Attacks/Breaches
9/21/2016
09:50 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Rand Study: Average Data Breach Costs $200K, Not Millions

Rand taps multiple data sources to calculate that cyber incidents cost firms a scant 0.4% of annual revenues, on average.

The expense and impact of enterprise data breaches may be overblown, according to a new study from the Rand Corp.

"We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys (e.g. Ponemon 2015)," writes Sasha Romanosky, author of the Rand study, Examining the costs and causes of cyber incidents, released Tuesday. The study goes on to say that $200,000 is about what most companies spend annually on information security.

In May 2015, the Ponemon Institute placed the cost of an individual data breach at $3.5 million, which the consultancy said was a 15 percent increase from the year before. While Ponemon surveyed 314 companies in 10 countries, the Rand study drew on data from more than 12,000 cyber incidents between 2004 and 2015.

Rand also found that cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%).

In other words, losses from security breaches are just another cost of doing business, the authors imply.

"Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think," Romanosky said in a statement, the onslaught of headlines about breaches and hacks notwithstanding. "It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way."

The Rand researchers used data on cyber incidents collected by Advisen, a company that provides information on corporate losses to the insurance industry, using local and national news sources. Advisen also uses information from online data breach clearinghouses, state and federal agencies, and Freedom of Information Act (FOIA) requests.

Rand researchers tracked four types of security events:

  • Data breaches, or unauthorized disclosure of personal information, which Rand reports as the most common of the four events.
  • Security incidents, or what Rand calls malicious attacks directed at a company.
  • Privacy violations, or alleged violation of consumer privacy.
  • Phishing/skimming incidents (individual financial crimes).

Rand's research shows that financial services (including insurance) endured the greatest number security breaches, followed by healthcare, government, education, manufacturing, and information services. But Romanosky and his team then took the number of incidents and divided it by the number of firms within each sector to come up with an "incident rate" to see who's at greatest risk. By that measure, government entities are the highest risk, followed by education, information services, and financial services.

When contacted by Dark Reading, Larry Ponemon, founder of the Ponemon Institute, said his organization collects and presents data differently than Rand, traveling the globe to collect data directly and not relying on surveys or third-party data.

One potential issue he cited in using insurance claims data was the large deductibles that aren't always calculated in the final costs. "Another issue with claims is that policies don't cover all the costs that we captured," he adds. "One cost we found was business disruption where companies spend weeks or months trying to clean up their systems and get them back online."

Ponemon commends the Rand researchers for including mean and median data in their study. "We don't have all the answers, so it's important for companies to do this kind of inquiry," he adds.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
9/22/2016 | 11:04:19 AM
Re: Following the Evidence
Thanks, knowlengr... this is certainly a different narrative than what we've grown accustomed to with the usual breach loss $ stories. But as every good data scientist knows, every set of numbers has its own story. 
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
9/22/2016 | 9:27:06 AM
Following the Evidence
Thank you for letting the evidence speak.
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.