Cybersecurity: Quantifying cyber risk

Quantifying cyber risk - 8 indicators useful for quantifying reputational damage

Cybersecurity risks will increase and become more complex due to new work styles that combine working in the office and teleworking. Cybersecurity risks are among the most critical threats facing businesses and organizations, and mismanagement can lead to not only financial loss but also reputational damage.

Executives always need metrics to quantify and manage cyber threats. With the right metrics and framework in place, it's easy to quantify financial losses from cyberattacks. However, some feel that reputational damage is difficult to calculate, and some even believe that reputational damage cannot be measured financially.

It is possible to measure reputational damage by looking at the appropriate indicators.

This article presents eight key metrics to help quantify reputational damage.

Decline in stock prices

When it comes to costing reputational damage, stock price declines are one of the first metrics to adopt, at least for public companies. Stocks tend to recover after falling, but an oft-quoted Comparitech blog shows that stocks that have fallen have consistently underperformed their NASDAQ peers since.

A 2020 New York University study and a 2018 academic paper also pointed out similar things, citing the strength of corporate social responsibility as one of the best ways to reduce reputational damage.

Insurance companies are also focusing on stock prices as an indicator of reputational damage. Insurers offer products designed to pay out in the event of a sharp stock market decline, such as that seen after a cybersecurity breach.
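The gap between "the price recovered" and "the stock still lags its peers" can be measured as a buy-and-hold abnormal return. The following is an added example, not part of the original article; the prices, share count and function names are constructed for illustration, and `INDEX` stands in for whatever peer benchmark is chosen.

```python
# Added example: buy-and-hold abnormal return (BHAR) after a breach disclosure.
# All prices and the share count are constructed, not real market data.

def bhar(stock, index, event_idx, horizon):
    """Stock return minus benchmark return over `horizon` trading days,
    measured from the last close before disclosure (event_idx)."""
    if len(stock) != len(index):
        raise ValueError("price series must cover the same trading days")
    end = event_idx + horizon
    if event_idx < 0 or horizon < 1 or end >= len(stock):
        raise ValueError("horizon runs past the available price history")
    stock_ret = stock[end] / stock[event_idx] - 1
    index_ret = index[end] / index[event_idx] - 1
    return stock_ret - index_ret

def reputational_shortfall(stock, index, event_idx, shares, horizons):
    """Translate BHAR at each horizon into a market-capitalisation shortfall."""
    base_cap = stock[event_idx] * shares  # market cap at the pre-disclosure close
    rows = []
    for h in horizons:
        ar = bhar(stock, index, event_idx, h)
        rows.append({
            "horizon_days": h,
            "raw_return": stock[event_idx + h] / stock[event_idx] - 1,
            "abnormal_return": ar,
            "cap_shortfall": ar * base_cap,
        })
    return rows

# Constructed daily closes; disclosure happens after the close at index 1.
STOCK = [50.0, 50.0, 46.0, 47.0, 49.0, 50.0, 51.0]
INDEX = [100.0, 100.0, 100.0, 102.0, 104.0, 106.0, 110.0]
EVENT_IDX = 1
SHARES = 10_000_000

if __name__ == "__main__":
    for row in reputational_shortfall(STOCK, INDEX, EVENT_IDX, SHARES, [1, 3, 5]):
        print("day +{horizon_days}: raw {raw_return:+.1%}, "
              "vs benchmark {abnormal_return:+.1%}, "
              "shortfall {cap_shortfall:,.0f}".format(**row))
```

In the constructed data the share price ends above its pre-disclosure level, yet the shortfall against the benchmark is as large on the last day as on the first.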

PR agency and advisor costs

Another metric to consider is the cost of professional advisors who assist with media strategy, including proper communication. The expertise of a PR firm is essential, because a wrong media strategy can be disastrous, but it comes at a cost. The services of a PR firm are often covered as part of the reputational damage cover of an insurance policy, so they are certainly economically quantifiable. It may not be the total cost of reputational damage, but PR advisors can reliably measure it, so its cost is an imperfect but reliable indicator.

Complaint hotline costs

As complaints increase, businesses must hire or contract additional staff to handle complaint hotlines and social media channels. Such temporary staffing is necessary to prevent a serious situation, and it is expensive. This cost is easily measured and can be used to quantify reputational damage. However, be careful not to double count when evaluating the cost of incident response.

Loss of customers and sales

Customer attrition is also a measurable way to monetize reputational damage. According to Centrify/Ponemon and others, "65% to 87% of customers move their business elsewhere after a cybersecurity breach."

This has happened to many large companies that have lost tens of thousands of customers after suffering a cybersecurity breach. As an alternative to metrics such as number of accounts or subscribers, techniques such as the relief-from-royalty method can be used to quantify the decline in an organization's intangible valuation that occurs after a breach.
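The relief-from-royalty method values a brand as the present value of the after-tax royalties the owner would otherwise pay to license it, so a breach-driven revenue loss shows up as a lower valuation. The following is an added example, not part of the original article; the revenue figures, rates, function names and the linear customer win-back model are all assumptions made for illustration.

```python
# Added example: relief-from-royalty valuation before and after a breach.
# All figures are constructed; the linear win-back model is an assumption.

def relief_from_royalty(revenues, royalty_rate, tax_rate, discount_rate):
    """Present value of the after-tax royalties saved by owning the brand.
    `revenues` holds the forecast for year 1, year 2, ..."""
    value = 0.0
    for year, revenue in enumerate(revenues, start=1):
        after_tax_royalty = revenue * royalty_rate * (1 - tax_rate)
        value += after_tax_royalty / (1 + discount_rate) ** year
    return value

def post_breach_revenues(baseline, attrition, recovery_per_year):
    """Apply customer attrition to a baseline forecast.
    Assumed model: `attrition` of revenue is lost in year 1 and
    `recovery_per_year` of it is won back each following year."""
    if not 0 <= attrition <= 1 or recovery_per_year < 0:
        raise ValueError("attrition must be in [0, 1], recovery non-negative")
    adjusted, lost = [], attrition
    for revenue in baseline:
        adjusted.append(revenue * (1 - lost))
        lost = max(0.0, lost - recovery_per_year)
    return adjusted

def brand_value_decline(baseline, attrition, recovery_per_year,
                        royalty_rate, tax_rate, discount_rate):
    """Drop in intangible value attributable to breach-driven attrition."""
    before = relief_from_royalty(baseline, royalty_rate, tax_rate, discount_rate)
    after = relief_from_royalty(
        post_breach_revenues(baseline, attrition, recovery_per_year),
        royalty_rate, tax_rate, discount_rate)
    return before - after

if __name__ == "__main__":
    forecast = [100.0, 100.0, 100.0]  # constructed revenue forecast, in millions
    loss = brand_value_decline(forecast, attrition=0.2, recovery_per_year=0.1,
                               royalty_rate=0.05, tax_rate=0.2, discount_rate=0.1)
    print(f"Decline in brand value: {loss:.2f}M")
```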

Increased audit burden

Suppliers and key customers of compromised companies tend to be sensitive to those companies' cybersecurity measures. As a result, the number of audits increases, and certification such as ISO 27001 may be required before trust is sufficiently restored. This increased compliance burden is costly, including legal fees, private investigations, intellectual property (IP) recovery, anti-counterfeiting measures, and trademark protection. These costs run into the millions of dollars, and lawsuits can go on for years. A series of actions is required on a regular basis to prevent lost sales and further loss of customers due to the victim company's brand being associated with low-quality counterfeit products.

Not all litigation costs are tied to reputational protection, nor should they be. Although we must be careful about which litigation costs we include in our metrics, we can quantify the impact on reputation by accounting for these costs explicitly.

Rising credit costs and insurance premiums

Rising credit costs and insurance premiums are known to be associated with cyber incidents. Companies that suffer data breaches are viewed as less trustworthy by their creditors and have to pay correspondingly more for financial services.

Increase in medical expenses

In the healthcare sector, which has been targeted by cyberattacks, the impact on reputation can be assessed by estimating the increased costs incurred when patients delay their initial visits. Cyberattacks are known to undermine trust in medical institutions and cause patients to delay or put off treatment of their illnesses. Delayed treatment means more severe illness and higher treatment costs. Even public organizations need a way to quantify reputational damage.

The examples above are neither exhaustive nor applicable to all organizations and incidents.

But with the right metrics in place, you can start tracking, managing, and mitigating reputational damage. Advance planning and the use of an incident response team are the most effective ways to minimize reputational damage. You need to prepare well in advance and be ready to respond appropriately when the time comes.