Rand taps multiple data sources to calculate that cyber incidents cost firms a scant 0.4% of annual revenues, on average.

3 Min Read

The expense and impact of enterprise data breaches may be overblown, according to a new study from the Rand Corp.

"We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys (e.g. Ponemon 2015)," writes Sasha Romanosky, author of the Rand study, Examining the costs and causes of cyber incidents, released Tuesday. The study goes on to say that $200,000 is about what most companies spend annually on information security.

In May 2015, the Ponemon Institute placed the cost of an individual data breach at $3.5 million, which the consultancy said was a 15 percent increase from the year before. While Ponemon surveyed 314 companies in 10 countries, the Rand study drew on data from more than 12,000 cyber incidents between 2004 and 2015.

Rand also found that cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%).

In other words, losses from security breaches are just another cost of doing business, the authors imply.

"Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think," Romanosky said in a statement, the onslaught of headlines about breaches and hacks notwithstanding. "It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way."

The Rand researchers used data on cyber incidents collected by Advisen, a company that provides information on corporate losses to the insurance industry, using local and national news sources. Advisen also uses information from online data breach clearinghouses, state and federal agencies, and Freedom of Information Act (FOIA) requests.

Rand researchers tracked four types of security events:

  • Data breaches, or unauthorized disclosure of personal information, which Rand reports as the most common of the four events.

  • Security incidents, or what Rand calls malicious attacks directed at a company.

  • Privacy violations, or alleged violation of consumer privacy.

  • Phishing/skimming incidents (individual financial crimes).

Rand's research shows that financial services (including insurance) endured the greatest number security breaches, followed by healthcare, government, education, manufacturing, and information services. But Romanosky and his team then took the number of incidents and divided it by the number of firms within each sector to come up with an "incident rate" to see who's at greatest risk. By that measure, government entities are the highest risk, followed by education, information services, and financial services.

When contacted by Dark Reading, Larry Ponemon, founder of the Ponemon Institute, said his organization collects and presents data differently than Rand, traveling the globe to collect data directly and not relying on surveys or third-party data.

One potential issue he cited in using insurance claims data was the large deductibles that aren't always calculated in the final costs. "Another issue with claims is that policies don't cover all the costs that we captured," he adds. "One cost we found was business disruption where companies spend weeks or months trying to clean up their systems and get them back online."

Ponemon commends the Rand researchers for including mean and median data in their study. "We don't have all the answers, so it's important for companies to do this kind of inquiry," he adds.

Related Content:

 

About the Author(s)

Terry Sweeney, Contributing Editor

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, Network World, InformationWeek and Mobile Sports Report.

In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. After watching successive waves of technological advancement, he still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights