Over the past decade or so, a significant increase in automated bot traffic has completely reshaped the digital landscape. Today, studies estimate that more than half of all web traffic is generated by bots, and almost half of that bot traffic comes from malicious bad bots. These bad bots are designed to attack business applications through multiple different bot attack threats such as Account Takeover, Scraping, Scalping, Denial of Inventory, and Click and Ad Fraud. With the advent of AI, creating and executing a sophisticated bot attack has become easier than ever before.
From account takeover attempts to price scraping and denial of inventory to Click and Ad Fraud, bad bots are eroding revenue, distorting analytics, inflating infrastructure costs, and damaging customer trust. For business leaders and Chief Information Security Officers (CISOs), the question is not just how to secure the applications and protect against these bot attacks, but also to be cognizant of the negative business impact that would result from such attacks. Leaders need to be clear on which KPIs (Key Performance Indicators) they should focus on to translate security defense conversations into financial and business outcomes.
Beyond Security Metrics: Understanding the True Cost of Bad Bots
Traditionally, bot management efficacy was judged solely on security metrics. This meant that the Security Operations (SecOps) leadership team was the main persona that bot management vendors typically engaged with. The SecOps leadership team focussed on how effective the bot management solution was at mitigating bot attacks. The main KPIs/metrics were always security focussed, i.e., False Positive (FP) %, False Negative (FN) % (the % of bad bot traffic that bypasses the solution), the % of traffic classified as bad bots, good bots, and genuine human traffic, etc. Though these metrics continue to be critical and need to be tracked, business owners also need to be cognizant of the negative business impact of these bad bot attacks.
Hence, in the current business context, it is essential to have clear KPI metrics that business owners can track. These help them understand the actual business impact caused by bot attacks that leak through, and how an effective bot mitigation solution can drive positive business outcomes. Today, business leaders need to track how bot management efficacy translates into cost savings, reduced revenue loss, better ROI on marketing spend, and an objective uptick in CSAT (Customer Satisfaction) scores.
KPIs That Matter for Business Leaders
Financial KPIs: KPIs that are related to financial (revenue or cost) impact.
- Cost Impact:
  - By estimating the cost per breached account in an Account Takeover attack and measuring how effectively the bot solution prevents such attacks, a business can quantify the reduction in direct monetary losses from chargebacks and credit card processing penalties.
  - Marketing Ad-spend cost: Ad Fraud or Click Fraud initiated by bots can completely skew your web analytics and drain your marketing and advertising spend, as none of these clicks convert into actual purchases on the application. This is both a cost impact and, at the same time, a potential loss of revenue from genuine users.
- Revenue Impact:
  - Revenue loss can occur due to different types of bot attacks. Specifically, Denial of Inventory/Cart Abandonment attacks leave legitimate users unable to complete their transactions, resulting in a direct monetary loss for the business.
  - Similarly, price scraping by a competitor-driven bot attack can result in loss of revenue. Genuine long-time users of your application might see lower prices on competitor websites, leading to lower user engagement and finally churn. This is a direct monetary impact to the business.
  - Downtime and performance: Bot-induced server slowdowns or crashes can make a site inaccessible, directly causing missed sales opportunities.
Operational Efficiency KPIs: KPIs that look at internal support and infrastructure spend costs that could be avoided by detecting and effectively mitigating the bot attacks.
- Person-hour cost: Sophisticated bad bot attacks typically result in significant person-hours being spent by SOC, Fraud, and Security teams to investigate and mitigate them. These person-hours can easily be totalled over time across security incidents and converted into a tangible cost impact, which is a metric that SecOps leadership can track.
- There is also a person-hour cost whenever a Fraud or Account Takeover attack occurs, as Support/Call Centre teams have to manage the resulting spike in customer complaints. This is also a metric that can be tracked easily.
- Infrastructure Spend Cost: Bot attacks that leak through force applications to scale their infrastructure (compute, bandwidth, and CDN) to handle the high load generated by these bots. That is a significant additional infrastructure cost that can be measured and tracked as a metric. Advanced Bot Mitigation Solutions, such as Radware Bot Manager, can prevent such sophisticated bot attacks, resulting in direct cost savings for the business.
Customer Satisfaction and brand reputation KPIs: KPIs that impact brand reputation and customer satisfaction.
- Customer Satisfaction (CSAT) score: Bot attacks can slow down or, in worst cases, bring down the customer applications, thus leading to bad user experiences which translate into poor CSAT scores for the organization.
- Negative Reviews: When bots prevent genuine users from completing their transactions, for example because products are unavailable due to denial of inventory attacks, users may share negative reviews on the application website, further affecting the CSAT score and brand reputation. This has a direct monetary impact in terms of lost revenue from regular customers and is a metric that needs to be tracked.
- Net Promoter Score (NPS): Reputational damage and erosion of customer trust can be reflected in a lower NPS.
- Financial losses due to Regulatory & Compliance Exposure/Fines: Breaches stemming from bot-driven scraping or account compromises can trigger GDPR, PCI, or sector-specific fines.
Other KPIs: Specific KPIs that matter to specific industry verticals.
- Look-to-book ratio: In industries like travel, bots can completely skew search traffic without a corresponding increase in bookings, resulting in a high look-to-book ratio. This puts unnecessary strain on systems (e.g., GDS, booking engines), and airlines, hotels, and OTAs often see this when competitors, aggregators, or bots are attacking their applications. These sectors typically expect a low look-to-book ratio, as it indicates robust booking conversion.
- Cart-to-Checkout Ratio: Other verticals such as e-Commerce and Retail can similarly track metrics/KPIs such as the Cart-to-Checkout Ratio to see whether the organization is indeed meeting its stated business goals.
- Queue Abandonment Rate: For online ticketing companies, a metric like the queue abandonment rate is an extremely important indicator of whether bad bots are flooding the ticketing system and causing genuine users to abandon the queue.
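To make the skew concrete, here is an added example (not code from the original post or from Radware) that computes the look-to-book ratio and queue abandonment rate from a constructed set of session records, once over all traffic and once restricted to sessions the bot-management layer classified as human. The session data and the "human"/"bad_bot" labels are constructed for illustration.

```python
from collections import Counter
from typing import List, Optional, Set, Tuple

# Constructed sample sessions (not real customer data). Each record is
# (classification assigned by the bot-management layer, ordered events).
SESSIONS: List[Tuple[str, List[str]]] = [
    ("human",   ["search", "search", "book"]),
    ("human",   ["search", "book"]),
    ("human",   ["search"]),
    ("human",   ["queue_join", "checkout"]),
    ("human",   ["queue_join", "queue_leave"]),
    ("bad_bot", ["search"] * 40),                   # scraper hammering search
    ("bad_bot", ["search"] * 25),
    ("bad_bot", ["queue_join", "queue_leave"] * 10),  # bot churning the queue
]

def count_events(sessions, classes: Optional[Set[str]] = None) -> Counter:
    """Sum event counts across sessions, optionally restricted to classes."""
    counts: Counter = Counter()
    for cls, events in sessions:
        if classes is None or cls in classes:
            counts.update(events)
    return counts

def look_to_book(sessions, classes=None) -> float:
    """Searches per booking; lower means healthier conversion."""
    c = count_events(sessions, classes)
    return c["search"] / c["book"] if c["book"] else float("inf")

def queue_abandonment_rate(sessions, classes=None) -> float:
    """Fraction of queue joins that ended in the user leaving the queue."""
    c = count_events(sessions, classes)
    return c["queue_leave"] / c["queue_join"] if c["queue_join"] else 0.0

def bad_bot_request_share(sessions) -> float:
    """Share of all requests that came from bad-bot sessions."""
    total = sum(len(ev) for _, ev in sessions)
    bot = sum(len(ev) for cls, ev in sessions if cls == "bad_bot")
    return bot / total if total else 0.0

def kpi_report(sessions) -> dict:
    """KPIs over all traffic versus human-only traffic, side by side."""
    return {
        "look_to_book_all": look_to_book(sessions),
        "look_to_book_human": look_to_book(sessions, {"human"}),
        "queue_abandonment_all": queue_abandonment_rate(sessions),
        "queue_abandonment_human": queue_abandonment_rate(sessions, {"human"}),
        "bad_bot_request_share": bad_bot_request_share(sessions),
    }
```

On the constructed data the look-to-book ratio drops from 34.5 to 2.0 and queue abandonment from about 92% to 50% once bad-bot sessions are excluded, which is the gap a business owner would attribute to leaked bot traffic.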
Transition from Security Focussed Metrics to Business Focussed Metrics
As it becomes increasingly relevant to look at business focussed metrics instead of only security focussed metrics, discussions in leadership meetings will start to sound more like "We prevented an estimated $10 million in potential chargeback and fraud-related losses last quarter" rather than "We blocked 2 million credential-stuffing attempts", and "We saved $1 million in support/call-centre and Security Operations cost last month" rather than "Bad bot traffic was ~27% of overall failed traffic to the application".
Business Leaders who measure and communicate the right KPIs are not just tracking attacks; they are quantifying business impact and proving the value of security investments. By framing bot defense in terms of revenue protection, fraud reduction, efficiency gains, and customer trust, there is an easier and clearer justification for the need of a robust Bot Management solution.
Radware Bot Manager provides a best-in-class bot protection solution that can help business leaders articulate the true business value of the Radware offering. Radware's robust bot management solution, coupled with our Emergency Response Team that constantly monitors customer applications and takes proactive action, helps organizations achieve their business outcomes. Through our Customer Success Teams, we also provide customized ROI reports that clearly articulate the business value of using the Radware Bot Manager solution.
To know more about the Radware Bot Manager offering, visit: https://www.radware.com/products/bot-manager/.