RAND Report questions breach cost
RAND Report questions breach cost

A breach isn't quite as big a deal as we've been told. That is if the findings of a new report are to be believed.

Authored by Sasha Romanosky, a policy researcher at the RAND Corporation, the report undercuts one of the great cliches of the cyber-security industry: that breaches are expensive.

The research takes data, compiled by the firm Advisen, from 12,000 ‘cyber events', including data breaches, security incidents, privacy violations and incidents of phishing.

Key to this research, the author notes, is the use of the median as opposed to the mean, which previous examinations of breach cost commonly use.

The mean, Romanosky told SCMagazineUK.com, “is a poor representation because of the few breaches that incur hundreds of millions of dollars in losses and these extreme losses greatly skew the results. The reality is that most firms aren't Target or Home Depot or Anthem or Sony. They just don't lose this much.”

The point is revelatory, but apparently is largely unnoticed. Other such studies have put the most losses in the millions, but Romanosky's puts it as a comparatively paltry US$200,000 (£154,000) and only 0.4 percent of revenue and “far less than other losses due to fraud, theft, corruption, or bad debt.”

Even ‘reputational damage', that concept that apparently keeps CISOs up at night, also seems less of a concern than we might expect.

Then again, reputational damage is at best an abstract, and by nature hard to quantify. “ It comes up in all the discussions, and yet no one is really able to properly articulate what it means”, said Romanosky, “I get answers like ‘consumer trust' or ‘brand'. But these are equally vague, because how can they tell whether a company has more ‘brand' this year over next?”

In fact, “the body of research that examines this shows no significant and lasting effect from data breaches.”

Why? Often, said Romanosky, “consumers just aren't impacted enough to punish the firm for bad practices. They just don't feel enough of an immediate, tangible and severe kind of cost from the incident.” This may well be why, despite an initial shock to the system, that can involve a drop in share price and exodus of customers, companies often recover from the bad press surrounding a breach.

Many customers, argued Steve Armstrong, managing director of Logically Secure, “are simply too lazy to move to new providers, additionally they consider it is better to stay with a company that has been breached rather than jump to one that has yet to be breached.”

Amit Ashbel, cyber-security evangelist at Checkmarx, agreed that reputational damage is a hard thing to measure and larger vendors like Target and Sony have not felt the death blow that their breaches may have been.

Those, however, are large companies and by nature hard to dent. Smaller, less established companies may well be hit harder by a breach: “If the cool kid in school would embarrass themselves in front of the whole class, the embarrassment would last for a day or two however if the less popular kid would do the same, it will have devastating impact on their social status and it would become a lifelong stigma.”


The combination of these two findings does not necessarily lead to an encouraging conclusion. The low cost of breaches would suggest few incentives to spend money avoiding them. Citing other RAND research, Romanosky added that customers tend to be quite satisfied with the way companies handle breaches. He added, “together, this suggests that they lack strong incentive to avoid these incidents.”

Graham Mann, managing director at Encode Group UK told SC that cost implications should not be at the forefront of organisations' mind upon discovery of a breach: “There are, or should be, more important issues, like: loss of IP, market intelligence leaks, consumer data losses and the knock-on impact of individuals lives, etc.”

Mann added, “Whether on average it's less financially damaging, as many have claimed in the past, should not materially impact on this decision.”