[BreachExchange] 4 Factors to Consider When Calculating the Cost of a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 8 18:49:14 EST 2018


Data breaches are one of the most common types of security incidents. It is
quite possible, although it may be hard to prove, that every company around
the globe was at some point a victim of information leakage.

For instance, a breach may be as simple as accidently sending an email with
corporate information to the wrong recipient, or as complex as a former
executive breaching a confidentiality agreement. Breaches may occur from
widespread technical vulnerabilities such as an unexpected CPU design flaw,
or from human error like failure to follow corporate procedures. The level
of impact can vary from just a small nuisance to recovery expenses in the

To put it simply, every company should at least plan for the unforeseen
consequences of a data breach — this includes estimating the costs of
varying levels of data breaches. This task, however,may be more complex
than most people would initially assume.

Here are four areas to consider when calculating the cost of a data breach.

1. Contextual Factors: Location, Industry and Data Types Drive Breach Costs

Breach costs can vary based on the business context. For instance, business
geographical location, state or country will have direct impact over
legislation-related costs, while the branch of industry will define what
regulations the company must follow. Internal factors such as the maturity
of security controls (and whether or not they exist) will affect the level
of data exposure and can minimize the cost of incidents. These include
availability of an incident response team, use of encryption technology and
employee training.

Other factors include the number of leaked records and their nature, or how
much are they worth to the company and clients. If breached information
includes personal data or financial information, resulting profit loss or
the cost of a class action lawsuit should be factored into breach cost

2. Public Relations: Effective Outreach Can Reduce Data Breach Fallout

Once a severe security incident becomes public, depending on the scale of
the occurrence, it only takes a few hours for most major publications to
put it in their headlines. It takes even less time for it to spread through
social networks. If a company is not ready to deal with the public
backslash, this can have a drastic impact on the incident cost.

For instance, once the Equifax leak became public, the company stock price
dropped from $142.72 to $92.88 in a matter of days. It is quite obvious
that after leaking personal data of over 143 million victims, company value
will be negatively affected. However, it was made worse when some Equifax
top executives dumped stock before the hack news went public.

Having a crisis management team aligned with both the incident response
team and communications team will establish an official communications
channel. This allows the company to explain what happened and promptly help
affected parties. Also, having executives behaving ethically in a time of
crisis is always a sound way of reducing damage to corporate reputation.

3. Response Time: Slow Time-to-Detect Periods Increase Breach Costs

Depending on the existing security controls and the nature of the breach,
an incident can go for days, weeks or even years without any sort of
detection. It is quite simple: The longer it takes to discover a data
breach, the greater its cost can be. If a data leak is detected in its
initial stages, it may be contained before causing any impact.

For example, if a data leak prevention (DLP) system sends an alarm after a
confidential or sensitive file is copied to a USB drive without
authorization, the perpetrator could be detained even before leaving the
building, thus minimizing any impact. If this same incident goes without
detection, the breached information could discreetly be sold to an
unethical competitor or be traded for Bitcoins on the Dark Web. Assuming
this could go on for an undetermined period of time, the impact and cost of
the data leak could increase exponentially.

4. Unknown Factors: Even the Best Laid Security Strategy Can Fail

Unfortunately, even the best laid security strategy can fail. A recent
example is the Meltdown and Spectre vulnerability discovered in June 2017
and made public in early 2018. This severe security flaw exposed most
modern CPUs and could lead to the leak of passwords and sensitive data. So
far, there are no confirmed cases, but this issue has been present in most
systems for the last decade. It is also quite difficult to detect, as the
exploitation does not leave any traces in traditional log files. This means
it could have been used to steal information, even from companies with the
best protection technology.

In summary, a level of uncertainty will always be present when calculating
the cost of a data breach. Even with a proper security architecture, there
is always the possibility that an unknown factor that could jeopardize an
entire protection strategy.


The cost of a data breach can be rather difficult to estimate, but it is
far from impossible. If you take into consideration the corporate context,
both internal and external factors, the nature and number of records
involved in the leak, the ability to promptly detect incidents and leave
room for an acceptable level of uncertainty, cost estimates can be highly
similar to a real case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180208/917fb237/attachment.html>

More information about the BreachExchange mailing list