Attacks/Breaches

9/21/2016
09:50 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Rand Study: Average Data Breach Costs $200K, Not Millions

Rand taps multiple data sources to calculate that cyber incidents cost firms a scant 0.4% of annual revenues, on average.

The expense and impact of enterprise data breaches may be overblown, according to a new study from the Rand Corp.

"We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys (e.g. Ponemon 2015)," writes Sasha Romanosky, author of the Rand study, Examining the costs and causes of cyber incidents, released Tuesday. The study goes on to say that $200,000 is about what most companies spend annually on information security.

In May 2015, the Ponemon Institute placed the cost of an individual data breach at $3.5 million, which the consultancy said was a 15 percent increase from the year before. While Ponemon surveyed 314 companies in 10 countries, the Rand study drew on data from more than 12,000 cyber incidents between 2004 and 2015.

Rand also found that cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%).

In other words, losses from security breaches are just another cost of doing business, the authors imply.

"Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think," Romanosky said in a statement, the onslaught of headlines about breaches and hacks notwithstanding. "It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way."

The Rand researchers used data on cyber incidents collected by Advisen, a company that provides information on corporate losses to the insurance industry, using local and national news sources. Advisen also uses information from online data breach clearinghouses, state and federal agencies, and Freedom of Information Act (FOIA) requests.

Rand researchers tracked four types of security events:

  • Data breaches, or unauthorized disclosure of personal information, which Rand reports as the most common of the four events.
  • Security incidents, or what Rand calls malicious attacks directed at a company.
  • Privacy violations, or alleged violation of consumer privacy.
  • Phishing/skimming incidents (individual financial crimes).

Rand's research shows that financial services (including insurance) endured the greatest number security breaches, followed by healthcare, government, education, manufacturing, and information services. But Romanosky and his team then took the number of incidents and divided it by the number of firms within each sector to come up with an "incident rate" to see who's at greatest risk. By that measure, government entities are the highest risk, followed by education, information services, and financial services.

When contacted by Dark Reading, Larry Ponemon, founder of the Ponemon Institute, said his organization collects and presents data differently than Rand, traveling the globe to collect data directly and not relying on surveys or third-party data.

One potential issue he cited in using insurance claims data was the large deductibles that aren't always calculated in the final costs. "Another issue with claims is that policies don't cover all the costs that we captured," he adds. "One cost we found was business disruption where companies spend weeks or months trying to clean up their systems and get them back online."

Ponemon commends the Rand researchers for including mean and median data in their study. "We don't have all the answers, so it's important for companies to do this kind of inquiry," he adds.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
9/22/2016 | 11:04:19 AM
Re: Following the Evidence
Thanks, knowlengr... this is certainly a different narrative than what we've grown accustomed to with the usual breach loss $ stories. But as every good data scientist knows, every set of numbers has its own story. 
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
9/22/2016 | 9:27:06 AM
Following the Evidence
Thank you for letting the evidence speak.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.