



The potential costs of cybercrime that can’t be calculated

Sep 25, 2018 | 5 mins
Budgeting, Cybercrime, Technology Industry

Cybersecurity risk often is treated as a nebulous, abstract concept. However, the possibility of attacks that start as cyber incidents but turn out to be a precursor to physical attacks is increasingly commanding more of our attention and vigilance.


Analysis of the cost of cyberattacks often comes with a price tag attached. We regularly read reports highlighting the average and cumulative costs of data breaches, and those figures can be staggering, such as in a Juniper Research report that asserts the global cost of breaches could exceed $2 trillion by next year. While such whopping estimates rightfully garner attention, often overlooked is an even deeper and more jarring consideration — the relationship between information and cyber security and our physical security. 

Cybersecurity risk often is treated as a nebulous, abstract concept. Except for those working on the front lines as security practitioners, it is easy to make a distinction between our digital and our physical environments — our homes, our offices, the park where we take our children and grandchildren. We read about cyberattacks in the headlines, but they probably do not provoke as visceral a reaction as when we read about a physical assault or a bank robbery, where the imagery that springs to mind is more harrowing and personal. Yet, as the volume of cyberattacks continues to rise and the attack methods of cybercriminals become more wide-ranging, less predictable and more potent, the barrier between our digital and physical worlds is becoming thinner and more fragile. Increasingly, the possibility of kinetic attacks — those that can start as cyber incidents but turn out to be a precursor or conduit to physical attacks — is commanding more and more of our attention and vigilance.

Threats apply to individuals and wider society alike

The connection between cyber and physical security applies both on a broad scale — cybersecurity is unquestionably a major national security issue, and critical infrastructure attacks carry the potential for widespread damage to our physical well-being — and on an individual level, particularly when it comes to the exposure of personally identifiable information (PII). Data breaches resulting in home addresses, contact information and other PII falling into the wrong hands can provide the starting point for those with malevolent intent to carry out kinetic attacks resulting in physical harm. Physical threats stemming from cyberattacks can target the most vulnerable among us — those dependent on life-saving medical treatment and devices. The potentially chilling consequences of bad actors hacking medical devices such as pacemakers or insulin pumps place a high responsibility on healthcare organizations to be diligent in making strategic investments in security and risk management programs capable of providing patients the peace of mind they deserve.

While attacks on individuals are concerning enough, threats impacting critical infrastructure pose a larger-scale threat to our physical security. As noted in a 2017 Massachusetts Institute of Technology (MIT) report, “the digital systems that control critical infrastructure in the United States and most countries are easily penetrated and architecturally weak.” The proliferation of connected IoT devices, for all their benefits, makes industrial control systems inviting targets for cybercriminals, with potentially grave consequences. Attacks on critical infrastructure introduce a range of serious safety threats, including explosions at plants that would jeopardize workers, injuries to those using public transportation, and power grid failures that could leave thousands of people without food, water and sanitation services. The loss of power for an extended period would also create a dangerous environment in the streets for residents and businesses. Perhaps most disturbingly, it is possible to envision a brazen attack by a nation-state on a country’s critical infrastructure spiraling in a way that transitions cyber warfare into a military conflict that puts large-scale loss of life at risk.

More tools for cybercriminals to draw upon

The potential for threats that originate in the digital world to surface in our physical environment is becoming more pronounced. Increasingly, malicious uses of artificial intelligence loom as a threat to our safety, as only 40 percent of respondents to ISACA’s 2018 Digital Transformation Barometer express confidence that their organizations can accurately assess the security of systems based on AI and machine learning. As self-driving vehicles and the use of AI in maritime and other transportation modalities become more prevalent, the need for enhanced assurance of these systems’ safety will be critically important to prevent these promising innovations from leading to dangerous outcomes.  

The dark web presents another platform by which cyberthreats can transition into real-world threats to our physical safety. The dark web, inaccessible by search engines, is a haven for criminals, extremists and other groups that are looking to evade the notice of law enforcement. Dealings on the dark web can lead to hitmen being hired to carry out attacks, the plotting of terrorist activity and a range of illegal transactions, often involving drugs, that can lead to violence on the streets. We must also recognize the potential for misuse of social media to set in motion threats to our physical well-being, as oversharing or compromising information spread on social channels can swiftly turn into violence in our neighborhoods, schools, and beyond.

While all these threats are real and, in most cases, terrifying portents of a world of exponential risk, we need to balance our anxiety by remembering that there are “good guys” doing their best to delay, if not avert, a tech-induced physical attack. For instance, the IoT Security Foundation is dedicated to raising attention to important security considerations not to be neglected as we move forward to a more interconnected world. Businesses are adopting and promoting the best security practices in cloud computing with help from the Cloud Security Alliance. However, despite the best efforts of organizations such as these, it is nearly impossible to calculate their true effectiveness in comparison to the headline attacks and potential for physical harm. This reinforces what I have maintained all along — cybersecurity is everybody’s business, and we collectively must understand and be vigilant about working together to minimize the risks for the good of our global society and citizens.


Matt Loeb, CGEIT, FASAE, CAE, is the CEO of ISACA, which serves 159,000 professionals with expertise in audit, assurance, security, privacy and risk. Prior to joining ISACA, Loeb was staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and the executive director of the IEEE Foundation. His professional experience includes enterprise strategy, corporate development, global business operations, governance, publishing, sales, marketing, product development and acquisitions functions in a variety of for-profit and nonprofit organizations.

In 2016, Matt was named a Fellow of the American Society of Association Executives (ASAE). He is one of only 251 individuals to receive this recognition since the program’s inception 30 years ago. This industry recognition is bestowed on fewer than 1 percent of those working in the nonprofit industry. He was also selected by the National Association of Corporate Directors (NACD) as one of the top 100 Directors for 2016, and honored for this recognition at NACD’s annual Directorship 100 event in New York City in November.

Matt has been on numerous corporate for-profit and non-profit Boards. He currently serves as board chair of Pittsburgh-based Clearmodel, as a director on the Board of the American Society of Association Executives and the ASAE Foundation, both of which are based in Washington, DC, and as a trustee of Excelsior College located in Albany, NY.

The opinions expressed in this blog are those of Matt Loeb and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
