February 04, 2009

The un-internalised cost of your data breach

Adam points to a report by Ponemon Institute and old friends PGP Inc on data breaches.

data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers. Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase.

Frequent readers of this blog will recall that I often post figures for the average end-user cost of events like phishing. That number is about $1000.

Setting aside the obviously simplistic methodology here, or better yet, leaving that to someone more scientific ... there is a huge difference between $200 and $1000.

We can take several views on this:

  • a "caveat emptor view" has the user taking all the costs, because in libertarian economies, the user takes the responsibility for their choices. The responsible libertarian purchases PGP, of course.
  • a "switching view" would have it that the only kick-back to the company comes when a smaller proportion of the users switch to other providers, thus delivering a painful lesson. This "churn view" is where the Ponemon report suggests the market is.
  • the "risk sharing view" would have it that the user pays a smaller but still painful part. Call it 20%, or the opposite of what we see above. This should put the user firmly in the security protocol, and address any risks that the user is lax, but puts the onus on the business to provide the right tools.
  • the "insurance view" is that the user pays the first $50 such as happens in credit card purchases. This more or less fixes the user's part in the protocol to little things like "don't lose the card" and passes the rest across to the company.
  • the "efficient view" would have it that the cost to the users should be close to $0 and the cost to the business should be closer to $1200. This is because the business is better able to manage all of the risk, knowing the business, as it does.
[Chart: who pays, per view. Left axis "User Pays", right axis "Business pays", each scaled $0 to $1200.]
  Caveat emptor    user buys PGP
  Switching        "churn"
  risk sharing     small but painful
  insurance        "don't lose that card"
  Efficient        know the business!

Markets tend to mature towards either the efficient view or the insurance view. The market in your identity is not mature. The reasons for that might be widely debated, but I'll have a quick stab here: we never really wanted to buy and sell our identities. We don't want that market in the first place, so damned if we're going to let it mature.

Posted by iang at February 4, 2009 04:51 AM

a couple of my comments on the matter (from linkedin)

a related study/report from a couple weeks ago:
New Research Reveals 45% of Card Breach Victims Lose Confidence in Their Financial Accounts

... and my comments

and for a little more topic drift ... recent comments about "mis-aligned" business processes

Posted by: Lynn Wheeler at February 4, 2009 09:58 AM

You got the axes wrong, Ian. They need to be numbered in the exact opposite direction, both of them.

On the substance, it is an interesting article, as usual. Another refreshingly honest way of looking at security.

Posted by: Daniel A. Nagy at February 5, 2009 05:29 AM

"darn! you spotted my marketing trick" :)

OK, fixed, THANKS! Of course, some will point out that the user pays always anyways ... but money being about information, Hayekian-wise, it is all about who has to carry the burden and incentive of that information.

Posted by: Iang at February 5, 2009 07:54 AM

Cool, but how do we get from here to there?

Posted by: Adam at February 5, 2009 10:55 AM

"The Ponemon Institute, which puts out an annual data breach cost report, found that the total average cost of a data breach grew to $197 per compromised record. The costs add up to more than $6.3 million per breach and ranged from $225,000 to almost $35 million. The study factors in the cost of lost business and the investment a merchant makes in security technologies following a breach. The organization plans updated figures later this month.

The Maine data breach report further illustrates the far reaching effects of data breaches and identity crime, said Larry Ponemon, founder and chairman, Ponemon Institute. Ponemon cautioned that the costs listed in the report (which one, Maine or Ponemon?) are only those associated with financial institutions and don't reflect the total costs incurred by Hannaford's, victims, and other organizations."

Posted by: Larry Ponemon on the others... at February 10, 2009 08:18 AM