When planning strategy for an information security program, your first question should be “what is the risk of an intrusion?” Risk is a combination of probability and impact. We assume breach in most scenarios, putting probability at/near 100%. This leaves impact: when your network is compromised, what is the potential damage to your organization?
There are a number of studies with data to estimate impact. They each use a different, incomplete models of costs. You can neither directly use the figures from a report nor compare figures from any two reports. These inconsistencies make it difficult to turn the reports into actionable data.
Over a series of posts, I will normalize the cost of data breach reports into a more actionable and comprehensive framework than is currently available. This post will introduce a comprehensive cost framework. A set of subsequent posts compare the data in various studies within the context of a single cost framework. A final post will provide additional analysis, conclusions and recommendations for future work.
The most succinct and comprehensive model I’ve seen published is from Managing Cybersecurity Resources by Gordon and Loeb. In Chapter 3, they present a “Cybersecurity Cost Grid.” They use three axes: direct vs. indirect costs, explicit vs. implicit costs and intrusions damaging confidentiality vs. availability vs. integrity. Dropping the confidentiality vs. availability vs. integrity axis results in a two dimensional model:
The model’s terminology to distinguish explicit vs implicit costs is a useful insight I haven’t seen elsewhere.
Explicit vs. Implicit
Explicit costs are those you can measure directly and without ambiguity: the checks you write to the forensics teams, the costs of running a call center, the overhead from your staff’s hours, etc.
Implicit costs are those that cannot be measured with any degree of certainty: damage to reputation, increased customer churn, loss of intellectual property, etc.
Direct vs. Indirect
Direct costs are the additional costs easily linked to an intrusion: forensics teams, legal support, call center staffing, customer notifications, etc.
Indirect costs are the opportunity costs of responding to an incident: the time spent by existing staff, for instance. In many organizations this is a close parallel to overhead.
Primary cost categories
This framework is still imperfect: for instance, I’m not sure what is categorized as a “direct implicit” cost. But the distinction between explicit vs. implicit is a useful to distinguish the short-term clearly distinguishable costs from the longer-term costs. We can use these categories to segment the costs from the existing cost of data breach studies using a common model. I use five primary categories: direct explicit costs, indirect explicit costs and three implicit costs categories.
The explicit costs, both direct and indirect, are relatively straightforward to enumerate and quantify.
- Direct explicit costs – Customer notification costs, call center staffing, regulatory fines, legal costs, forensics teams, etc
- Indirect explicit costs – Overhead costs related to the intrusion: your employee’s time, etc.
Implicit costs are more difficult to quantify. I identify three primary categories of costs:
- Loss of business due to reputation damage - this may be fewer contracts, increased customer churn, decreased signups, etc.
- Lost revenue due to interrupted business operations - many manufacturing or logistics organizations have very mature financial models used to estimate the cost of downtime.
- Cost due to loss of intellectual property – the costs of corporate espionage, trade secrets, business intelligence and technology transfer.
If you’re using a breach cost estimation model that doesn’t consider all of these, you may be underinvesting due to missing costs. Of course, if you have identified cost centers that don’t fit into the model above, email me!
UPDATE: After spending time with the figures of various reports, I’ve found myself stumbling over the imperfections in this cost model. My mental references have simplified to direct, indirect and opportunity costs, the cost of lost business opportunities — i.e., the implicit costs. This is the model the Ponemon studies use and is proving to be more pragmatic in my work. Subsequent posts will use those three categories.