Summary

The purpose of the Incident Cost Framework is to provide an assessment framework to help your organization understand and quantify the magnitude of loss from a cyber security incident. Managing the risks, liabilities and costs associated with a cyber incident is a challenge faced by many organizations.

Utilizing this assessment framework will allow your organization to:

  • Understand and measure the severity of a cyber incident on staff, departments, data, software and hardware;
  • Enhance your existing processes and operations;
  • Understand the tools and resources required to support an effective response; and
  • Calculate costs of an incident, including accounting for the number of hours spent resolving the incident, lost productivity, and reduced revenue associated with the incident.

Internal Consequences and Cost for Broader Public Sector or Agency

Internal consequences are incurred at each of the four stages of the incident response life cycle: Discovery, Investigation, Containment, and Recovery. Tracking the hours logged by teams and individuals at each phase can help you determine the severity and impact of the incident.

Costs related to the internal consequences of a cyber incident are incurred in each of the four stages: Discovery, Investigation, Containment and Recovery.

To estimate the total cost for internal consequences, multiply the total number of hours spent on each stage by the hourly rate of the IT and support staff involved.

The number of hours should account for every person's involvement. For example, a one-hour meeting with ten people is a total of ten hours.


In the discovery stage, the Broader Public Sector or Agency is responsible for notifying their Cyber Incident Response Team (CIRT) and ministry contacts about the incident. The incident coordinator may organize a meeting and gather stakeholders and teams to determine next steps.

1    How many hours did CIRT and others spend during discovery?

In the investigation stage, CIRT reviews the deployed technology and applicable logs of the environment to investigate how widespread the cybercrime attack is. IT teams may be asked to provide logs from their assets (e.g. IIS Logs, web logs) for further investigation.

2    How many hours did CIRT spend during investigation?

3   How many hours did the IT support team spend during investigation?

In the containment stage, the IT asset and/or network is isolated to prevent it from impacting the rest of the organization. CIRT and the Antivirus team (if from your IT Team or CIRT) may isolate assets from the network if they have been compromised. The network connection may be disconnected temporarily if the location or floor has been impacted.


4   How many hours did CIRT and the Antivirus team spend during containment?

5   How many hours did the IT support team spend during containment?

The recovery stage will often include IT support or your asset support team, especially if organizations' assets need to be rebuilt, re-imaged or restored. Recovery can also include the restoration of network connectivity if a location or floor has been disconnected as well as information reconstruction services if financial data has been lost.


6   How many hours did ITS/Field Services spend on recovery?

Total Cost of Internal Consequences = $(1 + 2 + 3 + 4 + 5 + 6)

Cost per hour = $(total cost / total hours)

External Consequences and Cost for Broader Public Sector or Agency

External consequences are incurred due to business disruption, equipment damage, information loss or theft, intangible costs, and additional services. Estimating the cost of each consequence will help quantify how the cyber incident has affected your organization.


Costs related to the external consequences of a cyber incident can be incurred due to business disruption, information loss or theft, equipment damage, intangible costs, and additional services.


The cost to remediate equipment and other IT assets as a result of the cyber-attack.

Formula

Lost Productivity = Employee salary / hr x utilization % x Number of employees (with same utilization %)

Lost Revenue = Revenue / hr x downtime (hrs) x uptime (%)

Example:

Employee makes $80,000 per year / 52 weeks / 36.25 hours per week = Lost Productivity of 1 employee ($42.44 per hour)

7    What is the estimated cost of business disruption?

Loss or theft of sensitive or confidential information as a result of the cyber-attack. This can include trade secrets, intellectual property (including source code), customer information, and employee records.


8    What is the cost of any information loss or theft?

The cost to remediate equipment and other IT assets as a result of the cyber attack.


9   What is the cost of replacing or repairing equipment/IT assets?

Cost is incurred as downtime to your services. It can cause damage to the organization’s reputation.


10    What is the estimated cost of reputational damage?

  • Audit and consulting services
  • Legal services for defense
  • Legal services for compliance
  • Identity protection services
  • Additional services as required

11   What is the cost of any additional services?

Total Cost of External Consequences = $(7 + 8 + 9 + 10 + 11)

Total Cost of Incident = $(Total cost of internal consequences + Total cost of external consequences)
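
The calculation above, carried through in Python as an added example (not part of the original guide). The time log, hourly rates, downtime and external dollar figures are constructed, and treating item 7 as lost productivity over the downtime plus lost revenue is an assumption.

```python
from collections import defaultdict

STAGES = ("Discovery", "Investigation", "Containment", "Recovery")

# Constructed time log: (stage, team, people, hours each, hourly rate in $).
TIME_LOG = [
    ("Discovery", "CIRT", 10, 1.0, 60.0),  # one-hour meeting, ten people = 10 hours
    ("Investigation", "CIRT", 2, 8.0, 60.0),
    ("Investigation", "IT support", 1, 4.0, 45.0),
    ("Containment", "CIRT/Antivirus", 2, 3.0, 60.0),
    ("Containment", "IT support", 2, 2.0, 45.0),
    ("Recovery", "ITS/Field Services", 3, 6.0, 45.0),
]

def internal_costs(log):
    """Return (cost per stage, total hours, total cost, cost per hour)."""
    cost = defaultdict(float)
    total_hours = 0.0
    for stage, _team, people, hours_each, rate in log:
        if stage not in STAGES:
            raise ValueError(f"unknown stage: {stage}")
        person_hours = people * hours_each  # count every person's involvement
        total_hours += person_hours
        cost[stage] += person_hours * rate
    total_cost = sum(cost.values())
    per_hour = total_cost / total_hours if total_hours else 0.0
    return dict(cost), total_hours, total_cost, per_hour

def hourly_salary(annual, weeks=52, hours_per_week=36.25):
    return annual / weeks / hours_per_week

def lost_productivity(salary_per_hour, utilization, employees):
    return salary_per_hour * utilization * employees  # guide's formula, $ per hour

def lost_revenue(revenue_per_hour, downtime_hours, uptime):
    return revenue_per_hour * downtime_hours * uptime  # guide's formula

def incident_total(log, external):
    """Internal total (items 1-6) plus external total (items 7-11)."""
    return internal_costs(log)[2] + sum(external.values())

DOWNTIME_HOURS = 8  # constructed
# Assumption: item 7 = lost productivity over the downtime + lost revenue.
EXTERNAL = {
    "7 business disruption": lost_productivity(hourly_salary(80_000), 0.5, 20)
    * DOWNTIME_HOURS + lost_revenue(500.0, DOWNTIME_HOURS, 0.99),
    "8 information loss or theft": 5_000.0,
    "9 equipment damage": 2_500.0,
    "10 reputational damage": 10_000.0,
    "11 additional services": 4_000.0,
}

if __name__ == "__main__":
    print(internal_costs(TIME_LOG), round(incident_total(TIME_LOG, EXTERNAL), 2))
```
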

Contact

Ontario’s Cyber Security Division, Cyber Security Operations Centre (CSOC) developed this Incident Cost Framework Calculation Guide to assist in determining the consequences and costs associated with an incident. Organizations are encouraged to contact CSOC at cyberadvice@ontario.ca while completing the following guide to ensure accuracy, completeness and to provide guidance throughout the process. All questions regarding the calculation guide should also be directed to cyberadvice@ontario.ca.