Cyber-Fit: Investing in cybersecurity in the electricity industry
Profitability of cybersecurity measures

Carried out in cooperation with Fraunhofer IOSB-AST, the study analyses the costs, benefits and profitability of cybersecurity measures in the electricity industry. Its aim is to give managers and other decision-makers a sound basis for investment decisions that effectively ensure IT security. The study addresses challenges such as a lack of transparency about IT security costs, staff shortages and difficulties in resource planning. A sample calculation shows the financial impact of IT security measures using the return on security investment (RoSI) model. It is based on the compliance costs (Erfüllungsaufwand) and the estimated damage costs before and after implementation stated in the draft of the German NIS-2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS2UmsuCG).
Interviews with representatives of the energy sector confirmed the importance of management involvement in IT security and its awareness of IT investments. The interviewees also considered the compliance costs stated in the NIS-2 draft and the estimated loss costs to be plausible. The RoSI assessment shows that the investments are profitable for important entities already in the first year and for particularly important entities from the second year. The sample calculation illustrates that the investments required by the NIS-2 Act pay off even when incident costs are assumed to be low.
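To make the RoSI reasoning behind the study's sample calculation concrete, the following Python example is added here; it is not code from the Cyber-Fit study or Fraunhofer IOSB-AST, and every figure in it is a constructed placeholder, not the NIS2UmsuCG draft's compliance costs or the study's damage estimates. It models a measure with a one-off implementation cost and a recurring annual cost, takes the annual loss expectancy (ALE) before and after the measure as its benefit, and computes cumulative RoSI per year, the break-even year, and the smallest annual risk reduction at which the measure still pays off (the "low incident costs" question).

```python
"""Multi-year Return on Security Investment (RoSI) with break-even analysis.

Added worked example, not part of the Cyber-Fit study. All monetary values
below are constructed placeholders (arbitrary EUR amounts), chosen only to
show the mechanics of the model.

RoSI after y years = (risk reduction over y years - cost over y years) / cost
where risk reduction per year = ALE_before - ALE_after and
      ALE = single loss expectancy (SLE) * annual rate of occurrence (ARO).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Measure:
    one_off_cost: float     # implementation cost, incurred once in year 1
    annual_cost: float      # recurring operating cost per year
    sle_before: float       # expected loss per incident without the measure
    aro_before: float       # expected incidents per year without the measure
    sle_after: float        # expected loss per incident with the measure
    aro_after: float        # expected incidents per year with the measure

    def ale_before(self) -> float:
        return self.sle_before * self.aro_before

    def ale_after(self) -> float:
        return self.sle_after * self.aro_after

    def annual_risk_reduction(self) -> float:
        return self.ale_before() - self.ale_after()

    def cost_over(self, years: int) -> float:
        return self.one_off_cost + self.annual_cost * years


def rosi(measure: Measure, years: int) -> float:
    """Cumulative RoSI after `years` (>= 1). Negative means not yet profitable."""
    if years < 1:
        raise ValueError("years must be >= 1")
    cost = measure.cost_over(years)
    benefit = measure.annual_risk_reduction() * years
    return (benefit - cost) / cost


def break_even_year(measure: Measure, horizon: int = 10) -> Optional[int]:
    """First year in which cumulative RoSI is non-negative, or None within horizon."""
    for year in range(1, horizon + 1):
        if rosi(measure, year) >= 0:
            return year
    return None


def min_annual_risk_reduction(measure: Measure, years: int) -> float:
    """Smallest avoided annual loss for which RoSI >= 0 after `years`.

    Useful for the 'low incident costs' question: if the realistic avoided
    loss per year is above this value, the measure pays off by that year.
    """
    return measure.cost_over(years) / years


# Constructed placeholder figures (NOT the NIS2UmsuCG draft's numbers):
# a smaller "important" entity and a larger "particularly important" one.
IMPORTANT = Measure(one_off_cost=200_000, annual_cost=80_000,
                    sle_before=250_000, aro_before=2.0,
                    sle_after=100_000, aro_after=1.0)
PARTICULARLY_IMPORTANT = Measure(one_off_cost=900_000, annual_cost=250_000,
                                 sle_before=600_000, aro_before=2.0,
                                 sle_after=300_000, aro_after=1.0)

if __name__ == "__main__":
    for name, m in (("important", IMPORTANT),
                    ("particularly important", PARTICULARLY_IMPORTANT)):
        print(f"{name}: ALE before {m.ale_before():,.0f}, after {m.ale_after():,.0f}")
        for y in (1, 2, 3):
            print(f"  year {y}: RoSI {rosi(m, y):+.2f}, "
                  f"min avoided loss/yr {min_annual_risk_reduction(m, y):,.0f}")
        print(f"  break-even year: {break_even_year(m)}")
```

With these placeholder inputs the smaller entity breaks even in year 1 and the larger one in year 2, because its one-off cost dominates the first year's benefit; the study's qualitative finding has the same shape, but its actual figures are those of the NIS-2 draft, not the ones assumed here. The `min_annual_risk_reduction` output is the number to compare against a pessimistic incident-cost estimate before presenting a RoSI to management.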