We developed a cybersecurity cost-benefit approach to assess the vulnerabilities of intangible assets, deliver a quantitative estimation of risks, and provide guidelines for investing in mitigation measures.
Cyberattacks can harm intangible assets like reputation, Intellectual Property Rights, expertise, and know-how. In fact, intangible assets, many of which are stored on computers and could therefore be vulnerable to hackers, constitute more than half the value of companies worldwide.
Currently, there is a great disparity between the high efficiency of attacks and the inadequate defences put in place by organisations, partly due to the lack of quantitative information for decision makers to prioritise security investments. Existing approaches to IT security and risk management tend to underestimate some key aspects of cyberattacks. One is the contribution of human factors to vulnerabilities, despite the fact that social engineering attacks generate the highest costs. Another is that modern attackers use a multidisciplinary combination of engineering, risk assessment, and economic, cognitive, behavioural, societal and legal knowledge to identify vulnerabilities and assets at risk. The same mix is therefore needed to properly address the strategy of professional IT attackers.
Fostering a culture of risk management, this study provides individual organisations as well as business sectors with an innovative methodology to assess their vulnerabilities and their tangible and intangible assets at risk, and with guidelines to support decisions on cybersecurity investments in hard and soft mitigation measures, thus providing strategic guidance for policy makers.
The methodology and guidelines will be validated in two relevant market sectors in which intangible assets are highly important and the related costs in case of cyberattacks are high: the healthcare and IP-intensive industries.