Cybersecurity Monitor: September 2016

IN THIS ISSUE
Two studies come up with very different estimates of the typical cost of a cyber incident. The RAND Corp. estimates the cost to be $200,000; the Ponemon Institute, $7 million. Why the huge disparity? One difference lies in the respective definitions of the “typical” cost. But just as important is the difference between the types of costs included in the respective estimates. While the RAND study includes only direct costs, the Ponemon study includes both direct and indirect (or intangible) costs, such as loss of reputation. Indeed, the Ponemon study found that companies spend more on the latter than they do on the former.

JUST HOW MUCH DOES A CYBER INCIDENT COST?
The RAND Corp. made a splash this month with a study on the cost of cyber incidents. The researchers estimate that, during the period 2005-2014, the cost of a typical cyber incident was about $200,000, or just 0.4 percent of estimated annual revenues.
 
Based on this estimate, the study’s author concludes that, “Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think.” Indeed, he suggests that a company’s low investment in cybersecurity may be a rational response to the relatively low financial risk of a cyber incident: “If it is true that, on average, businesses lose 5 percent of their annual revenue to fraud, and that the cost of a cyber event represents only 0.4 percent of a firm’s revenues, then one may conclude that these hacks, attacks and careless behaviors represent a small fraction of the costs that firms face, and therefore only a small portion of the cost of doing business.”
 
But is either the author’s conclusion or his suggestion justified? Let’s begin with the assertion that “cyber risks often aren’t as big a deal as we think.”
 
The RAND study explicitly contrasts its cost estimate with those of other surveys, above all the Ponemon Institute’s annual Cost of Data Breach Study. According to the Ponemon study’s estimate, the average cost in 2015 was just over $7 million.
 
One reason for the disparity between the two estimates is that, whereas the Ponemon study uses the average as the measure of a cyber incident’s cost, the RAND study uses the median. As the RAND study rightly observes, the inclusion of a few very costly cyber incidents in the data set will skew the average cost upwards. In this respect, then, the RAND study’s author is likely correct: cyber risks often aren’t as big a deal as we think.
 
In another respect, however, companies would be unwise to base their cybersecurity strategies on the suggestion that low investment in cybersecurity may be a rational response to the relatively low financial risk of a cyber incident. While most companies will pay nowhere near $7 million to remediate a cyber incident, it is just as certain that the RAND study’s estimate of $200,000 is too low.
 
A second important difference between the two studies lies in the types of costs included in their respective estimates. The RAND study includes only direct costs, such as engaging forensic investigators, consumer notification, customer support efforts, litigation, and government penalties. The Ponemon study, by contrast, found that companies typically spend more on indirect (or intangible) costs – such as loss of reputation and abnormal customer turnover – than on direct costs.