The Ponemon Institute has been tracking the cost of data breaches over the last few years. Together with PGP they just released their most recent report after polling 43 companies that experienced data breaches. You can view a summary of their report here (you need to fill out your personal data for the full report).
The central finding is that data breaches cost organizations $200 a breached record (well, actually $202...). I hear variants of this $200 figure at almost every security conference I attend. Security vendors have also incorporated it into their sales pitch and I often hear this number as part of the ROI angle when I am evaluating vendors. But how accurate is it? And should it motivate companies to spend on security?
Data breaches have hard costs and soft costs associated with them. Hard costs like notifying customers account for only $15 of the $202 figure in the Ponemon study and are at the lowest point in the last four years. Soft costs like "lost business" account for $139 or 69%. I have serious doubts whether it is even possible to estimate lost business in a meaningful way. But even if it is, do so many customers really leave companies because of data breaches?
For small companies in non-critical industries this might be possible, but I find some of the figures on lost business very improbable, to say the least. The highest rate of post-breach customer churn in the report is 6.5%, in the healthcare industry. I don't know about you, but when I choose a health provider the most important thing to me is medical credentials. When you're sitting in that waiting room and feeling like *%$&, the last thing you are worried about is the security of the router configurations at the doctor's office.
But let's say for the sake of argument that the $202 figure is generally correct. To me that indicates that companies are spending too much, not too little, to prevent data breaches, to the detriment of reducing other forms of risk.
The Identity Theft Resource Center counts just under 36 million breached records in the United States across 656 reported incidents for 2008. A back-of-the-napkin calculation (well, more of a Google calculation: 36 million records times $202) yields a cost of roughly $7.2 billion from publicly announced data breaches in the US. That's a drop in the ocean in a GDP of over 14 trillion dollars, and less than the $10 billion a year that businesses lose to cheque fraud alone. That $7.2 billion can't possibly justify the multi-billion dollar security industry, especially given that most published data breaches are the result of human error that would not have been prevented by technology.
I've said before that security spending will be primarily compliance driven in the future. The relatively low cost of a data breach to an organization is yet another reason to ditch loss-prevention approaches to justifying security spending.