Calculating Breach Costs: An Accounting Problem For Risk Management Strategy
Guest post from Researcher Heidi Shey.
Calculating the cost of a data breach should be part of every organization’s information security risk management strategy. It is not an easy task by any means, but making the effort upfront, rather than after a breach, when calculating cost is the last thing on the to-do list, helps your organization assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? The usual suspects are the direct costs of discovery, response, notification, and damage control, such as:
- In-house time and labor (IT, legal, PR, incident response, call center, etc.)
- New technologies or services implemented as a result of the breach to change or repair systems
- External consultants or services for incident response
- Credit monitoring services for customers
- Regulatory fines
- Legal fees or settlements
- Cyber insurance (the policy deductible, and premium increases at renewal)
But even the direct costs are not always so direct. Should the cost of in-house expertise be excluded because these employees are “doing their jobs”? Or should it be included somehow because these employees have been pulled away from their main responsibilities to do what the breach response requires? The real answer is somewhere in between, in the form of opportunity cost: the salary is paid either way, but the work those hours would otherwise have produced is not. For example, instead of focusing on the latest product launch and the related sales, the PR and sales teams now spend a large share of their time communicating with the public and clients about the organization’s response to the breach. Or, in another example, what if the new technology implemented was already on the organization’s roadmap and the breach merely accelerated the timeline? Then only the cost of pulling the purchase forward is attributable to the breach, not the whole price tag. Then there are the hidden costs, such as reputational damage and the customers it drives away. At the end of the day, we can think of security as one big cost and revenue accounting problem. The challenge is: what does this model look like, and what assumptions must we make?
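To make the accounting question concrete, here is a small breach cost model. It is an added example, not code or figures from this post or from Forrester; every dollar amount, hour count, and weighting rule in it is a constructed assumption chosen to show the mechanics. It counts external spend in full, prices in-house time as the value of the displaced work rather than salary, charges only the cost of acceleration for a control that was already on the roadmap, and adds a reputational line for lost customers. A deliberately naive "count everything" variant sits beside it so the effect of the assumptions is visible.

```python
"""Breach cost model sketch (illustrative, constructed figures).

Direct external costs are counted in full. In-house labor is valued as
opportunity cost. A control already on the roadmap is charged only for
being pulled forward. Reputational loss is modeled as customer churn.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ExternalCost:
    """Money that leaves the organization because of the breach
    (consultants, credit monitoring, fines, settlements). Counted in full."""
    name: str
    amount: float


@dataclass
class DivertedStaff:
    """In-house hours pulled off normal duties. Salary is sunk, so the cost
    is the value of the work that did not get done (opportunity cost)."""
    team: str
    hours: int
    value_per_hour: float  # assumed value of the displaced work, e.g. revenue per sales hour


@dataclass
class AcceleratedProject:
    """A control that was already planned. Only the cost of pulling it
    forward is attributable to the breach, not the whole purchase price."""
    name: str
    capex: float
    years_accelerated: float
    cost_of_capital: float      # annual rate, e.g. 0.08 (assumed)
    rush_premium: float = 0.0   # extra spend for an emergency rollout


@dataclass
class ReputationalLoss:
    """Hidden cost: customers who leave after notification."""
    customers_lost: int
    annual_value_per_customer: float
    years_of_lost_value: float = 1.0


def external_total(items: List[ExternalCost]) -> float:
    return sum(i.amount for i in items)


def opportunity_total(items: List[DivertedStaff]) -> float:
    return sum(i.hours * i.value_per_hour for i in items)


def acceleration_cost(p: AcceleratedProject) -> float:
    # Paying capex early costs roughly capex * rate * years (simple interest
    # approximation), plus whatever premium was paid for doing it in a hurry.
    return p.capex * p.cost_of_capital * p.years_accelerated + p.rush_premium


def reputational_cost(r: ReputationalLoss) -> float:
    return r.customers_lost * r.annual_value_per_customer * r.years_of_lost_value


def breach_cost_breakdown(external, staff, projects, reputation) -> Dict[str, float]:
    """Opportunity-cost model: returns each line plus the total."""
    breakdown = {
        "direct_external": external_total(external),
        "opportunity_cost": opportunity_total(staff),
        "roadmap_acceleration": sum(acceleration_cost(p) for p in projects),
        "reputational": sum(reputational_cost(r) for r in reputation),
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def naive_total(external, staff, projects, loaded_hourly_rate: float) -> float:
    """'Count everything' variant: every diverted hour at loaded salary and
    the full purchase price of every new control; ignores hidden costs."""
    return (external_total(external)
            + sum(s.hours * loaded_hourly_rate for s in staff)
            + sum(p.capex + p.rush_premium for p in projects))


# Constructed sample input for one hypothetical breach.
EXTERNAL = [
    ExternalCost("incident response retainer", 120_000.0),
    ExternalCost("credit monitoring for customers", 250_000.0),
    ExternalCost("regulatory fine", 100_000.0),
]
STAFF = [
    DivertedStaff("sales", hours=800, value_per_hour=150.0),
    DivertedStaff("PR", hours=300, value_per_hour=90.0),
]
PROJECTS = [AcceleratedProject("DLP rollout", 400_000.0, 1.5, 0.08, 25_000.0)]
REPUTATION = [ReputationalLoss(customers_lost=200, annual_value_per_customer=1_200.0,
                               years_of_lost_value=2.0)]

if __name__ == "__main__":
    for line, value in breach_cost_breakdown(EXTERNAL, STAFF, PROJECTS, REPUTATION).items():
        print(f"{line:22s} {value:>14,.0f}")
    print(f"{'naive (direct only)':22s} {naive_total(EXTERNAL, STAFF, PROJECTS, 80.0):>14,.0f}")
```

On these constructed inputs the naive model charges the full $425,000 DLP rollout but only $88,000 of salary for the diverted teams, while the opportunity-cost model charges $73,000 for acceleration and $147,000 for the displaced sales and PR work, and then adds $480,000 in churn that the naive model never sees. Neither number is "right"; the point is that the model and its assumptions, not the incident, decide most of the figure.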
What do you think? Is it a fool’s errand to attempt to calculate the cost of a data breach, or is there real value in doing so? In our upcoming session on May 24-25 in Las Vegas at Forrester’s Security Forum, Ed Ferrara and I will be speaking about calculating the real and hidden costs of a data breach, pros and cons of various approaches, and a framework for thinking about costs. We are eager to hear your thoughts about this topic, and would love to see you at the Forum!
-Heidi
Twitter: @heidishey