Quantifying the Risks of DDoS Attacks for the Traditional Enterprise

In a recent report, the Aberdeen Group leverages empirical data to show that additional investment in distributed denial of service (DDoS) protection services reduces the risk of DDoS attacks for the traditional enterprise by about 50%.

As Aberdeen described in its research report on “Understanding Your Risk (for Real) from Distributed Denial of Service Attacks” (June 2015), leading industry sources provide interesting and useful information about DDoS attacks, including:

• What DDos attacks are
• How they work, in significant, technical detail
• Who is executing them, and why
• How executing them is becoming even easier
• Examples of organisations that have been affected
• Detailed stats and technical information about the latest DDoS trends

However, this doesn’t really tell security professionals and decision-makers much about their actual risk.

Case in Point: The Risk of DDoS Attacks for the Enterprise

Enterprises rely on its networks for multiple network services (e.g. mobility and data), across multiple network infrastructures (e.g. fixed and mobile). It is clear that increasingly sophisticated denial of service attacks can negatively affect the availability and performance of enterprise networks and network-based services.

To understand the risk of DDoS attacks, the likelihood and business impact of such attacks needs to be estimated.

Step 1: What is the Likelihood of DDoS Attacks Occurring?

Aberdeen leveraged findings from the Arbor Networks “Worldwide Infrastructure Security Report” (WISR, Volume X) and modelled corresponding ranges and probability distributions for each of the following, as summarised in Table 1:

• The likelihood of experiencing a DDoS attack within a 12-month period
• If attacked, the number of attacks in a 12-month period
• The maximum duration of attacks experienced, in hours

Selected characteristics of the probability distribution for the total hours of DDoS attacks likely to be experienced per year are summarised in Table 2:

Step 2: Modelling the Business Impact of DDoS Attacks Affecting the Traditional Enterprise

Aberdeen estimated the annual business impact from DDoS attacks based on a simple Monte Carlo model of the following:

• The cost of full-time equivalent responders (e.g. IT staff and forensics analysts)
• The percentage of revenue from network-based services lost during the time of disruption
• The current value of expenses or loss of future revenue as a result of disruption from DDoS attacks (e.g. reputation damage and customer defection to other companies)

The result is summarised in Table 3, and also addresses how an incremental investment in DDoS protection services reduces the organisation’s risk:

Summary and Key Takeaways

• Security professionals are needed to help organisations manage risk.
• To be regarded as a trusted adviser, security professionals must communicate the risk of DDoS attacks effectively, using data to estimate the likelihood and business impact of such an attack.
• As Aberdeen’s simple Monte Carlo analysis demonstrates, this is easier than many security professionals may think.

AFTERWORD

Aberdeen Group has been an international research partner of Nebula since 2010.  With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.

Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.

Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za.