
Getting a Handle on Data Breach Costs

One of the first steps in formulating and evaluating a security strategy is doing some basic risk assessment. We want to understand the costs and benefits of applying different technologies and procedures and get the biggest bang for the buck. Risk assessment looks easy in textbook examples, but the single biggest problem with it is getting decent, real-world data to work with. Without data we can't answer basic questions like "How much should we spend to protect against threat X?"

The Ponemon Institute has been surveying companies on the cost of data breaches for several years and has produced average cost-per-lost-record figures. The latest survey is discussed in SearchSecurity:

The study found that the total average cost of a data breach grew to $197 per compromised record, an increase of 8% since 2006 and 43% compared to 2005. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.

And then there is the cost of lost business:

Other findings indicate that the cost of lost business continued to increase at more than 30%, averaging $4.1 million or $128 per compromised record. Lost business now accounts for 65% of data breach costs compared to 54% in the 2006 study.

Lacking any better estimates, it may be useful to use figures from this survey when conducting a risk analysis. They may not fit your situation exactly, but they're likely better than the SWAGs we sometimes have to run with. If nothing else, these estimates can provide a sanity check on estimates we come up with using other methods.
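To make the "sanity check" concrete, here is an added example (not part of the original post) that plugs the survey's per-record figures into a standard single-loss-expectancy / annualized-loss-expectancy calculation and flags a scenario whose estimated breach cost falls outside the per-company range the survey reported. The record count, annual breach probability, control cost and control effectiveness are constructed assumptions for illustration; only the dollar figures quoted from the survey above are taken from the page.

```python
"""Quantitative risk sanity check using the Ponemon per-record figures quoted above."""
from dataclasses import dataclass

# Figures quoted in the post (Ponemon survey as reported by SearchSecurity).
COST_PER_RECORD = 197.0            # total average cost per compromised record (USD)
LOST_BUSINESS_PER_RECORD = 128.0   # lost-business portion of that per-record cost (USD)
SURVEY_MIN_TOTAL = 225_000.0       # low end of total cost per reporting company
SURVEY_MAX_TOTAL = 35_000_000.0    # high end ("almost $35 million")


@dataclass
class BreachScenario:
    """One threat scenario: how many records are exposed and how often it happens."""
    records_at_risk: int        # assumption: records exposed if the breach occurs
    annual_probability: float   # assumption: annualized rate of occurrence (ARO)


def single_loss_expectancy(records: int, cost_per_record: float = COST_PER_RECORD) -> float:
    """SLE: expected cost of one breach of this size, using the survey average."""
    return records * cost_per_record


def lost_business_component(records: int) -> float:
    """Portion of the SLE attributable to lost business (the $128/record figure)."""
    return records * LOST_BUSINESS_PER_RECORD


def lost_business_fraction() -> float:
    """Consistency check: lost business as a share of total per-record cost.
    The survey reports roughly 65%; 128/197 should agree."""
    return LOST_BUSINESS_PER_RECORD / COST_PER_RECORD


def annualized_loss_expectancy(scenario: BreachScenario) -> float:
    """ALE = SLE * ARO, the expected yearly loss from this scenario."""
    return single_loss_expectancy(scenario.records_at_risk) * scenario.annual_probability


def within_survey_range(sle: float) -> bool:
    """Sanity check: does the estimated per-breach cost fall inside the range
    the surveyed companies actually reported? Outside it is not wrong, but it
    deserves a second look."""
    return SURVEY_MIN_TOTAL <= sle <= SURVEY_MAX_TOTAL


def control_net_benefit(scenario: BreachScenario, control_cost: float,
                        probability_reduction: float) -> float:
    """Annual net benefit of a control that cuts the breach probability by the
    given fraction: ALE avoided minus the control's yearly cost. A positive
    number is the "how much should we spend" answer the post asks for."""
    mitigated = BreachScenario(scenario.records_at_risk,
                               scenario.annual_probability * (1.0 - probability_reduction))
    avoided = annualized_loss_expectancy(scenario) - annualized_loss_expectancy(mitigated)
    return avoided - control_cost


if __name__ == "__main__":
    # Constructed scenario: 50,000 customer records, one-in-ten chance per year.
    s = BreachScenario(records_at_risk=50_000, annual_probability=0.10)
    sle = single_loss_expectancy(s.records_at_risk)
    print(f"SLE: ${sle:,.0f} (lost business ${lost_business_component(s.records_at_risk):,.0f})")
    print(f"Within survey range: {within_survey_range(sle)}")
    print(f"ALE: ${annualized_loss_expectancy(s):,.0f}")
    # Constructed control: $200k/year that halves the breach probability.
    print(f"Net benefit of control: ${control_net_benefit(s, 200_000.0, 0.5):,.0f}")
```

The survey averages stand in for the scenario's unknowns, so the output is only as good as the assumed record count and probability; the range check is there precisely so that a wildly off record count or an unrealistic per-record cost shows up before it drives a budget decision.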

That said, the SearchSecurity article cites the TJX breach to demonstrate just how difficult it can be to size up the cost of a data breach:

"TJX initially underestimated what the cost of a data breach would be and the costs keep creeping up," he [Larry Ponemon, founder and chairman of the Ponemon Institute] said, noting how TJX initially said it spent $25 million responding to the breach but later admitted the cost was closer to $256 million.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net