Cost of Cyber Incidents Not Large Compared with Other Business Losses

September 27, 2016

The cost of a typical cyber breach to an American company is much less than generally estimated, providing one possible explanation for why companies do not invest more to improve computer security, according to a new RAND Corporation study.

Researchers found that the typical cost of a breach was about $200,000 and that most cyber events cost companies less than 0.4 percent of their annual revenues. The $200,000 cost was roughly equivalent to a typical company's annual information security budget.

“Relative to all the other risks companies face, the cyber risks often aren't as big a deal as we think,” said Sasha Romanosky, author of the study and a policy researcher at RAND, a nonprofit research organization. “It may be bad for you if you are the victim, but it doesn't change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way.”

The findings are published in the Journal of Cybersecurity.

Romanosky undertook the study in part because of an executive order issued by Barack Obama in 2013 directing the National Institute for Standards and Technology to develop voluntary guidelines for improving information security.

The policy was put in place as public concern about cyberattacks began to rise with disclosures of major breaches at Target and other prominent companies, but Romanosky wondered whether the corporate world would be willing to adopt tougher measures.

The study is based on a private dataset of 12,000 cyber incidents compiled by Advisen, a company that provides information on corporate losses to the insurance industry.

Romanosky examined incidents across four categories, They are data breaches involving the disclosure of personal information, security incidents that resulted in the theft of intellectual property or disrupted business services, malicious harvesting of account information through phishing or skimming attacks, and privacy violations through the unauthorized collection, use or sharing of personal information from cell phones, web tracking and other means.

He found that security breaches were on the upswing, from 64 reported incidents in 2012 to nearly 250 reported incidents by 2014. The sectors with the highest number of reported hacks were finance and insurance, health care and government entities.

In analyzing the financial impact of such incursions, Romanosky considered factors such as the cost of investigating the causes of a breach, notifying consumers, increasing customer support, paying for identity theft insurance or credit monitoring, and dealing with legal actions.

Yet those costs, the RAND researcher found, generally were not onerous and were lower than losses companies face because of fraud, theft, corruption or bad debt.

“If it is true that on average that businesses lose 5 percent of their annual revenue to fraud, and that the cost of a cyber event represents only 0.4 percent of a firm's revenues, then one may conclude that these hacks, attacks and careless behaviors represent a small fraction of the costs that firms face, and therefore only a small portion of the cost of doing business,” Romanosky said.

Given that finding — and surveys that indicate consumers are mostly satisfied with the ways companies respond to data breaches — he says that businesses “lack a strong incentive to increase their investment in data security and privacy protection.” Moreover, if their losses are not out of line with other costs, he said, “maybe the firms are already doing the right thing,” making government policies to induce more precautions unnecessary.

Romanosky said a more effective strategy might involve cyber insurance programs that offer reduced premiums in exchange for companies taking certain steps to beef up data security.

He also urges consumers to “stay vigilant and take precautions in sharing their information with just anyone.”

Support for the study was provided by the RAND Institute for Civil Justice.

The project was conducted within the RAND Justice Policy Program, which conducts research across the criminal and civil justice system on issues such as public safety, effective policing, drug policy and enforcement, corrections policy, tort reform and insurance regulation.

http://www.rand.org/news/press/2016/09/20/index1.html

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Cost of Cyber Incidents Not Large Compared with Other Business Losses

Related Articles

Related Products

Related Events

Report Abusive Comment