Data Breaches: The Probability and Financial Risk of a Breach (part 2 of 2)
Posted by Prat Moghe on Tue, Feb 12, 2008
Recently I was chatting with Avivah Litan, VP Distinguished Analyst at Gartner. Avivah is well-known for her commentary on privacy, fraud and breaches. She mentioned that one statistic we lack in the security industry is the actual probability of a breach and, subsequently, a conservative average cost or fallout. Well, we may have the makings of this statistic in the model discussed in my last post.
(a) Assume, as an approximation (one that is easily refined by measuring the size of the companies in the Attrition database), that the breach statistics discussed in my last post were gathered over the last three years across Fortune 5000 companies. There were 813 breaches in total, so the probability that a Fortune 5000 company sees a breach is roughly 813/5000, or 16%. (Strictly, that is the share of companies breached over the whole three-year window; spread evenly over the window it is about 5% per year.)
(b) If a breach happens, we know that on average 50,000 records are lost per moderate breach. I am ignoring large events, because they are rare enough to skew this analysis and to invite skepticism from business risk management. For many organizations, the probability of a large-loss breach may be lower than the probability of other business risks occurring, which means the organization will give those other risks higher priority, investing in mitigating the non-breach business risks first.
(c) Using public figures that put the cleanup cost of a data loss at $182 per record, a moderate breach costs on average 50,000 × $182, or about $9MM ($9.1MM before rounding). Note that this is a cost per breach, not per year: conservatively, a breached organization loses about $9MM per moderate breach.
(d) Combining (a) and (c) gives the "expected value" of breach-related financial cost, or the expected "risk" in dollars. Treating the 16% as a yearly probability, the expected yearly cost of breach-related losses for an enterprise is 0.16 × $9MM, or roughly $1.4MM. (If the 16% is instead spread over the three-year window, the figure drops to about $0.5MM per year; either way it stays well under $2MM.)
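As an added worked example (not code from the original post), the following Python carries steps (a) to (d) through with the post's own inputs and then does two things the arithmetic above does not show: it annualizes the three-year breach share, and it inverts the model to ask how many records a moderate breach would have to expose before the expected annual loss reaches a given figure. The `BreachModel` class, the `annualize` option and the `sensitivity` sweep are this example's own constructions, not anything from the post or from Gartner.

```python
"""Expected-value model of breach cost, following steps (a) to (d) above.

Added worked example, not code from the original post. The default inputs are
the post's own figures (813 breaches, 5000 companies, three-year window,
50,000 records per moderate breach, $182 cleanup cost per record). The
annualization option, the break-even inverse and the sensitivity sweep are
additions for illustration; the names are this example's own.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BreachModel:
    breaches: int             # breaches observed in the window (post: 813)
    companies: int            # population the breaches are drawn from (post: 5000)
    window_years: float       # length of the observation window (post: 3)
    records_per_breach: int   # records lost in a moderate breach (post: 50,000)
    cost_per_record: float    # cleanup cost per lost record (post: $182)

    def breach_probability(self, annualize: bool = False) -> float:
        """Step (a): share of companies breached. The post uses the raw share as a
        yearly figure; annualize=True spreads it evenly over the window instead
        (an assumption of this example)."""
        share = self.breaches / self.companies
        return share / self.window_years if annualize else share

    def cost_per_breach(self) -> float:
        """Step (c): records lost times cleanup cost per record (a cost per
        breach, not per year)."""
        return self.records_per_breach * self.cost_per_record

    def expected_annual_loss(self, annualize: bool = False) -> float:
        """Step (d): probability times cost per breach."""
        return self.breach_probability(annualize) * self.cost_per_breach()

    def records_needed_for_loss(self, target_annual_loss: float,
                                annualize: bool = False) -> int:
        """Inverse of step (d): the smallest records-per-breach at which the
        expected annual loss reaches target_annual_loss, holding probability and
        per-record cost fixed. Useful for the $20MM threshold the post mentions
        under its conclusions."""
        loss_per_record = self.breach_probability(annualize) * self.cost_per_record
        return math.ceil(target_annual_loss / loss_per_record)


def sensitivity(model: BreachModel, multipliers=(1, 2, 5, 10, 20)) -> dict:
    """Expected annual loss as records per breach scale by each multiplier."""
    return {
        m: replace(model, records_per_breach=int(model.records_per_breach * m)).expected_annual_loss()
        for m in multipliers
    }


# The post's figures as given in steps (a) to (c).
POST_MODEL = BreachModel(breaches=813, companies=5000, window_years=3,
                         records_per_breach=50_000, cost_per_record=182.0)


if __name__ == "__main__":
    m = POST_MODEL
    print(f"P(breach) as used in the post: {m.breach_probability():.1%}; "
          f"annualized over {m.window_years:g} years: {m.breach_probability(True):.1%}")
    print(f"cost per moderate breach: ${m.cost_per_breach():,.0f}")
    print(f"expected annual loss: ${m.expected_annual_loss():,.0f} (post's figure); "
          f"${m.expected_annual_loss(True):,.0f} (annualized)")
    print("records per breach needed for a $20MM expected annual loss: "
          f"{m.records_needed_for_loss(20_000_000):,}")
    for mult, loss in sensitivity(m).items():
        print(f"  {mult:>3}x records -> ${loss:,.0f} expected annual loss")
```

With the post's inputs the expected annual loss comes out at about $1.48MM (the post rounds to $1.4MM), or about $0.49MM if the 16% share is spread over three years. Holding the same probability and per-record cost, a moderate breach would have to expose roughly 676,000 records before the expected annual loss reached $20MM, which is the kind of break-even a risk manager would actually want to see before reprioritizing spend.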
What conclusions can we draw?
(1) Data breaches and security spend: It is clear why, in spite of all the hype, breaches do not drive security spend. On the figures above, the expected dollar risk from breaches is under $2MM per year. For a Fortune 5000 company, the choice between making security investments that could cost several million dollars plus staff time, and suffering a moderate breach that costs less than $2MM per year in expectation, is a simple one.
(2) Compliance and security spend: In the absence of breach risk, compliance will continue to drive security spend for the foreseeable future. The reason is that compliance may be tied to contractual obligations (e.g., if you are an outsourcer who cannot do business without a clean compliance certificate, you are much more likely to take it seriously).
(3) Will breaches ever be taken seriously? I think so, and I see two ways this could happen. First, in a circular way, compliance may force organizations to lay a monitoring/auditing foundation that makes breaches much more visible. (There is a general feeling that breaches are underreported; part of the problem is that technologies to monitor data disclosure are only now being put in place.) With higher visibility, both the observed frequency of breaches and the expected losses may increase. Once the expected value of annual breach losses rises beyond, say, $20MM, you will see a clear shift in spending priorities. Second, if large-loss incidents continue to increase and reach the point where they are no longer perceived as rare (today they are at 3%), there may be a psychological shift.