Attacks/Breaches
9/21/2016
09:50 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Rand Study: Average Data Breach Costs $200K, Not Millions

Rand taps multiple data sources to calculate that cyber incidents cost firms a scant 0.4% of annual revenues, on average.

The expense and impact of enterprise data breaches may be overblown, according to a new study from the Rand Corp.

"We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys (e.g. Ponemon 2015)," writes Sasha Romanosky, author of the Rand study, Examining the costs and causes of cyber incidents, released Tuesday. The study goes on to say that $200,000 is about what most companies spend annually on information security.

In May 2015, the Ponemon Institute placed the cost of an individual data breach at $3.5 million, which the consultancy said was a 15 percent increase from the year before. While Ponemon surveyed 314 companies in 10 countries, the Rand study drew on data from more than 12,000 cyber incidents between 2004 and 2015.

Rand also found that cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%).

In other words, losses from security breaches are just another cost of doing business, the authors imply.

"Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think," Romanosky said in a statement, the onslaught of headlines about breaches and hacks notwithstanding. "It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way."

The Rand researchers used data on cyber incidents collected by Advisen, a company that provides information on corporate losses to the insurance industry, using local and national news sources. Advisen also uses information from online data breach clearinghouses, state and federal agencies, and Freedom of Information Act (FOIA) requests.

Rand researchers tracked four types of security events:

  • Data breaches, or unauthorized disclosure of personal information, which Rand reports as the most common of the four events.
  • Security incidents, or what Rand calls malicious attacks directed at a company.
  • Privacy violations, or alleged violation of consumer privacy.
  • Phishing/skimming incidents (individual financial crimes).

Rand's research shows that financial services (including insurance) endured the greatest number security breaches, followed by healthcare, government, education, manufacturing, and information services. But Romanosky and his team then took the number of incidents and divided it by the number of firms within each sector to come up with an "incident rate" to see who's at greatest risk. By that measure, government entities are the highest risk, followed by education, information services, and financial services.

When contacted by Dark Reading, Larry Ponemon, founder of the Ponemon Institute, said his organization collects and presents data differently than Rand, traveling the globe to collect data directly and not relying on surveys or third-party data.

One potential issue he cited in using insurance claims data was the large deductibles that aren't always calculated in the final costs. "Another issue with claims is that policies don't cover all the costs that we captured," he adds. "One cost we found was business disruption where companies spend weeks or months trying to clean up their systems and get them back online."

Ponemon commends the Rand researchers for including mean and median data in their study. "We don't have all the answers, so it's important for companies to do this kind of inquiry," he adds.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
9/22/2016 | 11:04:19 AM
Re: Following the Evidence
Thanks, knowlengr... this is certainly a different narrative than what we've grown accustomed to with the usual breach loss $ stories. But as every good data scientist knows, every set of numbers has its own story. 
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
9/22/2016 | 9:27:06 AM
Following the Evidence
Thank you for letting the evidence speak.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.