{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T16:55:29Z","timestamp":1743094529722,"version":"3.40.3"},"publisher-location":"Cham","reference-count":29,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030931995"},{"type":"electronic","value":"9783030932008"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":365,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"abstract":"Abstract<\/jats:title>The NIS Directive aims to increase the overall level of cyber security in the EU and establishes a mandatory reporting regime for operators of essential services and digital service providers. While this reporting has attracted much attention, both in society at large and in the scientific community, the non-public nature of reports has led to a lack of empirically based research. This paper uses the unique set of all the mandatory NIS reports in Sweden in 2020 to shed light on incident costs. The costs reported exhibit large variability and skewed distributions, where a single or a few higher values push the average upwards. Numerical values are in the range of tens to hundreds of kSEK per incident. The most common incident causes are malfunctions and mistakes, whereas attacks are rare. No operators funded their incident costs using loans or insurance. Even though the reporting is mandated by law, operator cost estimates are incomplete and sometimes difficult to interpret, calling for additional assistance and training of operators to make the data more useful.<\/jats:p>","DOI":"10.1007\/978-3-030-93200-8_7","type":"book-chapter","created":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T05:30:01Z","timestamp":1641015001000},"page":"116-129","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["The Cost of\u00a0Incidents in\u00a0Essential Services\u2014Data from\u00a0Swedish NIS Reporting"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2017-7914","authenticated-orcid":false,"given":"Ulrik","family":"Franke","sequence":"first","affiliation":[]},{"given":"Johan","family":"Turell","sequence":"additional","affiliation":[]},{"given":"Ivar","family":"Johansson","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,1,1]]},"reference":[{"key":"7_CR1","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/978-3-642-39498-0_12","volume-title":"The Economics of Information Security and Privacy","author":"R Anderson","year":"2013","unstructured":"Anderson, R., et al.: Measuring the cost of cybercrime. In: B\u00f6hme, R. (ed.) The Economics of Information Security and Privacy, pp. 265\u2013300. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-39498-0_12"},{"issue":"5799","key":"7_CR2","doi-asserted-by":"publisher","first-page":"610","DOI":"10.1126\/science.1130992","volume":"314","author":"R Anderson","year":"2006","unstructured":"Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610\u2013613 (2006). https:\/\/doi.org\/10.1126\/science.1130992","journal-title":"Science"},{"issue":"1","key":"7_CR3","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1108\/ICS-01-2019-0012","volume":"28","author":"H Bah\u015fi","year":"2019","unstructured":"Bah\u015fi, H., Franke, U., Langfeldt Friberg, E.: The cyber-insurance market in Norway. Inf. Comput. Secur. 28(1), 54\u2013670 (2019). https:\/\/doi.org\/10.1108\/ICS-01-2019-0012","journal-title":"Inf. Comput. Secur."},{"issue":"1","key":"7_CR4","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1057\/gpp.2014.19","volume":"40","author":"C Biener","year":"2015","unstructured":"Biener, C., Eling, M., Wirfs, J.H.: Insurability of cyber risk: an empirical analysis. Geneva Pap. Risk Insur. Issues Pract. 40(1), 131\u2013158 (2015). https:\/\/doi.org\/10.1057\/gpp.2014.19","journal-title":"Geneva Pap. Risk Insur. Issues Pract."},{"issue":"6","key":"7_CR5","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1108\/DPRG-05-2017-0029","volume":"19","author":"M van Eeten","year":"2017","unstructured":"van Eeten, M.: Patching security governance: an empirical view of emergent governance mechanisms for cybersecurity. Digit. Policy Regul. Gov. 19(6), 429\u2013448 (2017). https:\/\/doi.org\/10.1108\/DPRG-05-2017-0029","journal-title":"Digit. Policy Regul. Gov."},{"key":"7_CR6","doi-asserted-by":"publisher","unstructured":"EIOPA European Insurance and Occupational Pensions Authority: Cyber risk for insurers\u2014challenges and opportunities (2019). https:\/\/doi.org\/10.2854\/305969","DOI":"10.2854\/305969"},{"key":"7_CR7","doi-asserted-by":"publisher","unstructured":"EIOPA European Insurance and Occupational Pensions Authority: EIOPA strategy on cyber underwriting (2020). https:\/\/doi.org\/10.2854\/793935","DOI":"10.2854\/793935"},{"key":"7_CR8","unstructured":"Report from the Commission to the European Parliament and the Council assessing the consistency of the approaches taken by Member States in the identification of operators of essential services in accordance with Article 23(1) of Directive 2016\/1148\/EU on security of network and information systems (2019). https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:52019DC0546. COM(2019) 546"},{"key":"7_CR9","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1007\/978-1-4614-1981-5_3","volume-title":"Economics of Information Security and Privacy III","author":"D Flor\u00eancio","year":"2013","unstructured":"Flor\u00eancio, D., Herley, C.: Sex, lies and cyber-crime surveys. In: Schneier, B. (ed.) Economics of Information Security and Privacy III, pp. 35\u201353. Springer, New York (2013). https:\/\/doi.org\/10.1007\/978-1-4614-1981-5_3"},{"key":"7_CR10","doi-asserted-by":"publisher","first-page":"130","DOI":"10.1016\/j.cose.2017.04.010","volume":"68","author":"U Franke","year":"2017","unstructured":"Franke, U.: The cyber insurance market in Sweden. Comput. Secur. 68, 130\u2013144 (2017). https:\/\/doi.org\/10.1016\/j.cose.2017.04.010","journal-title":"Comput. Secur."},{"key":"7_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1007\/978-3-030-01141-3_5","volume-title":"Security and Trust Management","author":"U Franke","year":"2018","unstructured":"Franke, U.: Cyber insurance against electronic payment service outages. In: Katsikas, S.K., Alcaraz, C. (eds.) STM 2018. LNCS, vol. 11091, pp. 73\u201384. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-01141-3_5"},{"key":"7_CR12","unstructured":"Franke, U.: Cybers\u00e4kerhet f\u00f6r en uppkopplad ekonomi [Cyber security for the online economy]. Entrepren\u00f6rskapsforum (2020). http:\/\/urn.kb.se\/resolve?urn=urn:nbn:se:ri:diva-48918"},{"issue":"4","key":"7_CR13","doi-asserted-by":"publisher","first-page":"760","DOI":"10.1057\/s41288-020-00177-4","volume":"45","author":"U Franke","year":"2020","unstructured":"Franke, U.: IT service outage cost: case study and implications for cyber insurance. Geneva Pap. Risk Insur. Issues Pract. 45(4), 760\u2013784 (2020). https:\/\/doi.org\/10.1057\/s41288-020-00177-4","journal-title":"Geneva Pap. Risk Insur. Issues Pract."},{"key":"7_CR14","doi-asserted-by":"publisher","unstructured":"Franke, U., Wernberg, J.: A survey of cyber security in the Swedish manufacturing industry. In: 2020 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). IEEE, June 2020. https:\/\/doi.org\/10.1109\/CyberSA49311.2020.9139673","DOI":"10.1109\/CyberSA49311.2020.9139673"},{"issue":"9","key":"7_CR15","first-page":"1","volume":"12","author":"J Goldstein","year":"2011","unstructured":"Goldstein, J., Chernobai, A., Benaroch, M.: An event study analysis of the economic impact of IT operational risk and its subcategories. J. Assoc. Inf. Syst. 12(9), 1 (2011)","journal-title":"J. Assoc. Inf. Syst."},{"key":"7_CR16","doi-asserted-by":"publisher","first-page":"176","DOI":"10.1108\/JFRC-06-2016-0050","volume":"25","author":"S Ibrahimovic","year":"2016","unstructured":"Ibrahimovic, S., Franke, U.: A probabilistic approach to IT risk management in the Basel regulatory framework: a case study. J. Financ. Regul. Compliance 25, 176\u2013195 (2016). https:\/\/doi.org\/10.1108\/JFRC-06-2016-0050","journal-title":"J. Financ. Regul. Compliance"},{"key":"7_CR17","unstructured":"Insurance Europe: Key messages on EIOPA\u2019s cyber underwriting strategy (2020). https:\/\/www.insuranceeurope.eu\/publications\/1718\/key-messages-on-eiopa-s-cyber-underwriting-strategy\/. Published June 15, 2020"},{"issue":"1","key":"7_CR18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.31374\/sjms.3","volume":"1","author":"MS Jensen","year":"2018","unstructured":"Jensen, M.S.: Sector responsibility or sector task? New cyber strategy occasion for rethinking the Danish Sector Responsibility Principle. Scand. J. Mil. Stud. 1(1), 1\u201318 (2018)","journal-title":"Scand. J. Mil. Stud."},{"issue":"4","key":"7_CR19","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1080\/1097198X.2017.1388696","volume":"20","author":"M Kassen","year":"2017","unstructured":"Kassen, M.: Understanding transparency of government from a Nordic perspective: open government and open data movement as a multidimensional collaborative phenomenon in Sweden. J. Glob. Inf. Technol. Manage. 20(4), 236\u2013275 (2017). https:\/\/doi.org\/10.1080\/1097198X.2017.1388696","journal-title":"J. Glob. Inf. Technol. Manage."},{"key":"7_CR20","unstructured":"Cloud Down: Impacts on the US economy. Technical report, Lloyd\u2019s of London (2018). https:\/\/www.lloyds.com\/news-and-risk-insight\/risk-reports\/library\/technology\/cloud-down"},{"issue":"14","key":"7_CR21","doi-asserted-by":"publisher","first-page":"154769","DOI":"10.4108\/eai.15-5-2018.154769","volume":"4","author":"L Maglaras","year":"2018","unstructured":"Maglaras, L., Drivas, G., Noou, K., Rallis, S.: NIS directive: the case of Greece. EAI Endorsed Trans. Secur. Saf. 4(14), 154769\u2013154775 (2018)","journal-title":"EAI Endorsed Trans. Secur. Saf."},{"issue":"6","key":"7_CR22","doi-asserted-by":"publisher","first-page":"105336","DOI":"10.1016\/j.clsr.2019.06.007","volume":"35","author":"D Markopoulou","year":"2019","unstructured":"Markopoulou, D., Papakonstantinou, V., de Hert, P.: The new EU cybersecurity framework: the NIS Directive, ENISA\u2019s role and the General Data Protection Regulation. Comput. Law Secur. Rev. 35(6), 105336 (2019). https:\/\/doi.org\/10.1016\/j.clsr.2019.06.007","journal-title":"Comput. Law Secur. Rev."},{"key":"7_CR23","unstructured":"Directive (EU) 2016\/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. Off. J. Eur. Union L 194, 1\u201330 (2016). http:\/\/data.europa.eu\/eli\/dir\/2016\/1148\/oj"},{"key":"7_CR24","doi-asserted-by":"publisher","unstructured":"OECD: Enhancing the Role of Insurance in Cyber Risk Management (2017). https:\/\/doi.org\/10.1787\/9789264282148-en","DOI":"10.1787\/9789264282148-en"},{"key":"7_CR25","doi-asserted-by":"publisher","unstructured":"Rachev, S.T., Chernobai, A., Menn, C.: Empirical examination of operational loss distributions. In: Perspectives on Operations Research, pp. 379\u2013401. Springer, Cham (2006). https:\/\/doi.org\/10.1007\/978-3-8350-9064-4_21","DOI":"10.1007\/978-3-8350-9064-4_21"},{"key":"7_CR26","doi-asserted-by":"publisher","unstructured":"Timmers, P.: The European Union\u2019s cybersecurity industrial policy. J. Cyber Policy 3(3), 363\u2013384 (2018). https:\/\/doi.org\/10.1080\/23738871.2018.1562560","DOI":"10.1080\/23738871.2018.1562560"},{"key":"7_CR27","doi-asserted-by":"publisher","unstructured":"Wallis, T., Johnson, C.: Implementing the NIS Directive, driving cybersecurity improvements for Essential Services. In: 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1\u201310 (2020). https:\/\/doi.org\/10.1109\/CyberSA49311.2020.9139641","DOI":"10.1109\/CyberSA49311.2020.9139641"},{"key":"7_CR28","doi-asserted-by":"publisher","unstructured":"Woods, D.W., B\u00f6hme, R.: SoK: quantifying cyber risk. In: 2021 IEEE Symposium on Security and Privacy (SP), Los Alamitos, CA, USA, pp. 211\u2013228. IEEE Computer Society, May 2021. https:\/\/doi.org\/10.1109\/SP40001.2021.00053","DOI":"10.1109\/SP40001.2021.00053"},{"issue":"4","key":"7_CR29","doi-asserted-by":"publisher","first-page":"657","DOI":"10.1057\/s41288-020-00183-6","volume":"45","author":"D Wrede","year":"2020","unstructured":"Wrede, D., Stegen, T., von der Schulenburg, J.M.G.: Affirmative and silent cyber coverage in traditional insurance policies: qualitative content analysis of selected insurance products from the German insurance market. Geneva Pap. Risk Insur. Issues Pract. 45(4), 657\u2013689 (2020). https:\/\/doi.org\/10.1057\/s41288-020-00183-6","journal-title":"Geneva Pap. Risk Insur. Issues Pract."}],"container-title":["Lecture Notes in Computer Science","Critical Information Infrastructures Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-93200-8_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T05:43:59Z","timestamp":1641015839000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-93200-8_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030931995","9783030932008"],"references-count":29,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-93200-8_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"1 January 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CRITIS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Critical Information Infrastructures Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Lausanne","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Switzerland","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 September 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 September 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"critis2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/critis2021.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"42","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"12","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"29% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.5","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}