Interactive Cost Model (ICM)

    Estimated Financial Impact


    SAFE displays the Estimated Financial Impact per Cyber Risk Scenario, i.e., the dollar value impact an enterprise can incur due to a breach. A range is also provided with upper and lower bounds of Financial Impact, with an expected value that is generally a mean. SAFE auto-generates the inherent EFI for a risk scenario based on the company characteristics, security findings, and applicable cost drivers.

[Image: Financial Risk]

    The default Estimated Financial Impact estimation is powered by Safe Security’s proprietary database - built and maintained by our expert analysts and threat intelligence teams. The model leverages:

    • Over 500,000 data points across 2,000 mapped discrete incidents taken from primary sources across:
      • Financial fraud - such as business email compromise, account takeover, and advertising fraud
      • Ransomware, PxI data breaches - including leaks and exposures
      • Wiper and cryptocurrency theft - including lost access
      • Data privacy violations
• ~1,300 CVEs identified as seen in the wild, and over 1,100 attack groups, including identified aliases
    • TTP mapping to MITRE ATT&CK for over 100 attack groups and malware (with more added regularly)
    • A pipeline of over 25,000 security incidents is being actively reconciled and processed.


    Interactive Cost Model (ICM)


    Interactive Cost Model (ICM) is an interactive tool that allows you to calibrate the cost modeling assumptions for cyber risk scenarios.

The ICM lets a user calibrate the cost modeling assumptions for each cost category that applies to a cyber risk scenario. The user can provide lower bound, upper bound, and expected values for every tunable cost driver. From these inputs SAFE recalculates the EFI and, from it, the Financial Risk for that Cyber Risk Scenario.

We have recently enhanced the ICM; the key highlights are:

• Follows the MECE Principle: ICM is structured using the Mutually Exclusive and Comprehensively Exhaustive (MECE) principle, which improves clarity and avoids counting the same cost twice in attack cost calculations.
• Hierarchical Model Framework: The model's framework hierarchy has been redefined and now aligns better with cyber insurance coverage categories.
• Enhanced Financial Impact Questionnaire: A new questionnaire with 20+ questions has been introduced to generate EFI values with varying levels of confidence.
• Geographical Accuracy: Improved geographical accuracy through new logic and targeted questions in the Financial Impact Questionnaire. Geographical specificity can now be achieved by tuning cost-per-hour benchmark driver values.
• Simplified Class Action Lawsuit Logic: The logic for building "class action record-holder lawsuit" claims has been simplified, making it easier to identify applicable record-holders and associated costs.
• Streamlined PII Record Holders Calculation: The calculation of compromised PII record-holders has been simplified to two categories, Sensitive PII and PCI, accommodating different cyber risk scenarios.
• Added Tunable Cost Drivers: Each impact control now features tunable cost drivers in the relevant cost categories, enhancing customization and accuracy.
• New Categories and Subcategories: Introduced a Customer Notification category with subcategories, a PCI-DSS Liability category, a biometric class action settlement category, and more, providing a comprehensive analysis.
• Enhanced Legal Cost Calculation: Refined forensic and legal cost calculation with multiple drivers, benchmark values, and categorizations for improved accuracy.
• Flexible Third-Party Liability Viewing: Ability to view class action litigation and "Claims Expenses - Attorneys' Fees + Discovery" before or after likelihood, enhancing third-party liability cost analysis.

ICM is available for the following risk scenarios in SAFE:

Risk Scenario | Definition
Ransomware | Attack that encrypts data on servers and laptops/desktops.
Data Compromise - APT Cybercriminal | Data Breach that compromises customer and/or employee sensitive PII.
Business Email Compromise | Business Email Compromise - a social engineering technique whereby an attacker cons an employee into sending a fraudulent vendor wire transfer.
Enterprise | Additive costs of Ransomware, Data Compromise - APT Cybercriminal, and BEC attacks on the Enterprise’s assets.

    Edit values for Cost Drivers


Follow the step-by-step procedure below to edit the cost drivers.

1. Log in to SAFE as an admin.
2. Navigate to the Risk Scenario page and click the risk scenario for which you want to edit the cost drivers. Refer to the list above of risk scenarios for which ICM is available.
3. Scroll down to the Estimated Financial Impact section and click the See More button. The Estimated Financial Impact section expands and displays the ICM.
4. Click the expand all rows icon to view all the cost categories and subcategories. Refer to List 1 below for the category and subcategory definitions.
5. Click the Edit button to update the values of the cost drivers. Refer to List 2 for cost driver definitions.
    6. Once values are updated, click the Update button.
    7. On the confirmation screen, click the Ok button.

    List 1: Category and Subcategory Definitions

Cost Category Name (like Techniques in MITRE ATT&CK) | Definition

    INFORMATION PRIVACY

    Covers all costs associated with the compromise of sensitive PII records including: forensic investigation of the compromise; legal cost including discovery of the records compromised and their owners; legal costs to respond to litigation; class action settlements; legal costs to respond to regulatory investigations; and, regulatory fines.

    Sensitive PII Event Response and Management

    Direct incident response costs to determine if sensitive PII records were compromised and, if so, determining the magnitude and ownership of the compromised records.

    Forensic Investigation (PII Records Breached)

    External forensic investigation costs to determine if PII was compromised and, if so, from where in the network and the extent of the compromise.

    Legal (PII Records Breached)

External legal costs to determine the nature of the PII stolen and the identity and residence of the recordholders of the PII stolen. Also includes required notifications to recordholders as well as regulatory and government authorities.

    Public Relations (PII Records Breached)

    The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

    Net Number of Sensitive PII Recordholders Compromised

    The number of individual sensitive PII recordholders breached - can be different from the number of records breached since multiple records may belong to one recordholder.

    Number of Sensitive PII Recordholders Compromised in non PCI-only Attacks

    This refers to data compromise risk scenarios where no PCI records were compromised or where PCI records are not the only type of record compromised.

    Number of PCI-only Recordholders Compromised

    Refers to data compromise risk scenarios where only PCI records are stolen.

    Customer Notification

    Compromised recordholders must be notified of the breach - how the notification is made depends on the nature of the data stolen and the prior breach contact method approval given by the recordholder.

    Notification by Email

    Email notification is sufficient for certain types of records and if the recordholder has given prior authorization to be notified of a breach by email.

    Notification by Postal Service

If the recordholder did not previously authorize breach notification by email, or in the case of certain types of information compromised, the company is required to send a letter to the recordholder via postal service.

    Call Center

    For large breaches the breached company generally sets up one or more call centers to handle inquiries by all customers seeking to know if their information was breached and what they should do next.

    Monitoring & ID Protection

    Generally breached companies offer a year (sometimes more) of credit monitoring (and sometimes identity theft protection as well).

    PCI-DSS Liability

    Costs imposed by the card issuer members of PCI DSS for compromise of PCI information.

    PCI-DSS Penalties

    Penalties owed to card issuers that are in excess of pre-determined levels as per contract.

    PCI Non-Compliance Fines

    Fines owed to card issuers if organization was determined to be out of compliance when the compromise took place.

    Operational Reimbursement Assessment - Card Replacement Fee

    The cost incurred by card issuers to replace compromised payment cards.

    Fraud Reimbursement Assessment

    An assessment for the amount of fraud determined to be directly related to the compromise.

    Case Management Assessment

Cost of the compromise assessment by PCI DSS.

    PCI-DSS Response Expenses

    Cost of a PCI qualified independent forensic investigation.

    Information Privacy Liability

    Legal and Settlement costs of litigation surrounding the compromise of sensitive PII.

    Claims Expenses - Attorneys' Fees + Discovery (outside counsel)

    Outside legal costs associated with defense of sensitive PII data litigation only.

    Class Action Recordholder Settlement

    The final settlement cost of a class action lawsuit representing recordholders whose sensitive PII records were breached.

    Class Action Recordholder Settlement Before Likelihood

    Class action litigation after a data compromise is a third party liability cost and is often presented after the likelihood of a legal settlement since lawsuits generate costs outside of the company’s control.

    Number of Settlement Members (CA-Recordholder)

    The number of compromised sensitive PII recordholders who become official members of a class action lawsuit.

    Members' Claims (CA-Recordholder)

    The sum of the one or more types of financial claims agreed to as part of the final settlement of a class action lawsuit.

    Total Fraudulent Tax Return Claims

The cost of claims related to the filing of fraudulent tax returns using stolen tax-related records (e.g., W-4s in the US).

    Total Extraordinary Documented Out-of-Pocket Claims

    The cost of claims arising from members' documented unreimbursed identity theft fraudulent costs.

    Total Documented Out-of-Pocket Claims

    The cost of claims arising from members' documented unreimbursed costs incurred to respond to the breach.

    Total Cash Payments for All Members - no Documentation

The cost of making a one-time cash payment to all members, or a class of members, to offset the time spent responding to the breach and the hardship incurred by members. Alternatively, this can be a payment to members who have not filed valid claims for reimbursement under another type of claim in the settlement.

    Members' Monitoring and ID Protection (CA-Recordholder)

    Part of Class Action Recordholder - The cost of providing credit monitoring and identity theft protection to members, usually for 2 years.

    Plaintiffs' Attorneys' Fees-Costs-Expenses (CA-Recordholder)

    Part of Class Action Recordholder - The sum of the cost of plaintiffs' legal fees, expenses, court costs, and plaintiff awards.

    Attorneys' Fees (Recordholder)

    Part of Class Action Recordholder - Plaintiffs' attorneys' fees approved by the court for trying the case.

    Court Costs and Expenses (Recordholder)

Part of Class Action Recordholder - The costs and expenses incurred by plaintiffs' attorneys.

    Service Awards

    Part of Class Action Recordholder - service awards paid to class members who assisted plaintiffs' attorneys with the case.

    Settlement Administration and Notification (CA-Recordholder)

    Part of Class Action Recordholder - The costs of third party settlement administration and notification.

    Class Action Biometrics Settlement

Class Action settlement for the improper collection and/or storage of PBI (personal biometric information), usually - but not always - as a result of using employees' biometric information (fingerprints) for time clocks without obtaining their prior permission.

    Class Action Biometrics Settlement Before Likelihood

    The user has the option of including possible biometric settlement before or after likelihood of occurrence.

    Number of Settlement Members (CA-Biometrics)

    The number of people whose PBI was used improperly who choose to become part of the class action.

    Members' Claims (CA-Biometrics)

    The sum of all types of member claims awarded as part of the settlement.

    California Residents

    The California CCPA (California Consumer Protection Act of 2018) has special provisions requiring businesses to safeguard individuals' biometric data.

    Illinois Residents

Illinois (IL BIPA) is one of the most stringent laws in the US covering biometric data. To date, the majority of class action settlements have been filed under BIPA.

    Residents in Rest of US

    There are other class action settlements that have awarded claims from biometric data misuse to residents of states other than CA and IL.

    Plaintiffs' Attorneys' Fees-Costs-Expenses (CA-Biometrics)

    Part of Class Action Biometrics - The sum of the cost of plaintiffs' legal fees, expenses, court costs, and plaintiff awards.

    Attorneys' Fees (Biometrics)

    Part of Class Action Biometrics - Plaintiffs' attorneys' fees approved by the court for trying the case.

    Court Costs and Expenses (Biometrics)

Part of Class Action Biometrics - The costs and expenses incurred by plaintiffs' attorneys.

    Settlement Administration and Notification (CA-Biometrics)

    Part of Class Action Biometrics - The costs of third party settlement administration and notification.

    Class Action Financial Settlement

    The final settlement of a class action lawsuit representing financial institutions who incurred costs related to compromised PCI records.

    Regulatory Liability

    All costs associated with regulatory investigations including external legal fees and discovery as well as fines.

    Attorneys' Fees (outside counsel)

    Outside legal costs associated with defense of proposed regulatory actions.

    Privacy Violations from Data Breach only (theft or exposure)

    Fines related to data breaches only. Generally fines are only levied on companies with multiple breaches or egregiously poor cyber controls.

    HIPAA

HIPAA fines related to the breach of PHI records. The regulatory body is the US Department of Health and Human Services, and the regulation protects US-resident recordholders. Benchmark costs are based on all of the actual HIPAA fines levied by the HHS OCR.

    SAG

    Fines imposed by State Attorneys General. Each SAG represents compromised recordholders residing in their respective states.

    FTC (Data Breach only)

Fines imposed by the U.S. Federal Trade Commission. Generally these fines are only for very large breaches with very poor security. Often the FTC elects to impose a mandatory consent order in lieu of a fine, requiring the company to improve its cybersecurity according to strict guidelines.

    SEC

    Fines imposed by the U.S. Securities and Exchange Commission. There have been only a handful of data breach-related fines issued by the SEC.

    OCC

    Fines imposed by the U.S. Treasury Department’s Office of the Comptroller of the Currency. These fines apply to financial services companies and only to very large breaches where security measures were deemed to be unacceptable.

    NYDFS

The New York Department of Financial Services has expanded its oversight of all companies with financial service offerings in the state of New York. This is a fairly recent type of fine, and potential transgressions are being actively investigated by the NYDFS. Fines are not limited to data breaches; they are also imposed for lack of mandatory controls such as multi-factor authentication.

    UK ICO

After Brexit, the UK Information Commissioner’s Office issues fines related to data breaches and misuse of PII instead of GDPR.

    GDPR (Data Breach only)

    The General Data Protection Regulation protects EU resident recordholders. Benchmark costs are based on all of the actual GDPR fines imposed for data breaches.

    Privacy Violations from Unauthorized Use of PII

    Fines related to management’s misuse of customer or employee PII. This includes all PII, not just “sensitive” PII.

    GDPR (Unauthorized Use of PII)

    Most GDPR fines have been for management misuse of PII or not providing an individual access to their PII.

    HIPAA (Unauthorized Use of PII)

    Most of the HIPAA fines imposed have been for data compromises but there are also quite a number of fines for management misuse of data or not providing an individual access to their PHI.

    FTC (Unauthorized Use of PII)

    The FTC has issued many fines relating to improper use of PII for advertising - robocalls, blast emails, etc. without first obtaining permission for such use by the recordholder.

    BUSINESS INTERRUPTION

    Covers all costs associated with revenues or net profits lost and operating expenses paid during a business interruption due to a cyber attack on your network or a network in your supply chain.

    Direct Business Interruption

    Direct Business Interruption refers to revenue and net profit losses related to downtime from an attack on the user’s own network.

    Revenue Lost (Direct BI)

    The amount of revenue lost as a result of direct business interruption and not believed to be recoverable in the future.

    Revenue Deferred (Direct BI)

    The amount of revenue that is deferred as a result of business interruption but is believed to be recoverable in the future.

    Public Relations (Direct BI Revenue)

    The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

    Direct Business Interruption for Cyber Insurance Coverage

Replaces revenue lost (direct) with net profits lost + unavoidable operating expenses (direct) to account for cyber insurance coverage calculations.

    Pre-tax Net Profit Lost - EBITDA (direct BI)

    Pre-tax Net Profit Lost (direct) for insurance calculations is assumed to be EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization).

    Expenses Incurred during BI

Those unavoidable operating expenses (direct) incurred during business interruption (e.g., salaries, rents, subscriptions, etc.).

    Forensic Accounting Firm (for cyber insurance coverage)

    Forensic accountants help determine and substantiate business interruption costs for cyber insurers.

    Public Relations (Direct BI Net Profit)

    The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

    Contingent Business Interruption (Supply Chain Attack Victim - 3P failure to provide IT services)

Contingent Business Interruption refers to revenue and net profit losses related to downtime from an attack on the network of a third party in the user’s supply chain (e.g., a supply chain (victim) cyber risk).

    Revenue Lost (contingent BI)

    The amount of revenue lost as a result of a contingent business interruption and not believed to be recoverable in the future.

    Public Relations (Contingent BI Revenue)

    The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

    Contingent Business Interruption for Cyber Insurance Coverage

    Replaces revenue lost (contingent) with net profits lost + unavoidable operating expenses (contingent) to account for cyber insurance coverage calculations.

    Pre-tax Net Profit Lost - EBITDA (contingent BI)

    Pre-tax Net Profit Lost (contingent) for insurance calculations is assumed to be EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization).

    Expenses Incurred during BI (contingent BI)

Those unavoidable operating expenses (contingent) incurred during business interruption (e.g., salaries, rents, subscriptions, etc.).

    Forensic Accounting Firm (contingent BI)

    Forensic accountants help determine and substantiate business interruption costs for cyber insurers.

    Public Relations (Contingent BI Net Profit)

    The cost of an outside PR firm to manage disclosure of the incident so as to minimize potential reputational damage.

    CYBER EXTORTION

    Covers the ransom and associated negotiation and transaction costs.

    Ransom

    Total cost of the ransom paid.

    Ransom Paid

    The amount of any ransom paid to the attacker and the cost of negotiators if used.

    NETWORK SECURITY

    Includes the costs associated with identifying, responding to and recovering from any type of attack at the network level including investigation, remediation, restoration and data recovery.

    Network Event Response and Recovery

Incident response cost directly related to investigation, remediation, and restoration of network equipment and systems (including OS, applications, and data).

    Forensic Investigation (Network Incident Response)

    Fees associated with external forensic investigators who analyze the security incident, contain the attack if necessary, collect evidence and advise on remediation measures.

    Legal (Network Incident Response)

    Fees associated with outside legal counsel specializing in security incidents and their aftermath.

    System Restoration

    The cost of re-imaging a system after it was compromised (re-installing the operating system and all applicable applications).

    Restore Servers

    The cost of restoring operating systems and applications on servers.

    Restore Computers/Laptops

The cost of restoring operating systems and applications on computers/laptops.

    Data Recovery

    The cost of restoration of data to encrypted systems.

    Restore Data to Servers

    The cost of restoring data to servers from backups.

    Restore Data to Computers/Laptops

    The cost of restoring data to computers/laptops from backups - is generally limited to the C-suite and specific systems.

    Restore Data (from hard drives) - no backup available

    The cost of restoring data from hard drives (much more difficult and problematic than restoring data from backups).

    FINANCIAL FRAUD

In ICM v2, this category includes the estimated cash lost from a simple Business Email Compromise (BEC) attack on vendor wire transfers caused by social engineering.

    BEC

    The amount of money fraudulently wired as a result of social engineering employed upon an employee.

List 2: Cost Driver Definitions

Driver Name (like Sub-techniques in MITRE ATT&CK) | Tunable | Definition

    Number of hours (PII forensics) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII forensics)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (PII forensics)

    YES

    The cost per hour for an action - is used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (PII legal) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII legal)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (PII legal)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (PII PR) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested BCP) - percent reduction in number of hours (PII PR)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (PII PR)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of total sensitive PII recordholders in US, Canada, and Australia

    YES

The sum of sensitive PII recordholders in the US, Canada, and Australia divided by the total number of sensitive PII recordholders [worldwide], expressed as a percent.

    Percent of total sensitive PII recordholders compromised

    YES

    The estimated percent of sensitive PII recordholders compromised (Benchmark percent is a function of total revenue).

    IC - percent of customer sensitive PII recordholders compromised if PII encrypted at rest

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of PCI recordholders in US, Canada, or Australia

    YES

Inferred percent of PCI recordholders that are located in the US, Canada, and Australia.

    Percent of PCI recordholders compromised

    YES

    The inferred percent of PCI recordholders compromised (Benchmark percent is a function of total revenue).

    IC - percent of PCI recordholders compromised if PII encrypted at rest

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per recordholder (notification email)

    YES

    Estimated cost per recordholder is a function of the number of recordholders compromised.

    Setup Fee (notification email)

    YES

    Fixed fee amount.

    Percent of sensitive PII recordholders required to be notified by postal service

    YES

Customer input to question. [Some records require notification of a breach by postal service according to regulatory requirements, except that in some circumstances a customer may formally agree to be notified by email instead of postal service.]

    Cost per recordholder (notification postal service)

    YES

    Estimated cost per recordholder is a function of the number of recordholders compromised.

    Setup Fee (notification postal service)

    YES

    Fixed fee amount.

    Cost per recordholder (call center)

    YES

    Estimated cost per recordholder is a function of the number of recordholders compromised.

    Setup Fee (call center)

    YES

    Fixed fee amount.

    Cost per recordholder per month (IR)

    YES

    The cost to provide credit monitoring & identity theft protection for one recordholder for a month.

    Number of months (IR)

    YES

    The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of compromised recordholders that accept monitoring (IR)

    YES

    Percent of recordholders that accept the monitoring & ID protection offered. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per month fine

    YES

    The number of months that an organization was found PCI-DSS noncompliant before the data compromise.

    Number of months non-compliant

    YES

    The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per card replacement fee

    YES

    The cost of replacing payment cards after a PCI compromise.

    Percent of compromised cards replaced

    YES

    Percent of payment cards needing to be replaced after a PCI compromise.

    Fraud reimbursement assessment threshold

    YES

    The contractual threshold amount of fraud set by card issuers.

    Percent of cards stolen used fraudulently

    YES

    Estimated number of compromised payment cards used fraudulently after their compromise.

    Median fraudulent charge per card

    YES

    The estimated median fraudulent charges per compromised payment card.

    Flat fee

    YES

    Fixed fee amount for a PCI Case Management Assessment.

    Qualified PCI-DSS 3P forensic firm investigation

    YES

A second forensic investigation by a qualified PCI-DSS 3P is required after a PCI data compromise.

    QSA PCI-DSS audit

    YES

    After the qualified 3P forensic investigation, an audit by a qualified 3P PCI auditor is required.

    Number of hours (PII liability legal) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested IR plan) - percent reduction in number of hours (PII liability legal)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (PII liability legal)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (PII liability legal)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Litigation costs are before applying likelihood (CA-recordholder)

    YES

This is a cost driver that replaces the question, “Do you want to account for litigation costs before applying likelihood of occurrence?” This driver can only be 0% or 100%. If the driver is 100%, the answer to the question is YES: show 100% of the costs without applying the likelihood of occurrence. If it is 0%, the litigation costs are multiplied by the likelihood of occurrence.

    Percent likelihood of a lawsuit (CA-recordholder)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Maximum historical settlement (CA-recordholder)

    YES

    A maximum settlement amount is established for each class action lawsuit based on historical maximum settlements approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

    Settlement subtotal (pre-improvements) (CA-recordholder)

    NO

    Subtotal formula.

    Percent of recordholders that become members

    YES

    The percent of compromised recordholders that become members of a class action lawsuit.

    Per claim (tax)

    YES

    The per recordholder claim amount for recordholders whose stolen PFI was used to file a fraudulent tax return claim with the governing tax authority.

    Percent of members with valid claims (tax)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per claim (extra)

    YES

    The per recordholder claim amount for recordholders who suffered unreimbursed extraordinary out-of-pocket losses as a result of identity theft.

    Percent of members with valid claims (extra)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per claim (documented)

    YES

    The per recordholder claim amount for recordholders who suffered unreimbursed out-of-pocket expenses responding to the breach.

    Percent of members with valid claims (documented)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cash payment

    YES

    The per recordholder amount offered by the breached company to all members with no documented out-of-pocket expenses required.

    Percent of members qualifying for another type of claim

    NO

    Unless the only claim type is a fixed cash payment for all members, this claim type is reserved for those members who did not qualify for a potentially larger type of cash claim.

    Percent of members participating

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per employee per month (CA-recordholder)

    YES

    The cost to provide credit monitoring & identity theft protection for one recordholder for a month.

    Number of months (CA-recordholder)

    YES

    The number of months duration of an expense. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of members that accept monitoring (CA-recordholder)

    YES

    Percent of recordholders that accept the monitoring & ID protection offered. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of total settlement cost (excluding injunctive relief) (CA-recordholder)

    YES

    The percent of the total settlement that can be comprised of plaintiffs' attorneys' fees. Usually the courts allow 25%.

    Court costs as a percent of attorneys' fees (CA-recordholder)

    YES

    Court costs and litigation expenses incurred by plaintiffs' attorneys.

    Number of service awards (CA-recordholder)

    YES

    The number of plaintiffs' representatives eligible for a service award for helping their attorneys.

    Cost per service award (CA-recordholder)

    YES

    The cost per service award (paid to settlement members who assisted plaintiffs’ attorneys).

    Maximum administration costs by revenue range (CA-recordholder)

    YES

    A maximum amount is established based on historical maximum administration costs approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

    Subtotal administration and notification costs (CA-recordholder)

    NO

    Subtotal formula.

    Average administration and notification cost per record (CA-recordholder)

    YES

    The average cost per breached recordholder. The administrator needs to send official notification to every breached recordholder who may be qualified to be a member of the lawsuit. The administrator then needs to validate all claims and disburse funds according to the terms of the settlement.
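    The CA-recordholder drivers above combine into one settlement estimate. The following is a constructed worked example added here, not SAFE's own subtotal formula or benchmark values: it folds the per-claim types, the cash-payment fallback, credit monitoring, the percentage-of-fund attorneys' fee, court costs, service awards, capped administration costs and the historical-settlement cap into one function, then applies the 0%/100% "litigation costs before likelihood" toggle. The percentage-of-fund fee treatment and the way the cash-payment fallback is derived are assumptions.

```python
"""Constructed worked example (not SAFE's own formula): a class action settlement
estimate for the CA-recordholder cost category, built from the drivers above."""
from dataclasses import dataclass, field, replace


@dataclass
class ClaimType:
    """One per-recordholder claim type (tax, extra, documented)."""
    per_claim: float   # dollars paid per valid claim
    pct_valid: float   # fraction of members with a qualified claim (0.02 == 2%)


@dataclass
class RecordholderDrivers:
    # All "percent" drivers are fractions here: 0.25 is the page's 25%.
    recordholders: int
    litigation_before_likelihood: float  # the 0%/100% toggle: only 0.0 or 1.0
    pct_likelihood_lawsuit: float
    max_historical_settlement: float
    pct_become_members: float
    claims: list = field(default_factory=list)
    cash_payment: float = 0.0
    pct_participating: float = 0.0       # of members left with only the cash claim
    monitoring_cost_per_month: float = 0.0
    monitoring_months: int = 0
    pct_accept_monitoring: float = 0.0
    pct_attorney_fees: float = 0.25      # share of the settlement fund
    pct_court_costs: float = 0.0         # as a share of attorneys' fees
    service_awards: int = 0
    cost_per_service_award: float = 0.0
    admin_cost_per_record: float = 0.0
    max_admin_costs: float = float("inf")


def estimate_recordholder_settlement(base: RecordholderDrivers, **overrides) -> dict:
    """Return the settlement subtotal and the likelihood-adjusted expected cost."""
    d = replace(base, **overrides)  # lets a caller tune one driver at a time
    if d.litigation_before_likelihood not in (0.0, 1.0):
        raise ValueError("'Litigation costs are before applying likelihood' must be 0% or 100%")
    members = d.recordholders * d.pct_become_members
    claim_payments = sum(members * c.pct_valid * c.per_claim for c in d.claims)
    # Members who do not qualify for a larger claim fall back to the cash payment;
    # with no other claim types every member is eligible for it.
    pct_other = max(0.0, 1.0 - sum(c.pct_valid for c in d.claims))
    cash = members * pct_other * d.pct_participating * d.cash_payment
    monitoring = (members * d.pct_accept_monitoring
                  * d.monitoring_cost_per_month * d.monitoring_months)
    member_payments = claim_payments + cash + monitoring
    # Assumption: a percentage-of-fund award, so fees are pct_attorney_fees of
    # (member payments + fees), which is how "percent of total settlement" is read here.
    fees = member_payments * d.pct_attorney_fees / (1.0 - d.pct_attorney_fees)
    court_costs = fees * d.pct_court_costs
    service = d.service_awards * d.cost_per_service_award
    # Administration/notification scales with breached records but is capped by
    # the historical maximum for the revenue range.
    admin = min(d.recordholders * d.admin_cost_per_record, d.max_admin_costs)
    subtotal = min(member_payments + fees + court_costs + service + admin,
                   d.max_historical_settlement)
    # 100%: show the full litigation cost; 0%: multiply by likelihood of a lawsuit.
    if d.litigation_before_likelihood == 1.0:
        expected = subtotal
    else:
        expected = subtotal * d.pct_likelihood_lawsuit
    return {"members": members, "member_payments": member_payments,
            "attorney_fees": fees, "admin": admin,
            "subtotal": subtotal, "expected_cost": expected}


# Constructed sample values; they are not SAFE benchmarks.
SAMPLE_DRIVERS = RecordholderDrivers(
    recordholders=1_000_000,
    litigation_before_likelihood=0.0,
    pct_likelihood_lawsuit=0.40,
    max_historical_settlement=30_000_000,
    pct_become_members=0.10,
    claims=[ClaimType(per_claim=500, pct_valid=0.02),     # tax
            ClaimType(per_claim=5_000, pct_valid=0.01),   # extra
            ClaimType(per_claim=250, pct_valid=0.05)],    # documented
    cash_payment=50, pct_participating=0.25,
    monitoring_cost_per_month=10, monitoring_months=24, pct_accept_monitoring=0.20,
    pct_attorney_fees=0.25, pct_court_costs=0.05,
    service_awards=3, cost_per_service_award=5_000,
    admin_cost_per_record=2.0, max_admin_costs=5_000_000,
)

if __name__ == "__main__":
    for toggle in (0.0, 1.0):
        r = estimate_recordholder_settlement(SAMPLE_DRIVERS, litigation_before_likelihood=toggle)
        print(f"toggle={toggle:.0%}: subtotal={r['subtotal']:,.0f} expected={r['expected_cost']:,.0f}")
```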

    Litigation costs are after applying likelihood (CA-biometrics)

    YES

    This is a cost driver that replaces the question, “Do you want to account for litigation costs before applying likelihood of occurrence?” This driver can only be 0% or 100%. If the driver is 100%, the answer to the question is YES: show 100% of the costs without applying the likelihood of occurrence. If it is 0%, the litigation costs are multiplied by the likelihood of occurrence.

    Percent likelihood of a lawsuit (CA-biometrics)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Maximum historical settlement (CA-biometrics)

    YES

    A maximum settlement amount is established for each class action lawsuit based on historical maximum settlements approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

    Settlement subtotal (pre-improvements) (CA-biometrics)

    NO

    Subtotal formula.

    Percent of recordholders that become members (CA-biometrics)

    YES

    The percent of compromised recordholders that become members of a class action lawsuit.

    Per claim (CA-biometrics-CA)

    YES

    The per recordholder claim amount for California residents whose biometric data was used without their prior authorization.

    Percent of members with valid claims (CA-biometrics-CA)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per claim (CA-biometrics-IL)

    YES

    The per recordholder claim amount for Illinois residents whose biometric data was used without their prior authorization.

    Percent of members with valid claims (CA-biometrics-IL)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Per claim (CA-biometrics-rest of US)

    YES

    The per recordholder claim amount for US residents not residing in either California or Illinois whose biometric data was used without their prior authorization.

    Percent of members with valid claims (CA-biometrics-rest of US)

    YES

    Percent of members with a qualified claim. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of total settlement cost (excluding injunctive relief) (CA-biometrics)

    YES

    The percent of the total settlement that can be comprised of plaintiffs' attorneys' fees. Usually the courts allow 33% for biometric lawsuits.

    Court costs as a percent of attorneys' fees (CA-biometrics)

    YES

    Court costs and litigation expenses incurred by plaintiffs' attorneys.

    Maximum administration costs by revenue range (CA-biometrics)

    YES

    A maximum amount is established based on historical maximum administration costs approved by the courts. This is part of the calculation of Benchmark values for Class Action Settlements. The legend in () at the end of the name defines the cost category the driver belongs to.

    Subtotal administration and notification costs (CA-biometrics)

    NO

    Subtotal formula.

    Average administration and notification cost per record (CA-biometrics)

    YES

    The average cost per breached recordholder. The administrator needs to send official notification to every breached recordholder who may be qualified to be a member of the lawsuit. The administrator then needs to validate all claims and disburse funds according to the terms of the settlement.

    Average settlement (CA-financial)

    YES

    The average class action financial historical settlement.

    Average plaintiffs' attorneys fees (CA-financial)

    YES

    The average plaintiffs' attorneys' fees for class action financial settlements.

    Percent likelihood of a lawsuit (CA-financial)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (regulatory legal) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested IR plan) - Percent reduction in number of hours (regulatory legal)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (regulatory legal)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (regulatory legal)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    HIPAA fines (actual)

    YES

    US regulatory fine - protects US resident recordholders. Based on all of the actual HIPAA fines levied by the HHS Office for Civil Rights (OCR) for data compromise of PHI.

    IC - (encryption/tokenization) percent likelihood (HIPAA) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (HIPAA)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    SAG fines (actual)

    YES

    US regulatory fine - protects US resident (by state) recordholders. Based on actual State Attorney General (SAG) fines levied by one or more of the 51 SAGs (the 50 states plus the District of Columbia).

    IC - (encryption/tokenization) percent likelihood (SAG) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (SAG)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    FTC fines (actual)

    YES

    US regulatory fine - protects US resident recordholders. Based on all of the actual FTC fines imposed for data breaches.

    IC - (encryption/tokenization) percent likelihood (FTC) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (FTC)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    SEC fines (actual)

    YES

    US regulatory fine - applies to US public companies. Based on all of the actual SEC fines imposed for data breaches.

    IC - (encryption/tokenization) percent likelihood (SEC) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (SEC)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    OCC fines (actual)

    YES

    US regulatory fine - applies to US financial companies. Based on all of the actual OCC fines imposed for data breaches.

    IC - (encryption/tokenization) percent likelihood (OCC) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (OCC)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    NYDFS fines (actual)

    YES

    US regulatory fine - applies to US financial companies operating in NY state. Based on all of the actual NYDFS fines imposed for data breaches.

    IC - (encryption/tokenization) percent likelihood (NYDFS) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (NYDFS)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    UK ICO (Data Breach only) fines (actual)

    YES

    UK regulatory fine - protects UK resident recordholders. Based on all of the actual UK ICO fines imposed for data breaches. (Since Brexit, the UK is no longer covered by the EU’s GDPR.)

    IC - (encryption/tokenization) percent likelihood (UK ICO) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (UK ICO)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    GDPR (Data Breach only) fines (actual)

    YES

    EU regulatory fine - protects EU resident recordholders. Based on all of the actual GDPR fines imposed for data breaches.

    Adjustment for revenue size (GDPR data breach)

    YES

    Used for calculating Benchmark values.

    IC - (encryption/tokenization) percent likelihood (GDPR data breach only) if all sensitive PxI is encrypted

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent likelihood (GDPR data breach)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    GDPR (Unauthorized Use of PII) fines (actual)

    YES

    EU regulatory fine - protects EU resident recordholders. Based on all of the actual GDPR fines imposed for data misuse by management.

    Percent likelihood (GDPR - Unauthorized Use of PII)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    HIPAA (Unauthorized Use of PII) fines (actual)

    YES

    US regulatory fine - protects US resident recordholders. Based on all of the actual HIPAA fines levied by the HHS Office for Civil Rights (OCR) for misuse of PHI by management.

    Percent likelihood (HIPAA-Unauthorized Use of PII)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    FTC (Unauthorized Use of PII) fines (actual)

    YES

    US regulatory fine - protects US resident recordholders. Based on all of the actual FTC fines imposed for misuse of PII data such as robocalling.

    Percent likelihood (FTC-Unauthorized Use of PII)

    YES

    The percent likelihood of a cost occurring - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of days (direct BI revenue lost) - [selected cyber risk]

    YES

    The number of days during which revenue or net profit was lost (not generated) or expenses were incurred during a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI revenue lost)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily total annual revenue (direct BI revenue lost)

    YES

    Total revenue divided by number of days in a year to determine the daily revenue rate.

    Deferred revenue not recoverable (direct BI revenue lost)

    NO

    Subtotal formula.

    Percent of deferred revenue not recoverable (direct BI revenue lost)

    YES

    Sometimes a portion of deferred revenue is not recoverable and that unrecoverable amount should be added to revenue lost.

    Percent of revenue impacted (direct BI revenue lost) - [selected cyber risk]

    YES

    The percent of total revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of days (direct BI revenue deferred) - [selected cyber risk]

    YES

    The number of days during which revenue or net profit was lost (not generated) or expenses were incurred during a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI revenue deferred)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily total annual deferred revenue (direct BI revenue deferred)

    YES

    Total deferred revenue divided by number of days in a year to determine the daily revenue rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of deferred revenue impacted (direct BI revenue deferred) - [selected cyber risk]

    YES

    The percent of deferred revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (direct BI PR revenue) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI PR revenue)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (direct BI PR revenue)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Waiting period number of hours (direct BI)

    YES

    The period of time (generally hours) that must elapse after a business interruption starts before insurance coverage begins. The legend in () at the end of the name defines the cost category the driver belongs to.

    Restoration period number of days (direct BI)

    YES

    The length of time that insurance will cover a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.
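    The direct BI revenue drivers above (days of interruption, the BCP Impact Control, daily revenue, percent impacted, unrecoverable deferred revenue) and the two insurance drivers (waiting period, restoration period) determine how much of a revenue loss is uninsured. The following is a constructed worked example added here, not SAFE's own subtotal formula or benchmark values; it assumes the Impact Control shortens the interruption, that the same day count applies to deferred revenue, and that insurance covers a pro-rata share of the gross loss for the days between the waiting period and the restoration period.

```python
"""Constructed worked example (not SAFE's own formula): direct BI revenue lost with
the BCP Impact Control and the insurance waiting/restoration periods applied."""
from dataclasses import dataclass, replace

DAYS_PER_YEAR = 365


@dataclass
class DirectBIRevenueDrivers:
    # Fractions stand in for the page's percentages (0.30 == 30%).
    annual_revenue: float
    annual_deferred_revenue: float
    number_of_days: float              # Number of days (direct BI revenue lost)
    ic_bcp_pct_reduction_days: float   # IC - (comprehensive, tested BCP)
    pct_revenue_impacted: float
    pct_deferred_impacted: float
    pct_deferred_not_recoverable: float
    waiting_period_hours: float        # coverage starts only after this elapses
    restoration_period_days: float     # coverage stops after this many days


def estimate_direct_bi_revenue_lost(base: DirectBIRevenueDrivers, **overrides) -> dict:
    """Return gross revenue loss and the insured/uninsured split for one scenario."""
    d = replace(base, **overrides)  # lets a caller tune one driver at a time
    # Assumption: the Impact Control shortens the interruption rather than
    # discounting dollars, so the reduced day count feeds every rate below.
    days = d.number_of_days * (1.0 - d.ic_bcp_pct_reduction_days)
    daily_revenue = d.annual_revenue / DAYS_PER_YEAR
    revenue_lost = days * daily_revenue * d.pct_revenue_impacted
    # Unrecoverable deferred revenue is added to revenue lost (assumption: same
    # day count, using the deferred-revenue impact share).
    daily_deferred = d.annual_deferred_revenue / DAYS_PER_YEAR
    deferred_not_recoverable = (days * daily_deferred * d.pct_deferred_impacted
                                * d.pct_deferred_not_recoverable)
    gross = revenue_lost + deferred_not_recoverable
    # Insurance pays nothing during the waiting period and nothing beyond the
    # restoration period, so only the days in between are covered. An outage
    # shorter than the waiting period is entirely uninsured.
    waiting_days = d.waiting_period_hours / 24.0
    covered_days = min(max(days - waiting_days, 0.0), d.restoration_period_days)
    insured = gross * covered_days / days if days > 0 else 0.0
    return {"interruption_days": days, "revenue_lost": revenue_lost,
            "deferred_not_recoverable": deferred_not_recoverable,
            "gross_loss": gross, "covered_days": covered_days,
            "insured": insured, "uninsured": gross - insured}


# Constructed sample values; they are not SAFE benchmarks.
SAMPLE_BI = DirectBIRevenueDrivers(
    annual_revenue=365_000_000, annual_deferred_revenue=36_500_000,
    number_of_days=10, ic_bcp_pct_reduction_days=0.30,
    pct_revenue_impacted=0.50, pct_deferred_impacted=0.50,
    pct_deferred_not_recoverable=0.20,
    waiting_period_hours=48, restoration_period_days=30,
)

if __name__ == "__main__":
    for label, kw in (("10-day outage", {}),
                      ("1-day outage", {"number_of_days": 1, "ic_bcp_pct_reduction_days": 0.0}),
                      ("60-day outage", {"number_of_days": 60, "ic_bcp_pct_reduction_days": 0.0})):
        r = estimate_direct_bi_revenue_lost(SAMPLE_BI, **kw)
        print(f"{label}: gross={r['gross_loss']:,.0f} insured={r['insured']:,.0f} "
              f"uninsured={r['uninsured']:,.0f}")
```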

    Number of days (direct BI net profit) - [selected cyber risk]

    YES

    The number of days during which revenue or net profit was lost (not generated) or expenses were incurred during a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI net profit)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily pre-tax annual net profit (direct BI net profit)

    YES

    Total net profit divided by number of days in a year to determine the daily net profit rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of net profit impacted (direct BI net profit) - [selected cyber risk]

    YES

    The percent of net profit that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in subtotal cost (direct BI expenses)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily normal operating expenses (direct BI expenses)

    YES

    Total normal operating expenses divided by number of days in a year to determine the daily operating expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily extra expenses (direct BI expenses)

    YES

    Total extra expenses divided by number of days in a year to determine the daily extra expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (direct BI forensic accounting) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    Cost per hour (direct BI forensic accounting)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (Direct BI PR net profit) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (direct BI PR net profit)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (direct BI PR net profit)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of days (contingent BI revenue lost) - [selected cyber risk]

    YES

    The number of days during which revenue or net profit was lost (not generated) or expenses were incurred during a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (contingent BI revenue lost)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily contingent annual revenue (contingent BI revenue lost)

    YES

    Total contingent revenue divided by number of days in a year to determine the daily contingent revenue rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of contingent revenue impacted (contingent BI revenue lost) - [selected cyber risk]

    YES

    The percent of contingent revenue that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (contingent BI PR revenue) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested BCP) - percent reduction in number of hours (contingent BI PR revenue)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (contingent BI PR revenue)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Waiting period number of hours (contingent BI)

    YES

    The period of time (generally hours) that must elapse after a business interruption starts before insurance coverage begins. The legend in () at the end of the name defines the cost category the driver belongs to.

    Restoration period number of days (contingent BI)

    YES

    The length of time that insurance will cover a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of days (contingent BI net profit) - [selected cyber risk]

    YES

    The number of days during which revenue or net profit was lost (not generated) or expenses were incurred during a business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in number of days (contingent BI net profit)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily contingent net profit [customer input]

    YES

    Total contingent net profit divided by number of days in a year to determine the daily contingent net profit rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of net profit impacted (contingent BI net profit) - [selected cyber risk]

    YES

    The percent of contingent net profit that was impacted by the business interruption. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested BCP) - percent reduction in subtotal cost (contingent BI expenses)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily normal operating expenses (contingent BI expenses)

    YES

    Total operating expenses divided by number of days in a year to determine the daily operating expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Daily extra expenses (contingent BI expenses)

    YES

    Total extra expenses divided by number of days in a year to determine the daily extra expense rate. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (contingent BI forensic accounting) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    Cost per hour (contingent BI forensic accounting)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (contingent BI PR net profit) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    IC - (comprehensive, tested BCP) - percent reduction in number of hours (contingent BI PR net profit)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (contingent BI PR net profit)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Ransom demanded as a percent of revenue

    YES

    Attackers increasingly set the initial ransom demanded as a percentage of the victim's revenue.

    Ransom discount factor

    YES

    Depending on the revenue size and industry of the victim, attackers discount the initial ransom demanded in an effort to come up with a reasonable number most likely to be accepted by the victim.

    Ransom negotiator fees

    YES

    Ransom negotiators have become increasingly common, bringing their expertise to negotiations between the attackers and the victims. The cost of the negotiator can be a flat fee or a percent of the total ransom.

    Ransom transaction fees

    YES

    The cost to purchase and hold bitcoin for paying a ransom.

    IC (offsite-immutable data backup) - percent likelihood ransom IS paid

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (IR forensic) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested IR plan) - percent reduction in number of hours (IR forensic)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (IR forensic)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours (Network IR legal) - [selected cyber risk]

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected. The legend in () at the end of the name defines the cost category the driver belongs to.

    IC - (comprehensive, tested IR plan) - percent reduction in number of hours (Network IR legal)

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Cost per hour (Network IR legal)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of servers (restoration)

    YES

    The number of servers in the attack surface.

    Cost per server (restoration)

    NO

    Subtotal formula.

    IC (offsite-immutable data backup) - percent reduction in number of hours to restore a system

    YES

    IC (Impact Control) that reduces the cost of a specific function. Each IC is defined in the () after IC. The legend in () at the end of the name defines the cost category the driver belongs to.

    Number of hours to restore a server (restoration)

    YES

    The number of hours needed to perform an action - used throughout the ICM. The Benchmark number of hours varies by cyber risk selected.

    Cost per hour per server (restoration)

    YES

    The cost per hour for an action - used throughout the ICM. The legend in () at the end of the name defines the cost category the driver belongs to.

    Percent of servers breached (restoration) - [selected cyber risk]

    YES

    The percent of servers compromised in a given cyber risk scenario.

    Number of computers including laptops (restoration)

    YES

    The number of computers including laptops in the attack surface.

    Cost per computer/laptop (restoration)

    NO

    Subtotal formula.

    IC (offsite-immutable data backup) - percent reduction in overall cost to restore systems

    YES

    IC (Impact Control) that reduces the cost of a specific function. The control is named in the parentheses after IC; the legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Number of hours to restore a computer/laptop (restoration)

    YES

    The number of hours needed to perform an action; used throughout the ICM. The benchmark number of hours varies with the cyber risk selected.

    Cost per hour per computer/laptop (restoration)

    YES

    The cost per hour for an action; used throughout the ICM. The legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Percent of computers/laptops breached (restoration) - [selected cyber risk]

    YES

    The percent of computers/laptops compromised in a given cyber risk scenario.

    Number of servers (data backup)

    YES

    The number of servers in the attack surface.

    Cost per server (data backup)

    NO

    Subtotal formula.

    IC (offsite-immutable data backup) - percent reduction in overall cost to restore data (servers)

    YES

    IC (Impact Control) that reduces the cost of a specific function. The control is named in the parentheses after IC; the legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Number of hours to restore a server (data backup)

    YES

    The number of hours needed to perform an action; used throughout the ICM. The benchmark number of hours varies with the cyber risk selected.

    Cost per hour (server data backup)

    YES

    The cost per hour for an action; used throughout the ICM. The legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Percent of servers (data backup) - [selected cyber risk]

    YES

    The percent of servers to receive data backup in a given cyber risk scenario.

    Number of computers/laptops (restore data)

    YES

    The number of computers including laptops in the attack surface.

    Cost per computer/laptop (restore data)

    NO

    Subtotal formula.

    IC (offsite-immutable data backup) - percent reduction in overall cost to restore data (computers/laptops)

    YES

    IC (Impact Control) that reduces the cost of a specific function. The control is named in the parentheses after IC; the legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Number of hours forensics to restore data on computer/laptop

    YES

    The number of hours needed to perform an action; used throughout the ICM. The benchmark number of hours varies with the cyber risk selected.

    Cost per hour - forensics to restore data on computer/laptop

    YES

    The cost per hour for an action; used throughout the ICM. The legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Number of hours to restore a computer/laptop (data backup)

    YES

    The number of hours needed to perform an action; used throughout the ICM. The benchmark number of hours varies with the cyber risk selected.

    Cost per hour (computer/laptop data backup)

    YES

    The cost per hour for an action; used throughout the ICM. The legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Percent of computers/laptops (restore data) - [selected cyber risk]

    YES

    The percent of computers/laptops compromised in a given cyber risk scenario.

    Cost per system (no data backup)

    YES

    Fixed rate to restore data from the hard drive.

    Number of servers (no data backup)

    YES

    The number of servers in the attack surface.

    Percent of servers (no data backup) - [selected cyber risk]

    YES

    The percent of servers that have no data backup in a given cyber risk scenario and are therefore restored at the fixed per-system rate.

    Number of computers/laptops (no data backup)

    YES

    The number of computers including laptops in the attack surface.

    Percent of computers/laptops (no data backup) - [selected cyber risk]

    YES

    The percent of computers/laptops that have no data backup in a given cyber risk scenario and are therefore restored at the fixed per-system rate.

    IC - Maximum wire transfer per protocol

    YES

    IC (Impact Control) that reduces the cost of a specific function. The control is named in the parentheses after IC; the legend in parentheses at the end of the name gives the cost category the driver belongs to.

    Cash stolen

    NO

    Subtotal formula.

    Maximum wire fraud per revenue bucket

    NO

    Used for calculating Benchmark values.

    Subtotal cash stolen

    NO

    Subtotal formula.

    Cash stolen as function of revenue

    NO

    Used for calculating Benchmark values.

    Percent adjustment for industry

    NO

    Used for calculating Benchmark values.
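
    The restoration, data backup and no-data-backup drivers above feed the rows the table labels only as "Subtotal formula". The page does not state that formula, so the following is an added example, not SAFE's code, that assumes a multiplicative composition (count x share affected x hours x (1 - IC percent reduction) x cost per hour, or count x share x fixed rate for systems with no backup) and carries the lower bound, expected value and upper bound of each tunable driver through to the subtotal. All driver values are constructed for illustration. The detail worth noticing is how the bounds pair up: an Impact Control lowers cost, so the low-cost bound must take the control's upper reduction and the high-cost bound its lower reduction, otherwise the EFI range comes out narrower than the inputs justify.

```python
"""Added example (not SAFE's code): how ICM-style restoration drivers combine.

The page labels "Cost per server (restoration)" and "Cost per computer/laptop
(restoration)" only as "Subtotal formula". The multiplicative composition used
here is an ASSUMED reading of the listed drivers, not the product's formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Driver:
    """Lower bound, expected value and upper bound of one tunable driver."""
    low: float
    expected: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.expected <= self.high:
            raise ValueError(f"bounds out of order: {self}")


def _fraction(value: float, name: str) -> float:
    """Percent drivers are fractions in [0, 1]; entering 30 for 30 % is a common mistake."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction in [0, 1], got {value}")
    return value


def restoration_subtotal(count: Driver, pct_breached: Driver, hours: Driver,
                         cost_per_hour: Driver, ic_hours_reduction: Driver) -> tuple:
    """(low, expected, high) cost to rebuild the breached share of one asset class.

    Assumed: subtotal = count * pct_breached * hours * (1 - ic_reduction) * cost_per_hour.
    The IC lowers cost, so the low-cost bound uses the IC's HIGH reduction and the
    high-cost bound uses its LOW reduction; pairing bounds naively would narrow the range.
    """
    def cost(n, p, h, r, c):
        return n * _fraction(p, "pct_breached") * h * (1 - _fraction(r, "ic_hours_reduction")) * c

    return (
        cost(count.low, pct_breached.low, hours.low, ic_hours_reduction.high, cost_per_hour.low),
        cost(count.expected, pct_breached.expected, hours.expected,
             ic_hours_reduction.expected, cost_per_hour.expected),
        cost(count.high, pct_breached.high, hours.high, ic_hours_reduction.low, cost_per_hour.high),
    )


def no_backup_subtotal(count: Driver, pct_no_backup: Driver, fixed_rate: Driver) -> tuple:
    """Assets with no data backup are recovered at the fixed per-system rate (no IC applies)."""
    return tuple(
        n * _fraction(p, "pct_no_backup") * rate
        for n, p, rate in zip((count.low, count.expected, count.high),
                              (pct_no_backup.low, pct_no_backup.expected, pct_no_backup.high),
                              (fixed_rate.low, fixed_rate.expected, fixed_rate.high))
    )


def total(*subtotals: tuple) -> tuple:
    """Sum subtotals bound-by-bound: lows with lows, expecteds with expecteds, highs with highs."""
    return tuple(sum(values) for values in zip(*subtotals))


def example() -> dict:
    """Constructed inputs; every number here is made up for illustration."""
    servers = restoration_subtotal(
        count=Driver(200, 200, 200),                  # inventory is known, so no spread
        pct_breached=Driver(0.10, 0.25, 0.40),
        hours=Driver(8, 12, 24),
        cost_per_hour=Driver(150, 200, 300),
        ic_hours_reduction=Driver(0.20, 0.30, 0.40),  # offsite-immutable backup IC
    )
    laptops_no_backup = no_backup_subtotal(
        count=Driver(1000, 1000, 1000),
        pct_no_backup=Driver(0.05, 0.10, 0.15),
        fixed_rate=Driver(400, 500, 800),
    )
    return {
        "servers_restoration": servers,
        "laptops_no_backup": laptops_no_backup,
        "total": total(servers, laptops_no_backup),
    }


if __name__ == "__main__":
    for name, (lo, exp, hi) in example().items():
        print(f"{name:22s} low={lo:>12,.0f} expected={exp:>12,.0f} high={hi:>12,.0f}")
```

    Percent drivers are validated as fractions in [0, 1]: entering 30 for a 30 % reduction would otherwise make (1 - reduction) negative and turn a cost into a credit that silently shrinks the EFI. The bound ordering check on Driver catches the other common calibration slip, a lower bound typed above the upper bound.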
