Understanding the true cost of a data breach is a complex and multifactorial problem. The difference in estimations made by different research groups is extremely significant.

Understanding the true cost of cyber-attacks is crucial in deciding investment levels in information security activities. For small businesses, a data breach can be a death sentence: according to the "Data Breach Digest 2018: Studies in cyber crime" by Verizon, 60% of small businesses shut down within 6 months of suffering a major breach (this number has not been updated in the latest version of the Verizon report). More generally, is there a method to estimate the average cost of a data breach?
The Cost of a Data Breach Report, by Ponemon and IBM, has become one of the leading benchmark reports in the cybersecurity industry. According to the 2021 report, data breach costs rose from $3.86 million to $4.24 million in the last year. However, these numbers have been challenged by the researcher Sasha Romanosky in the Journal of Cybersecurity, by Oxford Academic. His work, titled "Examining the costs and causes of cyber incidents," based on data from Advisen Company, estimates a much lower average cost of $200,000.

This enormous difference in the estimated cost of a data breach is explained by the fact that these studies are based on private and anonymous data, which is difficult to evaluate and compare:
The report by Ponemon studied 537 real breaches across 17 countries and regions and
17 different industries. They do so in the course of nearly 3,500 interviews, asking
dozens of questions to determine what organizations spent on activities for the
discovery of and the immediate response to the data breach. Interviewees included
IT, compliance, and information security practitioners who are knowledgeable about
their organization's data breach and the costs associated with resolving the breach.
To preserve confidentiality, company-specific information was not captured.
Participants were instructed to mark a number line in one spot between the lower and
upper limits of a range for each cost category.
On the other hand, the study by Sasha Romanosky "acquired a dataset of cyber incidents from Advisen, a US-based, for-profit organization that collects, integrates and resells loss and incident data to the commercial insurance industry regarding many different forms of corporate loss. In order to compile the cyber loss database, Advisen employs a dedicated team of analysts who use a comprehensive set of search strategies in order to find and classify publicly available information regarding cyber events."
It is difficult to draw any conclusion on the origin of the enormous difference between both estimates based on the information the authors provide about their data collection method. This shows the difficulty of obtaining a simple formula to estimate the cost of a data breach for any company.

There is, however, an interesting and more transparent method to estimate a lower bound for the cost of a data breach affecting, not any company, but at least public companies: to evaluate the impact on the market valuation of a company after the breach. To the best of our knowledge, three recent studies use this approach. This method does not consider the cost of detection and escalation activities that enable a company to reasonably detect the breach, or the cost of activities that enable the company to notify data subjects, data protection regulators, and other third parties. It also does not include the cost of activities to help victims of a breach communicate with the company, redress activities for victims and regulators, or the cost of reimbursing customers for damages. But it gives a transparent lower bound for the cost of a cyber incident.

The three studies analyze the impact on market valuation in the days immediately following a breach. They are:
These studies use event-study methodology: the basic idea is to find the abnormal return attributable to the data breach being studied by comparing the performance of the breached company's stock with the market as a whole for the same time period and calculating the difference in performance between them. Of course, this methodology has its limitations, since it is impossible to know what the value of a company would have been if it had not suffered a data breach. But it gives a first approximation to the problem, and since these three studies were performed by independent groups, a convergence in the results would strengthen their conclusions.
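The abnormal-return calculation described above, as an added example that is not from the original post or from any of the three studies: it computes the simple market-adjusted abnormal return (stock return minus market return) the text describes, and goes one step further with the market model (an OLS fit of the stock against the market over a pre-breach estimation window) that event studies commonly use. All daily returns and the market capitalisation are constructed sample values, not real data.

```python
"""Event-study estimate of a breach's stock-price impact (added example)."""
from statistics import mean


def daily_returns(prices):
    """Simple daily returns from a list of closing prices."""
    return [(p1 - p0) / p0 for p0, p1 in zip(prices, prices[1:])]


def market_model(stock_est, market_est):
    """OLS fit R_stock = alpha + beta * R_market over the estimation window
    (pre-breach days). Returns (alpha, beta)."""
    ms, mm = mean(stock_est), mean(market_est)
    cov = sum((s - ms) * (m - mm) for s, m in zip(stock_est, market_est))
    var = sum((m - mm) ** 2 for m in market_est)
    beta = cov / var
    return ms - beta * mm, beta


def abnormal_returns(stock_ev, market_ev, alpha=0.0, beta=1.0):
    """Daily abnormal return in the event window: actual return minus the
    return the model predicts. The defaults alpha=0, beta=1 give the simpler
    market-adjusted model (stock minus market) the article describes."""
    return [s - (alpha + beta * m) for s, m in zip(stock_ev, market_ev)]


def cumulative_abnormal_return(ar):
    """Cumulative abnormal return (CAR) over the event window."""
    return sum(ar)


def value_lost(car, market_cap):
    """Lower bound on breach cost in dollars: CAR times pre-breach market cap."""
    return car * market_cap


# Constructed sample: 5 pre-breach (estimation) days and 5 post-announcement days.
MARKET_EST = [0.010, -0.020, 0.005, 0.000, 0.015]
STOCK_EST = [0.001 + 1.5 * m for m in MARKET_EST]   # stock tracks market with beta 1.5
MARKET_EV = [0.002, -0.001, 0.003, 0.000, 0.002]
STOCK_EV = [-0.010, -0.004, 0.002, -0.006, 0.001]
MARKET_CAP = 10e9  # constructed pre-breach market capitalisation in dollars

if __name__ == "__main__":
    alpha, beta = market_model(STOCK_EST, MARKET_EST)
    car_adj = cumulative_abnormal_return(abnormal_returns(STOCK_EV, MARKET_EV))
    car_mm = cumulative_abnormal_return(abnormal_returns(STOCK_EV, MARKET_EV, alpha, beta))
    print(f"market-adjusted CAR: {car_adj:+.2%} -> ${value_lost(car_adj, MARKET_CAP):,.0f}")
    print(f"market-model CAR:    {car_mm:+.2%} -> ${value_lost(car_mm, MARKET_CAP):,.0f}")
```

On the sample data the two models give CARs of -2.3% and -3.1%, which shows why the studies' figures (-1.19% and -2.53%) can differ by model choice alone while staying in the same order of magnitude.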
So, do these studies share the same general conclusion?

Generally speaking, yes. They show the same general trends and order of magnitude for the abnormal return in the days following a data breach.

Details aside, the most interesting conclusion of the first study for this article is that they found negative market returns occurring in the 20 days after the announcement of the breach: they calculated an abnormal return of -1.19%. Given the sizes of the assessed companies, this number translates into hundreds of millions of dollars. The second study, on the other hand, found a similar value of -2.53%.
Finally, the third study found, among other things, that:

- In the six months leading up to a breach, the average share price grew +2.6%, compared to -3.0% following a breach.
- In the long term, breached companies underperformed the market. After 1 year, the share price fell -8.6% on average and underperformed the NASDAQ by -8.6%. After 2 years, the average share price fell -11.3% and underperformed the NASDAQ by -11.9%. And after three years, the average share price is down by -15.6% and down against the NASDAQ by -15.6%.
We emphasize that these results may not hold in the long run, and in fact, some
literature suggests that most public companies bounce back to what would be their
normal value. Although this conclusion may be challenged, since the counterfactual
is difficult if not impossible to calculate, it is irrelevant here since the
enormous amount of money lost during so many days has negative consequences for the
companies.
These estimations of the cost of a data breach affecting public companies are interesting from the point of view of BitTrap's business model because they are a clear example of what we have been saying about the singular economics of hackers, namely, that there is a large gap between what a hacker monetizes from an attack and the cost to the company of that attack.
Consider, for example, the attack Twitter suffered in July 2020. Several popular Twitter accounts were compromised, including those of Bill Gates, Kanye West, Joe Biden, Barack Obama, and companies like Apple Inc. These accounts began posting similar messages requesting money (Bitcoin) to be sent to a bitcoin account. These messages were taken down shortly after, but it is easy to calculate how much money the wallet used to receive the funds collected: about $120k. At the same time, Twitter lost 3.25% of its market value (about $900 million). The difference between the hacker's return and the company's cost is 7500x!
One aspect that none of the studies we cited tackle is the fact that, once a company has been attacked and has done threat hunting (identifying the vulnerability exploited) and neutralized the attack vector, it can then learn from the experience and improve its security posture. The company is now aware of a vulnerability it did not know it had, one which could have resulted in more damage than this attack actually caused. This new knowledge has value. Minimizing the cost of acquiring this knowledge is what BitTrap's radical new approach makes possible.
In conclusion, understanding the true cost of a data breach is a complex and multifactorial problem. When the attacked company is a public company, some lower bound can be estimated from its abnormal return after the breach. However, even this methodology has severe limitations given that it is based on counterfactuals impossible to know. In general, when the companies are not public, the difference in estimations made by different research groups is so significant that it becomes extremely difficult to draw any conclusion. The solution for deciding investment levels in information security activities seems to be that each CISO and information security practitioner who is knowledgeable about their organization should perform a deep analysis of its structure and business model to make an informed and reasonable decision. There are no proven algorithms that can give a complete answer to this question.