Overlooking the Little Guy: An Analysis of Cyber Incidents and Individual Harms

Over the last decade, cybersecurity threats have drastically increased in scale, impact and frequency across the United States. As a result, companies and governments require active monitoring of their cyber risk. While cyber risk management frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework are helpful, in practice this framework is actualized through formalized approaches to cyber risk measurements. While the emphasis on entity-level loss is valuable in the continued fight against cybercrime and acts of cyberterrorism, the individual-level impact is often neglected, to the detriment of everyday users of vulnerable technologies. Negative impacts to individuals as an outcome of organizations being hacked are often not captured today, thereby artificially excluding costs to individuals from loss calculations. Through this body of research, we propose a novel approach to size negative externalities in relation to cybersecurity incidents. In contrast to prior research, this approach emphasizes the harm experienced by individuals rather than financial losses to enterprises. We present a new Taxonomy of Individual Cyber Harms, a formalized harm assessment methodology, and a cyber risk forecasting model to predict probable estimates of individual harms through a series of Monte Carlo Simulations. Through the analysis, we show that not only do harms exist for individuals as a result of cyber incidents, but that the extent of this harm is sizeable and can be greater than the harm to the entity for specific types of cyber incidents. Our results demonstrate that harms to individuals make up 42% of total losses experienced due to cyber attacks on US municipalities, or an additional 72% of harms currently captured. From a policy perspective, a discussion follows providing recommendations for avenues for remedy and redress for individuals who have experienced harm from cyber attacks.