Title: Estimating the cost of damages due to a security incident.

$Revision: 1.1 $ $Date: 2001/01/29 19:47:20 $ $Author: dittrich $

Q: I've been informed by {law enforcement prosecuting a security incident |
   UW Internal Audit | my departmental administration} that they want a
   damage estimate for a security incident involving systems I manage.
   How do I come up with that?

A: A security incident of any kind has several cost components associated
with it. You, as system administrator, have to take time away from your
normal activities to deal with analyzing the system, determining the extent
of the damage and/or how the break-in (if there was one) occurred, notifying
your departmental administration and users, cleaning up the damage, dealing
with affected users, etc. Not only is your time spent, but it is likely that
one or more users were prevented from doing their normal work tasks, which
is a loss to the organization in the form of decreased productivity.

The proposed Senate Bill S2448, "The Internet Integrity and Critical
Infrastructure Protection Act," clarifies how loss should be calculated.
It states:

    (11) the term `loss' means any reasonable cost to any victim,
    including the cost of responding to an offense, conducting a damage
    assessment, and restoring the data, program, system, or information
    to its condition prior to the offense, and any revenue lost, cost
    incurred, or other consequential damages incurred because of
    interruption of service;

So the costs to be tallied include:

1). Time spent by all staff in cleaning up the damage to systems under
    your control (e.g., analyzing what has occurred, re-installing the
    operating system, restoring installed programs and data files, etc.)

2). Lost productivity by users who were prevented from using the systems
    during down time, or during denial of service attacks that affected
    these individuals because they were using compromised systems on
    your network.

3). Replacement of hardware, software, or other property that was damaged
    or stolen.

Do not include the cost of taking precautions to prevent other security
intrusions, which are things that should be part of normal system
administration. Even though you may have taken extra precautions as a
result of this incident, that isn't a direct response to the intrusion
itself. Just tally lost use and direct cleanup activity costs.

A recent study by a group of Big 10 (plus 1) Universities of incident
costs -- the Incident Cost Analysis and Modelling Project, or ICAMP --
used the following type of analysis.

o Persons affected by the incident were identified, and the amount of
  time spent/lost due to the incident was logged.

o Staff/Faculty/Student employee time cost was calculated by dividing
  the individual's annual wage by 52 weeks and 40 hours per week to come
  up with an hourly rate. The hourly rate is then multiplied by the
  logged hours, and varied by +/- 15% to give a range.

o A benefit rate of 28% is added (an average of the institutions in the
  study) to come up with a dollar loss per individual.

o The total of all individuals' time, plus incidental expenses (e.g.,
  hardware stolen/damaged, phone calls to other sites, etc.), is then
  calculated using a simple spread-sheet approach.

An example spreadsheet used to calculate the cost of a similar incident
(Linux system root compromise, sniffer installed, etc.) with this method
can be seen at:

    http://staff.washington.edu/dittrich/talks/security/costsheet.jpg

Chart C-40 shows the cost of cleanup, while chart C-41 shows lost user
time. An Excel version of this spreadsheet (courtesy of Dylan Greene at
the UW) is available at:

    http://staff.washington.edu/dittrich/misc/intrusion_cost.xls

If you have any questions about how to calculate these figures, or want
to see the full details of how the costs were estimated, please contact .

Author: dittrich 12/06/2000