LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

A construction firm (HochTief AG, CHF 10 M revenue) faces two cyber risks: (1) generic ransomware ~4× per 5 years at CHF 20k each, and (2) a rare attack on their concrete-mixing plant via remote maintenance — once per 10 years at CHF 15 M. What is the total annual cyber risk?

Ransomware: 0.8/yr × 20 000 = CHF 16 000/year. Production attack: 0.1/yr × 15 000 000 = CHF 1 500 000/year. Total ≈ CHF 1 516 000/year.

Step-by-step, applying Risiko = Eintrittshäufigkeit × Schadensausmass:

  • Ransomware on IT: 4 events in 5 years = 0.8 events/year; CHF 20 000 per event → 0.8 × 20 000 = CHF 16 000/year.
  • Production shutdown via concrete-mixer remote maintenance: 0.1 events/year; CHF 15 000 000 per event → 0.1 × 15 000 000 = CHF 1 500 000/year.

Because the two events are statistically independent, you sum the annualised expected losses: CHF 1 516 000/year total.

The key insight:

  • The ransomware feels like the daily worry — it's frequent and visible.
  • But the rare-catastrophic risk (production attack) is ~100× larger in expected-loss terms.
  • This is the classic risk-management trap: spending all attention on the visible, recurring threat while a low-probability/high-impact risk dwarfs it on the books.

Recommended treatment (the rest of the case):

  • Vermeiden (e.g. dropping the in-house concrete production and outsourcing → eliminates the CHF 1.5 M risk by removing the asset from scope).
  • Reduzieren (training + 7-day backups → cuts ransomware likelihood and impact, but only nibbles at the CHF 16 k risk, not the big one).

Tip: Whenever someone says "we should focus on ransomware", run the math on what else lives in the portfolio. The biggest risk often hides in the least-discussed scenario.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026