One of the challenges related to cybersecurity is the risk of cyberattacks that disrupt supply chains and affect a wide range of economic activities [1]. Long-standing issues include cyberattacks for financial gain and those targeting social and industrial activities. In recent years, ransomware attacks have not only caused direct damage such as system outages and business interruptions but also significant spillover damage beyond the attacked organization’s industry, including supply chain disruptions. In the damage analysis of natural disasters, damage is quantitatively assessed in terms of both direct and spillover damage. In the case of cyberattacks, it is important to quantitatively understand not only the direct damage to the attacked organization but also the spillover damage that affects other organizations. By sharing the quantitative damage results among all organizations involved in the supply chain, resilience strategies and measures can be developed with an overall optimization perspective. In this paper, we quantitatively estimate and analyze the direct and spillover damage (in both upstream and downstream industries) linked from the cyberattacked industry to other industries. We have found that the input–output analysis model used in this study can provide effective information for planning resilience enhancement measures by industry.

1. [1] A. Goto, “Supply chain resilience required in a digitally dependent era,” Trans. of Information Processing Society of Japan, Vol.65, No.9, pp. 1266-1276, 2024.
2. [2] Cybersecurity Strategic Headquarters, “Cybersecurity 2024,” Jun. 2024. https://www.nisc.go.jp/pdf/policy/kihon-s/cs2024.pdf [Accessed July 19, 2025]
3. [3] A. Kokaji and A. Goto, “An analysis of economic losses from cyberattacks: Based on input–output model and production function,” J. of Economic Structures, Vol.11, Article No.34, 2022. https://doi.org/10.1186/s40008-022-00286-4
4. [4] Cabinet Office Disaster Prevention Division, “Estimated damage from a major earthquake along the Nankai Trough (Second Report),” 2024. https://www.bousai.go.jp/jishin/nankai/taisaku_wg/pdf/20130318_shiryo2_1.pdf [Accessed July 19, 2025]
5. [5] Cabinet Office Director-General for Economic and Fiscal Analysis, “Methods for estimating the amount of economic damage caused by natural disasters—Taking the heavy rains of July 2018 as an example,” 2024. https://www5.cao.go.jp/keizai3/discussion-paper/dp184.pdf [Accessed July 19, 2025]
6. [6] Center for Strategic and International Studies and McAfee, “The hidden cost of cybercrime,” 2020. https://www.csis.org/analysis/hidden-costs-cybercrime [Accessed July 19, 2025]
7. [7] RAND Corporation, “Estimating the global cost of cyber risk: Methodology and examples,” 2023. https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2299/RAND_RR2299.pdf [Accessed July 19, 2025]
8. [8] Cybersecurity Ventures, “Cybercrime to cost the world $10.5 trillion annually,” 2023. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ [Accessed July 19, 2025]
9. [9] Microsoft and Frost & Sullivan, “Cybersecurity threats to cost organizations in Asia Pacific US$1.75 trillion in economic losses,” 2023. https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75-trillion-in-economic-losses [Accessed July 19, 2025]
10. [10] Accenture and Ponemon Institute, “The cost of cybercrime,” 2023. https://www.sciencedirect.com/science/article/abs/pii/S1353485819300327 [Accessed July 19, 2025]
11. [11] Japan Network Security Association, “Information security incident research report,” 2023 (in Japanese). https://www.jnsa.org/result/incident/2018.html [Accessed July 19, 2025]
12. [12] Trend Micro, “Enterprises Security Trend in 2020,” 2023 (in Japanese). https://www.trendmicro.com/ja_jp/about/press-release/2020/pr-20201002-01.html [Accessed July 19, 2025]
13. [13] Security Incidents Organization, “Repository of industrial security incidents,” 2023.
14. [14] Ponemon Institute, “2015 cost of cyber crime study: United States (Cybercrime),” 2023. https://www.ponemon.org/local/upload/file/2015%20US%20CCC%20FINAL%204.pdf [Accessed July 19, 2025]
15. [15] Ponemon Institute, “2015 cost of data breach study: Global analysis (Cyberimpact),” 2023. https://www.ponemon.org/local/upload/file/2015%20US%20CCC%20FINAL%204.pdf [Accessed July 19, 2025]
16. [16] Center for Strategic and International Studies, “The economic impact of cybercrime and cyber espionage,” 2023. https://www.csis.org/analysis/economic-impact-cybercrime-and-cyber-espionage [Accessed July 19, 2025]
17. [17] Armed Forces Communications and Electronics Association, 2023. https://www.afcea.org/ [Accessed July 19, 2025]
18. [18] Center for Strategic and International Studies and McAfee, “The hidden costs of cybercrime,” 2023. https://www.csis.org/analysis/hidden-costs-cybercrime [Accessed July 19, 2025]
19. [19] Lloyd’s and Cambridge Centre for Risk Studies, University of Cambridge Judge Business School, “Business blackout,” 2023. https://www.lloyds.com/businessblackout [Accessed July 19, 2025]
20. [20] Information-technology Promotion Agency, “Information security incident damage survey,” 2014 (in Japanese). https://www.ipa.go.jp/security/products/products.html [Accessed July 19, 2025]
21. [21] Mitsubishi Research Institute, “Technology issues in cybersecurity from social problems,” 2023 (in Japanese). https://www.nisc.go.jp/pdf/council/cs/kenkyu/dai09/09shiryou03.pdf [Accessed July 19, 2025]
22. [22] H. Tanaka, T. Takemura, Y. Iidaka, K. Hanamura, and A. Komatsu, “A study about an estimation of economic loss by information security incidents,” J. of Economic Policy Studies, Vol.11, No.2, pp. 59-62, 2015 (in Japanese).
23. [23] Lloyd’s, “Cloud down,” 2023. https://www.lloyds.com/businessblackout [Accessed July 19, 2025]
24. [24] Japan Network Security Association, “Information security incident survey—Personal information leakage—(2018),” 2018 (in Japanese). https://www.jnsa.org/result/incident/2018.html [Accessed July 19, 2025]
25. [25] M. Eling, M. Elvedi, and G. Falco, “The economic impact of extreme cyber risk scenarios,” North American Actuarial J., Vol.27, Issue 3, pp. 429-443., 2022. https://doi.org/10.1080/10920277.2022.2034507
26. [26] M. Shimoda and K. Fujikawa, “Input-output analysis model and supply constraints caused by the Great East Japan Earthquake,” Input-Output Analysis, Vol.20, No.2, pp. 133-146, 2012. https://doi.org/10.11107/papaios.20.133.
27. [27] Y. Nakanishi, S. Karasawa, Y. Funabashi, and Y. Matsubayashi, “An economic impact evaluation of telecom service disruptions considering the inter-industry spillover impacts,” The 2013 IEICE General Conf., Session No.B-6-28, 2013 (in Japanese).
28. [28] T. Hiromatsu, A. Shinozaki, and Y. Yamamoto, “Economic spillover effects of the ‘Information Network Industry’: Measurements from 1990–1995–2000–2004 using input-output tables and comparison with the automobile industry,” InfoCom REVIEW, Vol.43, pp. 30-35, 2007 (in Japanese).
29. [29] Y. Yamamoto and A. Shinozaki, “Input-output analysis of japan’s information related industries: Dynamic changes from 1990 to 2005,” J. of Political Economy, Vol.76, No.4, pp. 67-82, 2010 (in Japanese). https://doi.org/10.15017/16488
30. [30] A. Oh, K. Miyagawa, and M. Yamada, “Economic Analysis of the Japan-China Structure,” Keiso Shobo, 2016 (in Japanese).
31. [31] A. Onozaki, “The impact of ICT progress at the inter-industry structure: A comparative study of Japan, the U.S., and China using IO tables,” InfoCom Economic Study Discussion Paper, No.14, 2022 (in Japanese).
32. [32] The Research Institute of Economy, Trade and Industry, “JIP Database,” 2023 (in Japanese). https://www.rieti.go.jp/jp/database/jip.html [Accessed July 19, 2025]
33. [33] Information-technology Promotion Agency, “2011 Information Security Incident Damage Status Investigation,” 2011 Research Report, pp. 81-88, 2011. https://warp.ndl.go.jp/info:ndljp/pid/12446699/www.ipa.go.jp/security/fy23/reports/isec-survey/index.html [Accessed July 28, 2025]
34. [34] Information-technology Promotion Agency, “2013 Information Security Incident Damage Status Investigation,” 2013 Research Report, pp. 84-93, 2013. https://warp.ndl.go.jp/info:ndljp/pid/12446699/www.ipa.go.jp/security/fy25/reports/isec-survey/index.html [Accessed July 28, 2025]
35. [35] Information-technology Promotion Agency, “2014 Information Security Incident Damage Status Investigation,” 2014 Research Report, pp. 85-101, 2014. https://warp.ndl.go.jp/info:ndljp/pid/12446699/www.ipa.go.jp/security/fy26/reports/isec-survey/index.html [Accessed July 28, 2025]
36. [36] Statistics Bureau, Ministry of Internal Affairs and Communications, “2016 economic census – Activity survey (final report) cross-industry tabulation (Summary),” 2024. https://www.stat.go.jp/data/e-census/2016/kekka/pdf/k_yoyaku.pdf [Accessed July 19, 2025]
37. [37] Ministry of Economy, Trade and Industry, “Input output table,” 2023 (in Japanese). https://www.meti.go.jp/statistics/tyo/entyoio/index.html [Accessed July 19, 2025]
38. [38] S. Mori and A. Goto, “Reviewing national cybersecurity strategies” J. Disaster Res., Vol.13, No.5, pp. 957-966, 2018. https://doi.org/10.20965/jdr.2018.p0957