How much does a data breach cost? The short answer is, it's hard to say. The long answer is, it's harder to say.

Data breaches are the celebutantes of the IT news cycle these days: omnipresent, unwelcome and, without the help of a cadre of highly trained engineers, offering no clear understanding of why they're here or what they're doing. Yet, despite the unending flow of data out and bad news in, obtaining hard data on the cost of a data breach to an organization is difficult, regardless of industry.

Some data is easily discoverable. These hard costs -- engaging an external cyber forensics team or purchasing new security appliances, for example -- fall into explicit categories that can be readily measured. 

However, many (most?) of the resulting costs for a data breach are soft costs. This means only estimates can be generated, which implies that some degree of inaccuracy is built in right from the beginning. How does a breach impact the reputation of an organization? How will it affect future business? Does a breach impact an organization's mission such that other organizations take market share, or put funding sources at risk? What about employee confidence in the organization? Many, many factors can be considered but at the end of the day, it is an opinion that gets collected for soft costs.

Which brings us to recent events, in which a bit of a public dust-up broke out because two wildly differing values for the average cost of a breached record were put forth. The Ponemon Institute reported $217 per record, while Verizon reported 58 cents in their 2015 Data Breach Investigations Report (DBIR). This is a preposterous difference. Both figures can't be correct, so which is accurate?

As in almost all things statistical in nature, comparing those data points is not comparing apples to apples. (And even apples aren't all that similar. Confuse a McIntosh with a Granny Smith and it may turn red with embarrassment, or perhaps that's the result of its natural irregular coloring.)

Let's take a deeper look at these reports and what they're telling us.


Ponemon Institute 2015 Cost of Data Breach Study

The Ponemon Institute conducts independent research that advances information and privacy practices within business and government. The 2015 Cost of Data Breach Study, sponsored by IBM Security, was published in May 2015.

This is the 10th annual benchmark study Ponemon has conducted and published on the cost of data breach incidents. In the 2015 study, 62 companies participated across 16 industry sectors. It is important -- critical, really -- to understand that this report, by design and intent, does not consider data breaches greater than 100,000 records. Yes, multi-million record breaches have occurred multiple times, but, as Ponemon points out, this is not typical for an organization so those cases are not considered.

Let’s not argue about what is "typical." A cursory glance at the HHS Data Breach ‘Wall of Shame’ shows over 55 incidents since 2010 in which over 100,000 records were breached. ‘Large’ breaches are certainly occurring on a more frequent basis every year.

Another key fact to note is that Ponemon collects survey data, that is, the opinions of the individual company representatives it interviews. Why? This allows them to collect data on both direct and indirect expenses incurred by organizations. Direct expenses are measures of related business expenditures, while indirect expenses are extrapolations of the value of customer loss and future customer acquisition rates.


Verizon 2015 Data Breach Investigations Report

Verizon's yearly report, produced since 2008, is packed with sharp wit, sharper insight and, this year, Frozen jokes. New in 2015 are data contributions from 70 companies, adding extra depth in data and insight.

Verizon avoided the entire issue of cost in all prior reports due to the lack of a definitive data source. This year, they roped in data from 191 cyber insurance claims. With this, Verizon is able to maintain their "data first" approach instead of relying on survey results as Ponemon does. Also, this provided them with data on numerous multi-million record data sets. And that leads to…


Where’s the Beef?

So, who's correct? Both. At least, for different data sets. Study different data, get different results.

And to their credit, Verizon is honest about the inherent squishiness in assigning an average cost to something that, while common, is the sum of so many different variables. In their report, Verizon characterizes the 58 cents figure as a 'very poor estimate' and goes on to construct a more formal mathematical model, including linear regression against the raw data. Why? A handful of multi-million record breaches can artificially skew an 'average' value: divide total cost by total records and the largest incidents dominate the result.


And in the end…

So does any of this really matter? Unfortunately, it does. No organization has an unlimited budget, and hard decisions must continually be made to mitigate a vast emerging set of external threats and an increasing set of IT enterprise vulnerabilities. CIOs and CISOs need to be able to place cyber security risk in the normative set of business risks -- not simply a slice of an IT budget. Having a cost per data record value allows an organization to calculate risk exposure.

So which figure to use? Simple -- how many sensitive data records do you need to protect in your enterprise? If fewer than 100,000, feel free to use the Ponemon value. Do you have a quantity beyond that? Use Verizon's numbers, calculated with great statistical pains to construct a 95-percent confidence interval around various data set sizes. In short, the quantity of records lost greatly impacts the 'average' record cost. Which brings us to our next point: don't use averages.
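To make the skew argument above concrete, and to show why a per-record figure is only useful once it is conditioned on breach size, here is an added example (not code or data from either report): a constructed set of incidents, the pooled average that a large breach dominates, and a log-log least-squares fit of the kind Verizon describes, used to estimate cost for a given record count. The incident values and the `annual_breach_probability` used for exposure are assumptions for illustration only.

```python
import math

# Constructed incidents: (records breached, total incident cost in USD).
# Illustrative values only, not figures from Ponemon or Verizon.
CLAIMS = [
    (500, 120_000),
    (2_000, 250_000),
    (10_000, 600_000),
    (50_000, 1_500_000),
    (80_000, 2_000_000),
    (5_000_000, 8_000_000),
    (40_000_000, 25_000_000),
]

def pooled_cost_per_record(claims):
    """Total cost / total records: the two huge breaches dominate."""
    return sum(c for _, c in claims) / sum(r for r, _ in claims)

def mean_incident_cost_per_record(claims):
    """Mean of each incident's own cost/record: small breaches dominate."""
    return sum(c / r for r, c in claims) / len(claims)

def fit_log_log(claims):
    """Ordinary least squares of log10(cost) on log10(records).
    Returns (intercept, slope): cost ~= 10**intercept * records**slope."""
    xs = [math.log10(r) for r, _ in claims]
    ys = [math.log10(c) for _, c in claims]
    n = len(xs)
    x_bar, y_bar = sum(xs) / n, sum(ys) / n
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return y_bar - slope * x_bar, slope

def predict_cost(model, records):
    """Fitted total cost for a breach of the given size."""
    intercept, slope = model
    return 10 ** intercept * records ** slope

def predict_cost_per_record(model, records):
    """Per-record cost falls as breach size grows (slope < 1)."""
    return predict_cost(model, records) / records

def annual_exposure(model, records_held, annual_breach_probability):
    """Expected annual loss: size-conditioned cost x probability (assumed)."""
    return predict_cost(model, records_held) * annual_breach_probability

if __name__ == "__main__":
    m = fit_log_log(CLAIMS)
    print(f"pooled $/record: {pooled_cost_per_record(CLAIMS):.2f}")
    print(f"mean incident $/record: {mean_incident_cost_per_record(CLAIMS):.2f}")
    for n in (1_000, 100_000, 10_000_000):
        print(f"{n:>10} records -> ${predict_cost_per_record(m, n):.2f}/record")
```

With these constructed inputs the pooled figure lands below one dollar while the per-incident mean is in the tens of dollars, reproducing the shape of the 58 cents versus $217 disagreement from one data set.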

Have we seen the last of this colorful topic? Doubtful. Sniping emerged shortly after the Verizon Report hit the streets, with a VP from IBM pointing out that printing and sending a physical letter costs more than 58 cents.

This topic has the potential to move the industry -- and media -- away from news of the most recent data breach to the juicier prospect of various cyber vendors arguing over true breach costs and how best to prevent a breach in the first place.

Use the reports as a guide. There are no two identical data breaches in terms of cost and response, but general guidelines can help you understand what level of cyber defense you should be deploying.

And as for the dustup between the two very useful reports and their teams, we can only hope the advice of Arendelle's chief information security officer rings true and we can all just Let It Goooooooooooo...

About the Author

Robert J. Michalsky has served government and commercial customers for more than 30 years. As NJVC Principal, Cyber Security, he quantifies and pursues new business opportunities in cyber security. Mr. Michalsky spent more than 15 years providing cyber security-related IT engineering services for classified Intelligence Community and Department of Defense customers.