
Empirical Evidence Concerning the Cost of Security Compromises

A significant barrier that information security professionals constantly encounter during efforts to obtain needed resources is skepticism among senior managers concerning whether serious information security breaches really do occur and if they do, whether they could occur in their particular organizations. One of the best antidotes is to present empirical evidence concerning the cost of security compromises. Whereas horror stories and handwaving concerning the likelihood of and damage due to potential security incidents are generally ineffective, presenting empirically determined incident-related losses resulting from security compromises is more likely to convince senior management. 

Obtaining the right kind of evidence, however, is not so easy. A good first source from which to obtain incident loss statistics is the annual FBI-Computer Security Institute (CSI) survey, in which respondents indicate whether or not their organizations have experienced information security incidents over the last year and, if so, what the estimated financial losses are. For example, over four years ago the results of this survey showed that cumulative financial losses for 223 of the 503 corporations that responded amounted to USD 455 million. At the same time, however, more recent FBI-CSI surveys have shown dwindling reported annual loss figures connected with security incidents. Furthermore, critics have been quick to point out that the amount of reported financial loss is subjective—purely an estimate on the part of each survey respondent.

Somewhat more suitable evidence comes from surveys concerning the impact of data security compromises upon customers. A recent study by the Ponemon Institute shows, for example, that 55 percent of participants said they had been informed of more than one security compromise involving their personal data over the last two years, and eight percent said they had been informed of four or more such compromises. The Ponemon Institute’s study also shows that 63 percent of the survey participants reported that the letters they received after data security compromises had occurred contained no information concerning what to do to safeguard their data afterwards. Furthermore, the majority of the respondents indicated that more than a month had passed before they were finally informed that their personal data had been compromised. At the same time, however, 98 percent of those who had fallen victim to a data security compromise actually became victims of identity theft afterwards. Most significantly, almost one out of every three individuals who were informed of a data security compromise involving their personal data has ceased doing business with the company that experienced the incident. The overall message to commercial entities is clear—either protect customer data, or lose a large proportion of your customers.

From a senior management perspective, the most compelling data come from studies showing the relationship between information security breaches in organizations and stock share price. The first such study of which I am aware was published seven years ago. Conducted at the University of Maryland, this study revealed some evidence of a relationship between “public announcements of information security breaches” and an organization’s stock price. Interestingly, this relationship was found to be present only when the information security breaches involved a compromise of the confidentiality of information.

More recently, the Australian analyst company Hydrasight and the Colorado-based research company Enterprise Management Associates Inc. (EMA) conducted a similar study of six US companies. The results indicated that within four weeks of details concerning an information security compromise being publicly disclosed, stock share prices fall. For the companies in the study, the stock price fell by an average of five percent within a month of the disclosure of the incident, and the price remained depressed for almost one year.

From a senior management perspective, loss of stock share price is very high on the list of outcomes to be avoided. As such, being armed with empirical evidence concerning the relationship between security incidents and stock price is one of the wisest things an information security professional can do to “make the sale” to senior management. And, hopefully, more studies such as the ones conducted at the University of Maryland and Hydrasight/EMA will continue to be performed so that more such evidence will become available.
