Cybersecurity 1-3


EVALUATION OF CYBERSECURITY BREACHES: INVESTIGATING RECENT

INCIDENTS, VULNERABILITIES, AND MITIGATION STRATEGIES

BY

OWOLABI PHILIP IYANUOLUWA

MATRIC NO: 184380

SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING,

FACULTY OF ENGINEERING AND TECHNOLOGY,

LADOKE AKINTOLA UNIVERSITY OF TECHNOLOGY, OGBOMOSO, OYO STATE,

NIGERIA.

IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF

BACHELOR DEGREE OF TECHNOLOGY (B.TECH) IN COMPUTER SCIENCE AND

ENGINEERING

SUPERVISED BY: PROF. A. ADETUNJI

OCTOBER, 2023

CERTIFICATION
This is to certify that this project work is done by OWOLABI PHILIP IYANUOLUWA (Matric no: 184380) in the Department of Computer Science and Engineering, Ladoke Akintola University of Technology, Ogbomoso, Oyo State, Nigeria in partial fulfilment of the requirement for the award of Bachelor of Technology (B.Tech) in Computer Science and Engineering.

....................................... .......................................

PROF. A. ADETUNJI Date

(Supervisor)

.............................................. ..........................................

PROF. Date

(Head of Department)

DEDICATION
This project work is dedicated to the glory of Almighty God who has been my Anchor and who in His infinite mercy provides for me.

ACKNOWLEDGEMENT
First and foremost, all appreciation goes to Almighty God for His loving kindness, protection, provisions and mercy shown to me during my academic pursuits and for making this project a reality.

I wish to express my sincere gratitude to my able supervisor, PROF. A. ADETUNJI, for his efforts and advice on this project work.

Also, my special thanks to my caring and loving parents for their support right from the beginning of my educational career to this present date. May you live long to eat the fruits of your labor in Jesus' name, Amen.

I will not forget to thank all members of my extended family at large for their care, moral and financial support at all times. Thank you very much.


ABSTRACT

As digital ecosystems become increasingly intricate, the frequency and sophistication of cybersecurity
breaches pose significant threats to organizational resilience. This project addresses the imperative
need for an in-depth analysis of recent cybersecurity incidents, the identification of common
vulnerabilities, and the development of effective mitigation strategies. The project's objectives
encompass unraveling the intricacies of recent incidents, discerning recurring vulnerabilities, and
formulating actionable strategies to fortify cybersecurity defenses.
The literature review explores the historical evolution of cybersecurity breaches, providing a
contextual understanding of the current threat landscape. Incident case studies delve into specific
instances, dissecting attack methodologies, and extracting insights to inform a holistic incident
analysis. Common vulnerabilities are identified through an extensive review, categorizing weaknesses
based on prevalence, severity, and impact.
Methodologically, a mixed-methods approach is adopted, combining qualitative and quantitative
analyses. Qualitative methods include interviews and detailed case studies, while quantitative methods
leverage advanced data analysis tools to uncover patterns and trends in cybersecurity incidents.
The analysis of recent incidents involves the creation of detailed profiles, offering a comprehensive
view of attack lifecycles, impact assessments, and commonalities among diverse incidents. Patterns
and trends across incidents inform the development of targeted mitigation strategies, addressing
vulnerabilities identified through the literature review.
The proposed mitigation strategies encompass a comprehensive and adaptive approach, considering
technical, organizational, and human factors. The conclusion summarizes key findings, emphasizing
their significance in bolstering cybersecurity defenses. Implications for organizations include
proactive security measures, the cultivation of a security-aware culture, and effective responses to
emerging threats.
The project concludes by suggesting avenues for future research, recognizing the dynamic nature of
cyber threats. Future research could explore the effectiveness of the proposed mitigation strategies in
real-world scenarios, contributing to ongoing efforts to fortify cybersecurity in an ever-evolving
digital landscape.
TABLE OF CONTENTS

Title Page
Certification
Dedication
Acknowledgement
Table of Contents
List of Figures
Abstract

CHAPTER ONE
INTRODUCTION
1.1 BACKGROUND OF THE STUDY
1.2 PROBLEM STATEMENT
1.3 AIM AND OBJECTIVE OF THE RESEARCH
1.3.1 OBJECTIVES
1.4 SIGNIFICANCE OF THE STUDY
1.5 LIMITATIONS OF THE STUDY
1.6 SCOPE OF THE STUDY
1.6 DEFINITION OF TECHNICAL TERMS

CHAPTER TWO
LITERATURE REVIEW
2.1 ESCALATION IN CYBER THREATS
2.1.1 SOPHISTICATION OF THREAT ACTORS
2.1.2 EXPANDING ATTACK SURFACE
2.1.3 PERVASIVENESS OF NATION STATE CYBER OPERATIONS
2.2 COMMON VULNERABILITIES EXPLOITED
2.2.1 SOFTWARE VULNERABILITIES
2.2.2 MISCONFIGURATIONS
2.2.3 SOCIAL ENGINEERING AND PHISHING
2.2.4 INSIDER THREATS
2.2.4.1 E-LEARNING ASSETS
2.2.5 CLOUD COMPUTING FOR E-LEARNING MANAGEMENT SYSTEM ON SECURITY ISSUES
2.2.5.1 THE BENEFITS OF CLOUD-BASED E-LEARNING
2.2.5.2 SECURITY ISSUES IN CLOUD-BASED E-LEARNING
2.3 VOICE RECOGNITION
2.3.1 CHARACTERISTICS OF VOICE RECOGNITION
2.3.2 ADVANTAGES OF VOICE RECOGNITION
2.4 VOICE RECOGNITION TECHNOLOGY
2.4.1 VOICE RECOGNITION PROCESS

CHAPTER THREE
METHODOLOGY
3.1 THREATS
3.2 ATTACKS
3.3 VULNERABILITIES
3.4 DATA COLLECTION AND CASE SELECTION
3.4.1 DATA SOURCES
3.4.2 CASE SELECTION CRITERIA



CHAPTER ONE
INTRODUCTION
It is well known that the Internet is a global communication system where people all around the world
can meet and talk about almost anything. Communication through social media, be it for good or bad
reasons, has become the order of the day, and the world is closely attached to the Internet. Unfortunately,
not everyone uses the Internet for good purposes. There are lots of people who use social networks
to steal personal information, especially through phishing, so all users of such sites need to be vigilant
to protect themselves.
Phishing is a form of attack whereby attackers try to get hold of one’s personal details by misleading
them. This is widespread on the Internet and one normally receives emails instructing him/her to enter
his/her personal information to protect his/her account. This is mostly done through sending an email
that contains some enticing information. This could be for example, through sending an attractive link
that seems to come from a trusted source to lure the victim to provide personal information.
Social networks are becoming a very popular source of information for these phishers. They can
easily use all of the information that is contained in someone’s social networking account to steal the
person’s identity. The good thing is that there are preventive measures that could help mitigate Social
Engineering attacks.

1.1 BACKGROUND OF THE STUDY


Cybersecurity has been a major concern since the beginning of ARPANET, which is considered to be
the first wide-area packet-switching network with distributed control and one of the first networks to
implement the TCP/IP protocol suite. The term "phishing", which was also called carding or brand
spoofing, was coined for the first time in 1996 when hackers created randomized credit card
numbers using an algorithm to steal users' passwords from America Online (AOL) (Whitman and
Mattord, 2012; Cui et al., 2017). Phishers then used instant messages or emails to reach users,
posing as AOL employees to convince them to reveal their passwords. Attackers believed that
asking customers to update their account would be an effective way to make them disclose sensitive
information; thereafter, phishers started to target larger financial companies. Ollmann (2004)
believes that the "ph" in phishing comes from the term "phreaks", which was coined by John Draper,
also known as Captain Crunch, and was used by early Internet criminals when they phreaked
telephone systems. The "f" in "fishing" was replaced with "ph" in "phishing" because the two share
a meaning: phishing for passwords and sensitive information from the sea of Internet users. Over time,
phishers developed various and more advanced types of scams for launching their attacks. Sometimes
the purpose of the attack is not limited to stealing sensitive information; it could involve injecting
viruses or downloading a malicious program onto a victim's computer. Phishers make use of a trusted
source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive
information (Ollmann, 2004).
Phishing attacks are rapidly evolving, and spoofing methods are continuously changing as a response
to new corresponding countermeasures. Hackers take advantage of new tool-kits and technologies to
exploit systems’ vulnerabilities and also use social engineering techniques to fool unsuspecting users.
Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.
1.2 AIM AND OBJECTIVES OF THE STUDY
The aim of this study is to comprehensively explore, analyze, and understand the dynamics of social
engineering and phishing attacks in the context of cybersecurity. By investigating the psychological
principles, techniques, and mitigation strategies, the study seeks to enhance awareness, knowledge,
and preparedness in combating these pervasive threats.
1.2.1 OBJECTIVES
Education and Awareness: Develop and deliver engaging educational content to inform participants
about social engineering and phishing attacks, their various forms, and the potential consequences.
Skill Development: Equip participants with practical skills to identify and respond to different types
of social engineering and phishing attempts.
Prevention Strategies: Provide actionable strategies and best practices for individuals and
organizations to prevent and mitigate the impact of social engineering and phishing attacks.
Interactive Training: Design interactive workshops and simulations to simulate real-life scenarios and
facilitate hands-on learning experiences.
Resources and Tools: Develop and distribute resources, such as informational pamphlets,
infographics, and e-learning modules, to support ongoing learning and reference.
Reporting and Incident Response: Establish a reporting mechanism for participants to report potential
incidents and provide guidance on the appropriate steps to take in case of a suspected attack.

1.3 SIGNIFICANCE OF THE STUDY


The study of social engineering and phishing attacks holds profound significance in today's
interconnected digital landscape. As cyber threats become increasingly sophisticated and prevalent,
understanding the intricacies of these manipulative tactics is crucial for individuals, businesses, and
society at large. It will thereby enhance cybersecurity awareness and protect personal privacy.

1.4 SCOPE OF THE STUDY


The scope of this study encompasses a comprehensive exploration of the concepts, techniques,
impacts, and mitigation strategies associated with social engineering and phishing attacks. The study
will delve into both the technical and psychological aspects of these attacks, aiming to provide a
holistic understanding of the threat landscape and practical ways to counteract them.
1.5 LIMITATIONS OF THE STUDY
While this project seeks to provide a comprehensive understanding of social engineering and phishing
attacks, it is important to acknowledge certain limitations that might impact the scope, depth, and
generalizability of the findings. These limitations include:
Complexity of Psychological Factors: Although the project aims to delve into the psychological
aspects of these attacks, fully capturing the intricate interplay of cognitive biases, emotions, and social
dynamics that cybercriminals exploit can be challenging. The complexity of human psychology might
result in an oversimplification of these factors.
Limited Access to Insider Information: Obtaining access to detailed insider information about specific
social engineering or phishing incidents can be difficult due to the confidential nature of these
incidents. This limitation might restrict the depth of analysis and prevent a comprehensive
examination of real-world cases.
Rapidly Evolving Techniques: The field of cyber threats, including social engineering and phishing
attacks, evolves rapidly. Some of the techniques discussed in the project might become outdated or
new attack vectors might emerge after the project's completion, limiting the relevance of the
information over time.
Resource and Technical Constraints: Exploring advanced technical aspects of these attacks might
require specialized resources, tools, and technical expertise. Resource limitations could hinder the
depth of analysis in certain technical areas.
Incomplete Data and Reporting: Not all instances of social engineering and phishing attacks are
publicly reported or documented. This limitation might result in incomplete data sets, potentially
leading to a skewed understanding of the prevalence and impact of these attacks.
Lack of Real-time Analysis: The project's research and analysis might not capture the most recent and
emerging trends in social engineering and phishing attacks, as these tactics are continually evolving.

1.6 DEFINITION OF TECHNICAL TERMS


Social Engineering: Social engineering refers to the manipulation of individuals into divulging
confidential information, performing actions, or granting unauthorized access through psychological
and emotional manipulation. It exploits human psychology, trust, and vulnerabilities to deceive
individuals and bypass traditional security measures.
Phishing Attacks: Phishing attacks are a form of cyber attack where attackers impersonate legitimate
entities, often through emails, messages, or phone calls, to deceive recipients into revealing sensitive
information, clicking on malicious links, or downloading infected attachments. These attacks aim to
trick users into taking actions that compromise their security.
Spear Phishing: Spear phishing is a targeted form of phishing attack where cybercriminals customize
their messages to a specific individual or organization. They often use personal information obtained
from various sources to make the phishing attempt appear more convincing and legitimate.
Whaling: Whaling is a subset of spear phishing that specifically targets high-profile individuals, such
as CEOs or high-ranking executives, in an organization. These attacks aim to steal sensitive corporate
information or gain access to valuable accounts.
Vishing (Voice Phishing): Vishing is a type of phishing attack that uses voice communication,
typically phone calls, to deceive victims. Attackers use social engineering techniques to manipulate
victims into providing sensitive information or taking certain actions over the phone.
Pretexting: Pretexting involves creating a fabricated scenario or pretext to trick individuals into
disclosing information or performing actions they wouldn't otherwise. The attacker creates a false
identity or reason to gain the victim's trust.
Baiting: Baiting involves enticing victims with something appealing, such as a free download, in
exchange for personal information or access credentials. This tactic exploits human curiosity and
greed to manipulate individuals.
Tailgating: Tailgating, also known as piggybacking, occurs when an attacker gains unauthorized
physical access to a secured area by following closely behind an authorized person. This exploits the
natural tendency to hold doors open for others.
Email Spoofing: Email spoofing is a technique where attackers manipulate the email header to make it
appear as though the email originates from a legitimate source. This is often used in phishing attacks
to trick recipients into believing the communication is genuine.
Domain Spoofing: Domain spoofing involves creating fraudulent websites or email addresses that
mimic the appearance of legitimate domains. Attackers use these fake domains to trick users into
thinking they are interacting with a trusted entity.
Multi-Factor Authentication (MFA): Multi-factor authentication is a security method that requires
users to provide two or more authentication factors to verify their identity. This adds an extra layer of
protection against unauthorized access, even if login credentials are compromised.
Intrusion Detection System (IDS): An intrusion detection system is a security solution that monitors
network traffic and system activities to detect and respond to unauthorized or suspicious behavior.
It helps identify potential cyber attacks, including social engineering and phishing attempts.
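The following is an added example, not part of this project, that turns the email spoofing, domain spoofing and IDS definitions above into simple detection rules run over a constructed message: a Return-Path or Reply-To domain that differs from the From domain, a display name that claims a trusted brand, and sender or link domains that imitate a trusted domain by homoglyphs, a one-character typo, or reuse of the brand as a label. The trusted domains, headers and URLs are placeholders assumed for the example.

```python
"""Phishing indicator checks over a raw e-mail (constructed example, not project code).
Rules: return-path-mismatch and reply-to-mismatch (e-mail spoofing), display-name-brand,
lookalike-sender and lookalike-link (domain spoofing)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed trusted domains (placeholders chosen for this example).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}
# Single-character substitutions commonly used to build look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def normalize_label(label: str) -> str:
    """Fold look-alike tricks so that 'examp1ebank' compares equal to 'examplebank'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplification: ignores multi-label TLDs such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    ordered = sorted(TRUSTED_DOMAINS, key=len, reverse=True)  # most specific brand first
    for trusted in ordered:
        # Same name after folding homoglyphs (examp1ebank.com) or one typo away (examplebnk.com)
        if normalize_label(reg) == trusted or edit_distance(reg, trusted) <= 1:
            return trusted
    for trusted in ordered:
        brand = trusted.split(".")[0]
        # Brand reused as a label or inside one: examplebank.com.evil.net, examplebank-verify.com
        if any(brand in normalize_label(label) for label in host.split(".")):
            return trusted
    return None

def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyze(raw_message: str) -> List[Tuple[str, str]]:
    """Apply the rules to one RFC 5322 message; returns (rule, detail) findings in rule order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    from_reg = registrable_domain(from_domain)
    # Bounces go to Return-Path; a phisher rarely controls the domain shown in From:.
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and registrable_domain(rp_domain) != from_reg:
        findings.append(("return-path-mismatch", f"From {from_domain}, Return-Path {rp_domain}"))
    rt_domain = _domain(msg.get("Reply-To", ""))
    if rt_domain and registrable_domain(rt_domain) != from_reg:
        findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {rt_domain}"))
    # Display name invoking a trusted brand while the address lives elsewhere.
    folded_name = normalize_label(display_name.replace(" ", ""))
    if from_reg not in TRUSTED_DOMAINS and any(t.split(".")[0] in folded_name for t in TRUSTED_DOMAINS):
        findings.append(("display-name-brand", f"'{display_name}' sent from {from_domain}"))
    # Look-alike domains in the sender address and in every link of the body.
    hit = lookalike_of(from_domain) if from_domain else None
    if hit:
        findings.append(("lookalike-sender", f"{from_domain} imitates {hit}"))
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(("lookalike-link", f"{host} imitates {hit}"))
    return findings

# Constructed sample message: every header and URL is invented for this example.
SAMPLE_MESSAGE = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
Return-Path: <bounce@mail-relay.evil-example.net>
Reply-To: support@examplebank-verify.com
To: customer@example.com
Subject: Urgent: verify your account

Your account will be suspended. Visit http://examplebank.com.evil-example.net/login now.
"""
```

Running `analyze(SAMPLE_MESSAGE)` triggers all five rules; a genuine statement mail from examplebank.com with a matching Return-Path triggers none.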
CHAPTER 2
LITERATURE REVIEW
Current Landscape of Cybersecurity Breaches

2.1 Escalation in Cyber Threats


The modern threat landscape is characterized by a dynamic and evolving array of cyber threats. This
escalation can be attributed to several key factors:
2.1.1 Sophistication of Threat Actors
Cyber adversaries have evolved from opportunistic individuals to highly organized groups with
advanced capabilities. These groups include criminal enterprises, hacktivist collectives, and nation-
state actors (Schneier, 2015). The tactics employed by these groups range from social engineering and
phishing to the development of custom malware and exploits.
2.1.2 Expanding Attack Surface
As our reliance on technology grows, so does the attack surface. The proliferation of internet-
connected devices, from smartphones and IoT devices to critical infrastructure components, provides
an expanded landscape for potential attacks. Each of these devices represents a potential entry point
for cyber adversaries.
2.1.3 Pervasiveness of Nation-State Cyber Operations
State-sponsored cyber operations have become a prominent feature of the modern threat landscape.
Nations utilize cyber capabilities for various purposes, including espionage, sabotage, and geopolitical
leverage. These operations often involve highly sophisticated techniques and have the potential to
cause significant disruptions (Rid, 2019).

2.2 Common Vulnerabilities Exploited


The success of cyberattacks often hinges on the exploitation of vulnerabilities within systems. These
vulnerabilities can arise from various sources:

2.2.1 Software Vulnerabilities


Unpatched or outdated software components are a common entry point for attackers. Known
vulnerabilities in software can be exploited through techniques like code injection, privilege
escalation, and remote code execution (OWASP, 2017).
2.2.2 Misconfigurations
Improperly configured systems or applications can expose critical services or data unintentionally.
This may include weak passwords, overly permissive access controls, or misconfigured firewalls
(NIST, 2018).
2.2.3 Social Engineering and Phishing
Human error remains a significant factor in cybersecurity breaches. Attackers often leverage
psychological manipulation techniques to deceive individuals into revealing sensitive information or
performing actions that compromise security (KnowBe4, 2020).
2.2.4 Insider Threats
Employees or individuals with privileged access can pose a significant risk. Whether due to malicious
intent or inadvertent actions, insiders can be a vector for breaches. This includes unintentional data
exposure or deliberate sabotage (CERT, 2021).
CHAPTER 3
METHODOLOGY
This is the 21st edition of the Symantec Internet Security Threat Report and much has changed since
the first one. We take a fresh look at the structure and contents of the report. As well as focusing on
the threats and findings from our research, it is also tracking industry trends. We try to highlight the
important developments and look to future trends. This goes beyond just looking at computer systems,
smartphones, and other products, and extends into broad concepts like national security, the economy,
data protection, and privacy.
3.1 CATEGORIES OF CYBER CRIMINALS
In this section, some of the cyber-criminals have been categorized as below and shown in Fig. 1 [10-11]:
Hacker: A hacker is a special kind of computer operator who seeks and exploits weaknesses in a computer
system or computer network. These individuals explore others' computer systems for education,
eCommerce, or information system purposes.
Crackers: A cracker is a computer-literate person who has broad computer knowledge and aims to
breach Internet security and gain access to information systems without paying any cost.
Cyber Terrorists: A cyber terrorist is also a programmer, who breaches computer system security to
steal or destroy cyber users' information for cyber-terrorism purposes. A smart hacker hacking government
websites is also a form of cyber terrorism.
Salami Attackers: These attackers use an online database to grab customers' confidential
information, such as bank and credit card details, and target them for financial crimes. For example,
a custom-designed program inserted by a bank employee into the bank's servers deducts a
small amount from each customer's account.

Pranksters: Pranksters are the least malicious computer criminals; they aim to harm computer systems and
cause financial data loss to an individual, a group or an organization.
Career Criminals: Career criminals earn their income from criminal activities; they are described as
dissatisfied, devoted and useless people. They work within skilful groups such as APT17. Most
career criminals are found in Russia, Italy, and Asia.
Cyber Bullies: Cyber bullies harass cyber users via the Internet, uploading fake posts on forums,
posting fake profiles on social sites (such as Facebook or WhatsApp), and sending malicious email
messages.
Industrial Spy: An industrial spy is a person who attempts to access information about a company's
future plans or trade secrets.

3.2 THREATS
Cyber security threats encompass a wide range of potentially illegal activities on the Internet. Cyber
security threats against utility assets have been recognized for decades, and the terrorist attacks have
drawn attention to the security of critical infrastructures. Insecure computer systems may
lead to fatal disruptions, disclosure of sensitive information, and fraud. Cyber threats result from the
exploitation of cyber system vulnerabilities by users with unauthorized access [7]. There are crimes
that target computer networks or services directly, like malware, viruses or denial of service attacks, and
crimes facilitated by networks or devices, the primary target of which is independent of the network or
device, like fraud, identity theft, phishing scams and cyber stalking.
Cyber Theft: This is the most common cyber-attack committed in cyberspace. This kind of
offence is normally referred to as hacking in the generic sense. It basically involves using the Internet
to steal information or assets. It is also called illegal access: using a malicious script to
break or crack the computer system or network security without the user's knowledge or consent, in order
to tamper with critical data. It is the gravest of the cybercrimes. Most of the banks,
Microsoft, Yahoo and Amazon have been victims of such cyber-attacks. Cyber thieves use tactics like
plagiarism, hacking, piracy, espionage, DNS cache poisoning, and identity theft. Most of the security
web sites have described the various cyber threats.
Cyber Vandalism: Damaging or exploiting data rather than stealing or misusing it is called
cyber vandalism. Its effect is that network services are disrupted or stopped, which deprives
authorized users of access to the information contained on the network. This cybercrime is like a
time bomb: it can be set to bring itself into action at a specified time and damage the target system. The
creation and dissemination of harmful software that does irreparable damage to computer systems, and
deliberately entering malicious code like viruses into a network to monitor, follow, disrupt, stop, or
perform any other action without the permission of the network's owner, are severe kinds of
cybercrime.
Web Jacking: Web jacking is the forceful control of a web server by gaining access to and control
over the web site of another. Hackers might manipulate the information on the site.
Stealing card information: Stealing credit or debit card information by breaking into the e-commerce
server and misusing this information.
Cyber Terrorism: Deliberate, usually politically motivated violence committed against civilians
through the use of, or with the help of, the Internet.
Child Pornography: The use of computer networks to create, distribute, or access materials that
sexually exploit underage children, including pornography in shared drives of community networks.
Cyber Contraband: Transferring illegal items or information through the Internet that is banned in some
locations, like prohibited material.
Spam: This includes violation of the SPAM Act through unauthorized transmission of spam, by sending
illegal product marketing or proliferating immoral content via emails.
Legal accessing of network resources without altering, disturbing, misusing, or damaging the data or system.
It may include accessing private information without disturbing it, or snooping the network
traffic to get some important information.
Logic bombs: These are event-dependent programs. They are activated after a specific event is
triggered. The Chernobyl virus is a specific example: it acts as a logic bomb and can lie dormant until a
particular date.
Drive by Download: A survey undertaken by search engine companies found a number of websites
acting as hosts for malware. The term "Drive by Download (DbD)" has been used in the software
industry since its inception with different variations. It is a phenomenon in which a software
program is installed automatically on a user's computer while surfing the Internet. The intent of
installing malicious software is to gain benefit from the victim's machine, e.g. stealing
confidential information like stored passwords and personal data, or using the victim's terminal as part of a
botnet to further spread malicious content.
Cyber Assault by Threat: The use of a computer network, such as email, videos, or phones, to
threaten a person with fear for their life or the lives of their family or persons whose safety they
are responsible for (such as employees or communities). An example of this is blackmailing a person
to the point where he is forced to transfer funds to an untraceable bank account through an online
payment facility.
Script Kiddies: "Script kiddie", also script bunny, script kitty or script-running juvenile, is a
derogatory term used to describe novices who use scripts or programs developed by others
to attack computer systems and networks, get root access and deface websites.
Denial of service: A denial of service attack (DoS) or distributed denial of service attack (DDoS) is an
attempt to make a computer resource unavailable to its intended users. The victim's computer is
flooded with more requests than it can handle, which causes it to crash. Although the means to carry
out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of
a person or people to prevent an Internet site or service from functioning efficiently or at all,
temporarily or indefinitely. This is also known as email bombing if the vector used is email. eBay, Yahoo
and Amazon have suffered from this attack.

3.2 ATTACKS
Cyber-attacks are a big issue in the cyber world that need attention because of their effect on
critical infrastructure and data. The growth of technology is accompanied by cyber security threats or
"cyber-attacks" which threaten users' security when using such technologies. Cyber threats and attacks
are difficult to identify and prevent, so users are reluctant to accept new technology because of
frequent cyber-attacks and poor security of data. A cyber-attack is when someone gains or attempts to gain
unauthorized access to a computer maliciously [11].
UNTARGETED ATTACKS: In untargeted attacks, attackers indiscriminately target as many users and
services as possible. They look for vulnerabilities in the service or network. Attackers can take
advantage of techniques like:
Phishing: Fake people send emails to a large number of users asking for personal information like
banking and credit card details. They encourage visits to a fake website and offer good deals. The
customers click on the links in the email to enter their information, and so they remain unaware that
the fraud has occurred [8].
Water holing: Publishing a fake or dummy website, or compromising a legitimate one, in order to exploit
visiting users' information.
Ransomware: Spreading disk-encrypting extortion malware.
Scanning: Attacking wide swathes of the Internet at random.
TARGETED ATTACKS: In targeted attacks, attackers attack specific users in the cyber world.
Spear-phishing: Sending links to malicious software and advertisements via email to targeted
individuals; the links could lead to downloads of malicious software.
Deploying a botnet: Delivering a DDoS (Distributed Denial of Service) attack.
Subverting the supply chain: Attacking the network or software being delivered to the organization.
In general attackers will, in the first instance, use tools and techniques to probe your systems for an
exploitable vulnerability in the service [3].

3.3 VULNERABILITY
Vulnerabilities are weaknesses in a system or its design that allow an intruder to execute commands,
access unauthorized data, and/or conduct denial-of-service attacks. Vulnerabilities can be found in a
variety of areas in systems. They can be weaknesses in system hardware or software, weaknesses
in the policies and procedures used in the systems, and weaknesses of the system users themselves.
Vulnerabilities were identified due to hardware compatibility and interoperability, and also the effort it
takes to fix them. Software vulnerabilities can be found in operating systems, application software,
and control software like communication protocols and device drivers. There are a number of factors
that lead to software design flaws, including human factors and software complexity. Technical
vulnerabilities usually happen due to human weaknesses [10]. No system is automatically
immune from cyber threats, and the consequences of ignoring the risks through complacency, negligence,
and incompetence are clear. In 2015, an unprecedented number of vulnerabilities were identified as
zero-day exploits that have been weaponized, and web attack exploit kits are adapting and evolving
them more quickly than ever. As more devices are connected, vulnerabilities will be exploited [14].

3.4 DATA COLLECTION AND CASE SELECTION


A robust methodology is crucial in conducting a comprehensive analysis of recent cybersecurity
breaches. The following steps outline the approach taken in this project:
3.4.1 Data sources
To ensure the integrity and reliability of the analysis, data will be sourced from reputable and verified
channels. These include incident reports from cybersecurity firms, industry publications,
governmental agencies, and established threat intelligence feeds. This multi-source approach ensures a
diverse and well-rounded dataset.

3.4.2 Case selection criteria


The selection of cases is a critical aspect of this analysis. Cases will be chosen based on several key
criteria:
Impact: Cases with a significant impact on the affected entities, whether in terms of financial losses,
data exposure, or operational disruptions, will be prioritized.
Industry and Sector: A diverse range of industries and sectors will be represented to capture the
varying threat landscapes across different domains.
Attack Vector: Cases utilizing different attack vectors (e.g., malware, social engineering, insider
threat) will be included to provide a holistic view of the tactics employed.
Geographical Spread: Cases from different regions and jurisdictions will be examined to account for
regional variations in cybersecurity practices and threat profiles.
CHAPTER 4
PROPOSED MODEL
From the collected literature, surveys and research studies, it is noticed that the cyber era is facing the problem of the privacy and security of cyber services, networks and integrated technologies. To deal with this issue, a security model is proposed. The proposed model merges features of Zed Attack Proxy, W3af and web security scanning. The model has an internal working mechanism that processes a requested task in four steps. Step 1 loads the requested URL; step 2 scans the URL and analyses the compatibility of the applications; steps 3 and 4 monitor the threats, attacks and vulnerabilities and then list them along with the applied actions, as shown in Fig. 4. The model also has a testing mechanism made up of four phases. The first phase gathers information on server and client technologies, software and configuration practices. Phase two scans for cyber threats, attacks and vulnerabilities, using brute force, fuzzing techniques or manual testing, and reports the results. Phase three verifies that the target is vulnerable and measures attack effectiveness and ease of exploitability. Phase four assists in documenting findings, listing improvements and presenting examples.

TABLE 1. ECONOMIC CRIME REPORT 2016 & 2017

No.  Region           Economy Affected (%)
1.   Africa           50
2.   Western Europe   35
3.   North America    41
4.   Eastern Europe   39
5.   Asia Pacific     32
6.   Latin America    35
7.   Middle East      21
8.   Global           36

2. CYBER PROTECTION LAWS AND STRATEGIES

In 2015, lawmakers reintroduced “Aaron’s Law” to curb the increasing number of cyber-attacks and threats [16]. Aaron’s Law was first introduced in 2013 but failed to pass. The lawmakers' aim is to limit the reach of the existing anti-hacking act and to control prosecutorial action for certain CFAA (Computer Fraud and Abuse Act) violations. Furthermore, it is stated that Aaron’s Law is one step forward into the 21st century, but it cannot fix all the exploiting activities of cyber criminals, hackers and others. FireEye and Microsoft stopped a scheme in which malicious activity was hidden in an IT professional forum by a cybercriminal group known as APT17, based in China. The APT17 group infects machines with the BLACKCOFFEE malware. This malware uses IT forum pages and TechNet (a Microsoft product) profiles. The command-and-control server, operated by online criminals, performs malicious activities on an infected machine. Because it is simple and easy to attack a computer this way, a growing number of groups have chosen to use the legitimate pages of well-known websites to encode their command-and-control communications. From this report, it is noted that APT17 used Google and Bing in the past to conceal their activities and host locations.

TABLE 2. TYPES OF CYBER CRIMES ALONG WITH THEIR OBJECTIVES

Type of Cyber Crime             Objective
Hacking                         An approach by which a computer system or computer network is exploited.
Cyber Stalking                  A method of harassment by which an individual, a group, or an organization is harassed via the internet.
Phishing                        An e-mail fraud trick used for identity or information theft.
Email Spoofing                  An online activity used to create email messages with a fake sender address.
Cyber Terrorism                 One of the current emerging issues, where terrorist activities, such as large-scale disruption of computer networks, are carried out via the internet.
Piracy                          An act of criminal violence linked with copyright violation.
Theft                           An intentional activity by which a person's property is taken or used without his/her consent, to deny its legal proprietor.
Fraud                           A type of criminal activity that prejudices someone's rights for personal gain.
Distributed Denial of Service   An activity which hides the available resources of a machine or network from its future users.
Harassment                      Intended threatening behavior.
Mail Bomb                       An internet activity by which a large number of e-mails are sent to a specific user or system to hang the functioning of the server.

CHAPTER 5
RESULT AND DISCUSSION
5.0 Applicability of existing models
Although previous researchers have discussed many models for creating security solutions, an efficient model for preventing data breaches and cyber-attacks is still being investigated. As reported in [3], there are two main computational models, each with its own dataset: Net Diligence, which created the Hub International calculator (2012) and contributed to the Verizon report, and Ponemon, which created calculators with sponsorship from Symantec (2010), Megapath (2013), and IBM (2014). However, no critical studies of these two approaches have been conducted. In addition, I examine the claims made by Jay Jacobs of Verizon. He collaborated with Net Diligence and has been critical of the computation model used by Ponemon because the Ponemon approach yields a cost per record that he believes is too high.
The difference between the two models is readily illustrated by the average cost per record implicit in the two approaches. The cost per record of customer personally identifiable information (PII) increased to USD 175 in breaches caused by a malicious attack. As shown in Figure 2, the per-record cost of customer PII was USD 175 in malicious attacks during 2020, nearly 17% more than the overall average per-record cost of customer PII (USD 162 per record) compromised in any type of breach.
The PII cost is a value that represents the personal cost and the personal share of the breach, and it covers records containing a customer’s personal information. The cost per record of PII increases with malicious attacks and data breaches. In the previous work by the various researchers that we studied, the PII cost was not determined appropriately because the existing models did not have enough relevant data. Eighty percent of the breached organizations stated that the customer’s PII was compromised during the breach, far more than any other type of record. As in, the average cost in 2020 has decreased, and it is decreasing further in 2021 because of improvements in cybersecurity solutions. Costs have also decreased because information systems in organizations are securely maintained with all available resources. In an organization, security risks create losses and increase the cost per record. Security risks may come from external hackers, staff mistakes, malware or viruses, and ransomware. When a model that does not account for all proactive risk details is used, it may end up causing a huge loss to the organization, and its data and calculations will be misleading.

Using the Ponemon formula (the total cost of the data breach divided by the number of compromised records: USD 400 million / 700 million records = USD 0.58), the average cost per record in the 2015 Verizon Data Breach Investigations Report (DBIR) is USD 0.58 [23]. A difference of two to three orders of magnitude raises several questions.
Both organizations make extensive and varied use of datasets. Ponemon gathered information from over 1600 companies across several countries. Data from 191 cyber insurance payouts were included in the Net Diligence data used in the 2015 Verizon DBIR.
I compare the cost per record with the available numbers for the Target and Home Depot breaches, which come out to USD 6.30 and USD 1.13 per record, respectively. In December 2013, Target Brands Inc. experienced a significant data breach involving 40 million credit and debit card records. The overall cost of the data breach was reported to be about USD 252 million, based on Targetʹs financial statements. These estimated numbers are nearer to the Net Diligence numbers. Since no lawsuit had yet been filed, the findings are close to Hub Internationalʹs estimate (Table 1) if we deduct the estimated lawsuit cost (USD 12.57 − 7.09 = USD 5.48). This breachʹs cost per record is not even comparable to Ponemonʹs cost per record.

Table 1. Average cost/record for two record types in the Hub International calculator by our analysis.

Partial Costs            Avg. Cost per Record for CC (USD)   Avg. Cost per Record for PHI and SSN (USD)
Incident investigation   1.15                                1.64
Crisis management        3.52                                4.57
Sanctions                0.81                                0.81
Lawsuit                  7.09                                1.56
Total costs              12.57                               8.58

The other notable example is that of the Home Depot data breach in 2014, which involved 56 million
customer payment cards [24]. The available information about the cost of this breach is given in. I
found that the cost per card was USD 63 million divided by 56 million, which equals USD 1.13. This
cost is much smaller than what the Ponemon calculators would expect, and it is actually closer to the
Hub International estimate.
There are two apparent sources of the discrepancy:

1. What is included in the data breach cost: Intangible costs, such as reputation loss and its effect
on the business loss, are included in Ponemon costs. These costs are not included in Net
Diligence. Furthermore, Net Diligence uses insurance claims as a cost measurement. The
insurance claims, it has been argued, only reflect the costs covered by the insurance purchased.
Nonetheless, the insurance coverage should be of the same order of magnitude as the actual
cost. The cost of a lost reputation can be difficult to measure. Recent attempts to calculate it
using stock price as a metric seem to indicate that the effect may be minor in several cases, and
that the effect may be masked by more important factors in stock price movement.
2. The data breach sizes: The fact that total cost is unlikely to be proportional to the number of
records involved is most likely the major contributor to the cost per record discrepancies. The
average number of records used in the Ponemon report in 2015 was 28,070, with no more than
100,000 records in total, while the Net Diligence data includes breaches involving far more
records, with the average breach involving 3,166,600 records [30]. There are two reasons for
this: some costs of data breaches are largely constant and independent of the affected records
number. As a result, for a greater number of records, the cost per record will be lower. Even if
the cost rises in tandem with the number of records, economies of scale come into play. An
organization that encounters a significant number of data breaches should be able to manage
them more cost‐effectively and receive better prices from recovery service providers.
According to a 2015 Verizon report, the average cost per record for 100 lost records was USD 254 because the expected breach cost is USD 25,445, but the cost was just USD 0.09 per record for 100 million lost records because the expected breach cost is USD 9 million. As a result, cost per record alone is considered a misleading metric.

Our analysis of the Hub International calculator, which uses Net Diligence’s data breach cost data, suggests that it assumes a linear trend. On the other hand, for the calculators that rely on Ponemon data, where the number of records per breach does not exceed 100,000, the trend is not linear. We thus propose a model that is non-linear in the number of records, since a linear model implies that there is a single meaningful cost per record.

5.1 Economy of Scale


Since the cost per record is misleading when it comes to estimating the data breach cost, the economy of scale concept will help make the cost per record consistent with other factors, instead of the constant cost per record obtained by dividing the total breach cost by the total breach size. Using the economy of scale is therefore important in order to remove the direct proportionality between breach cost and breach size and to ensure that the relationship relies not only on the cost per record but also on other factors. Cyber-attacks and data breaches decrease profits and affect the global economy. The data breach is one of the fastest-growing crimes and has increased in scale, cost, and sophistication, posing a major threat to both businesses and individuals. Some of the cyberattacks that cost a fortune and affected the global economy include Epsilon, WannaCry and Petya.
The current issue is that the total breach cost increases when the size of the data breach increases. To
investigate this issue, the concept of economy of scale should be considered for analysis, along with
actual data. This concept is defined as a decrease in the average long‐term costs resulting from an
increase in the size of the operating unit [31]. As is depicted by the data, many organizations have
disclosed that their business has been affected by data breaches and cybersecurity attacks. These
organizations depend on data management which is influenced by the costs of the data breach.
Therefore, we present two hypotheses:
1. The overall cost rises with breach size.
2. For larger breaches, the breach cost per record will decline. Thus, the overall breach cost will
rise less than linearly.
Although the economy of scale depends on the increasing breach cost, the larger breach may be
simplified with cost per record. The cost per affected record declines when the number of affected
records (breach size) of the whole data breach is too large because we have to divide the total cost by
the number of affected records. According to the concept of economy of scale, the cost of
development per unit decreases as the number of records increases. Therefore, the relationship
variables are the number of affected records and the cost per record.
A residual analysis suggests that the trend appears to change slightly for record sizes greater than
about 25,000. This suggests that the model may be amenable to further refinement. Perhaps a
piecewise regression may yield better accuracy, which may be addressed in future research. The
reason is that the two data collection approaches are different. The Verizon/Net Diligence data are
based on insurance payments, while the Ponemon data include more complete costs such as
opportunity costs.
As the global economy relies more and more on information technology (IT) based on the Internet of
Things (IoT), the economy of scale will depend on greater usage of secure connections. With the
growing scalability of IoT and emerging technologies such as IoT‐based IT, interconnectedness,
cybersecurity threats pose an increasing challenge. Figure 3 depicts the relationship between abuse,
attack, cybercrime and data breach.

Figure 3. Relationship among abuse, attack, cybercrime and data breach.


According to, a data breach is involved with the abuse, attack, and cybercrime (CCr) as shown in
Figure 3. Abuse encompasses any negative and/or undesirable use of technology that affects the
breaching and cost of the breach. An attack refers to a deliberate unlawful action that perpetrates the
breach or physical action targeted against another party. The CCr results from any illegal use of
technology and procedures which results in an unauthorized breach.
Figure 3 examines the problems posed by abuse, attack and CCr as well as how the public perceives
the security issues and how this, in turn, affects their data breach, trust and business engagement with
the security technology. Cyberattacks and CCr are both categorized as abuse. However, a cyberattack
will be considered a cybercrime according to the jurisprudence of the applicable law at the premises
of the attack. Misuse of legitimately assigned permissions could be categorized as abuse and
cybercrime, but it may not constitute an attack.
Further exacerbating the problem, organizations may not invest in social activities rather than
cybersecurity solutions. Cyberattacks and data breaches on private individuals and on other
organizations are not considered seriously. These security issues in private and public organizations
raise social costs as the technological resource stock externality is exacerbated. Since there are several
factors that impact the overall breach cost, it is to be expected that there would be a significant
variation that is not explained by breach size alone. For very small breaches, the fixed costs would
dominate, and thus the trend would not be clearly visible.
The regression model for calculating costs is important because it helps determine which risk or breach factors matter the most, which can be ignored, and how these factors interact with each other. In this model, regression analysis provides a powerful statistical method, and its R-squared value is used to examine the relationship between two or more of the variables of interest used in the calculator.
The actual computation of R-squared requires several steps. First, take the data points of the dependent and independent variables related to breach costs and, by statistical computation, find the line of best fit from a regression model. From there, calculate the predicted values, subtract the actual values, and square the results. This yields a list of squared errors, which is summed to give the unexplained variance. To calculate the total variance, subtract the mean of the actual values from each actual value, square the results, and sum them. Finally, divide the first sum (the unexplained variance) by the second sum (the total variance) and subtract the result from 1. This gives the R-squared value.
R-squared correlates the changes in a dependent variable with those in an independent variable. It does not by itself tell whether the chosen model is good or bad, nor does it tell whether the data and predictions are biased. Specifically, a high or low R-squared is not necessarily desirable, because it does not convey the reliability of the model. Similarly, its value does not explain whether the regression is right. A good model can yield a low R-squared value, and a poorly fitted model can result in a high R-squared value.
What qualifies as a good R‐squared value depends on the context. In some disciplines, such as the
social sciences, even a relatively low R‐squared such as 0.5 could be considered relatively strong. In
other fields, the standards for a good R‐squared reading can be much higher, such as 0.9 or above. In
finance, an R‐squared above 0.7 is generally seen as showing a high level of correlation, whereas a
value measured below 0.4 is considered to show a low correlation. This is not a hard‐and‐fast rule,
however, and it depends on the specific analysis.
Table 2 gives the values of the two parameters for the Ponemon 2013, Ponemon 2014, and Net Diligence data. According to the latest Net Diligence report, published in 2020, cyber claims studies and cybercrimes (ransomware, business interruption, social engineering) also depend on these parameters. As observed above, the parameter values for the two Ponemon datasets are close, suggesting that the two datasets, while distinct, were collected using the same approach. The Net Diligence data yields somewhat different values, which is likely because the numbers were collected differently.

Table 2. The breach cost regression models for the three datasets.

Datasets                         Size of Data Breaches   Regression Points   Breach Cost Model       R2
Ponemon 2013                     5000–100,000            54                  y = 1924.2 x^0.7662     0.52
Ponemon 2014                     4700–103,000            61                  y = 2439.9 x^0.7499     0.50
Net Diligence (Verizon report)   2–108 million           183                 y = 10002 x^0.4971      0.54

Based on the available datasets, a model of the total breach cost (y) after incorporating economy of scale can be formulated as below:

y = a x^{b}   (1)

where a and b are applicable parameters, and the size x refers to breach sizes greater than or equal to 1000 records. (Equation (1) is not applicable to cases where a smaller number of records is affected.) The cost per record (CPR) after incorporating economy of scale is obtained by dividing (1) by the breach size, which yields

CPR = a x^{b-1}   (2)

The two hypotheses mentioned above are both supported by the three datasets. The parameter values in (2) should conform to how the numbers are to be interpreted.
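A worked implementation of equations (1) and (2), and of the R-squared procedure described in Section 5.1, added here as an example for this report (it is not code from the Hub International, Net Diligence or IBM/Ponemon calculators). The a and b values are those of Table 2; the sample breach sizes and costs are constructed, and the log-log least-squares fit is an assumed way of recovering a and b from such data.

```python
"""Economy-of-scale breach cost model: y = a * x**b (eq. 1), CPR = a * x**(b-1) (eq. 2).

Parameters come from Table 2 of the text; the sample breach data below are
constructed for illustration and are not Ponemon or Net Diligence records.
"""
import math

# Regression parameters (a, b) as given in Table 2.
MODELS = {
    "Ponemon 2013": (1924.2, 0.7662),
    "Ponemon 2014": (2439.9, 0.7499),
    "Net Diligence": (10002.0, 0.4971),
}


def breach_cost(a, b, records):
    """Total breach cost, eq. (1). The text restricts it to breaches of >= 1000 records."""
    if records < 1000:
        raise ValueError("eq. (1) is not applicable below 1000 records")
    return a * records ** b


def cost_per_record(a, b, records):
    """Cost per record, eq. (2): eq. (1) divided by the breach size, i.e. a * x**(b-1)."""
    return breach_cost(a, b, records) / records


def fit_power_law(sizes, costs):
    """Least-squares fit of log(cost) = log(a) + b*log(size); returns (a, b).

    ASSUMPTION: a log-log linear fit is used here to estimate the power regression;
    the text does not say how the Table 2 parameters were fitted.
    """
    xs = [math.log(s) for s in sizes]
    ys = [math.log(c) for c in costs]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    b = sxy / sxx
    a = math.exp(mean_y - b * mean_x)
    return a, b


def r_squared(actual, predicted):
    """R^2 following the steps in the text: 1 - (unexplained variance / total variance)."""
    mean = sum(actual) / len(actual)
    ss_res = sum((y - p) ** 2 for y, p in zip(actual, predicted))  # unexplained variance
    ss_tot = sum((y - mean) ** 2 for y in actual)                   # total variance
    return 1.0 - ss_res / ss_tot


# Constructed sample: Net Diligence-style breach sizes (2M..108M records) with fixed
# deviations around the Table 2 model, standing in for real insurance claims data.
SAMPLE_SIZES = [2e6, 5e6, 1e7, 2.5e7, 5e7, 8e7, 1.08e8]
_DEVIATIONS = [1.20, 0.85, 1.10, 0.90, 1.15, 0.80, 1.05]
SAMPLE_COSTS = [
    breach_cost(*MODELS["Net Diligence"], s) * d for s, d in zip(SAMPLE_SIZES, _DEVIATIONS)
]


def analyse(sizes=SAMPLE_SIZES, costs=SAMPLE_COSTS):
    """Fit eq. (1) to the sample and report b, R^2 (on the log scale) and CPR at both ends."""
    a, b = fit_power_law(sizes, costs)
    predicted = [breach_cost(a, b, s) for s in sizes]
    r2 = r_squared([math.log(c) for c in costs], [math.log(p) for p in predicted])
    return {
        "a": a,
        "b": b,
        "r2": r2,
        "economy_of_scale": b < 1,  # hypothesis 2: total cost grows less than linearly
        "cpr_smallest": cost_per_record(a, b, min(sizes)),
        "cpr_largest": cost_per_record(a, b, max(sizes)),
    }


if __name__ == "__main__":
    for name, (a, b) in MODELS.items():
        print(f"{name}: 10,000 records -> USD {cost_per_record(a, b, 10_000):.2f}/record, "
              f"1,000,000 records -> USD {cost_per_record(a, b, 1_000_000):.2f}/record")
    print(analyse())
```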
Sample size justification is considered for existing and proposed models. Effect size has both
theoretical and practical considerations. If the effect size is not known, it can be calculated from the
mean and standard deviation values. The practical aspect of justifying the sample size is the monetary
cost and the time needed to collect the data. Nonlinearity is caused by the economy of scale; thus, b
should be <1. The size of the data breach was positively associated with a higher negative return on
the short‐term market value of the breached company. Although Tables 3–8 allow us to analyze the
justifications of the models given in (1) and (2), the average cost in 2020 is better as given in [6].

Table 3. First factor that impacts the data breach cost: the size of the breach, which the user is required to enter.

Data Source                 Significant Factor                          Option
Hub Int’l and IBM/Ponemon   (1) Total number of affected records?       User’s input
Table 4. The values of data breach costs and the probabilities for the factors associated with data breach types.

Factors that Impact the Types of Data Breaches

Data source: IBM/Ponemon
(2) Organization’s industry classification. Options include Communications, Consumer Products, Education, Financial, Healthcare and Pharma, Industrial, Government, Professional Services, Retail, Services, Technology, Transportation, and all others.
    Cost/record (USD)   219   191   184   273   169   289   174   243   267   195   182   217
    Probability (%)     11    12.5  13.1  9.9   12.7  7.80  14.9  12.7  8.7   10.1  17.1  16.5

(3) Information types your organization handles. Options include Consumer data, Customer data including credit card information, Customer data excluding credit card information, Employer records, Citizen records, Patient health information, Student records, and all other data types.
    Cost/record (USD)   167    243    213    250    169    195    289    210
    Probability (%)     11.00  12.40  12.90  9.10   15.40  11.40  16.80  9.00
Table 5. The parameters a and b, the values of data breach costs, and the probabilities for the factors associated with incident investigation cost.

Incident Investigation Cost

Data source: Hub Int’l (factors 4–6 select the a and b parameters of the power regression)

Option set                                1       2       3       4       5       6       7       8
(4) Data is in a centralized
    system/location?                      Yes     Yes     Yes     No      Yes     No      No      No
(5) Actual fraud is expected already?     Yes     Yes     No      Yes     No      Yes     No      No
(6) Federal class action lawsuit filed?   Yes     No      Yes     Yes     No      No      Yes     No
For PHI & SSN   a                         1532.8  1473.2  1452.4  901.37  1473.2  459.15  789.08  459.15
                b                         0.57    0.50    0.56    0.64    0.50    0.66    0.65    0.66
For CC          a                         1108.1  1093.5  1054.2  650.41  1093.5  338.74  …1.4    338.74
                b                         0.57    0.49    0.56    0.64    0.49    0.66    0.64    0.66

Data source: IBM/Ponemon
(7) Most likely cause of a data breach?   Malicious or criminal attack   System glitch   Negligence or mistakes (human error)   Don’t know
    Cost/record (USD)                     291                            163             169                                    245
    Probability (%)                       16.60                          10.30           9.50                                   12.60

(8) Is sensitive data encrypted on all laptops or removable storage?   Yes    No     Not sure
    Cost/record (USD)                                                  130    267    254
    Probability (%)                                                    8.80   14.20  13.80

(9) Which best describes your organization’s privacy and data protection program?
    Option                                                              Cost/record (USD)   Probability (%)
    A formal privacy and data protection program that is enterprise-wide        156         10.10
    A formal privacy and data protection program that is not enterprise-wide    202         10.40
    An informal privacy and data protection program that is enterprise-wide     228         11.30
    An informal privacy and data protection program that is not enterprise-wide 241         13.50
    No privacy or data protection program in place                              258         16.00

Data source: IDT911
(10) How long does your business keep/retain sensitive information pertaining to employees, customers and patients?
    Option                                        Cost/breach (USD)
    Less than 3 months                            250
    More than 3 months but less than 3 years      1000
    More than 3 years but less than 5 years       2000
    More than 5 years                             3000
    Don’t know                                    3000

Table 6. The values of data breach costs and the probabilities for the factors associated with crisis management cost.

Crisis Management Cost

Data source: Hub Int’l
(11) Credit monitoring years?   0       1       2       3       4       5       10      20
For PHI & SSN   a               31.25   60.71   85.19   108.71  131.87  154.86  268.94  496.06
                b               0.83    0.84    0.84    0.85    0.85    0.85    0.86    0.86
For CC          a               21.11   41.50   58.73   75.23   91.52   107.65  187.58  346.62
                b               0.84    0.84    0.85    0.85    0.85    0.85    0.86    0.86

Data source: IBM/Ponemon
(12) What is the global headcount of your organization?
    Option               Cost/record (USD)   Probability (%)
    Fewer than 500       167                 11.00
    501 to 1000          180                 11.20
    1001 to 5000         230                 13.40
    5001 to 10,000       243                 13.50
    10,001 to 25,000     269                 12.80
    25,001 to 75,000     224                 12.50
    More than 75,000     206                 11.40

(13) Is your organization’s business continuity management team involved in the data breach incident response process?
                          Yes     No      Not sure
    Cost/record (USD)     184     243     224
    Probability (%)       10.50   13.80   12.50

Table 7. The parameters a and b for the factors associated with the cost related to regulatory and industry sanctions.

Regulatory and Industry Sanctions Cost

Data source: Hub Int’l
(14) Is PCI compliance an issue?   Yes      No
For PHI & SSN   a                  19145    865754
                b                  0.43     0.02
For CC          a                  11308    610611
                b                  0.47     0.03

Table 8. The parameters a and b for the factors associated with class-action lawsuit cost.

Class Action Lawsuit Cost

Data source: Hub Int’l
Actual fraud is expected already?   Yes     Yes     No      No
Class action lawsuit filed?         Yes     No      Yes     No
For PHI & SSN   a                   0.36    0       0.09    0
                b                   1.16    0       1.16    0
For CC          a                   5.12    6       5.68    6
                b                   1.04    1       1.01    1

5.2 Comprehensive Cost Computation Model
A comprehensive model for the cost of a data breach, and hence the annual cost of security, is shown in Figure 4. It incorporates the concepts from the current computational models. Some data breach costs are direct financial expenses, while others are indirect costs such as time and effort, in the Ponemon Institute's terms. Five partial costs therefore make up the total data breach cost: incident investigation, crisis management, regulatory and industry sanctions related to governmental procedures, a class-action lawsuit, and opportunity cost.
Figure 4. Overall risk evaluation model (Data breach cost and probability).

The total security cost is made up of two parts: the total direct cost of a data breach and the cost of security maintenance and upgrades, which would be required even if the breach had not occurred. These two costs make up an organization’s expected annual security cost (3) in the event of a security data breach. The expected annual security cost (ESC) is the sum of the annual expected cost due to breaches (EB) and the cost incurred regardless of any breaches (RB).

ESC = EB + RB   (3)
The overall risk evaluation model, as in Figure 4 allows us to analyze the cost of the data breach
through the available data. Many risks influence the costs of a data breach, including various
types of security technologies and practices.
The expected annual cost of potential data breaches is determined by the probability of each particular type of data breach (4). Therefore, if there are n types of data breach, EB is the sum over the types of the likelihood of breach type i (P_i) multiplied by the total cost per breach for type i (A_i).

EB = \sum_{i=1}^{n} P_i A_i   (4)


The expected costs due to the breach could cover the past data breach that occurred or the data
breach that could occur in the future. For the past breach, the data breach probability is 1, and the
actual cost of a data breach is computed normally. However, for future data breach, the data
breach probability is less than 1.

5.2.1 Compiled Cost Data


As mentioned in, I analyzed the available calculators that estimate data breach risks. I studied the Hub International calculator to collect actual data, such as the a and b parameters, by using the power regression equations that compute the partial costs; that calculator does not compute a probability. The IDT911 calculator was popular in 2016 and is used as an example in the tables of this paper. The costs presented for each option can be used in future calculations. These costs are part of the total breach cost, but such small figures may not be the appropriate basis for estimating the breach cost. The IBM/Ponemon calculator provides the details of the cost per record and the probability of a breach occurring within the next 12 months. However, IBM/Ponemon does not publish how it estimates each cost per record for each option chosen for the different factors. Our proposed model is based on the numbers of the Hub International calculator, since they were obtained by our analysis, while the IBM/Ponemon calculator provides the multiplier factor values that represent the variation between options.
The values of a, b, cost per record, partial cost per breach, and probability are shown in Tables 3–8.
Two types of data breaches are used in the personal security system: they are personal health
information (PHI) and social security numbers (SSN). Although credit cards (CC) provide
personal security information, they secure financial transactions in many different ways for
various business organizations. Many public organizations use the PHI and SSN for validating
the personal information before they accept the CC.
We ignore three factors during the estimation of partial costs per record, for several reasons. Factor 3 is ignored because its cost and probability data are redundant and overlap with factor 2, the industry classification. We also ignore factor 10 in the incident investigation cost classification when estimating that cost, because its contribution to the breach cost is small and might be insignificant; we do, however, use this factor when computing the cost per record (CPR). Finally, factor 12 is redundant, as it is similar to factor 1, so we ignore it: the effect of a larger headcount is equivalent to the effect of a larger breach size. Below, the different cost components are described briefly.

5.2.3 Computation of Factors


Our model of data breach cost per record and probability uses the “multiplicative model” approach, similar to other quantitative models such as the defect density models of Chulani and Boehm and of Malaiya and Denton [35], the software cost estimation model of Barry Boehm et al., and the MIL-HDBK-217 chip failure rate model [37]. This multiplicative model captures the variation between the selectable options of each factor for data breach cost and probability when the user chooses one.

5.3 Security Costs Due to Data Breach


Some partial costs contribute to the total data breach cost. These costs are impacted by two
factors: affected records number, and the type of data breach. The partial costs per record
equations are presented after incorporating the economy of scale. Then, we can obtain the partial
breach cost by multiplying the cost per record with the breach size. The partial costs include the
costs described in the following subsections.

5.3.1 Incident Investigation Cost


The incident investigation cost includes all costs associated with assisting the organization in
detecting the data breach [38]. Forensic, investigation, and consulting services, as well as
assessment and audit services and technology staff costs, are examples. We use the factors’
values to note the variation between options in the data of IBM/Ponemon. The investigation cost
per record (ICPR) shown in (5) depends on cost factors 4, 5, and 6 considered in Table 5.
ICPR = a x^{b-1} F_{BC} F_E F_P   (5)
where the values of a and b can be selected from Table 5. The cost factors used in (5) are the
data breach cause (FBC), sensitive data encryption (FE) and organization’s privacy (FP) factors,
respectively.
According to, security details of incident investigation costs in 2019 and 2020 show that many
organizations have spent less money than the previous years. Although remote work during
COVID‐19 increased, the data breach costs and incident response times (IRT) decreased thereby
reducing average data breach costs. By combining testing with IRT, organizations can reduce the
cost of a data breach.
The causes that lead to a data breach have a different impact on the cost of a data breach. The
expected cost in the case of a malicious attack is higher (factor 7), as seen in Table 5. Table 9
gives the values for this factor, where “Don’t know” is the default case. The encryption of
sensitive data on laptops or removable storage (if applicable) costs the organization less if the
organization has a data breach, but it costs more if the data are not encrypted. The values for this
factor are shown in Table 10.

Table 9. Cost factor—data breach


Data Breach Cause Multiplier
Malicious or criminal attack 1.19
Negligence or mistakes (Human error) 0.67
System glitch 0.69
Don’t know 1 (default)

Table 10. Cost factor—sensitive data encryption


Encryption of Sensitive Data Multiplier
Yes 0.51
No 1.05
Not sure 1 (default)
The privacy and the protection of data have a huge effect on the data breach cost based on the
fact whether they are applied or not. The factor values can be obtained from the cost factor of the
organizations’ privacy reports.

5.3.2 Crisis Management Cost


The activities that enable the organization to warn the public that personal information has been
lost or compromised, and to manage the impact of the current data breach, are referred to as crisis
management [38]. For example, in the case of a credit card company, these activities include
notifications, credit tracking/monitoring, and reissuing credit cards (if any). The organization that
is affected by the data breach may not be responsible for the expense of reissuing the cards, but
rather the bank that issued the card will bear the cost based on the current rules. The crisis
management cost per record (CMCPR) allows us to estimate the crisis management cost with
cost factor 11 and is given below.
CMCPR = a x^{b-1} F_{BCM}   (6)
where the values of a and b can be taken from Table 6. In (6), cost factor 11, which relates to the
organization’s business continuity management team (FBCM), is shown in Table 11.

Table 11. Cost factor—FBCM


BCM Involved in Incident Response Plan Multiplier
Yes 0.82
No 1.08
Not sure 1 (default)

This team usually knows how to detect the data security risk in the organization, and it has an
emergency plan to deal with a potential breach. Therefore, the existence of this team in the
organization will reduce the data breach cost.

5.3.3 Regulatory and Industry Sanctions Cost


This cost relies on Payment Card Industry (PCI) compliance. Fines and penalties will be
placed on the organization if it is not PCI compliant. The sanctions cost per record (SCPR)
depends on factor 14, which is in Table 7. The regulatory and industry sanctions cost is estimated
as below:
SCPR = a x^{b-1} F_{BC} F_E F_P   (7)
where the values of a and b can be chosen from Table 7. Regarding the cybersecurity risks, the
PCI industries have used (7) and verified the cost analysis of SCPR in recent years up to 2020.

5.3.4 Class Action Lawsuit Cost


The organization will incur several costs due to litigation, legal defense, damages, and
others if a federal class‐action lawsuit is filed. When we calculate the class action lawsuit cost
per record (CALCPR), factors 15 and 16 should be considered from Table 8. The class‐action
lawsuit cost is estimated as follows:
CALCPR = a x^{b-1}   (8)

where the values of a and b can be taken from Table 8. Quantitative assessment of cybersecurity
risks depends on many factors, including CALCPR. It is to be noted that the SCPR cost in (7)
and the CALCPR cost in (8) are calculated in a similar manner. However, parameters a and b are
chosen differently in the two cases.

5.3.5 Opportunity Cost


It is also known as lost business costs, which are incurred as a result of lost business
opportunities and reputation after disclosure of a data breach to victims and the public in the
media [38]. This can be difficult to estimate since determining the precise opportunity loss
caused by the breach can be hard.
It has been debated that the data breach will affect the organization’s stock price. Although some
previous research indicated that there is a substantial effect on stock price, a more recent study
cast doubt on this. This may be because data breaches are thought to be widespread [39]. The
effect on the stock price is determined by the relationship between the overall cost of the data
breach and the company’s annual revenue. If the data breach cost is minimal, the breach would
have little effect on stock prices.

5.4 Computation of Data Breach Cost


To calculate the total data breach cost (CPR) for each compromised record, we combine all the
partial costs for the type of data breach. Then, we can use the values of some factors that impact
the total breach cost per record by using the data from the IBM/Ponemon calculator that is shown
in Tables 4, 5, and 6. These values are used as a variation measure when the user chooses options
for those factors. The expression of the cost per record is given by:
CPR_i = F_C F_I F_D \sum_j c_j   (9)
where c_j are the partial costs per record for breach type i, and the factors impacting the cost
per record are the country of the organization that had the data breach (FC), the organization’s
industry classification (FI), and the duration for which the business keeps the sensitive
information of employees, customers, and patients (FD).
These factors will be multiplied by the total cost per record of the four partial costs that include
incident investigation, crisis management, regulatory and industry sanctions, and class action
lawsuit. Each factor has a default value that is equal to one. Each factor is discussed below.
Cost factor based on FC depends on the organization’s country and countries for which data
breach cost data were collected in the IBM/Ponemon 2015 Global analysis [40]. We take the
USA as the default choice. The cost in some countries is significantly lower. Then, we use a
weighted cost/factor for the rest of the countries relative to the cost per record for the US, which
is USD 217.
Cost factor FI represents the organization’s industry classification. This factor takes into account
different types of industry classifications. Some of the classifications have a bigger effect on the
breach cost per record than others. The values of the factor of industry classifications are shown
in Table 12, and the default value is one.

Table 12. Cost factor—organization’s industry classification FI


Industry Classification Multiplier
Communications 1.01
Consumer Products 0.88
Education 0.85
Financial Services 1.26
Government Services 0.78
Healthcare and Pharmaceuticals 1.33
Industrial 0.80
Retail 0.84
Services: professional and general services 1.12
Technology and software 1.23
Transportation 0.90
All others 1 (default)

Cost factor FD focuses on sensitive information keeping. This factor takes into consideration the
fact that the businesses keep some information about their employees, customers, and patients
for different lengths of time. The cost of the breach will depend on the length of time this
information is retained. We determine approximately how many months are in each duration.
The durations are 3, 12, 48 and 72 months, and we take 48 months as the default. We then plot
the months against cost, fit a trend line, and obtain the expression y = 37 × months + 317. We
normalize that expression by dividing all values by 2000, which is the cost of 48 months (the
default), giving y = 0.0185 × months + 0.158. The values of the factor are found by dividing the
cost of each duration by 2000, the cost of 48 months. The values are presented in Table 13.

Table 13. Cost factor—sensitive information keeping FD


Duration Multiplier
3 months 0.125
1 year 0.5
4 years 1 (default)
6 years 1.5

The cost of the data breach not only depends on the duration but also the volume of the sensitive
information that is vulnerable to a breach and which should be protected using encryption [6].
After calculation of the cost per record, the total cost due to a breach of type i (TB_i) can be
computed by multiplying the cost per record by the number of affected records (x), as shown
in (10):
TB_i = CPR_i × x   (10)
The cost of protecting sensitive data in a cloud environment using policy and technology
increases with the security level and the level of the sensitive information.

5.5 Security Costs Regardless of Data Breach


An organization takes steps to reduce the risk of data breaches based on the organization’s size
and the potential security risks. The indirect data breach costs comprise recurring costs of the
security measures and security upgrades. Upgrading means bridging internal security holes to
protect the organization against data loss or harm. Such security upgrades reduce the data
breach probability and, with it, the cost of cyber insurance.
In general, it is difficult to obtain the essential information on the costs due to security upgrades
because these upgrades happen internally, and organizations do not disclose the details. As a
result, developing a preliminary economics model to estimate the cost of a security upgrade for
an organization is still an open issue. However, some security related cost information can be
obtained from some occasionally published articles. For example, LinkedIn spent between USD
2–3 million in 2012 to prevent password theft.
These costs can be hard to calculate for departments in small organizations because each staff
member spends time, which is hard to measure, engaging in serial tasks such as installing
security patches, configuring systems and applications to improve security, and managing system
behavior in response to a security breach.
In order to calculate the cost regardless of a data breach (CRDB), we should add the following
costs: the security maintenance cost (SM), security upgrade cost (SU), and an insurance premium
(IP). Equation (11) shows how to compute the elements that comprise general security costs for
any organization.
CRDB = SM + SU + IP   (11)

The effectiveness of security processing and the automation of SU with respect to data breach
costs enhance SM. The deployment of security levels varies with many factors, including IP,
security tools, trust security models, etc.

5.6 Cyber Liability Insurance Coverage


Cyber liability insurance is also known as data breach insurance. It provides the required
coverage after a data breach occurs resulting in a data loss. This coverage by insurance
companies is partial. In the current days, the demand for cyber insurance has increased since the
number of data breaches has also increased. There are several cyber insurance companies that
cover the first‐party costs and third‐party costs of the data breach. Cyber insurance is becoming
the main element during cyber risk management, especially through data breach risks. Thus,
cyber insurance is an essential part of a data breach incident response plan that assists in
minimizing the organization’s damage, liability, and performance. Therefore, cyber insurance
can cover any business loss and reduce the impact due to a data breach.
The cost of cyber insurance and its coverage vary depending on how the cost is accounted for by
the organization’s agenda. Sometimes, the insurance cost is considered a security cost, and other
times it is simply considered a cost of doing business. Insurance coverage needs further analysis
and investigation in the future.

CHAPTER 6
MODELING DATA BREACH PROBABILITY
The organization’s data breach probability relies on some factors: internal [vulnerabilities (if
any) that could contribute to a data breach and if they are still open, which would mean that there
is inadequate protection], external (attacker motivation and capabilities), or Bayesian (previous
breaches can indicate weaker security unless security is dramatically improved as a result of a
breach). It is worth noting that some factors that are considered by the Ponemon Institute to
influence cost can also be considered to influence likelihood, such as BCM team and data
encryption.
There are two main factors to predict the data breach probability: number of affected records,
lost or stolen, and industry classification of organizations that is considered a factor under the
classification of data types of breach. We extracted the probability data from the 2015 Ponemon
report [40]. We find that the probability is computed from the size of the data breach and from
the country as shown in Figures 5 and 6. The expression for the probability of data breach
based on the breach size, given in (12), is derived from the data points in Figure 5 using a trend
line. In (12), the probability P represents the annual data breach probability, calculated over a
period of 12 months.
P = \alpha e^{\beta x}   (12)
where α = 0.4405, β = 4 × 10^{-5}, and x is the breach size. After studying the probability of data
breach, we found that most researchers estimate the probability using limited methods, such
as surveys and collecting experts’ opinions, as in the Ponemon estimation.
Some researchers do not discuss how the probability is computed.
Figure 5. Data breach probability based on the breach size (Ponemon data 2015)

Figure 6. Data breach probability by country (Ponemon data 2015)

Ponemon calculators (Symantec and IBM) use a survey with questions that we identify in this
paper as factors to examine the cost and probability incurred by organizations after experiencing
data breach incidents. We calculate the probability of data breaches for different periods. The
probability of a breach of data type i (P_i) is given by (13) for the organization in the next
12 months:
P_i = F_C F_{BCM} F_I F_{BC} F_E F_P \alpha e^{\beta x}   (13)
where α = 0.4405, β = 4 × 10^{-5}, x is the breach size, and the F factors are the six factors that
impact the data breach probability. In (13), these probability factors are considered for
calculating P_i for the different data types. They are the country of the organization that had a
data breach (FC), the organization’s business continuity management team involved in the data
breach incident response process (FBCM), the organization’s industry classification (FI), the
most likely cause of a data breach (FBC), the sensitive data encrypted on all laptops or removable
storage (FE), and the organization’s privacy and availability of a data protection program (FP).
The factors are multiplied with the probability obtained using (12). Each factor has a default
value equal to one as well. Each of these factors is discussed below.
Probability Factor of Organization’s Country (FC): Like the data breach cost, the probability of a
data breach is impacted by the country where the data are located. The country‐based probability
factor data are taken from the 2015 Ponemon report [40]. We take the USA as the default choice.
Then, we use a weighted factor for the rest of the countries based on the probability for the US,
increasing each year by a small percentage (0.2%–0.3%), as presented in [6]. France and Brazil
have a relatively higher probability of a data breach.
Probability Factor of Business Continuity Management Team (FBCM): This factor is essential to
identify the potential threats faced by the organization and the impact that comes from these
threats. Therefore, this factor has a different impact depending on whether or not the team is
involved in the data breach incident response plan. Table 14 shows the values of the factor for
different scenarios.

Table 14. Probability factor for FBCM


BCM Involved in Incident Response Plan Multiplier
Yes 0.84
No 1.1
Not sure 1 (default)
Probability Factor of Organization’s Industry Classification (FI): The different industry
classifications also contribute to different probabilities of a data breach, as well as to the cost of
the data breach. The factor values and data from an organization’s business report allow
researchers to calculate FI as given in [42].
Probability Factor of Data Breach Causes (FBC): The probability of data breach varies based on
the reason due to which the data are breached. Table 15 shows the possible values of this factor.

Table 15. Probability factor—data breach causes FBC


Data Breach Cause Multiplier
Malicious or criminal attack 1.32
Negligence or mistakes (Human error) 0.82
System glitch 0.75
Don’t know 1 (default)
Probability Factor of Sensitive Data Encryption (FE): If the sensitive data on the laptops or
removable storage are encrypted (if applicable), that lowers the probability of data breach
compared to data that are not encrypted. The possible values of this factor are presented in Table
16.

Table 16. Probability factor—sensitive data encryption FE


Encryption Sensitive Data Multiplier
Yes 0.64
No 1.09
Not sure 1 (default)
Probability Factor of Organization’s Privacy (FP): Private and public enterprises are expected to
provide higher privacy, security, and reliability for mission‐critical services through network
slicing, which helps to lower data breaches with appropriate values of FP. The forms of privacy
applied in an organization will impact data breach probabilities. Therefore, if the organization
has strict privacy, the probability of data breaches will be lower.
Our proposed model indicates that, on average, the annual cost of a data breach increases by a
small percentage (<1%). However, overall security within organizations improved in 2020.
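The cost model of Section 5.3 (equations (5) to (10)) and the probability model of (12) and (13) fit together in a few lines of code. The following is an added example, not code from the thesis or from any calculator it cites; it copies the multipliers of Tables 9 to 16, while the (a, b) economy-of-scale pairs and the country, privacy and probability-industry multipliers, which are not tabulated in this section, are constructed placeholders passed in as plain numbers.

```python
"""Added example: the page's multiplicative breach cost and probability model.

Implements (5)-(10) and (12)-(13) with the multiplier tables on the page
(Tables 9-16). The economy-of-scale pairs (a, b) come from Tables 5-8, which
are not reproduced on the page, so the pairs below are CONSTRUCTED placeholders.
Factors without a table (F_C, F_P, and F_I for the probability) are passed as
plain numbers; any factor not chosen defaults to 1, as the text states.
"""
import math

COST_TABLES = {  # cost multipliers copied from Tables 9-13
    "breach_cause": {"malicious": 1.19, "human_error": 0.67,
                     "system_glitch": 0.69, "dont_know": 1.0},
    "encryption": {"yes": 0.51, "no": 1.05, "not_sure": 1.0},
    "bcm": {"yes": 0.82, "no": 1.08, "not_sure": 1.0},
    "industry": {"communications": 1.01, "consumer_products": 0.88,
                 "education": 0.85, "financial_services": 1.26,
                 "government_services": 0.78, "healthcare_pharma": 1.33,
                 "industrial": 0.80, "retail": 0.84, "services": 1.12,
                 "technology": 1.23, "transportation": 0.90, "other": 1.0},
    "duration": {"3 months": 0.125, "1 year": 0.5, "4 years": 1.0, "6 years": 1.5},
}
PROB_TABLES = {  # probability multipliers copied from Tables 14-16
    "bcm": {"yes": 0.84, "no": 1.1, "not_sure": 1.0},
    "breach_cause": {"malicious": 1.32, "human_error": 0.82,
                     "system_glitch": 0.75, "dont_know": 1.0},
    "encryption": {"yes": 0.64, "no": 1.09, "not_sure": 1.0},
}
ALPHA, BETA = 0.4405, 4e-5  # trend-line constants of (12), as written on the page

# (a, b, factor names) per partial cost, following the factor lists of (5)-(8).
# The (a, b) numbers are placeholders, NOT the values of Tables 5-8.
PARTIAL_COSTS = {
    "ICPR": (200.0, 0.75, ("breach_cause", "encryption", "privacy")),  # (5)
    "CMCPR": (100.0, 0.75, ("bcm",)),                                  # (6)
    "SCPR": (50.0, 0.75, ("breach_cause", "encryption", "privacy")),   # (7)
    "CALCPR": (30.0, 0.50, ()),                                        # (8)
}

def factor(options, name, tables):
    """One multiplier: a table lookup if the factor is tabulated, the number
    given otherwise, and the page's default of 1.0 when it is not chosen."""
    if name not in options:
        return 1.0
    table = tables.get(name)
    return table[options[name]] if table is not None else float(options[name])

def per_record_scaled(a, b, x):
    """Economy of scale: a partial cost totals a*x**b, so per record it is
    a*x**(b-1), which falls as the breach size x grows."""
    if x <= 0:
        raise ValueError("breach size must be a positive number of records")
    return a * x ** (b - 1)

def partial_costs_per_record(x, cost_options):
    """ICPR, CMCPR, SCPR and CALCPR for breach size x, per (5)-(8)."""
    result = {}
    for name, (a, b, names) in PARTIAL_COSTS.items():
        value = per_record_scaled(a, b, x)
        for f in names:
            value *= factor(cost_options, f, COST_TABLES)
        result[name] = value
    return result

def cost_per_record(x, cost_options):
    """CPR_i of (9): F_C * F_I * F_D times the sum of the partial costs."""
    cpr = sum(partial_costs_per_record(x, cost_options).values())
    for f in ("country", "industry", "duration"):
        cpr *= factor(cost_options, f, COST_TABLES)
    return cpr

def total_breach_cost(x, cost_options):
    """TB_i of (10): cost per record times the number of affected records."""
    return cost_per_record(x, cost_options) * x

def breach_probability(x, prob_options):
    """P_i of (13): the six factor multipliers times the size trend line (12).
    The product is capped at 1.0: a large x or several multipliers above one
    can push the raw value past a valid probability."""
    p = ALPHA * math.exp(BETA * x)
    for f in ("country", "bcm", "industry", "breach_cause", "encryption", "privacy"):
        p *= factor(prob_options, f, PROB_TABLES)
    return min(p, 1.0)
```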

6.2 Challenges and Limitations


Companies that have experienced data breaches frequently do not publish details on the real
costs of damage, though some figures do appear in reports. The Ponemon Institute and
NetDiligence collect proprietary information and publish an annual summary report. Thus, our
analysis has focused on the published reports and the news reports. Cost estimates for data
breaches differ from one source to another. We attempted to clarify and address the obvious
discrepancies. We develop our model of computational components to ensure that it makes
realistic assumptions backed by data from multiple sources.
The calculators of data breach cost are considered an important step towards estimating breach
costs in a systematic way. However, these are primarily designed for online estimation for
particular cases and are intended to be used for the promotion of security‐related services. In
certain cases, we must obtain computational results by filling in the calculator inputs at various
steps, and the calculator will then send us the results. The computation methodology, however, is
not disclosed. The cost per breach is usually given though for particular chosen values for a
factor in most calculators. The values returned are often not broken down into cost components;
for example, the Hub International calculator only produces the cost per breach. Moreover, some
of the calculators, such as CyberTab, do not use any underlying data to measure the cost of
security breaches, and users have to enter the data breach cost themselves to estimate the
cost. Thus, some of the calculators provide little information that would allow the construction of
an accurate model for the cost of data breaches.
According to [43,44], the costs of cybersecurity issues around the world are increasing
continuously with many factors. Cybersecurity risk management decisions require the
knowledge of evolving threats within the organizations through the use of technology and
security measurements applied during the data management. For the calculation of the cost of
security management, the factors such as the definition of the cyberattack, behavior of the
organization, and requirements of technology impact the outcome for an organization. Regarding
technical perspective, cyberattacks (e.g., financial, espionage) need to be prevented through
intelligent security management.

CHAPTER 7
CONCLUSIONS AND FUTURE WORKS
In the digital age, cyber and information security is an emerging field: the number of users
increases day by day, and new, highly equipped cyber technologies and services are offered by
public and private organizations that are also targeted by cyber criminals. This paper illustrates
and highlights the latest cybercrimes, criminal activities, cyber threats and attacks, along with a
report for the awareness of cyber users, which may help to mitigate cybercrimes, attacks and
threats. Users may be secured from them by applying the proposed security model and by
practising cyber security laws and strategies. It is also noted that appropriate education about
cybercrime and defensive measures is essential for cyber users to decrease cybercrime
activities. In this paper, cyber criminals have been categorized to make cyber users aware of
their objectives, and cyber protection laws and strategies are suggested to make cyber users
secure. Moreover, research surveys using the latest tools, training and other efficient
mechanisms should be adopted to extend awareness amongst cyber service users and to train
them about their privileges and responsibilities regarding cyber services and information
systems.
There exist significant variations in how the costs of specific breaches should be computed and
how the associated risks can be estimated. In this study, we developed a systematic model for
this purpose based on available data and existing approaches. The model uses the factors that are
found to be significant. I consider the economy of scale, as observed in actual data, to develop
the model relating the cost to the number of records. We also consider the factors that may
impact the probability of a breach.
I identify several issues that need to be addressed by further research. We need to develop a
model that can estimate the costs regardless of the data breaches, such as upgrading and
maintenance costs. In addition, we need to develop more detailed approaches for estimating and
validating data breach probabilities. We did not consider the insurance payouts to cover security
breach losses or the insurance premium costs. They need to be addressed separately in detail.
The proposed model can be implemented using a suitable interface with the capability to update
the parameters as further data becomes available.

REFERENCES
Clarke, R. (2018). Cyber War: The Next Threat to National Security and What to Do About It.
HarperCollins.
Schneier, B. (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control
Your World. W. W. Norton & Company.
Dardanelli, D., & Tocci, N. (Eds.). (2017). The Schengen Information System and Border
Control Co-operation: A Transparency and Proportionality Evaluation. Springer.
Creswell, J. W., & Creswell, J. D. (2017). Research design: Qualitative, quantitative, and mixed
methods approaches. Sage publications.
Anderson, R. (2015). Security Engineering: A Guide to Building Dependable Distributed
Systems. Wiley.
Goodman, M. S. (2016). Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and
What We Can Do About It. Doubleday.
National Institute of Standards and Technology. (2020). Cybersecurity Framework. Retrieved
from https://www.nist.gov/cyberframework
Verizon. (2021). Data Breach Investigations Report. Retrieved from
https://enterprise.verizon.com/resources/reports/dbir/
ISO/IEC 27001:2013. Information technology — Security techniques — Information security
management systems — Requirements.
National Institute of Standards and Technology. (2018). Framework for Improving Critical
Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/cyberframework
Yin, R. K. (2018). Case study research and applications: Design and methods. Sage publications.
Miles, M. B., Huberman, A. M., & Saldana, J. (2014). Qualitative data analysis: A methods
sourcebook. Sage.
