Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

How Much Does a Hack Cost?

We're thinking of a number between $100,000 and $50 million; here's how to handicap your cost per incident a little more closely

It might be the most elusive figure in the security industry. Vendors want it so they can show the value of their products. Security pros want it so they can cost-justify new purchases. Attackers want it so they can measure the effectiveness of their exploits.

But after an industry-wide hunt, let us tell you: There is no single, definitive figure on the cost of security incidents.

Oh, there are data points. The problem is that they don't agree. Heck, they aren't even in the same ballpark. Check 'em out:

  • In a study of Department of Justice data scheduled to be published Aug. 28, Phoenix Technologies and law enforcement agencies found that, in cases where stolen IDs and passwords were used, the average loss per incident was $1.5 million. Some attacks caused as much as $10 million in damages.

  • According to the annual report by the Computer Security Institute and the FBI, the average loss per company due to security breaches in 2005 was about $167,000, down from more than $200,000 the year before. About half of the respondents reported between one and five incidents during the year.

  • In a study conducted by Ponemon Institute and distributed by PGP Corp. last year, companies lost an average of $14 million per breach per incident when customer data losses were incurred. The high cost was as much as $50 million.

  • A recent survey by the Yankee Group indicates that more than half of companies rate their Internet downtime costs at more than $1,000 per hour.

  • In a study published in 2004, the Aberdeen Group found that the cost of Internet-based business disruptions is about $2 million per incident.

    So, pick your number. Some rules of thumb say that $100,000 is a good starting point when measuring average loss per incident. Some say $200,000. Some say $1,000 per hour.

    "Take all studies with a grain of salt," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy. "Before you use the results, understand where you can trust them."

    "Business risk is highly context sensitive and depends on both the business in question and the technical defect," says Gary McGraw, CTO of Cigital, a security consulting firm. "The same kind of bug in two different programs can lead to very different impact estimations. Anyone who tries to stand way back and squint at the whole picture is a simpleton."

    Even the organizations that do the studies concede that they are often unscientific. "There's no uniform financial accounting for cybercrime losses," notes Robert Richardson, editorial director at the Computer Security Institute. "What respondents give to these sorts of surveys are estimates. I think their estimates are interesting, and I think it probably says something that their cumulative estimates [of losses due to breaches] have dropped over the past few years. But there are a lot of reasons why that might happen, so you have to supply your own interpretations."

    It might be attractive to use a generally-accepted industry figure to benchmark the costs of a hack, experts say, but there aren't any figures that the entire industry agrees upon. And even if there were, such industry-oriented figures probably could not be plugged into the risk assessment of any single company, where the variables may be quite different than the average.

    Cost-justifying security purchases means making a customized evaluation of the potential threat and the damages it might cause, experts say. While there are many outsourcing companies that will conduct such a risk assessment, such as Accenture or PricewaterhouseCoopers, most companies can handle it inhouse.

    "You list the likely risks and then calculate the cost of doing nothing," says Enderle. "You then have a baseline to measure the different security solutions against, both physical and electronic. You then prioritize them based on the positive financial impact that each has on the cost of doing nothing. Those that provide a reasonable return are viable."

    In simple terms, you can calculate risk by estimating the cost of an incident and multiplying it by the probability that the incident will occur, experts say. There are many factors that can be included in the damage costs, including the cost of employee downtime, the cost of repairing the problem, and the cost of any lost business. Some companies add soft costs, such as damage to the brand that may occur as a result of a public breach or data theft.

    Such calculations cannot be made using industry data, experts say. "A random study, unless it is well performed, is not something you want to base the protection of millions or billions of dollars on," says Ira Winkler, author of The Spies Among Us. "You need to see trends in attacks, and figure out where you are vulnerable. Study numbers are irrelevant compared to basic risk management."

    Despite the consensus that enterprises should conduct their own risk analysis, most experts expect IT and security departments to continue to use more convenient industry numbers to justify their purchases. "Industry studies will continue to be actually used in decision making, no matter how bad they are," Enderle says. "[IT people] want an answer and, regardless of how good the answer is, they will gravitate to those who give them one."

    — Tim Wilson, Site Editor, Dark Reading

  • Accenture
  • Computer Security Institute (CSI)
  • Phoenix Technologies Ltd. (Nasdaq: PTEC)
  • PricewaterhouseCoopers International

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
    Cybersecurity: What Is Truly Essential?
    Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
    3 Cybersecurity Myths to Bust
    Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: Google Maps is taking "interactive" to a whole new level!
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-18
    An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
    PUBLISHED: 2021-05-18
    Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business S...
    PUBLISHED: 2021-05-17
    Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
    PUBLISHED: 2021-05-17
    Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
    PUBLISHED: 2021-05-17
    Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."