Cyberattacks on critical infrastructure: An economic perspective

Open access


The aim of this article is to analyze the economic aspects of the cybersecurity of critical infrastructure, defined as physical or virtual systems and assets that are vital to a country’s functioning and whose incapacitation or destruction would have a debilitating impact on national, economic, military and public security. The functioning of modern states, firms and individuals increasingly relies on digital or cyber technologies, and this trend has also materialized in various facets of critical infrastructure. Critical infrastructure presents a new area of cybersecurity attacks and threats that requires the attention of regulators and service providers. Deploying critical infrastructure systems without suitable cybersecurity might make them vulnerable to intrinsic failures or malicious attacks and result in serious negative consequences. This article proposes a fuller view of the costs and losses associated with cyberattacks, one that includes both private and external (social) costs. Cost-benefit analysis, or the Return on Security Investment (ROSI) indicator, is applied to evaluate the worthiness of cybersecurity efforts and to analyze the costs associated with some major cyberattacks in recent years. The “Identify, Protect, Detect, Respond and Recover” (IPDRR) framework for organizing cybersecurity efforts is also proposed, together with an illustration of how blockchain technology could be utilized to improve security and efficiency within a critical infrastructure.


