Costs to the U.S. economy of information infrastructure failure
From the Briefcase: Research produced by America's Best Business Schools
Authors: M. Eric Johnson and Scott Dynes (Tuck School of Business, Dartmouth College), Eva Andrijcic (University of Virginia)
Status: Presented in June at the Workshop on the Economics of Information Security, Robinson College, University of Cambridge
Summary: More companies than ever rely on the Internet to do business. So what would happen if terrorists attacked Web infrastructure? According to a new study, if even one company's network went down, the effects would be felt throughout the economy.
An information infrastructure attack on a single company could send ripples of damage through the entire U.S. economy--eventually costing tens of millions of dollars even in sectors that were not directly affected by the original event, according to a new study.
"U.S. businesses increasingly rely on the Internet to enable their business processes--from product design to supply-chain management to sales and customer service," says M. Eric Johnson, director of the Center for Digital Strategies at the Tuck School of Business. "As a result, there is much interest in how vulnerable the U.S. economy could be to targeted and large-scale disruptions, or attacks, to its information infrastructure."
In June, Johnson and research fellow Scott Dynes presented results from their study entitled "Costs to the U.S. Economy of Information Infrastructure Failure" at the Fifth Workshop on the Economics of Information Security (WEIS 2006), which took place at Robinson College at the University of Cambridge in England. Another coauthor of the paper is Eva Andrijcic of the University of Virginia.
The study, which was funded in part by the Department of Homeland Security's support for the Institute for Information Infrastructure Protection (I3P), examines the possible economic losses to particular sectors of the U.S. economy arising from an Internet outage or a process control system (SCADA) failure brought on by events like a cyberattack or computer virus.
The research combined field study at U.S. firms with economic data to quantify the impact of such attacks in three economic sectors: automobile manufacturing, electrical device manufacturing, and oil refining. Johnson and his colleagues conclude that costs to the U.S. economy can range widely, from virtually zero cost after a three-day Internet outage at an electrical parts firm, to $65.6 million for a 10-day outage at an automobile parts plant, or even as much as $404.76 million for a SCADA failure of the same length at an oil refinery.
"As compared with an oil refinery, which would have to shut down within a day after the loss of the SCADA system, the manufacturing supply chains we've looked at are fairly robust to small cyberoutages," said Dynes. "As a result, there is only a moderate decrease in the level of production. However, this is likely to change as more firms use the Internet to further integrate with their supply-chain partners."
Additionally, the study examines how economic costs can be transmitted through the company's customers and suppliers to completely different sectors of the U.S. economy, where, it explains, the "economic impacts of these ripple effects can be greater than the direct economic impact experienced by the affected sector."
WEIS 2006 is sponsored by the Institute for Information Infrastructure Protection (I3P), Microsoft Research, and the Foundation for Information Policy Research. Other topics up for discussion at the workshop include open-source software, digital-rights management, the return on security investment, and the effect of stock spam on financial markets.
The Center for Digital Strategies at the Tuck School promotes the development and practice of digital strategies--the use of technology-enabled processes to harness an organization's unique competencies, support its business strategy, and drive competitive advantage. The center addresses issues throughout the extended enterprise, including globalization, organizational change, and information security.


