I’m still catching up on my blogroll, and caught this article over at Emergent Chaos, which also referenced this one by Thurston. Both articles discuss the infamous Ponemon study that claimed the average losses in a breach were $182 per record.
Here are a couple of things to keep in mind. That particular survey was sponsored by two data security vendors: PGP and Vontu. I like both companies, and they really do help reduce breaches, but never NEVER trust vendor-sponsored numbers. I’ve written surveys; it’s damn hard, and even harder to remove bias.
This survey focused on breaking down the costs to companies that suffered breaches. In the full response details (which I can’t release since I don’t think they’re public) the costs are broken down between “hard” costs like notification and cleanup, and “soft” costs like reputation damage. Even if we remove any potential bias from Ponemon, the companies themselves doing the reporting are self-biased. If they want more money for security, they’ll exaggerate costs. If they are covering their behinds, they reduce the number, and if they’re public and have to report in a 10-K, they’ll tend to guess high.
None of it matters. All these numbers are different odors from the same source.
The hard costs alone are pretty easy to measure, and in most cases are more than enough to spur investment. How much does it cost you to compile a list of victims, get their addresses, print envelopes, stuff them, mail them, and deal with complaint/question calls? In presentations I often say let’s call it $2, and we all know it’s more than that. As the other posts state, if you add in credit monitoring costs that’s another $10 per record (most companies don’t seem to enroll people in these anymore).
If you’re fighting your CFO, and have anything more than a few tens of thousands of records, $2 per record is all you should need to get their attention. One million customers = two million in losses, even without any fines or cleanup costs.
The one category I call total BS on is “reputation” damage. Study after study shows that consumers will always say they’ll switch brands/providers if their information is lost, but looking at the real numbers this almost never happens. Why? Because it’s like moving from trash to junk to garbage: consumers don’t really believe any company is materially better than any other one at security, so it doesn’t drive their behavior.
2 Replies to “Why the “$182 Per Record” Lost Number is Garbage, And You Don’t Need It Anyway”
I’m pretty sure all I *do* is blatantly self promote on this blog, so no worries there.
Consumers don’t care unless the losses hit them directly, and, to be honest, there’s nothing wrong with that. I think the banks that are suing TJX are far more interesting than consumer reactions right now.
(Blatant self-promotion)
Take a look at the story on my blog:
http://securethink.blogspot.com/2007/08/more-on-tjx-stock.html
about how Javelin and, to a lesser extent, Gartner had some egg on their faces.
Basically, TJX’s stock has gone up since their hack and their sales too.
Allen