A decade ago the idea of loss prevention (LP) had been limited to the idea of theft of merchandise. With the advent of online retailing, retailers have discovered that loss must be viewed more broadly to “intended sales income that was not and cannot be realized” [Beck and Peacock, 28]. While Beck and Peacock regard malicious loses such as vandalism as part of sales that cannot be realized, Distributed Denial of Service (DDoS) attacks certainly could fit with that definition. Unlike other kinds of LP, where the attempt of the thief is to conceal their activities, a DDoS attack is designed for maximal visibility so the purpose of the attack is to deny the target customer’s access, and especially susceptible are businesses that have online payment gateways [Gordon, 20] which today includes many business and non-profit entities.
Particularly problematic for CIOs is that the nature of DDoS attacks is constantly changing. Many of these attacks occur at networking layers below the application level, which means for the CIO that buying an off-the-shelf software product is unlikely to provide an effective countermeasure [Oliveira et al, 19]. Of course, the determination of financial impact is an important consideration when weighing allocations of the IT security budget. While it is clear that the “loss of use and functionality” constitutes true losses to a company [Hovav and D’Arcy, 98], estimating a potential loss encounters difficulties given the lack of historical data and a perceived risk to putting an exact figure upon security breach losses. This presents a problem for the CIO because of the need to show ROI on security investments [Hovav and D’Arcy, 99]. Yet, a successful DDoS attack has the potential to cost a company millions of dollars in real financial losses from the direct costs of work time, equipment leases, and legal costs to the indirect costs, such as, loss of competitive advantage and damage done to the company’s brand. The direct cost of “a more complex breach that affects a cross-section of a complex organization” can often exceed £500,000 (624,000 USD) and does not include additional five or six figure fines if government regulatory agencies are involved [Walker and Krausz, 30].
If the CIO cannot buy an off-the-shelf software product to prepare against a DDoS attack, how does the CIO develop an I.T. security strategy that is appropriate to this specific threat? While this is by no means an exhaustive list: here are a few approaches that one can take that may help to developing an effective I.T. strategy that can deal with the DDoS threat. (1) Accept that developing an I.T. strategy effective against mitigating loss caused by DDoS requires resources, but your business is worth protecting. (2) Remember that the purpose of technology is to connect your business to people [Sharif, 348], and that connectivity is itself an asset that has real value. (3) Developing effective business partners can help you ensure business continuity. These partnerships could be with consultants, alliance partnerships that have successfully dealt with DDoS attacks, or businesses that specialize in dealing with this kind of security issue.
Beck, Adrian, and Colin Peacock. New Loss Prevention: Redefining Shrinkage Management. NY: Palgrave Macmillan, 2009.
Gordon, Sarah, “DDoS attacks grow,” Network Security (May 2015), 2, 20.
Horvav, Anat, and John D’Arcy, “The Impact of Denial-of-Service attack announcements on the market value of firms,” Risk Management and Insurance Review 6 (2003), 97-121.
Oliveira, Rui André, Nuno Larajeiro, and Marco Vieira, “Assessing the security of web service frameworks against Denial of Service attacks,” The Journal of Systems and Software 109 (2015), 18-31.
Sharif, Amir M. “Realizing the business benefits of enterprise IT,” Handbook of Business Strategy 7 (2006), 347-350.
Walker, John, and Michael Krausz, The True Cost of Information Security Breaches: A Business Approach. Cambrigdeshire, UK: IS Governance Publishing, 2013.
David A. Falk, , Ph.D.
Director of IT
DOSarrest Internet Security