
New report on the cost of a cyber breach

In Making Business Sense of Technology Risk, I refer to studies conducted by the Ponemon Institute and sponsored by IBM Security.

Their latest Cost of a Data Breach Report again has some useful information.

You may be surprised to hear that the average cost of a data breach is just $3.9 million. That sounds far different from what the alarm bells screaming at you from all sides would indicate. Healthcare costs are typically much higher than average. Healthcare is where the ‘megabreaches’ have typically occurred, although large companies in financial services and retail have also suffered huge public disasters.

Does it make sense to invest tens of millions of dollars or more when the average cost is relatively low?

That’s one of the issues tackled in the book. For a start, while the cost may appear low, the disruption to the business and its impact on customers and partners may be much more significant. A small out-of-pocket cost may hide the fact that significant enterprise objectives will now be much harder to achieve.

Another challenge is that resources to invest are limited. How does the leadership of an organization decide whether to invest in cyber, a new marketing campaign, an upgraded product offering, or to reduce supply chain risk?

Another finding in the report is that, despite advances in detection, the average time to identify and contain a breach remains unacceptably high: 279 days. In addition, a breach can have significant effects that last two years or more.

One of the problems with studies and discussions around cyber is that this is only one of several sources of risk to enterprise objectives. To understand the likelihood of achieving a business objective, you need to consider all related sources of risk.

Unfortunately, neither COSO nor ISO (nor anybody else to my knowledge) has provided practical guidance on this challenge of aggregating disparate sources of risk to a single objective, nor shown us how to weigh that aggregate against the upside.

Maybe that will come. In the meantime, perhaps my book will help.

I welcome your thoughts and comments.


  1. August 10, 2019 at 3:31 AM

    Hi Norman. I’m not sure I understand your phrase, ‘aggregating disparate sources of risk to a single objective’. I thought you decided on the objectives before identifying the risks. Some risks will threaten the achievement of more than one objective. For example, a data breach will threaten the achievement of the objectives to maintain/increase profits and to obey applicable laws. There will be other risks threatening the achievement of these objectives. As you have said, ‘To understand the likelihood of achieving a business objective, you need to consider all related sources of risk.’
    Resources are always limited and your point about deciding how to allocate them is most relevant. My approach would be to identify the options available to achieve the objectives. You mention, ‘cyber, a new marketing campaign, an upgraded product offering, or to reduce supply chain risk’ as examples. Each of these will have costs and benefits. The costs will be relatively easy to calculate. The benefits less so – what is the monetary benefit of obeying the law or keeping customer data secure? Ultimately it’s the board’s responsibility to decide on the options to pursue. It’s senior management’s responsibility to provide them with all the relevant information.
    My experience is now dated but I have a sneaking suspicion that organisations are not identifying all their cyber risks in a logical manner and considering the options for mitigating them, some of which may be relatively inexpensive. I once asked the CEO’s secretary whether she encrypted his documents. She answered, ‘Only by accident’. Thus anyone with access to his files (Database Administrator, for example) could read highly confidential information. That was over 20 years ago. I assume modern databases are automatically encrypted (?).
    David Griffiths

    • Norman Marks
      August 10, 2019 at 6:35 AM

      David, let me clarify. There are examples in detail in the book, of course.

      If you are considering opening an office to drive revenue in, say, Eastern Europe, several things can happen to threaten success. A cyber breach is one, as is the loss of key personnel, compliance issues, distribution problems, and so on. All of these have to be considered in your decision-making. Each may be tolerable while the aggregate is not.

      You then need to weigh the downsides against the opportunity.

      In addition, you need to decide whether to take actions to modify one or more of the above, both threats and opportunities.

      Finally, risks should be considered both before and after establishing objectives. COSO misses the point that if you don’t do that you may set objectives that are too high, too low, or simply in the wrong direction.

      Hope that helps.

      • August 11, 2019 at 12:15 PM

        Thanks Norman. I still don’t think that it’s possible to consider risks before establishing the first objective but I take your point that, having considered the opportunities and risks, this objective may have to be amended.
        In complex situations (like the Eastern European office), my internal audit department purchased @Risk to check the risk factors affecting company decisions.

  2. August 13, 2019 at 1:53 AM

    Interesting that the average cost of a cyber risk is so small – it puts the emphasis and fear related to cyber risks somewhat in perspective (like the risk of being a victim of a terrorist attack). That said – we have seen (rare) cases of huge consequences – so I guess the tail is very, very long.

    You, alas correctly, mention that none of the standards provide guidance as to aggregating disparate sources of risks to any one objective. To my knowledge, this can be done in one way (only) – the use of Monte Carlo simulation, which requires a few steps to do.

    1) Specify the metric of your objective – be it money, number of complaints, number of visitors, time, or whatever. How do you know you have succeeded?
    2) Identify (negative) risks and (positive) opportunities to your objective alike
    3) Analyze (using data, please) what the likelihood is of the risk materializing
    4) Analyze (using data, please) what the outcome distribution is in terms of the metric of the objective (be it money, number of complaints, number of visitors, time, or whatever metric your objective is expressed in)
    5) Model and Monte Carlo simulate the portfolio of risks and opportunities – and address the outcome range, which may very well go from very negative (i.e. you will severely miss your objective) to vastly positive (you will significantly outperform your objective). Monte Carlo software will also provide “tornado” diagrams, which help you prioritize efforts to enhance expected/likely performance.
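The five steps in the comment above, worked through end to end as an added example (this is not the commenter's code, nor the book's): a hypothetical new-office revenue objective, five constructed risk and opportunity drivers with made-up probabilities and triangular impact estimates, a plain stdlib Monte Carlo run, the outcome range with the probability of missing the target, and a tornado ranking computed by pinning each driver on and off while the rest stay random. All numbers are illustrative.

```python
"""Monte Carlo aggregation of disparate risks and opportunities against one objective.

Added illustration: the drivers, probabilities and impacts below are constructed,
not taken from any report. Standard library only, so it runs offline.
"""
import random
from statistics import mean, quantiles

# Step 1: the objective expressed in one metric. Here: first-year revenue of a
# hypothetical new office, in $M.
TARGET = 5.0
BASELINE = 5.8  # planned revenue if no risk or opportunity materialises

# Step 2: risks (negative impact) and opportunities (positive impact) alike.
# Each entry: (name, annual probability, (low, high, mode) impact in $M).
# Steps 3-4: the probability and impact shape should come from data; triangular
# distributions are the simplest thing you can fit from three calibrated estimates.
DRIVERS = [
    ("data breach",             0.10, (-6.0, -0.5, -1.5)),  # long tail: the rare 'megabreach'
    ("loss of key personnel",   0.25, (-1.5, -0.2, -0.6)),
    ("compliance issue",        0.15, (-2.0, -0.3, -0.8)),
    ("distribution problems",   0.30, (-1.0, -0.1, -0.4)),
    ("larger-than-planned win", 0.20, ( 0.3,  3.0,  1.0)),  # an opportunity
]


def sample_outcome(rng, drivers=DRIVERS, force=None):
    """One simulated year. `force` maps a driver name to True/False to pin it on or off."""
    total = BASELINE
    for name, prob, (low, high, mode) in drivers:
        if force is not None and name in force:
            occurs = force[name]
        else:
            occurs = rng.random() < prob
        if occurs:
            total += rng.triangular(low, high, mode)
    return total


def simulate(n=20_000, seed=7, force=None):
    """Step 5: draw n independent years of the whole portfolio."""
    rng = random.Random(seed)
    return [sample_outcome(rng, force=force) for _ in range(n)]


def summarize(outcomes, target=TARGET):
    """Outcome range (5th/50th/95th percentile) and the probability of missing the objective."""
    cuts = quantiles(outcomes, n=20)  # 19 cut points: index 0 = P5, 9 = P50, 18 = P95
    return {
        "mean": mean(outcomes),
        "p5": cuts[0], "p50": cuts[9], "p95": cuts[18],
        "p_miss": sum(o < target for o in outcomes) / len(outcomes),
    }


def expected_value(drivers=DRIVERS):
    """Analytic mean outcome, used to sanity-check the simulation.
    The mean of a triangular(low, high, mode) distribution is (low + high + mode) / 3."""
    return BASELINE + sum(p * (low + high + mode) / 3 for _, p, (low, high, mode) in drivers)


def tornado(n=20_000, seed=7, drivers=DRIVERS):
    """Tornado ranking: swing in mean outcome when a driver is pinned on versus pinned off,
    with every other driver still random. Largest absolute swing first, i.e. the driver
    whose treatment would move the objective the most."""
    swings = []
    for name, _, _ in drivers:
        on = mean(simulate(n, seed, force={name: True}))
        off = mean(simulate(n, seed, force={name: False}))
        swings.append((name, on - off))
    return sorted(swings, key=lambda s: abs(s[1]), reverse=True)


if __name__ == "__main__":
    s = summarize(simulate())
    print(f"mean {s['mean']:.2f}  P5 {s['p5']:.2f}  P50 {s['p50']:.2f}  P95 {s['p95']:.2f}  "
          f"P(miss ${TARGET:.1f}M target) = {s['p_miss']:.1%}")
    for name, swing in tornado():
        print(f"{name:26s} {swing:+.2f} $M")
```

Two things the printed summary shows that the $3.9 million average alone does not: the breach driver dominates the tornado even though it is the least likely to occur, because its tail is the widest, and the P5 of the portfolio sits well below the target while the mean sits above it, which is the "each may be tolerable while the aggregate is not" point in a single number.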

  3. Gregory Sosbee
    August 13, 2019 at 8:01 AM

    Norman, part of the problem may be semantics, as aggregating disparate sources of risk to a single objective should be basic risk management. Risk is a balloon around an exposure. As such every risk that touches the exposure has to be identified and measured on a common scale. Then and only then can the various outcomes be evaluated.

    As for cyber exposures, I suspect the number quoted represents the direct costs and ignores lost opportunity possibilities, the internal cost to correct and lost cash flow among other non-direct costs.

    • Norman Marks
      August 13, 2019 at 8:03 AM

      Peter, should we be managing exposures or the likelihood of success? Also, the numbers are supposedly inclusive of indirect costs.
