An analysis of economic losses from cyberattacks: based on input–output model and production function

There has recently been a global increase in economic losses due to cyberattacks. However, research on the economic damage caused by cyberattacks has mainly focused on attacked companies, and spillover damage to other sectors has not been sufficiently investigated. This study analyzed the economic losses from cyberattacks in Japan using the production function and input–output model to improve the accuracy of damage prediction and various national measures. First, we provide an estimation method for the annual direct damage by industry using a production function. The mainstream input dataset is lost working hours owing to cyber incidents. Second, we devised a model to estimate the amount of spillover damage to the entire country using the input–output model. Third, although the cyber damage data were limited to only interview data by the JNSA and IPA, we showed the process of estimating direct and spillover damage in all sectors in Japan. As a result, we consider that our estimation method is feasible and effective at the national level. This study contributes to future research on cyber resilience by analyzing the damage caused by cyberattacks from a macroeconomic perspective using a production function and input–output model.

Several studies have examined the extent of the damage caused by natural and manufactured disasters. These studies determined the amount of damage caused in Japan and its various regions. A report by the Cabinet Office (2013) estimated direct damage from natural disasters to be between 97.6 and 169.5 trillion yen, and the full amount of damage has been estimated to be between 35.1 and 50.8 trillion yen in the Nankai Trough earthquake. Concerning the economic damage caused by cyberattacks, CSIS (2021) indicated that the damage exceeded USD 1 trillion and accounted for 1% of the global gross domestic product. Despite this huge loss, studies on the economic damage caused by cyberattacks have been restricted to micro-analyses. Few studies have performed comprehensive and quantitative damage analyses, including an analysis of spillover damage. Although the government of Japan has adopted several cyber security policies, such as supply chain security for critical infrastructures in CS (2021), it must be understood that an objective and quantitative analysis of results is the key to effective policymaking.

This study devised a method for quantitatively estimating the economic damage caused by cyberattacks in Japan and contributed to improving the accuracy of damage prediction and the formulation of various national measures. Specifically, we devised a method to analyze Japan's economic damage caused by cyberattacks using production functions and input–output analysis.

The remainder of this paper is organized as follows. Section 2 reviews research analyzing the economic damage caused by natural disasters and cyberattacks. Section 3 presents a method for estimating the direct and spillover damage. Section 4 presents our estimation results and provides a discussion of our findings. Section 5 presents the conclusions of the findings and plans for future research.

2.1 Analysis in Japan

Most estimation studies on economic loss due to cyberattacks in Japan are restricted to microeconomics analysis and lack quantitative analysis of the economic damage from cyberattacks. Tanaka et al. reported an estimation of economic loss due to information security incidents in Japan of about 4.6 to 9.4 billion yen from 2009 to 2011, respectively, in Tanaka (2014), but their study lacks established methods of analysis. For example, no analysis of spillover damage has been conducted yet.

In the case of natural disasters, studies have shown that the amount of damage is estimated using a production function and input–output table. For example, Shimoda and Fujikawa (2012) used an input–output model to measure the damage caused by the Great East Japan Earthquake on the demand side (backward-relation effect) of production, which experienced a decline, as well as on the supply side. A supply type model is used to measure spillover damage (forward output effect) at the initial stage of the disaster, and a demand-type model is used thereafter.

In Japan, the Information Technology Promotion Agency (IPA) and the Japan Network Security Association (JNSA) have published the results of their analyses of cyberattack damage. The amount of damage was calculated based on their self-developed model. However, the amount of damage from each incident is limited to that of the victim company, and there is no model for calculating the amount for the entire country. Tanaka (2013) suggest using the Cobb–Douglas production function to estimate cyber damage in the entire country, but none showed its feasibility and effectiveness.

2.2 Analysis overseas

Japan's Ministry of Internal Affairs and Communications has analyzed several cases of cyberattacks in the MIC (2019). Emphasizing the model and data related to estimating the amount of damage, Appendix 2 summarizes the analyses.

In terms of the model for estimating the amount of damage, only two studies^{Footnote 1} used the existing economic analysis model. The other models are original, unpublished models. Lloyd and the University of Cambridge's Center for Risk Studies have used the input–output model to calculate spillover damage (disruption of the power supply) from cyberattacks on a power grid on the east coast of the United States.

2.3 Brief summary

We found a limited number of models to calculate the amount of damage. The few existing models are unpublished, self-made models, and most damage amount calculations are based on subjective estimation, which is a general economic effect. Few quantitative estimates have been based on the objective methods used in the analysis. Appropriate analysis cannot be performed using a subjective analysis alone.

In summary, there is no established model for analyzing/estimating the damage and target data and range, among others, of the damage from cyberattacks. The most targeted damage is direct. There is only one overseas document on spillover damage. Reports on the scope of the target damage often differ depending on the literature, and the data are not unified.

Therefore, it is meaningful to estimate the direct and spillover damages using the production and input–output models, respectively. In addition, this study collected mainstream data through interviews and hearings, considering that incident data from cyberattacks are often not disclosed.

3.1 Overview

In this study, we constructed a production function and measured the decrease in production value due to a decrease in the labor force of the IT department caused by cyberattacks. In addition, we measured the negative production-inducing effect caused by this decrease in production using input–output analysis and estimated spillover damage.

The production function expresses the relationship between the production factor and the output (production value/gross value-added amount) using mathematical formulas. Capital stock and labor, considered the most universal factors of production, are usually used as explanatory variables for output. We recognized that analysis by the production function is a suitable approach for calculating the economic damage (from the viewpoint of production) in the event of a cybersecurity incident involving labor damage, as in this study.

Spillover damage (decrease in production) due to damage involving production factors leads to a further decrease in production through dependency between industries. For example, if production were stopped because of a disaster, it would also stop the production of industrial parts. The industrial suspension of industrial parts further causes the production suspension of other parts and raw materials. Input–output analysis is a powerful tool for measuring the magnitude of such spillover damage.

3.2 Direct damage estimation method using the production function

3.2.1 Model

We estimated the direct damage from cyberattacks (including viral infections) to the entire country based on the system and data recovery times. Our estimation model agrees with that of Tanaka (2014).

We estimated the production function by assuming that "the net value added (Y)" can be realized by the labor force (L-Lr) after deducting the system recovery time and data recovery working times (Lr) associated with a cyberattack (Eq. (1)). Then, based on the coefficient of the production function, using the labor force (L), we were able to determine when the system recovery time and working time (Lr) could be used for the original production activity (Y⁺). The difference between (Y⁺) and (Y) was used as the direct damage amount (LS) (Eq. (2)). We assumed that K is capital stock and constant, regardless of cybersecurity incidents, systems, or data recovery. In addition, Eq. (1) is established when the relationship α + β = 1 (constant returns to scale) holds for capital allocation ratio α and labor allocation ratio β:

Dividing both sides of Eq. (1) by L − Lr gives Eq. (2):

To calculate the amount of damage directly based on Eq. (2), we estimated the production function of Eq. (1); however, A, α, and β were calculated based on the logarithmic transformation in Eq. (3):

Because the relationship between Y⁺ and Y in Eq. (2) is Y⁺/Y = (L/(L − Lr))^1−α, the amount of damage can be calculated directly using Eq. (4):

3.2.2 Dataset

We collected economic statistical data published by IPA, JNSA, and unpublished JNSA data. We classified the industrial sector based on 108 industries' data from the Japan Industrial Productivity (JIP) database of the Institute of Economic and Industrial Research.

We describe the following components: (1) output (Y), capital stock (K), and labor force (L); (2) number of working hours (Lr) allocated to the system or data recovery times; and (3) estimation method of A, α, and β.

1) Output (Y), capital stock (K), and labor (L)

The net value added (Y) is calculated by subtracting the intermediate input from the output using the sectoral output/intermediate input reported in the 2015 JIP data input–output table. Capital stock (K) denotes the real net capital stock of the capital sector and investment data. We used data on man-hours, given that the total number of working hours of (L) is critical to reflect the system data recovery time after cyberattacks.

2) Number of working hours (Lr) allocated for system recovery or data recovery after a cyberattack

Because there are no data on the number of working hours, we estimated (Lr) allocated for the system or data recovery by each industry using the following procedure. In addition, Lr is the time spent on system and data recovery only for the IT department:

1. A)

   National-level estimation of the number of working hours allocated to the system or data recovery after a cyberattack

The IPA report (2014) outlined the time the IT department took to recover the system after a cyberattack, the additional data processing time (time spent other than recovery), and the time required to resolve other incidents. For this survey, 13,000 companies with more than 21 employees were randomly selected by industry, whose number of employees was from a private company database (Teikoku Databank). The responses to this questionnaire were 1913, with a valid response rate of 14.7%.

An analysis of the valid responses shows in the case of "large companies with more than 300 employees", the IT personnel spent 18.5 h, 5.6 h, and 23.1 h (total 47.2 hours) on recovery, additional data processing, and other incidents. In the case of "companies of between 21 and 300 employees", they are 13.1 h, 3.8 h, and 23.1 h (40.0 h total), respectively.

The 2014 economic census reported that the number of large companies with 300+ employees is 15,526, and that of employees between 300 and 20 is 320,085. We estimated the lost time for IT department employees to be 728,205 h and 12,795,816 h, respectively, for a total of 13,524,021 h. For reference, this means that the average lost time of the IT department per company is 40.3 h in each cyberattack incident.

It should be noted that this time is only the time lost in the "IT department" and does not include the time lost in other departments such as sales and administration departments.

1. B)

   Estimation of the number of working hours by industry

The industries and number of employees are stratified sampling (proportional allocation method) based on the distribution of companies by the number of employees and by industry in the Japan Standard Industrial Classification of the 2012 Economic Census to ensure statistical validity.

Using the number of IT department working hours for the entire country estimated in (A), we estimated the number of working hours by industry based on the 2017 JNSA information security incident data (380 data).

The JNSA data were generated by collecting and analyzing the results of analyses of personal information leakage incidents reported in newspapers and the Internet in the relevant fiscal year; these data originally included cases unrelated to cyberattacks. Therefore, we sorted the contents of each incident data and identified cases of cyberattacks^{Footnote 2} (75 of 380 cases were cyberattacks).

Subsequently, we identified the industry (108 industries) from industry category information in the 75-incident data. Next, the amount of damage for each incident calculated independently by the JNSA was tabulated by country and industry (108 industries). Table 1 shows the amount of damage calculated by the JNSA for each incident using self-made method aggregated for each of the 108 industries.

Then, we calculated the ratio of the whole country and each industry regarding damage calculated by the JSNA and apportioned the direct damage amount of the whole country calculated in (A) to each industry using this ratio. Table 2 shows the results. In this study, we used 2017 JNSA data. In the JNSA data, only the 2017 data show the industry category; therefore, we directly used the industry category of the FY2017 JNSA data.

3) A, α, and β (scale coefficient (A), capital share (α), and labor share (β) in the production function)

We calculated A, α, and β based on Eq. (3), which is a logarithmic transformation of Y, K, L, and Lr for the 108 sectors from 2013 to 2015. Following the method highlighted in the study by Tanaka (2014), in the JIP data, the industrial sections codes 72 (housing) and 108 (activities not elsewhere classified) for three years from 2013 to 2015, and 36 (pig iron and crude steel) for 2013 were excluded. This is because the added value, capital stock, and labor man-hours were zero, owing to a lack of data.

The results of the estimation were as follows: A = 0.23370315, α = 0.53480907, β = 0.46519093. The coefficient of determination R2 of Y/(L-Lr) on the left-hand side and K/(L-Lr) on the right-hand side of Eq. (3) was 0.5214027.

3.3 Estimating method of spillover damage by input–output model

3.3.1 Model

We estimated the spillover damage by industry based on the amount of direct damage by industry, as calculated in 3–2, and using the following input–output model: specifically, the amount of damage is calculated using a competitive import model. We define input coefficient matrix A, final demand column vector F, output vector Y, n × n unit matrix I, export column vector E, and import column vector M. If \(\widehat{M}\) is a matrix with the import coefficients on the diagonal and zeros for the off-diagonal, then we can express the formula as follows:

Here, F in Eq. (5) corresponds to the direct damage calculated in Eq. (4), and the direct damage in Eq. (4) is estimated based on the value-added production function. In the input–output table, estimates are made on a production value basis. Therefore, when F is inserted into Eq. (5), it is necessary to revise it to a production value basis. This revision was calculated using the ratio of the value-added amount and the production amount in the input–output table, and the amount excluding non-household consumption expenditure (accommodation, daily allowance, entertainment expenses, welfare expenses) was estimated as the value-added amount. In addition, because this research focuses on the domestic damage caused by cyberattacks in Japan, we calculated F as the product of the amount of added value by the self-sufficiency rate of each industry, where the self-sufficiency rate is obtained by subtracting the import coefficient from 1. The import coefficient is calculated by dividing the absolute value of “(less) Total imports” by “Total domestic demand” in the input–output table.

Because Y calculated using Eq. (5) includes direct damage, it is necessary to exclude direct damage from spillover damage. Therefore, spillover damage is estimated using Eq. (6):

3.3.2 Dataset

We used the direct input damage by industry calculated in the 2015 input–output table (37 I/O sections). Based on the integrated major sections in the input–output table for Japan, we divided the industrial sections into 37 I/O sections.

In this study, we showed that it is possible to estimate not only the direct damage caused by cyberattacks, but also spillover damage at the national level using the production function and I/O model.

4.1 Estimated damage for each industrial sector

The estimation results are shown in Tables 3, 4, and 5.

Table 3 shows the direct damage, spillover damage in each of the 37 I/O sectors, and total damage (Japan, FY2015) based on the model in 3-2-1 and 3-3-1, and Table 4 shows the proportion of each industry to the total damage of the whole country.

The direct damage in Eq. (4) in [a] of Table 3 was estimated based on the value-added production function. Then, direct damage based on production value ([c] in Table 3) is calculated by using the ratio ([b] in Table 3) of the value-added amount and the production amount. Next, because this study focuses on the domestic impact of cyberattacks, F in Eq. (5) is calculated by multiplying the direct damage based on the production value ([c] in Table 3) by the self-sufficiency rate of each industry so that F in Eq. (5) is shown as [d] of Table 3. Finally, we calculate the spillover damage ([e] in Table 3) based on Eqs. (5) and (6).

Table 5 shows the top 5 industries with the highest total losses and that the JIP industry code 59 (Information and communications) suffered damages of approximately 12,556 million yen, accounting for 40.3% of the total damage. The damages caused by industry codes 31 (business-oriented machinery), 51 (semiconductor devices and integrated circuits), 53 (finance and insurance), and 66 (business services) accounted for 5.7%, 9.3%, 12.3%, and 11.2% of the total damage, respectively. The top five industries accounted for 78.8% of the total damage.

4.2 Discussion of estimated damage for all sectors

As shown in Table 3, we estimated damages for all sectors based on the IPA dataset in 3-2-2 A). The direct damage (based on domestic production value), spillover damage, and total amount were approximately JPY 18,785 million, JPY 12,385 million, and JPY 31,170 million, respectively.

Here, we should note that the IPA dataset only showed the lost working hours in IT departments caused by cyberattacks and does not include the lost working hours in other business sections during IT department work for IT system recovery. If the cyberattack incident survey includes lost working hours in other business sections, our model will show a larger Lr, therefore the total damage will be huge. In addition, immeasurable losses, such as the loss of business opportunities and brand damage, may occur in cyberattack victim companies.

4.3 Other discussion

Table 5 shows that JIP industry code 59 (Information and communications) suffered damages of approximately 12,256 million yen, accounting for 40.3. % of the total damages. While these analyses by industry are useful for cybersecurity and economic policy discussions, it is important to improve the input dataset's quantity and quality for our estimation model. Therefore, we expect to establish a framework for collecting information on cyber incidents at the national level and for data standardization in Japan, as in the case of the United States.^{Footnote 3}

5.1 Conclusion

By presenting a method for analyzing the damage caused by cyberattacks from a macroeconomic perspective and using production functions and input–output tables, this study contributes to future studies on cyber resilience.

This study takes a macroeconomic viewpoint to directly estimate the economic losses from cyberattacks in Japan—the amount of direct and spillover damage. Cyberattack recovery consumed at least IT department working hours in Japan and caused damage worth approximately 31,170 million yen for the financial year 2015.

5.2 Future research

Future studies can improve the accuracy of the aforementioned estimation using data on the working hours required for recovery in each industry. As mentioned above, it is also expected to establish a framework for collecting information on cyber incidents at the national level and standardizing data in Japan.

We plan to study and analyze industrial characteristics in future research more precisely. First, we analyze a specific industry's characteristics by utilizing the information and communications input–output table published by the Ministry of Internal Affairs and Communications. Next, we analyze the forward linkage of the spillover effect in addition to the backward linkage, as in this study.

The data for output (Y), capital stock (K), and labor (L) are available from the JIP database: [hyperlink to dataset(s)/data source, e.g., "https://www.rieti.go.jp/jp/database/JIP2015/index.html"]. The data for number of working hours (Lr) allocated for system recovery or data recovery after a cyberattack are available from IPA: [hyperlink to dataset(s)/data source, e.g., "https://www.ipa.go.jp/security/fy26/reports/isec-survey/index.html"], and JSNA. Although the JNSA data are not open to the public, they were individually requested and obtained for this research and are available if requested individually. The data for the number of companies are available from the 2015 Economic Census: [hyperlink to dataset(s)/data source, e.g., "https://www.stat.go.jp/data/e-census/2016/kekka/gaiyo.html"]. The Japanese benchmark input–output table is available from the Ministry of Internal Affairs and Communication: [hyperlink to dataset(s)/data source, e.g., "https://www.e-stat.go.jp/stat-search/files?page=1&layout=datalist&toukei=00200603&tstat=000001130583&cycle=0&year=20150&month=0"].

1. RAND Cooperation uses the input–output table by the Organization for Economic Co-operation and Development to calculate the spillover damage of cyberattacks. The Mitsubishi Research Institute, Inc. analyzes the reputational damage of cyberattacks from the stock price effect before and after a certain event (e.g., mergers and acquisitions), by analyzing the cumulative abnormal returns. A method for analyzing changes in corporate value is used.

2. Incident data leakage identified cause categories; such as worm viruses, bug security holes, and unauthorized access during cyberattacks. The cause categories excluded from the target include: internal fraud, loss/misplacement, distress, and erroneous operation.

3. The US Department of Land Security (DHS) provides insurance companies with a data collection and analysis platform (Cyber Incident Data and Analysis Repository). This platform helps private modeling companies assess cyber risk and cyber accumulation for modeling. In one of the cases, a data standard format was integrated to the management system (CAMS: Cyber Accumulation Management System) (some public institutions (e.g., FBI) also play a role).

CSIS:

The Center for Strategic and International Studies (USA)

IPA:

Information-technology Promotion Agency (Japan)

JNSA:

The Japan Network Security Association (Japan)

JIP:

The Japan Industrial Productivity

Not applicable.

Not applicable.

Authors and Affiliations

1. Institute of Information Security, 2-14-1 Tsuruya-Cho, Kanagawa-Ku, Yokohama, Kanagawa, 221-0835, Japan

   Akiyoshi Kokaji & Atsuhiro Goto

Contributions

AG designed the study, and AK performed the calculations. AK interpreted the results and drafted the manuscript. AK revised the manuscript and created the figures. Both authors read and approved the final manuscript.

Corresponding author

Correspondence to Akiyoshi Kokaji.

Ethics approval and consent to participate

This research does not involve human subjects, human material, or human data.

Competing interests

The authors declare that they have no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix 1: Definition of term

The terms used in this study are defined as follows:

For "Cyber attack", Information-technology Promotion Agency, Japan revealed in IPA (2021) that the major organizational threats include damage from ransomware, theft of confidential information by targeted attacks, and telework. The new normal ways of working have exposed organizations to supply chain attacks, financial damage from fraudulent emails, information leakage due to internal fraud and negligence, business suspension due to IT infrastructure failure, unauthorized logins for Internet services, and increased misuse after the renewal of vulnerability countermeasure information.

Regarding the characteristics of cyberattacks, the Ministry of Defense and the Self-Defense Forces presented a list of the characteristics of cyberattacks in a report titled (2012). These characteristics include "attacker superiority", "diversity", "anonymity", "top secret (confidentiality)", and "deterrence difficulty. Therefore, it is difficult to analyze the economic damage caused by these characteristics.

This study excluded indirect damage (damage effects due to rumors on brand value). This study focuses on the following direct and spillover damages caused by cyberattacks on the economy:

Direct damage (damage to the attacked company/industry) includes a general investigation of the cause, system recovery, data corruption, leakage, damage compensation, system outage, business interruption, and opportunity loss.

Spillover damage (damage to companies/industries directly affected by direct damage) includes general damage to other companies and industries doing business with the directly affected companies and damage from the attacked companies to other companies, industries, and society. Damage to social infrastructure may affect social and economic activities and cause significant losses.

Appendix 2: Previous research: analysis of damage caused by cyberattacks

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions