Sponsored by the William and Flora Hewlett Foundationand the CyberCube unit of the Symantec Corporation
JUSTICE, INFRASTRUCTURE, AND ENVIRONMENT
Limited Print and Electronic Distribution RightsThis document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org For more information on this publication, visit www.rand.org/t/RR2299Published by the RAND Corporation, Santa Monica, Calif.
© Copyright 2018 RAND CorporationR® is a registered trademark.iii Preface Cyber incidents have been increasing in frequency and cost in recent years, with some resulting in hundreds of millions of dollars in losses. There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk across countries and industry sectors. In many cases, comparing research studies is complicated by a lack of transparency in methodologies, assumptions, and data sets used. The goal of this research was to produce a transparent methodology for estimating present and future global costs of cyber risk, acknowledging the considerable uncertainty in the frequencies and costs of cyber incidents. A companion Excel tool implements the methodology described in this document.1 This research was sponsored by the William and Flora Hewlett Foundation and the CyberCube unit of the Symantec Corporation and will be of interest to researchers and policymakers involved with cyber risk assessment and mitigation.
RAND Science, Technology, and PolicyThe research reported here was conducted in the RAND Science, Technology, and Policy program, which focuses primarily on the role of scientific development and technological innovation in human behavior, global and regional decisionmaking as it relates to science and technology, and the concurrent effects that science and technology have on policy analysis and policy choices. The program covers such topics as space exploration, information and telecommunication technologies, and nano-and biotechnologies. Program research is supported by government agencies, foundations, and the ...
