The United States Cyber Consequences Unit


Cyber Consequence Analysis


Being able to quantify the consequences of cyber attacks is crucial for nearly all decisions about cyber security. Without credible estimates of the losses that would be caused by various cyber attacks, there is no good way to decide what to defend, to allocate cyber-security resources, to decide on appropriate defensive tools and strategies, or to justify a cyber security budget.

Yet hardly any corporations have an accurate idea of what past cyber attacks have cost them or what future losses they might suffer. Many of the key consequences of cyber attacks, such as damage to customer relationships, damage to brand, and the loss of competitively important information, seem too diffuse or intangible to measure.

This course will remedy these problems by teaching you how to quantify convincingly the damages that can be caused by cyber attacks. It will show how to approach this problem systematically and rigorously, so that no losses are overlooked or counted twice. It will show how to determine the magnitude of all the types of damage that seem hardest to assess. Finally, it will show you how to assess the changes in consequences under different conditions.

The course will be taught by Scott Borg, the Director and Chief Economist of the U.S. Cyber Consequences Unit. He is widely regarded as the world’s leading authority on the economics of cyber security and originated a large portion of the state-of-the-art methods for quantifying cyber-attack damages.

The topics and questions that will be covered in this course include:

  • How to put the analysis of cyber-attack costs on an unchallengeable foundation, avoiding common mistakes, and making the method employed completely transparent

  • How to make sense of the wide variety of cost factors that could be affected by a cyber attack

  • How a cyber attack can affect the larger market and the company’s position in it

  • The costs of cyber attacks that interrupt business activity, including the real costs of damage to physical facilities

  • The costs of cyber attacks that corrupt business activity, including the real costs of carrying out operations in a defective way or producing defective products

  • The costs of cyber attacks that discredit business activity, including the real costs of damage to business relationships and to brand or reputation

  • The costs of cyber attacks that cause loss of control of business activity, including the real costs of stolen business information

  • How to estimate the costs of cyber attacks where there is no close connection to any market, such as those that damage embedded systems or public institutions

  • How cascading effects change the overall costs for the various parties involved

  • How to quantify the potential gains for cyber attackers if their attack is successful

  • A systematic approach to reducing the consequences of cyber attacks

Cost of each course: $1,200 for corporate attendees, or $1,000 for government or academic attendees. (Payable by credit card over the phone.)

Venue (in Washington, DC): Carr Workplaces, 12th Floor, Potomac Building, 1001 N. 19th Street in Rosslyn (Arlington), two and a half blocks from the Rosslyn Metro stop and just across the bridge from Georgetown.

Arrangements can also be made for the courses to be taught to groups and at other locations.

Additional information: Please contact the course administrator through email.

  Copyright © 2004- U.S. Cyber Consequences Unit. All Rights Reserved.