Data breach cost estimates get it wrong: What you need to know

How much does a data breach cost a company? Unfortunately, there isn’t a simple answer. If you follow the business press, you’re probably aware that there are two very different answers to this question.

The controversy first reached public consciousness in 2015, when data scientists at Verizon published breach-cost results that were wildly different from those of the Ponemon Institute, a closely followed data-breach research firm.

Verizon’s Data Breach Investigations Report (DBIR), an annual analysis of data-breach statistics, announced in 2015 that an average breach costs a mere $0.58 per record taken. Ponemon’s data for the same period showed an average cost of $201 per record taken.

So where do we go from here? Here's what companies need to understand about these data breach cost estimates.


Verizon vs. Ponemon: How we got here

There are two major reasons for the difference between the Verizon and Ponemon findings. The first is the data source. Actual breach-incident cost data has been very difficult to obtain, and Verizon hit gold when it gained access to cyber-insurance claims records from NetDiligence, which aggregates insurance data. But keep in mind that insurance payouts can be far lower than a company’s actual costs because of deductibles, policy limits, and other restrictions, so a figure built from claims starts out low.

The second is that the NetDiligence data set is highly skewed: a handful of very large incidents contribute a disproportionate share of the records taken without a corresponding increase in cost. When you divide total cost by total records, those few incidents set the answer.

The Verizon analysts were aware of these defects, and were admittedly being a little provocative in challenging Ponemon with an under-$1 cost per record. In the same report, they propose a middle-ground model that tracks somewhat more closely to Ponemon’s data.

What about Ponemon’s numbers?

The key thing to keep in mind about Ponemon's analysis is that it’s based on interviews with hundreds of companies worldwide. Ponemon then calculates a total cost that combines direct expenses (credit monitoring for affected customers, forensic analysis) with fuzzier indirect costs, which can include employee time and an estimate of potential lost business.

These indirect costs are significant: in the 2015 survey, they represented almost 40% of the total cost of a breach.

Ponemon's methodology also differed significantly from Verizon's in that it looked only at companies experiencing breaches of fewer than 100,000 records. When the same fixed costs for an incident (forensic analysis, consulting) are spread over fewer records, the per-record average trends higher.

Ponemon is well aware of this issue and warns that its average breach cost should not be applied to large breaches. For example, Target’s 2013 data breach exposed the payment card numbers of over 40 million customers; multiplied by the Ponemon average, that comes to over $8 billion. Target’s actual breach-related costs were far less.

The middle-ground approach

Verizon is also well aware that a raw average is not a predictor, so you shouldn’t use its $0.58 per record to calculate total incident costs. To its credit, Verizon worked out a more accurate model for its data set, technically a log-linear regression (a straight-line fit between the logarithm of cost and the logarithm of records taken), that predicts breach costs much higher than $0.58 but still well below $201.

For example, the convenient table it created for the 2015 DBIR lists, for an incident at the 100,000-record mark (the top of the range Ponemon studies), a predicted cost of about $4.70 per record. Smaller incidents sit higher per record and larger ones lower, because under the model cost grows more slowly than record count.
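The two distortions described in this section and in “How we got here” above (a records-weighted average that a few huge incidents drag toward zero, and a per-incident average that fixed costs on small breaches push upward) and the log-linear fit Verizon used instead can be seen side by side on a small data set. The Python below is an added example, not code or data from the DBIR or from Ponemon: the incident list is constructed for illustration, and the coefficients the script fits are not Verizon’s published ones. It uses only the standard library.

```python
"""Why a raw per-record breach cost misleads, and what a log-linear fit gives instead.

Constructed data: the incident list below is made up for illustration. It is not
the NetDiligence claims data Verizon used, nor any Ponemon survey data.
"""
import math

# Constructed incidents: (records exposed, total cost in USD). The shape is the
# one both reports describe: cost grows with size but far more slowly than
# records, so a few huge incidents hold most of the records and a minority of
# the cost.
INCIDENTS = [
    (500, 28_000),
    (2_000, 60_000),
    (5_000, 95_000),
    (12_000, 150_000),
    (30_000, 260_000),
    (80_000, 420_000),
    (100_000, 470_000),
    (250_000, 900_000),
    (1_000_000, 1_300_000),
    (8_000_000, 3_500_000),
    (40_000_000, 9_000_000),
    (110_000_000, 12_000_000),
]


def records_weighted_average(incidents):
    """Total cost divided by total records: the 'cents per record' style figure.

    Every record counts equally, so the mega-breaches at the tail set the number.
    """
    total_cost = sum(cost for _, cost in incidents)
    total_records = sum(records for records, _ in incidents)
    return total_cost / total_records


def mean_per_incident_rate(incidents, max_records=None):
    """Average of each incident's own cost per record, optionally restricted to
    incidents of at most max_records.

    Every incident counts equally, so fixed costs spread over small breaches
    dominate, and capping the population at 100,000 records (the Ponemon-style
    sample) pushes the figure higher still.
    """
    rates = [cost / records for records, cost in incidents
             if max_records is None or records <= max_records]
    return sum(rates) / len(rates)


def fit_log_linear(incidents):
    """Ordinary least squares for ln(cost) = a + b * ln(records).

    Returns (a, b, s), where s is the residual standard error on the log scale
    (n - 2 degrees of freedom). A slope b below 1 means cost per record falls
    as the breach gets bigger.
    """
    xs = [math.log(records) for records, _ in incidents]
    ys = [math.log(cost) for _, cost in incidents]
    n = len(xs)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = y_mean - b * x_mean
    resid_ss = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    s = math.sqrt(resid_ss / (n - 2))
    return a, b, s


def predict_cost(model, records):
    """Point estimate and a rough 95% band for one incident of the given size.

    The band is exp(fit +/- 1.96 * s). It reflects only the scatter of incidents
    around the line, not uncertainty in a and b, so it is narrower than a full
    prediction interval. Returns (low, point, high) in dollars.
    """
    a, b, s = model
    fitted = a + b * math.log(records)
    return (math.exp(fitted - 1.96 * s), math.exp(fitted), math.exp(fitted + 1.96 * s))


if __name__ == "__main__":
    print(f"records-weighted average            : ${records_weighted_average(INCIDENTS):.2f} per record")
    print(f"mean of per-incident rates, all     : ${mean_per_incident_rate(INCIDENTS):.2f} per record")
    print(f"mean of per-incident rates, <=100k  : ${mean_per_incident_rate(INCIDENTS, 100_000):.2f} per record")
    model = fit_log_linear(INCIDENTS)
    a, b, s = model
    print(f"\nfit: ln(cost) = {a:.3f} + {b:.3f} ln(records)   (residual s = {s:.3f})")
    print(f"{'records':>12} {'low':>14} {'expected':>14} {'high':>14} {'per record':>11}")
    for n_records in (1_000, 10_000, 100_000, 1_000_000, 10_000_000):
        low, point, high = predict_cost(model, n_records)
        print(f"{n_records:>12,} {low:>14,.0f} {point:>14,.0f} {high:>14,.0f} {point / n_records:>11.2f}")
```

On this constructed data the records-weighted figure lands under 20 cents per record, the small-breach mean lands near $20, and the regression sits between them with a per-record cost that falls steadily with size, which is the pattern the two reports disagree over. The band printed beside each prediction is a reminder that a single incident can land well away from the line; the DBIR table carries its own lower and upper bounds for the same reason.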

This is still nowhere near Ponemon’s $201 average. However, if you discount Ponemon’s average by 40%, the estimated share that represents soft costs, you get roughly $120, which is at least closer to the upper end of Verizon’s predictions.

Going beyond per-record costs

The key takeaway from both the Verizon and Ponemon analyses is that raw per-record averages are not useful for predicting what a company will actually spend on a breach. Verizon’s table, based on its regression model, is a practical middle ground for quickly arriving at a more realistic estimate.

However, Ponemon does provide some incredibly useful analysis in its surveys.

In its 2016 survey, it noted that having an incident-response team in place lowers the cost per record by $16. Data loss prevention (DLP) takes another $8 off, and data classification schemes lop off another $4.

One large contributing factor to Ponemon’s indirect costs is “churn,” which Ponemon defines as current customers who terminate their relationship with a company as the result of losing trust in it after a breach. Related to churn, “diminished customer acquisition” is another indirect cost that tries to predict the lost future business resulting from damage to a brand.

Obviously, these are estimates based on Ponemon analysts reviewing internal corporate statistics and putting a “lifetime” value on a customer, but it’s still an interesting insight into post-breach consequences. Ponemon notes that churn rates vary by industry, with finance and healthcare leading the pack, and media, retail, and hospitality at the bottom end.

By delving deeper into each incident, the Ponemon survey shows that there’s more behind breach-cost averages than actual expenses. With that in mind, it’s helpful to view the average cost per record breached as a measure of overall corporate pain rather than as a budget line.

In addition to actual expenses, you can think of Ponemon’s average as also representing extra IT, legal, call center, and consultant work and emotional effort; additional attention focused in future product marketing and branding; and administrative and HR resources needed for dealing with personnel and morale issues after a breach.
