Laurance Dine explains Verizon’s assessment model for gauging the financial impact of a security breach
The motives for cyber-attacks still remain varied. Attackers may be looking for payment card data or sensitive commercial information; they may simply wish to disrupt business. But whatever the motive, all attacks have an impact on a business.
Protecting an organization from a data breach could save tens of millions of dollars, help maintain customer loyalty and shareholder confidence. But can we really quantify the true cost of a data breach?
We at Verizon believe so. As a part of our 2015 Data Breach Investigation Report we have sought to build an alternative – and more accurate – approach to estimating loss as a result of a security incident. We have based the approach on actual data and consider multiple contributing factors, importantly not just number of records.
The cost of breach doesn’t follow a linear model and shouldn’t be reported as such. In reality, the cost per record falls as the number of records lost increases. So instead of using a simple average, we modelled how the actual cost varies with the number of records. We believe that this provides a much more reliable indicator. And our model can be used to estimate the cost for breaches experienced by all organizations.
Analyzing the True Cost of a Breach
Verizon security analysts used a new assessment model for gauging the financial impact of a security breach, based on the analysis of nearly 200 cyber-liability insurance claims. The model accounts for the fact that the cost of each stolen record is directly affected by the type of data and total number of records compromised, and shows a high and low range for the cost of a lost record (such as credit card number or medical health record).
"It’s rarely, if ever, less expensive to suffer a breach than to put the proper defense in place"
For example, the model predicts that the cost of a breach involving 10 million records will fall between $2.1m and $5.2m (95% of the time), and depending on circumstances could range up to as much as $73.9m. For breaches with 100 million records, the cost will fall between $5m and $15.6m (95% of the time), and could top out at $199m.
Interestingly, this shows that a company’s size has no effect on the cost of a breach. The headline-making losses reported by larger organizations can be explained by the fact that these involved the loss of more records. Breaches with a comparable number of records have a similar cost, regardless of the organization’s size.
We believe this new model for estimating the cost of a breach is ground-breaking, although there is definitely still room for refinement. We must never forget that it’s rarely, if ever, less expensive to suffer a breach than to put the proper defense in place.
Comprehensive security isn’t a business luxury, it is a daily necessity.
About the Author
Laurance Dine is a managing principal for the Verizon Investigative Response Unit – a division of the Verizon RISK Team. He has assisted corporations, government agencies, and attorneys with all matters involving computer forensics, fraud investigations, and computer security incident response matters. Prior to joining Verizon, Laurance worked for a global consultancy firm and has provided advice and reporting to company boards, government regulators, the UK High Court, foreign courts, legislative boards of enquiry, and company administrators and liquidators.