The Ponemon Institute has released its latest analysis of the cost of data breaches, and this year they report that the cost of a breach is still on the rise.  While new legislation and increasingly savvy and persistent attackers are continuing to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported, which inflates the trend.  If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data.

I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record.  Non-security managers (and unfortunately some new security managers) will gravitate to this metric, estimate how much data they are storing, and then use simple multiplication to determine the amount of “liability” they carry.

Units of Measurement, by FeatheredTar

It’s dangerous, and I’ve thought of a few analogies to demonstrate how ridiculous this metric is for anything beyond entertainment.  Keep in mind that the figure Ponemon puts out is a simple average.  It has its purposes, but it reflects the cost per record as an AVERAGE only.  Look at the huge range in the number of records compromised per incident, and at the varying fines and penalties attached to each breach, and you will see how volatile that number actually is, and how dangerous it is to assume that an actual breach will cost you exactly that dollar amount per record.
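To show the point numerically, here is an added example (my own illustration, not data or code from the Ponemon report) using a constructed set of breaches. The breach figures are invented; the point is that the small incidents with heavy fixed costs dominate the average, so the naive average-times-records multiplication can land far from every plausible outcome for a given organization. The size-matched heuristic at the end is a hypothetical alternative for illustration, not a published method:

```python
from statistics import mean, median
import math

# Constructed breach sample for illustration only: (records exposed, total cost in USD).
# The figures are invented and are not Ponemon data.
BREACHES = [
    (1_200, 480_000),          # small clinic: fines and notification dwarf the record count
    (9_000, 900_000),
    (25_000, 1_100_000),
    (60_000, 1_800_000),
    (150_000, 2_400_000),
    (400_000, 3_600_000),
    (2_000_000, 6_000_000),    # large retailer: fixed costs spread over many records
    (15_000_000, 12_000_000),
]


def cost_per_record(breaches):
    """Per-breach cost per record: the numbers a headline average collapses into one."""
    return [cost / records for records, cost in breaches]


def headline_average(breaches):
    """The 'cost per breached record' figure as a simple mean across breaches."""
    return mean(cost_per_record(breaches))


def naive_liability(records_held, breaches):
    """The multiplication managers reach for: average cost per record x records held."""
    return records_held * headline_average(breaches)


def liability_spread(records_held, breaches):
    """Apply every observed per-record cost to the same record count.

    Returns (low, median, high) in USD, showing how wide the range hiding
    behind the single average actually is.
    """
    per_record = cost_per_record(breaches)
    return (
        records_held * min(per_record),
        records_held * median(per_record),
        records_held * max(per_record),
    )


def size_matched_estimate(records_held, breaches):
    """Estimate from the breach closest in size (compared by ratio, i.e. log distance).

    This is the 'buy the car that fits your needs' version: compare against
    incidents of comparable scale rather than the global average. Hypothetical
    heuristic for illustration only.
    """
    records, cost = min(
        breaches,
        key=lambda b: abs(math.log(b[0]) - math.log(records_held)),
    )
    return records_held * cost / records


if __name__ == "__main__":
    held = 2_000_000
    print(f"headline average: ${headline_average(BREACHES):,.2f} per record")
    print(f"naive liability for {held:,} records: ${naive_liability(held, BREACHES):,.0f}")
    low, mid, high = liability_spread(held, BREACHES)
    print(f"spread: ${low:,.0f} .. ${mid:,.0f} (median) .. ${high:,.0f}")
    print(f"size-matched estimate: ${size_matched_estimate(held, BREACHES):,.0f}")
```

With this sample the headline average works out to about $75 per record, driven almost entirely by the 1,200-record clinic at $400 per record, while the median is $23. For an organization holding two million records the naive multiplication gives roughly $150M, the observed per-record costs span $1.6M to $800M, and the only comparably sized breach in the sample cost $6M. Whatever the real distribution looks like, a single multiplier cannot carry that much variance.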

Here are a few metrics I have created (conceptually, of course; I don’t have the time or data to actually run the analysis) that are similar in value and construction to the cost-per-record metric:

  • Average cost or settlement of a lawsuit
  • Average personal tax refund
  • Average cost of a house, globally, normalized to any one currency
  • Average cost of a meal at a restaurant
  • Average cost of a car

While the metrics above are interesting conversation starters at best, they are hardly a basis on which someone should make a financial decision.  You would never automatically decide that you must spend $35,000 on a car.  Instead, you would look at what your transportation needs are, choose an appropriate car (which may be priced differently depending on where you live), and then buy the vehicle.  You may spend as little as $5,000, or upwards of $100,000, depending on your perceived need.

As with buying a car, budgeting for information security cannot be treated as a universal dollar amount applied to all areas of the enterprise by multiplying the cost per record breached by the number of records at risk.  The report is a useful read if used for the purposes I stated earlier, but if I were to distribute it, I would put big red flags all over the cost-per-record metric to try to prevent someone from making a financial decision based on it.

This post originally appeared on