Press Release

Determining the real economic impact of cyber-incidents: A mission (almost) impossible

Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII).

Published on August 10, 2016

Cyber security incidents affecting CIIs (Critical Information Infrastructures) are considered nowadays “global risks that can have significant negative impact for several countries or industries within the next 10 years”[1]. But the job of identifying the real impact produced proves to be quite a challenge.

Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII). CIIs provide the resources for core functions on which society depends. The unavailability of these resources would have a debilitating effect on society as a whole.

A prevalent challenge for all stakeholders involved (decision makers, companies and others) is to identify the exact magnitude of incidents in terms of national or EU-wide economic impact. In this context, the aim of the study is to provide an estimate, on the basis of available public source information.

The study demonstrates that the absence of a common approach and criteria for performing such an analysis has led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience. While some studies show annual economic impact per country, other studies provide cost per incident or per organisation. Furthermore, some studies use real cost while others use approximations based on different techniques or on internal frameworks. Despite the lack of comparable studies, this systematic review has produced compelling findings for future work in the field and built an early view of the current situation in the EU and beyond.

The major common findings include:

  • Finance, ICT and Energy sectors have the highest incident costs
  • The most common cyber attack types for the financial sector and ICTs appear to be DoS/DDoS and malicious insiders, with the latter also affecting public administration/government sectors
  • The most costly attacks are considered to be insider threats, followed by DDoS and web-based attacks
  • In terms of country losses, the figures show up to 1.6% of GDP in some EU countries. Other studies mention figures such as 425,000 to 20 million euro per company per year

“Determining realistic cost values is key to outline the economic impact of cyber incidents on the EU’s economy. ENISA can play a significant role in the future, on developing work that takes into account all critical variables that define the EU cyber-space, given that all the necessary resources have been allocated,” commented ENISA’s Executive Director Prof. Udo Helmbrecht.

A general recommendation to all types of readers who may be interested in such studies is that findings would have to be contextualised prior to adopting conclusions or drawing their own. Doing so helps readers to better understand the gaps or parts not covered by the study, as well as the overall findings of the study and their relevance within the actual context.

For full report:

 For media and press enquiries please contact [email protected], Tel: +30 2814 409576

[1] The Global Risks Report, World Economic Forum 2016

