Michael D. Moberly August 11, 2014 ‘A long form blog where attention span really matters.’
Objective calculation of losses and costs.
Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear at first blush to be relatively straightforward tasks. However, when intellectual properties and other categories of intangible assets are targeted and acquired by economic and competitive advantage adversaries, the legitimate holder of those assets is obliged to objectively assess their value.
Similarly, if a cyber attack temporarily brings down a company’s IT network, the targeted company is obliged to objectively calculate losses to productivity, sales, and essential communications as well as costs to return their system to operational normalcy with the necessary security upgrades. Obviously, there is much more to calculating and assigning dollar values to such costs/losses than engaging in mere guesstimates.
For regular readers, it should come as no surprise that there are significant differences of opinion globally about calculating the costs and losses attributed to malicious cyber activity and economic espionage directed to companies’ R&D, university-corporate research consortiums, etc. As conveyed in previous posts at this blog, dollar value losses cited in numerous respected surveys and studies range from a mere few billion dollars to hundreds of billions of dollars annually. To be sure, assigning specific price tags to companies’ cyber – economic espionage losses is challenging, but too, the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the peripheral and contributory value of each of the other intangible assets underlying a patent, for example. So, it may not be especially prudent to assume the findings of the various surveys and studies have been reached using objective data or calculations that are free from the influence of larger political, social, and national security agendas. This may be a reason why we are witnessing such a broad range of loss estimates regarding cyber – economic espionage.
Is economic-cyber the greatest transfer of wealth in history or merely a rounding error?
While I am not the originator of the above question, there are numerous responsible parties that do characterize losses attributed to cybercrime and economic espionage in this fashion, i.e., as constituting either the greatest transfer of wealth in human history, or merely as rounding errors in a $14 trillion economy.
The former, of course, represents a perspective intended to elevate the significance and adverse impact of cybercrime-economic espionage, while the latter represents the opposite perspective, which is to diminish the ‘sticker shock’, if you will, of the adverse impact by characterizing it in the context of what are, to most, incomprehensible dollar amounts or collective national GDPs.
Having said that, both perspectives, through my lens, warrant inclusion in the broader conversation.
Since the passage of the Economic Espionage Act (EEA) in October 1996, there has been no shortage of surveys and studies whose focus has largely been to dramatize the costs and losses, along with an array of adverse (economic, competitive advantage) impacts, attributed to acts of cybercrime and economic espionage and adversely affecting either or both the private sector and national security/defense.
Having read and studied most, if not each of these reports over the past 25+ years, I interpret the findings and supporting documentation to be somewhat competitive in the sense that each report strives to be conceptually broader and offer broader ranges of losses and impacts and in more dramatic fashion.
Too, many reports, particularly those published in recent years, are collaborative, in that a known and usually global player (i.e., accounting, consulting, or IT firm) has partnered with a prestigious university (academic unit) or ‘think tank’, assuming this will elevate the reports’ credence and validity in the eyes of their previously targeted audience. In addition, more such reports include examples and/or mini-case studies describing the impact to victimized companies and/or organizations, who, for multiple reasons, have elected to ‘go public’, perhaps at the behest of federal (EEA) prosecutors, and thus agree to seek prosecution of the perpetrators, whoever or whatever they may be.
Expectations of receiving damage – loss restitution…
Any victim company’s expectation of receiving damage or restitution payments is slim, and such payments are therefore largely symbolic when that is the finding of a court. That’s because a large percentage of those engaged in and prosecuted for EEA-related violations have international origins; while such cases are within the EEA’s scope, victims may also find it useful to bring such action before the World Trade Organization (WTO).
Factors in play that influence companies to go public…
Readers recognize, of course, that there are numerous factors in play that comprise a company’s decision to ‘go public’. Going public represents, among other things, a company’s admission of being victimized, followed by a guesstimated admission of the extent – value of the losses being attributed to the acts, which initially are often framed in passionate and angry guesstimates of how the acts and losses will impact the victim’s company and even who the culprit(s) may be and how the adverse act was actually committed.
Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess, such losses very rapidly. That’s because, in many instances, the losses are not limited solely to lost or undermined intellectual capital, i.e., trade secrets, proprietary information, and IP. Instead, the full extent of a targeted company’s losses is frequently more strategic, in the form of relationship capital, and thus may not be fully realized for several months out.
Reputation risk factor…
Another factor in play with respect to the counsel and ultimate decision to ‘go public’ with a company’s victimization is the very real possibility that, once the matter comes under public and regulatory scrutiny, the victim company will, unfortunately, experience the materialization of reputation risk at some level. I refer to materialization of reputation risk with the phrase ‘at some level’ because such company-specific reputation risks can manifest in different ways for different sets of consumers, stakeholders, investors, etc.
Yes, a company’s reputation is an intangible asset of the first order. A company’s reputation is embedded with – comprised of – many other contributing intangible assets which collectively produce significant value. In other words, reputation represents expectations, and therefore serves as the rationale by which consumers distinguish, seek, and likely purchase one product or service over another because it consistently meets or exceeds their expectations.
Calculating losses attributed to economic espionage requires objectively framed equations…
For many years there has been a general inclination to accept, perhaps naively, the guesstimated findings of after-the-fact prognosticative research regarding losses – impacts attributed to cyber – economic espionage valuations. My counsel is that any formula, conventional intangible asset valuation methodology, and/or equation used to calculate the loss and/or compromise of valuable intellectual properties (intangible assets) caused by cyber-economic espionage should…
- differentiate the assets which have been targeted, lost, and/or compromised by category, i.e., intellectual, structural, and relationship capital to ensure the findings
- bring quantitative – qualitative distinctions and clarity to a fuller range of related acts/events which can materialize following an act of cyber-economic espionage, e.g., produce adverse stock market reactions if the targeted company is publicly traded, reputation risks, productivity losses, business disruptions, loss of consumer trust, expectations, and goodwill, as well as the costs required to re-establish IT and supply chain security, etc.
As always reader comments are welcome!