Part 2: The Four High-Level Categories for the Business Impact of Bad Bots
There are four high-level categories for the business impact of bad bots, Brink says:
- Additional cost involved in spending more money on website resources as a result of the bad bot traffic
- Data breaches that can result from bad bots
- Loss of current revenue during the time that bad bots are active
- Loss of future revenue because of the loss of customers
Aberdeen worked with Distil Networks to create a model that examines the business impact of bad bots in terms of the four categories, and quantifies the risk of bad bots. “We can model these risks. We can estimate the risk, both likelihood and impact, using these four categories,” Brink says.
“These models are not about precision. We actually can't get precision with these things. But we can make estimates and make better informed decisions, that's the goal.” As described in the table below, the model looks at bad bot problems (what Aberdeen refers to as vulnerabilities and exploits), and the specific impact of these bot problems on each of the four categories.
For example, additional costs include the money a company squanders on website infrastructure because it is over-provisioning that infrastructure as a result of bad bots. Website infrastructure isn’t just servers and bandwidth, but rather all the related people, processes, and technologies on the front and back end of a company’s online operation.
The same applies to the marketing dollars that tend to drive desirable traffic to websites. “We're wasting, squandering some of that, and there's some negative impact of marketing spend as a result of bad bots,” Brink says.
With respect to additional costs, the model looks at what percentage of revenue a company is spending on website infrastructure (technology, processes, and people) and what percentage of web traffic is represented by bad bots. A company can use these two figures to determine the proportion of spending that is being wasted because of bad bot traffic.
As for data breaches, companies can examine studies such as the annual data breach report from Verizon to understand the business impact of data breaches. Based on the empirical data from these reports, a company can estimate roughly how many incident attempts it can expect per year, the likelihood of a successful breach, and the business impact of a breach. By multiplying these factors together, a company can estimate the cost of data breaches resulting from bad bots.
Loss of Current and Future Revenue
Calculating loss of current and future revenue involves three inputs: what the website contributes to annual revenue; the time that the website is negatively affected, whether by actual downtime (as in an application denial of service attack caused by bots) or by slowdowns; and the percentage of revenue during that period that is affected.
Of course, future revenue is also impacted when a company’s brand is diminished due to a security breach, spammy content, or loss of trust due to digital ad fraud. With negative SEO attacks, stolen duplicative content draws prospects and customers away from the original site.
Nefarious competitors also use bots for competitive data mining, content theft, and price scraping, and steal direct revenue as well as cross-sell and upsell opportunities.
Even if some of the figures that companies place into the model are estimates or ranges, an organization can still gain a good sense of the cost of bad bots to the enterprise, in terms that both technology and business leaders can understand. This is far better than having no clue about how much bad bots are impacting the business.
Crunching the Numbers
With data from a model such as this, companies will not obtain a single answer to the question of the cost of bad bots, Brink notes, but a probability curve based on a histogram of data points (the green portion of the graph below). The graph shows the likelihood of bots costing more than a certain amount to a company per year.
A point on the blue line indicates how likely it is that bots will surpass the dollar impact on the x-axis. For example, for a website that contributes $100 million in revenue, the probability of bots negatively impacting that revenue by $2.8 million is at least 75% (as shown in the red lines).
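The calculations described above can be combined into a small Monte Carlo simulation that produces this kind of exceedance curve. The following is an added example, not Aberdeen's or Distil Networks' model: the input ranges are constructed, uniform distributions are an assumption, and only the $100 million website revenue figure comes from the example above.

```python
import bisect
import random

# Constructed input ranges (low, high); replace with your own estimates.
CONSTRUCTED_RANGES = {
    "infra_spend_pct": (0.02, 0.06),        # share of revenue spent on website infrastructure
    "bad_bot_traffic_pct": (0.10, 0.30),    # share of web traffic that is bad bots
    "attempts_per_year": (50, 500),         # expected bot-driven incident attempts
    "breach_likelihood": (0.0005, 0.005),   # chance a single attempt becomes a breach
    "breach_impact": (200_000, 2_000_000),  # business impact of one breach
    "time_affected_pct": (0.005, 0.03),     # share of the year the site is down or slowed
    "revenue_affected_pct": (0.2, 0.8),     # share of revenue lost while affected
}

def simulate_annual_losses(website_revenue, ranges, trials=20_000, seed=7):
    """Return the sorted simulated annual losses attributable to bad bots."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible

    def draw(key):
        return rng.uniform(*ranges[key])

    losses = []
    for _ in range(trials):
        # Additional cost: infrastructure spend consumed by bad bot traffic.
        wasted_spend = website_revenue * draw("infra_spend_pct") * draw("bad_bot_traffic_pct")
        # Data breaches: attempts per year x likelihood of success x impact.
        breach_cost = draw("attempts_per_year") * draw("breach_likelihood") * draw("breach_impact")
        # Revenue loss: website revenue x time affected x share of revenue affected.
        lost_revenue = website_revenue * draw("time_affected_pct") * draw("revenue_affected_pct")
        losses.append(wasted_spend + breach_cost + lost_revenue)
    return sorted(losses)

def exceedance_probability(sorted_losses, amount):
    """Probability that the annual loss is more than `amount`."""
    return 1 - bisect.bisect_right(sorted_losses, amount) / len(sorted_losses)

def loss_exceeded_with_probability(sorted_losses, p):
    """Loss amount that is exceeded in roughly a fraction p of the trials."""
    index = min(int((1 - p) * len(sorted_losses)), len(sorted_losses) - 1)
    return sorted_losses[index]

if __name__ == "__main__":
    losses = simulate_annual_losses(100_000_000, CONSTRUCTED_RANGES)
    for p in (0.9, 0.75, 0.5, 0.1):
        amount = loss_exceeded_with_probability(losses, p)
        print(f"{p:.0%} chance of losing more than ${amount:,.0f} per year")
```

Because every input is a range rather than a point estimate, the output is a distribution, and reading it at a chosen probability gives the same kind of statement as the red lines on the graph.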
The Impact of Countermeasures
Another key element of the model is applying data from the use of a solution such as Distil Networks to see how deploying the solution would have a potential impact on the costs of bad bots, taking into account the cost of the solution. Aberdeen did this as part of its research by looking at the effectiveness of manual IP blocking versus Distil Networks.
IP blocking will work fine against the simple bots, which make up about 12% of bot traffic, but will prove ineffective against Advanced Persistent Bots, where Distil proves 99.9% effective.
As shown in the graph below, you can pick a point on the blue or green line to see the probability that bots will cost you more than a certain amount per year. For example, the point indicated by the dotted red lines in the chart below shows that there’s an 80% chance that bots will cause more than $2.23 million in negative business impact with manual blocking. The risk is negligible when using Distil Networks.
The Bottom Line
Based on the firm’s findings that Brink recently presented, the risk of bad bots is likely between 1.8% and 7.6% of annual revenue; and if a company invests in Distil Networks' solution the risk would drop—even including the costs of the solution—to between 0.1% and 0.2%, with the median being about 0.2.
“The reduction of risk is about 18 times for the investment in Distil Networks, and if you want to try to calculate the annual return on the Distil investment, at least at the median, it's about 23 times,” Brink says.
The bottom line is that with such a model, security and IT leaders can answer the fundamental questions about the risk of bad bots to the organization and how that risk can be reduced through the use of a technology solution aimed at the problem of bad bots.
Given the potential risks to organizations, it’s imperative that information security and IT executives make business leaders aware of the challenges of bad bots, the means for calculating risk to the organization in business terms, and the potential solutions.