In a research world where we collect data on security technology (and services!) adoption, security spending, workforce attitudes about security, and more, there’s one type of data that I get asked about from Forrester clients in inquiry that makes me pause: breach cost data. I pause not because we don’t have it, but because it’s pretty useless for what S&R pros want to use it for (usually to justify investment). Here’s why:
What we see, and what is publicly available data, is not a complete picture. In fact, it’s often a tiny sliver of the actual costs incurred, or an estimate of a part of the cost that an organization opts to reveal.
What an organization may know or estimate as the cost (assuming they have done a cost analysis, which is also rare), and do not have to share, is typically not shared. After all, they would like to put this behind them as quickly as possible, and not draw further unnecessary attention.
What an organization may believe is an estimate of the cost can change over time as events related to the breach crop up. For example, in the case of the Sony PlayStation Network Platform hack in April 2011, a lot of costs were incurred in the weeks and months following the breach, but they were also getting slapped with fines in 2013 relating to the breach. In other breaches, legal actions and settlements can also draw out over the course of many years.