Calculating Breach Costs: An Accounting Problem For Risk Management Strategy

Guest post from Researcher Heidi Shey.

Calculating the cost of a data breach should be a part of every organization’s information security risk management strategy. It’s not an easy task by any means, but making the effort upfront — as opposed to after a breach, when calculating cost is the last thing on the to-do list! — can help your organization assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control, such as:

  • In-house time and labor (IT, legal, PR, incident response, call center, etc.)
  • New technologies or services implemented as a result of the breach to change or repair systems
  • External consultants or services for incident response
  • Credit monitoring services for customers
  • Regulatory fines
  • Legal fees or settlements
  • Cyber insurance

But even the direct costs are not always so direct. Should the cost of in-house expertise be excluded because these employees are “doing their jobs”? Or should it be included somehow because these employees are now pulled away from their main responsibilities in order to do what’s needed in response to the breach? The real answer is somewhere in between, in the form of opportunity cost. For example, instead of focusing on the latest product launch and related sales, the PR and sales teams are now spending a great chunk of their time communicating to the public and clients about the organization’s response to the breach. Or, in another example, what if the new technology implemented was already on the organization’s roadmap, and the breach merely accelerated the timeline? Then there are the hidden costs, such as reputational damage. At the end of the day, we can think of security as one big cost and revenue accounting problem. The challenge is: what does this model look like, and what assumptions must we make?

What do you think? Is it a fool’s errand to attempt to calculate the cost of a data breach, or is there real value in doing so? In our upcoming session on May 24-25 in Las Vegas at Forrester’s Security Forum, Ed Ferrara and I will be speaking about calculating the real and hidden costs of a data breach, the pros and cons of various approaches, and a framework for thinking about costs. We are eager to hear your thoughts about this topic, and would love to see you at the Forum!


Twitter: @heidishey


Calculating Costs is a Good Idea

You raise some excellent points here, Heidi. What we’ve found among our customers at Symantec is that there is real value in calculating the potential costs of a data breach as well as measuring data breach risk. Knowing your potential cost of a data breach arms CISOs and CIOs with valuable information that can help business leaders understand what’s at risk so that they can make better risk management decisions. In research that we’ve sponsored, we’ve been able to benchmark the average cost of a data breach, which helps organizations begin to understand how particular characteristics impact cost and how best to allocate resources to the prevention, detection and resolution of a data breach. We then took seven years of this data and created a calculator that will estimate how much a data breach could cost an organization and how they compare with other companies. There are a great many factors to consider when estimating these costs, and the calculator is a good first step to start understanding and communicating data breach risks. Ultimately this type of cost information can help CIOs/CISOs to obtain more IT security budget in order to better manage risk. I look forward to hearing more about this topic at your Security Forum in May.

I agree that you should have

I agree that you should have financial impact metrics when evaluating risks. However, it may make sense to use data from industry sources vs. internally-developed metrics.

Ponemon Institute and a few other sources provide benchmarks from their annual studies that would seem to fill the need for most who are estimating and performing risk management calculations. Looking at it from an IT/Compliance perspective, there are so many "what-ifs" and variables in performing an internal analysis that it may be difficult to do better than an industry sector benchmark. I think you have to look at the cost/benefit of optimizing or personalizing a cost estimate vs. using an available benchmark. Another consideration is that internal estimates may be seen as contrived or driven by an agenda, while external benchmarks are often seen as objective and authoritative (regardless of whether these perceptions are justified).

Within this context, there is a challenge with the use of industry/sector metrics: almost all of the data available is from the US or Western Europe. We don't really know whether a breach in other regions of the world would have significantly different costs. If there are differences, what is driving them? For companies that have breach risks on a global basis, it would be beneficial to have some data that begins to answer these questions.