A construction firm (HochTief AG, CHF 10 M revenue) faces two cyber risks: (1) generic ransomware ~4× per 5 years at CHF 20k each, and (2) a rare attack on their concrete-mixing plant via remote maintenance — once per 10 years at CHF 15 M. What is the total annual cyber risk?
Ransomware: 0.8/yr × 20 000 = CHF 16 000/year. Production attack: 0.1/yr × 15 000 000 = CHF 1 500 000/year. Total ≈ CHF 1 516 000/year.
Step-by-step, applying Risiko = Eintrittshäufigkeit × Schadensausmass:
- Ransomware on IT: 4 events in 5 years = 0.8 events/year; CHF 20 000 per event → 0.8 × 20 000 = CHF 16 000/year.
- Production shutdown via concrete-mixer remote maintenance: 0.1 events/year; CHF 15 000 000 per event → 0.1 × 15 000 000 = CHF 1 500 000/year.
Because the two events are statistically independent, you sum the annualised expected losses: CHF 1 516 000/year total.
The key insight:
- The ransomware feels like the daily worry — it's frequent and visible.
- But the rare-catastrophic risk (production attack) is ~100× larger in expected-loss terms.
- This is the classic risk-management trap: spending all attention on the visible, recurring threat while a low-probability/high-impact risk dwarfs it on the books.
Recommended treatment (the rest of the case):
- Vermeiden (e.g. dropping the in-house concrete production and outsourcing → eliminates the CHF 1.5 M risk by removing the asset from scope).
- Reduzieren (training + 7-day backups → cuts ransomware likelihood and impact, but only nibbles at the CHF 16 k risk, not the big one).
Tip: Whenever someone says "we should focus on ransomware", run the math on what else lives in the portfolio. The biggest risk often hides in the least-discussed scenario.