Much attention is given to the calculated costs of a security breach, where the business may experience both downtime (an outage) and external costs, as you'll see below.

We often see significant emphasis placed on the cost of response, external (third-party) assistance, the impact of stolen data, notifications and victim ID protection, sanctions and fines, remediation, and forensics. Yet lost employee productivity, lost reputation, lost customers, and lost revenue production, although they are always part of the total, are nearly always the categories that account for the highest percentage of the loss during an outage.

Every year since 2008, Information Technology Intelligence Consulting (ITIC) has published an independent survey that measures downtime cost and trends. The annual report shows that the average cost of a single hour of downtime has risen by nearly 30% over time.

The 2017 ITIC survey polled over 800 organizations in April/May 2017. All categories of business were represented in the respondent pool: 24% were small firms with up to 200 users, 25% were small/mid-sized enterprises with 201 to 1,000 users, and 51% were large enterprises with over 1,000 users.

Below are the metrics for large enterprises with over 1,000 users (51% of the organizations surveyed) from the ITIC 2017 survey:

  • 98% of organizations say a single hour of downtime costs over $100,000
  • 81% of respondents indicated downtime costs their business over $300,000
  • 33% reported that one hour of downtime costs their business between $1 million and $5 million

Nearly all businesses today are dependent on utilities such as e-mail, intranet, corporate business applications, and, of course, the internet. Without these crucial utilities, employees are essentially cut off from the business and communications.

Most enterprises invest wisely to ensure the availability and reliability of their critical infrastructure, critical business applications, and data centers. Sometimes, however, those investments are undone by an event such as a cyber-security incident that disrupts or disables these utilities, whether for a short or a long period. A denial of service is certainly one form of attack that can cause an outage, but I'm thinking more about an attack designed to destroy data and disable systems for an extended period measured in days and weeks, not merely hours.

As a recent example, the NotPetya malware infected and crippled the global container shipping and supply vessel operator Maersk for ten (10) days. Maersk's IT organization reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications within those ten days, in what its chairman called a "heroic effort" and one that would normally have taken up to six months. Maersk advised its shareholders that the outage resulting from the attack would cause losses of up to $300 million due to "serious business interruption."

“Imagine a company where a ship with 10 to 20 thousand containers is entering a port every 15 minutes, and for 10 days, you have no IT,” chairman Hagemann commented. “It’s almost impossible to even imagine.”

The cost of such downtime comprises direct costs, such as:

  • lost revenue, because sales could not be completed
  • wages paid to employees who were unable to work
  • third-party assistance (response and recovery)
  • fines, sanctions, penalties, and litigation
  • victim notifications and ID-theft protection (remedies)
  • marketing costs to recover consumer confidence
  • penalties for non-performance against service level agreements

and indirect costs, such as:

  • lost business opportunities
  • employee attrition and damaged employee morale
  • additional security incidents caused by employees bypassing IT controls to get work done (shadow IT)
  • decreases in stock price and market capitalization
  • loss of customer and business partner confidence and trust
  • brand damage: business going to competitors, along with hostile publicity

The damage caused by each hour of an outage varies with the nature and size of the business and with how heavily its revenue depends on critical IT. Evaluating and quantifying the total cost of downtime goes well beyond IT: the evaluation must consider every operational area of the business.

So how much would the average business lose as a result of an unexpected outage?  What are some simple ways one can determine such costs and impact?

In risk and loss-prevention practice there are several methods and weighting scorecards, formal and simplified, for calculating the losses attributed to an outage. For this article, let's use the simplest form for calculating Lost Revenue and Lost Productivity and run a few examples.

Lost Revenue = (GR / TH) × IR × H, where:

GR = gross yearly revenue
TH = total yearly business hours
IR = percentage of revenue production impacted
H = number of hours of outage

Lost Productivity = (EPB / TH) × NE × H, where:

EPB = average employee payroll and benefits (burdened cost)
TH = total yearly business hours
NE = number of employees impacted
H = number of hours of outage


Company A, $100 million annual revenue, 2,000 annual business hours, 50% of revenue production directly impacted for the duration of the outage, $90,000 average employee burdened cost, 300 employees impacted, duration of the outage 10 hours.

Lost Revenue = $250,000

Lost Productivity = $135,000

Total = $385,000

Company B, $50 million annual revenue, 2,000 annual business hours, 100% of revenue production directly impacted for the duration of the outage, $60,000 average employee burdened cost, 300 employees impacted, duration of the outage 5 hours.

Lost Revenue = $125,000

Lost Productivity = $45,000

Total = $170,000

Company C, $250 million annual revenue, 2,000 annual business hours, 20% of revenue production directly impacted for the duration of the outage, $100,000 average employee burdened cost, 500 employees impacted, duration of the outage 10 hours.

Lost Revenue = $250,000

Lost Productivity = $250,000

Total = $500,000

As the simple examples above show, the percentage of revenue production impacted and the duration of the outage have a significant bearing on total lost revenue and lost productivity. When employees cannot perform their duties because the systems they depend on are down, that loss can be as damaging as the direct revenue loss. What if Company C had an outage that lasted 40 hours? Total lost revenue and productivity would be $2 million.
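To make the model concrete, here is an added Python example (not code from the original article) that encodes the two formulas implied by the variable definitions above, Lost Revenue = (GR / TH) × IR × H and Lost Productivity = (EPB / TH) × NE × H, and reproduces the three worked examples and the 40-hour Company C scenario. It goes one step beyond the text by computing the combined loss per outage hour and the number of hours at which cumulative loss crosses a threshold, which is the figure you need when arguing for a recovery-time objective or a backup and restore budget. The `Company` class, the function names and the $1 million threshold are this example's own choices, not the article's.

```python
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Company:
    """Inputs to the simplified downtime-cost model (names are this example's own)."""
    name: str
    gross_revenue: float         # GR: gross yearly revenue ($)
    business_hours: float        # TH: total yearly business hours
    revenue_impact: float        # IR: share of revenue production impacted (0.0 to 1.0)
    payroll_and_benefits: float  # EPB: average burdened cost per employee ($/year)
    employees_impacted: int      # NE: number of employees unable to work


def lost_revenue(gr: float, th: float, ir: float, h: float) -> float:
    """Lost Revenue = (GR / TH) * IR * H: hourly revenue, scaled by the share of
    revenue production the outage stops, times outage hours. Rounded to cents."""
    return round(gr / th * ir * h, 2)


def lost_productivity(epb: float, th: float, ne: int, h: float) -> float:
    """Lost Productivity = (EPB / TH) * NE * H: hourly burdened cost per employee,
    times idle employees, times outage hours. Rounded to cents."""
    return round(epb / th * ne * h, 2)


def outage_cost(c: Company, hours: float) -> dict:
    """Both components plus their total for an outage of the given length."""
    rev = lost_revenue(c.gross_revenue, c.business_hours, c.revenue_impact, hours)
    prod = lost_productivity(c.payroll_and_benefits, c.business_hours,
                             c.employees_impacted, hours)
    return {"lost_revenue": rev, "lost_productivity": prod, "total": round(rev + prod, 2)}


def hourly_loss_rate(c: Company) -> float:
    """Combined loss per outage hour; the slope of the (linear) loss curve."""
    return outage_cost(c, 1)["total"]


def hours_until_loss_exceeds(c: Company, threshold: float) -> int:
    """Smallest whole number of outage hours at which cumulative loss reaches
    `threshold` (for example a cyber-insurance deductible or a budget line).
    The model is linear and omits the indirect costs, so treat this as a floor."""
    return math.ceil(threshold / hourly_loss_rate(c))


# The three hypothetical companies from the article (constructed inputs).
COMPANIES = {
    "A": Company("A", 100_000_000, 2_000, 0.50, 90_000, 300),
    "B": Company("B", 50_000_000, 2_000, 1.00, 60_000, 300),
    "C": Company("C", 250_000_000, 2_000, 0.20, 100_000, 500),
}

if __name__ == "__main__":
    for key, hours in (("A", 10), ("B", 5), ("C", 10), ("C", 40)):
        cost = outage_cost(COMPANIES[key], hours)
        print(f"Company {key}, {hours}h outage: revenue ${cost['lost_revenue']:,.0f}, "
              f"productivity ${cost['lost_productivity']:,.0f}, total ${cost['total']:,.0f}")
    threshold = 1_000_000  # example threshold, not from the article
    print(f"Company C reaches ${threshold:,} of loss after "
          f"{hours_until_loss_exceeds(COMPANIES['C'], threshold)} hours")
```

Running the script prints the same figures as the worked examples. The `hours_until_loss_exceeds` value is a lower bound only: the model is linear in H and leaves out every indirect cost listed above, so a real outage of that length will cost more.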

While these examples are hypothetical, a real outage with the same inputs would produce losses of the same order as the calculations.

As you calculate your average loss expectancy, don't forget to include the lost revenue production impacted by the outage as well as the payroll cost of employees unable to perform their duties during the outage; both represent a significant financial loss.

Hope this helps,