducted in the RAND Science, Technology, and Policy program, which focuses primarily on the role of scientific development and technological innovation in human behavior, global and regional decisionmaking as it relates to science and technology, and the concurrent effects that science and technology have on policy analysis and policy choices. The program covers such topics as space exploration, information and telecommunication technologies, and nano- and biotechnologies. Program research is supported by government agencies, foundations, and the private sector. RAND Justice, Infrastructure, and Environment (JIE) conducts research and analysis in civil and criminal justice, infrastructure development and financing, environmental policy, transportation planning and technology, immigration and border protection, public and occupational safety, energy policy, science and innovation policy, space, telecommunications, and trends and implications of artificial intelligence and other computational technologies. Questions or comments about this report should be sent to the project leader, Paul Dreyer (Paul_Dreyerrand.org). For more information about RAND Science, Technology, and Policy, see www.rand.org/jie/stp or contact the director at stprand.org. 1 Dreyer, 2018. iv Contents Preface . iii Figures. vi Tables . vii Summary . viii Acknowledgments . x Abbreviations . xi Symbols . xii Chapter 1: Introduction . 1 Summary of Existing Global Cyber Cost Estimate Research and Results .1 Report Objective and Outline .3 Chapter 2: Modeling the Costs of Cyber Risk . 4 Model Structure .4 Direct Costs at the Sector and Country Levels .5 From Direct to Systemic Costs .6 Projecting Future Costs .9 Chapter 3: Model Parameters .