
Solutions 16

Forensic and Investigative Accounting ...


Chapter 16
Cybercrime Loss Valuations
CHAPTER SUMMARY
Overview
There are several important reasons to quantify the loss from a cybercrime. One reason is to report the crime
to law enforcement. Another reason for loss determination is for insurance purposes. Also, the victim may want a
loss determination for internal purposes and at the same time, the victim may not want to report the crime to law
enforcement or to file an insurance claim. Each case raises different issues the forensic investigator needs to consider
in developing loss estimates.

Attacks on Tangibles and Intangibles


¶16,001 Extent of the Problem

The Computer Crime and Security Survey prepared by the Australian Computer Emergency Response Team
(AusCERT) reports on losses and abuse sustained by respondents to its annual survey
(http://www.auscert.org.au/render.html?it2001). The respondents represent a wide range of industry sectors
including education, mining, and financial organizations. The 2004 survey found:
• On average the losses were estimated at $98,685 for the sample.
• Infections from viruses, worms, and trojans were the most common form of attack and responsible for
  most of the losses. The highest reported loss in 2004 from these attacks for one respondent was $2,000,000.
  Most companies recovered from such attacks after seven days.
• Heavy scanning of the network and consequential degrading of services was also a factor for 41 percent
  of the respondents.
• 76 percent of the respondents were aware of at least one to five attacks during the 2004 period.
• As would be expected, the source point for these attacks is the company's point of Internet access.
• An increasing percent of the attacks in 2004 were believed to be conducted to use system resources for
  launching further attacks with anonymity. The respondents believed another major reason for these attacks
  was just to cause malicious damage.
• 88 percent of the attacks originated from outside the organization.
• 49 percent of respondents reported that losses arose from attacks on the confidentiality, integrity, or
  availability of information.
• Unpatched systems and inadequate staff training were reported as the major reasons for these problems.
Beyond theft of proprietary information and financial fraud, the survey collected loss information about those
cybercrimes such as sabotaging data, telecom eavesdropping, outsider system penetration, insider abuse of net access,
denial of service attacks, spoofing, virus attacks, unauthorized insider access, telecom fraud, wiretapping, and laptop
theft. All such criminal activities create losses and damages for business organizations. Experts and legislators have
attempted to identify losses from such activities in various state and federal laws. These legal guidelines provide
a starting point for the forensic accountant in determining a dollar value for losses due to cyber attacks. However,
losses recognized for statutory purposes are likely to differ from values filed under insurance claims. Therefore, each
is considered in this chapter.

2009 CCH. All Rights Reserved.

¶16,011 Statutory Loss Valuations

State computer crime codes provide broad descriptions of how losses should be recognized when a computer crime
takes place. Table 16.1 contains a list of the 13 state statutes that provide guidance in making loss determinations.
In reviewing Table 16.1, the following factors are shown as remediable activities and loss classifications:
• Verification costs to check systems (diagnosis-remediation).
• Restoration costs to put systems back online (testing).
• Market value or replacement value of the property destroyed or services.
• Lost profits.
• Reasonable value of loss caused by unavailability.
• Investigation costs.
• Past or future losses.
• Injury suffered.
• Loss of computer time (lost productivity).
• Cost of replacing lost data.
The federal government identifies a similar list of damage losses in cyber attacks as described in 18 U.S.C. §1029
and in Act Sec. 814 of the USA Patriot Act.
¶16,021 High-Tech Tangible Losses Attributed to Cyber Attacks

Examples of tangible losses from a cyber attack are destroyed web servers, routers, and PCs, as well as the
cost of system restoration and lost worker productivity. In traditional manufacturing companies, tangible assets are
purchased physical assets or constructed assets developed from using resources such as labor, materials, and overhead.
With high-tech companies, the same ingredients (labor, materials, and overhead) are used to develop the bits and
bytes in software. Because software and physical assets use the same ingredients, lost or destroyed program code is
considered a tangible loss if the loss can be related to staff work hours used in creating the code. At the present time,
courts have placed different interpretations on intangible losses. The value of tangible assets is easily identified
with their market or replacement cost, and the value attributed to lost productivity and system restoration costs is
based on the work-hours used to restore the system.
Hack Attack Shuts Down System. The value of a cyber asset includes the employees' wages used in developing
the asset. If the asset is lost in an attack, the workers' time needed to develop the asset is used in determining the extent
of the loss. Additionally, workers' time used in diagnosing, restoring, checking, and testing the network as well as
possibly replacing lost data is part of the tangible loss from a cyber attack. Productivity losses arise from the reduction
of efficient, normal production of work due to an event such as a cyber attack.
Other Tangible Costs. Other tangible costs of an attack as listed in states' statutes are the market value or
replacement cost of property destroyed in an attack, external investigation costs, valuation of lost productivity, and
the cost of replacing lost data. Market values for standard electronic equipment such as web servers, routers, and PCs
are readily determinable as the invoice price of a new asset. Replacement cost is considered to be the current cost of
replacing the old asset with a new asset with the same capability as the old asset.
Another cost that is also easily determined is the cost of hiring a private high-tech security firm and its team of
forensic specialists to collect evidence about the intrusion and bring the system back online.
Lost Productivity Analysis. Lost worker productivity, another tangible cost, is determinable from the labor
time during which company operations are diminished or shut down.
¶16,031 High-Tech Intangible Losses

The tangible loss attributed to workers' time, valuations of destroyed property, external investigation costs,
and lost productivity can be quickly determined, but such losses usually do not make up the most significant loss
from a network attack. The most significant losses are the intangible losses such as unavailability of the website, lost
profits, general injury, and values attributed to destroyed or lost information contained on compromised PCs. Such
lost information may only have a virtual presence, such as in the coding for software. Therefore, estimating the value
attributable to an intangible loss is more complicated than summing the hourly wages of affected workers.
Loss Attributed to Unavailability. When an attack shuts down a website, the loss arising from the unavailability
of a website to customers and clients must be calculated. The unavailability loss arises from the inconvenience caused
to customers who want to use the website but are unable to do so. Although lost sales are not the same as unavailability,
sales figures can help to evaluate the loss from the unavailability of the website. Growth of sales is an indication of
consumer satisfaction with a business, its products, and its services. Unavailability of access to a company's website
decreases consumer satisfaction; therefore, rates of sales growth provide an indication of the loss suffered from a
disabled website.
Lost Profits Analysis. Lost profits occur when customers cannot gain access to a website and consequently
go to another e-tailer or bricks-and-mortar store to make their purchases. Analyzing the intangible loss from profits
forgone because of the crash of a website involves several considerations. First, it will be necessary to combine
financial sales data and nonfinancial data collected about the website activity. The data needed to calculate lost profits
is based on marketing information about the customer base, website statistics, and financial data. Website data about
the number of customer visits and marketing information about the sales from these visits is needed as well as revenue
and cost information to determine profit data. Without records of website activity and customers' purchasing habits,
there is little that an investigation into damage loss valuations can uncover. Lost sales are included as an identified loss
under state statutes, but they are an intangible loss that may not be recoverable under traditional business insurance.
Lost Data Analysis. If an intruder steals and then destroys information or software code, the loss to a company
comprises the original developmental costs, the cost to restore the information or program, and the possible business
opportunities lost or reduced because of the attack. If the loss affects a revenue stream beyond a one-year period,
the loss analysis includes present value computations. Financial effects can occur from canceled contracts, delayed
implementation of a new product, and a consequential reduced market share.
Loss of Optioned Opportunities. Managers often strategically position a company to be able to quickly exploit
a new business opportunity. Such business decisions are made to ensure a company is correctly positioned to enter a
new market, build a new plant, capture a defined market share, or develop a new product, for example.
Decision making of this nature allows for managerial flexibility to react to changing conditions in markets and
the economy. Managerial flexibility allows for a decision made at one point in time to be revised and modified as
conditions change. Thus, managers are able to begin and plan a project, but they are also ready to cut short its level
of development as conditions change. Managers may commit to a small pilot project and thus delay carrying out the
entire project, possibly forever.
If an intruder destroys, for example, the beta version of a new software product, the intruder also destroys the
company's strategic positioning to enter the new market. Consequently, two losses have occurred. One loss is the
developmental costs of the new software, but the more substantial loss is the lost strategic option as the company has
lost its ability to expand into a new profitable market. In such a case, a value must be placed on both the developmental
costs and the option. Such options are called real options.
Real option valuation requires that: (1) there is uncertainty with an unknown probability to the outcome of a
project; (2) a project can be delayed, up to a point, without risking it; (3) managers are willing to undertake a project
with a negative NPV; (4) managers are willing to give up (i.e., lose) the funds they have initially invested in a pilot
project such as in beta software, and (5) managers are not obligated to make the investment, i.e., it is not a legal
contract.

Loss Valuations and Insurance Claims


¶16,041 Insurers

Today, insurers write contracts providing coverage from cyber attacks. Although it may be possible to convince
a court of the need for restitution from intangible losses described in federal or state statutes, insurance payments for
damages from a cyber attack are only for losses specifically described in the contract. Traditional business insurance
policies have not been forthcoming in providing insurance coverage for lost computer data because such losses are
considered intangible. Traditional property damage policies are intended to cover only tangible property. The insured
party needs to understand the method used by the insurance company to calculate the loss in each instance for which
coverage is provided.
¶16,051 Costs and Types of Coverage

Insurance coverage provides for first- and third-party liability coverage up to $50 million each. Premiums for
these policies can cost $20,000 to $40,000 annually. First-party liability coverage is for direct damage to the insured
from a cyber attack. Third-party liability provides for coverage from the negligent acts of the insured as, for example,
when the insured's computers are unknowingly used to launch an attack against a primary target. A list of coverage
for losses from first-party cyber insurance is included in ¶16,051. The list is similar to those losses recognized in the
federal and state statutes, but loss interpretation is likely to be more restrictive.
¶16,061 Qualifying for Coverage

Risk Survey. Before providing cyber attack coverage to a client, the insurance company would conduct a
survey of the client's site to assess the nature of the insurance risks.
Security Audit. Actuarial risk tables for companies seeking coverage against hacking attacks do not exist.
Therefore, an insurance company may require a complete security audit of any client's network as well as a risk
survey before providing insurance coverage. An experienced security assessment firm will provide a thorough
due-diligence security audit of the network before any policy is issued.
What Should Be Known About Coverage. From the insured's viewpoint, it needs to be ascertained that loss
coverage is for all destroyed data, text, images, sounds, collections, and compilations as well as intellectual property
such as computer programs and coding. The method used to calculate business income losses should be clearly
described in the insurance policy as well as the inclusive time period covered after the incident. The insured should
understand the difference between coverage of the income losses compared to coverage of the revenue losses from
the attack. The insured needs to know whether a discount will be received on the policy premium if the insured has a
service contract with an insurer-certified security firm.
Third-party coverage for computer systems liabilities arises from lawsuits against the insured related to
negligence of the insured or their employees from errors, libel, slander, invasion of privacy, plagiarism, infringement
of a copyright, weak security on a company web server that results in losses to a third party, meta tags with other
companies' names on the company web page, or the negligent provision of professional services.
¶16,071 Conclusion

Loss valuations need to be made for both tangible and intangible assets that are destroyed in a cyber attack. It
is important for law enforcement, the insurance industry, security assessment firms, and forensic investigators to have
accurate statistics on the number, type, and losses from these attacks. A great deal of standardization needs to be done
before the actual losses incurred from these criminal activities become known.

SOLUTIONS TO CHAPTER EXERCISES


1. A tangible asset is any asset that has a physical existence. The value of a physical asset comes from the
use of the asset such as using equipment. An intangible asset is a nonphysical asset whose value is derived
from the rights of ownership rather than the actual use of the asset. Traditional intangible assets include
goodwill, patents, copyrights, trademarks, formulas, franchises, and research and development costs. The
value attributed to them comes from their purchase price (goodwill) or their developmental costs (research and
development).
A software program may have the characteristics of both a tangible asset and an intangible asset. The tangible
value attached to a software program is insignificant: the disk or CD on which it is placed has a tangible
value. If the program was downloaded from the Internet, it would not even have this tangible asset value.
The intangible value attached to the software program is its developmental costs similar to research and
development on a new product. These costs of development are a significant portion of the software's value.
A computer program can exist only on the Internet without ever being downloaded to a hard drive. Without
the Internet, the program has no value.
2. A well-executed cyber attack on a network is not detectable. The hacker will enter the system and reenter the
system without detection. Therefore, the date of detection cannot be assumed to be the same date as the date
the system was originally compromised. The Nevada code clearly provides for these differences by including
past losses as part of the loss calculation. The attacker's actions that contributed to losses before detection
are also clearly part of any loss determination under the statute.
3. The replacement cost is the current cost of replacing a lost asset with a new one that has similar abilities.
Usually the current market value is used in loss recognitions because the older lost technological asset is no
longer available. Technological assets quickly become obsolete. The replacement cost of an asset may be
important if it was specially built, i.e., a hardware item that was specially built for an operation, such as space
launches, that cannot be obtained from off-the-shelf purchases. In those cases, the loss is equal to the replacement
cost. With most new software applications, the summed replacement cost and the original cost of development
are important in determining the total loss from a cyber attack.
4. Corporations are hesitant to report cyber attacks on their networks for fear of the negative ramifications it can
have on their reputations, future business actions, and even possibly on their stock price. But all cyber attacks
need to be reported. Without proper reporting of these crimes, the victim is contributing to the success of the
cyber criminal. When the crime and the method of attack are completely reported, the techniques used by the
cyber criminal become public knowledge. Such knowledge allows others to be able to protect themselves
from similar attacks. Additionally, crime statistics on the nature and losses attributed to these attacks allow
for the leverage needed for the government to provide the resources to prevent them. Without proper statistics,
only the attacker knows what is really occurring.
5. General injuries include a number of intangible factors that may arise from an attack on a network. Such
factors would include psychic losses of being robbed, the general violation of the company's private records,
and the embarrassment that arises from the penetration of these files. Obviously, the company did not want
its website to be compromised and because it was successfully broken into by the hacker, the company has
suffered in a way that it should not have. General injuries can be attributed to such losses in determining the
final damage assessment.
6. Unavailability of a website and the incurrence of lost profits from lost sales are two different aspects of a cyber
attack. The unavailability of the website relates to the inconvenience it creates for users of the site. These
users do not have to be customers who want to make purchases. Such users may just need the information
available on the site about public programs, for example. Unavailability creates a loss as related to customer
inconvenience, loss of organizational status, and site reliability. Unavailability losses occur regardless of
whether a physical product is being sold from the site because all sites provide information as a site product,
and when the information is unavailable a loss has occurred.
Profit losses occur from the lost sales when the website is shut down due to an attack on it. These sites are
selling physical products that the consumer cannot purchase and thus the consumer goes on to those sites that
have the product for sale. Some consumers would return to the disabled site later to see if it were working,
but others would not return to make their purchases. The nonreturning consumers create lost profits for the
disabled site.
7. Judgmental probabilities are important in determining the amount of an intangible loss. In many cases, the
only way in which a loss can be estimated is based on the best judgment of the owners of the site. As much as
possible, the estimates should be based on website statistics. But in some cases the only method to estimate
the amount of the loss will be based on the judgment of the individuals affected by the disabled website.
8. Opportunity costs are those opportunities that are lost or foregone due to making a choice to use company
resources in one manner rather than another. These are not costs that appear in a financial statement but they
are important for managerial decision-making. If a company has had an asset lost in a cyber attack and it
decides to use company resources to rebuild or reconstruct that asset, the company will have foregone other
opportunities for profit. The loss or cost of these foregone opportunities needs to be recognized as part of the
loss experience in a cyber attack. The only reason the company is being forced to make a choice between two
opportunities is due to the attack.
9. At this point, Company XW has experienced an intangible loss from the hacker compromising its network. A
dollar amount should be attributed to the loss even if it is only from a general injury. Company XW needs to
get the date that it became aware of the hacker's activity on record. One method for doing this is to recognize
an actual loss from the penetration. If XW did not recognize the loss at this point, and it has not completely
prevented the hacker from using a backdoor to later enter the system, a question can be raised as to the time
period when loss recovery from an insurance company or damages under a legal statute should begin.
10. Real options are based on the Black-Scholes model of financial option theory. Here, real option analysis is applied
with real investments and capital budgeting rather than financial instruments. The latter approach uses discounted
cash flow methods and adjusts them so that strategic business decisions are incorporated into the analysis.
Strategic business decision flexibility in the face of uncertainty has value. A real option places a value
on these two factors. The nature of any option is that it has a value. Real option analysis used in capital
budgeting decisions is no different. The value it measures is management's flexibility to change as market
conditions for a project change. An example is the value of delaying the implementation of a project until
market conditions become more certain. All these actions have a value that real options analysis assesses
more easily than traditional discounted cash flow analysis can.
Real option analysis is particularly important in the high-tech area where there is a great deal of uncertainty
facing companies that are launching new products along with high obsolescence of most products. Additionally,
the strategic investment practice of creating beta versions of products that may be withdrawn from the market
contributes to conditions that are prerequisites for real option analysis.
11. The purpose of this exercise is to make a comparison between the legal statutes and the provisions of an
insurance policy. Students should be able to use a search engine and find an example of an insurance policy
on the Internet. One example of a cyber insurance policy at the time of this writing was a 10-page document
from Hiscox Financial Services.
12. The answers for this question will obviously vary. The search at http://etiolated.org is performed by placing
".edu" into the search engine. A large number of university breaches should appear. To determine if the
breach was revealed by the university, the students will have to do additional searches of local and university
newspapers around the time of the breach as noted on the website.
The question of university disclosure has two answers. Legally the university should have
disclosed the breach if new state breach laws were enacted and nonprofit organizations were subject to that
law. Not considering the legal issues, the university has a moral obligation to disclose to students and others
that their private information has been violated.
13. When Will It Be Available?
a. Using the comparative 2002 and 2003 summary income statements, discuss the best income statement
statistic to use in evaluating the unavailability loss for 2004.
Customer unavailability leads to a dissatisfaction with intangibles such as quality and ease of site use.
These are reflected in sales and profit figures for the sales that occur over the site. Therefore, the best two
measures related to unavailability are trends in sales and profits and the potential impact that a disabled
site has on those trends.
Over the two-year period, sales growth shows a 27-percent increase [($14,000,000 − $11,000,000)/$11,000,000]
and there was a 92-percent reduction in the loss over the two years [($250,000 − $20,000)/$250,000]. One
of these percentages should provide an indication of the unavailability loss for Webster Stores. If possible,
gross sales should be used to predict the unavailability loss. Profit figures are affected by increases in cost
of sales and operating expenses. Cost of sales and operating expense increases are less directly related
to the effect of customer actions about the products and services offered by a firm. Therefore, the best
measure is a derivative measure based on company sales figures.


b. One method to determine the unavailability loss follows:


Bill Forrester indicates that next year's sales should increase between 15 and 20 percent. This is an average
increase of 17.5 percent. With sales of $14,000,000 in 2003, a 17.5-percent increase is equivalent to
$16,450,000 ($14,000,000 × 1.175). Having a website disabled for one day creates an unavailability loss
of $6,712 as follows:
$16,450,000 − $14,000,000 = $2,450,000
$2,450,000 / 365 = $6,712
The website is open 365 days a year and the dissatisfaction is related to the time the site is shut down for
one day. The sales increase is likely to be affected by the dissatisfaction that consumers experience when
they go to the website and find they cannot use it.
14. My Sales Are Lost, and I Can't Find Them. Archer will have various levels of sales loss with 300 of its registered
customers. Eventually, 10 percent of these customers will return to the site. Using the site statistics, it is seen that the
initial loss from losing 300 customers is $135,000 (6 visits × $75 in average sales × 300 lost customers).
Yet over the next three months, a total of 30 customers will return. There are several ways to calculate the
present value effect of the loss. Assume a monthly discount rate of .0042.
Month    Initial Loss
(a)      (c)
 1       $128,250 *
 2       $122,850 **
 3       $121,500 ***
 4       $121,500
 5       $121,500
 6       $121,500
 7       $121,500
 8       $121,500
 9       $121,500
10       $121,500
11       $121,500
12       $121,500
13       $121,500
14       $121,500
15       $121,500
16       $121,500
17       $121,500
18       $121,500
19       $121,500
20       $121,500
Total Present Value of Lost Sales: $2,334,120

* $135,000 − (6 × $75 × 15) = $128,250
** $135,000 − [(6 × $75 × 15) + (6 × $75 × 12)] = $122,850
*** $135,000 − [(6 × $75 × 15) + (6 × $75 × 12) + (6 × $75 × 3)] = $121,500


The initial loss is $135,000 (6 visits × $75 average sales per visit × 300 lost customers). After the first month,
15 customers returned. During the second month, another 12 returned and in the third month, another three.
Using these numbers, the initial loss of $135,000 is slightly reduced as seen in the table, but the damages for
Archer from the lost sales are $2,334,120, which is the present value of the lost sales over the 20 months for
the 270 customers who never returned. For present value purposes, it is assumed that all changes occurred at
the end of the month rather than at the beginning or continuously throughout the month.
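The schedule and total in solution 14 can be reproduced programmatically, which also makes it easy to rerun the valuation with a different return pattern or discount rate. The Python below is an added example, not part of the textbook solution; the class and function names are this example's own, and it assumes the 6 visits are per customer per month and that cash flows fall at month end, as the solution states.

```python
"""Present value of lost sales after a website outage (Archer exercise figures).

Added illustration; names are this example's own, not the textbook's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LostSalesCase:
    lost_customers: int      # registered customers who stopped buying
    visits_per_month: int    # purchase visits per customer (assumed per month)
    avg_sale: float          # average sale per visit, in dollars
    returns_by_month: tuple  # customers who come back in month 1, 2, 3, ...
    horizon_months: int      # months over which the loss is measured
    monthly_rate: float      # monthly discount rate


def monthly_losses(case):
    """Undiscounted lost sales per month, net of customers who have returned."""
    per_customer = case.visits_per_month * case.avg_sale
    still_lost = case.lost_customers
    losses = []
    for month in range(1, case.horizon_months + 1):
        if month <= len(case.returns_by_month):
            returned = case.returns_by_month[month - 1]
            if returned < 0 or returned > still_lost:
                raise ValueError(f"invalid return count in month {month}")
            still_lost -= returned
        losses.append(still_lost * per_customer)
    return losses


def present_value_schedule(case):
    """Rows of (month, lost sales, discount factor, present value).

    Each month's loss is discounted from the end of that month.
    """
    rows = []
    for month, loss in enumerate(monthly_losses(case), start=1):
        factor = 1.0 / (1.0 + case.monthly_rate) ** month
        rows.append((month, loss, factor, loss * factor))
    return rows


def total_present_value(case):
    """Sum of the discounted monthly losses over the whole horizon."""
    return sum(pv for _, _, _, pv in present_value_schedule(case))


# Figures stated in the exercise: 300 lost customers, 6 visits, $75 per visit,
# 15/12/3 customers returning in months 1-3, 20 months, monthly rate .0042.
ARCHER = LostSalesCase(
    lost_customers=300,
    visits_per_month=6,
    avg_sale=75.0,
    returns_by_month=(15, 12, 3),
    horizon_months=20,
    monthly_rate=0.0042,
)

if __name__ == "__main__":
    print("Month  Lost sales  Factor    Present value")
    for month, loss, factor, pv in present_value_schedule(ARCHER):
        print(f"{month:>5}  {loss:>10,.0f}  {factor:.6f}  {pv:>13,.2f}")
    print(f"Total present value of lost sales: ${total_present_value(ARCHER):,.0f}")
```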
15. Really, It's an Option. The binomial tree for Burleigh Tech's projected profits follows:

At Point A, the value of the option is:

= [.5 × (($4,000,000 − $500,000) / 1.06) + .5 × (($1,000,000 − $500,000) / 1.06)]
= $1,650,943.30 + $235,849.05
= $1,886,792.35
At the origin, the value of the option is:
= .75 × ($1,886,792.35 / 1.06)
= $1,334,994.50
Burleigh Tech lost an option worth $1,334,994.50 from the cyber crime.
16. Rockie II.
a. The loss to PaperDyne from the attack is determined as follows:
Original Developmental Costs                            $300,000
Additional Cost to Harden Network                         75,000
Restoration Costs                                        231,192 *
One-month Subcontract                                     15,000
Opportunity Cost from Second Project Abandoned           700,000 **
Total Cost of the Cyber Attack                        $1,321,192

* Restoration Costs:
Direct Labor: 10 × ($38 × 40 hours × 12 weeks)          $182,400
Overhead:
  1. As related to overtime pay                           34,200
     10 × ($19 × 15 hours × 12 weeks)
  2. As related to direct labor dollars                   14,592
     ($182,400 × .80)
Total Restoration Costs                                 $231,192

** The opportunity cost is related to the new project that was abandoned because the IT staff was required to restore
Rockie II after the attack and could not therefore work on a new (second) project.

b. Sean is keeping the cyber attack a secret because he is afraid if it became known that a company selling
firewall security was successfully attacked, PaperDyne would lose all its clients. Although it is recommended
that all cyber attacks be disclosed, PaperDyne is an example of a situation where such public disclosures
would be devastating for the company. A likely result would be the closure of the company. In such a
case, PaperDyne may want to make a confidential disclosure to law enforcement after a period of time
has passed. PaperDyne would not want to file a claim for damages with its insurance company. Instead,
PaperDyne would absorb all losses from the attack itself.
If public disclosures about the attack are made, PaperDyne should evaluate the amount of the loss based
on the effect such disclosures will have on the company's projected profits for the next year.
c. Tim is trying to help PaperDyne by not being paid for the overtime hours he puts into reconstructing
Rockie II. Although it is a noble gesture, it is important for managers to know the total costs involved in
reconstructing the firewall. Managerial decision making is based on a complete financial picture of a
process, and the nondisclosure of cost information makes such decisions, i.e., abandonment, expansion,
etc., more difficult. Therefore, Tim should be encouraged to record all the work hours he puts into the
reconstruction of Rockie II.
