The Blind Man and The Elephant: Measuring Economic Impacts of DDoS Attacks

Research output: ThesisPhD Thesis - Research UT, graduation UT

3077 Downloads (Pure)


Internet has become an important part of our everyday life. We use services like Netflix, Skype, online banking and Scopus etc. daily. We even use Internet for filing our tax returns and communicating with municipalities. This dependency on network-based technologies provides an opportunity to malicious actors in our society to remotely attack IT infrastructure. One type of cyberattack that may lead to unavailability of network resources is known as distributed denial of service (DDoS) attack. A DDoS attack leverages many computers to launch a coordinated Denial of Service attack against one or more targets.

These attacks cause damages to victim businesses. According to reports published by several consultancies and security companies these attacks lead to millions of dollars in losses every year. One might ponder: are the damages caused by temporary unavailability of network services really this large? One of the points of criticism for these reports has been that they often base their findings on victim surveys and expert opinions. Now, as cost accounting/book keeping methods are not focused on measuring the impact of cyber security incidents, it is highly likely that surveys are unable to capture the true impact of an attack. A troubling fact is that most C-level managers make budgetary decisions for security based on the losses reported in these surveys. Several inputs for security investment decision models such as return on security investment (ROSI) also depend on these figures. This makes the situation very similar to the parable of the blind men and the elephant, in which several blind men try to conceptualise how the elephant looks like by touching it. Hence, it is important to develop methodologies that capture the true impact of DDoS attacks. In this thesis, we study the economic impact of DDoS attacks on public/private organisations by using an empirical approach.

In Chapter 1 we explain the motivation for our work and illustrate the problems associated with measuring the economic impacts of DDoS attacks. We then formulate our main research question and break it down into sub-questions that we investigate in later chapters. We state our main research question as follows:

What are the economic impacts of DDoS attacks on public/private organisations?

Our first contribution is identifying the main stakeholders in a DDoS attack. In Chapter 2, we discuss the evolution of DDoS attacks in the last decade and briefly describe the strategies adopted by attackers and defenders. By studying the business model of a botnet, we also analyse how DDoS attacks can be used by attackers for monetary gains.

Our second contribution is to develop methodologies to capture the direct impact of DDoS attacks. In Chapters 3 and 4 we measure the direct consequences of DDoS attacks on large managed domain name service (DNS) providers and a cryptocurrency exchange respectively. We find that a successful DDoS attack on a managed DNS service provider, changes the security behaviour of its customers. In the case of cryptocurrency exchange we find that the losses are recovered very quickly, on most instances even within a single day. We show how longitudinal datasets can be used to asses the impacts.

The third contribution of this thesis is to develop methodologies to measure the indirect consequences of DDoS attacks. In Chapter 5, we propose a more robust event study approach and use it to analyse the impact of DDoS attack announcements on victims' stock prices. We find that in most cases this impact is short lived (5-10 days). In Chapter 6, we introduce a dataset based on web articles on DDoS attacks which captures the social context of an attack. We show how machine learning algorithms can be used to filter news articles that are reporting a DDoS attack from the dataset.

We recognise that it is not possible to measure the true impact of DDoS attacks on the victim without learning about the aims of attackers. In Chapter 7, we propose a model based on Routine Activity Theory (RAT) to study attacker's aims by using the information about the attack reported in the news articles. Later in Chapter 8, we show how postulates of RAT may be used to explain DDoS attack trends on educational institutions.

Our results show that DDoS attacks are not a random phenomenon and attackers are instigated by the circumstances surrounding them. We observe that measuring the true economic impact of these attacks is complex and requires us to consider the context of an attack. Some of the consequences of short duration IT unavailability are temporary and they are recovered rather quickly. Hence, to take this work forward we propose to give economic meaning to the empirical data that is presently available and collect more data at employee level to measure the resilience of firms towards IT unavailability.
Original languageEnglish
QualificationDoctor of Philosophy
Awarding Institution
  • University of Twente
  • Nieuwenhuis, Bart, Supervisor
  • Joosten, Reinoud A.M.G., Co-Supervisor
Thesis sponsors
Award date5 Dec 2019
Place of PublicationEnschede
Print ISBNs978-90-365-4912-7
Publication statusPublished - 5 Dec 2019


  • Cybersecurity


Dive into the research topics of 'The Blind Man and The Elephant: Measuring Economic Impacts of DDoS Attacks'. Together they form a unique fingerprint.

Cite this