On the cost of data breaches

Author: Andrés Rieznik
Senior Researcher

Understanding the true cost of a data breach is a complex and multifactorial problem. The difference in estimations made by different research groups is extremely significant.

Understanding the true cost of cyber-attacks is crucial in deciding investment levels in information security activities. For small businesses, a data breach can be a death sentence: according to the "Data Breach Digest 2018: Studies in cyber crime" by Verizon, 60% of small businesses shut down within 6 months of suffering a major breach (this number has not been updated in the latest version of the Verizon report). More generally, is there a method to estimate the average cost of a data breach?

The Cost of a Data Breach Report, by Ponemon and IBM, has become one of the leading benchmark reports in the cybersecurity industry. According to the 2021 report, data breach costs rose from $3.86 million to $4.24 million in the last year. However, these numbers have been challenged by the researcher Sasha Romanosky in the Journal of Cybersecurity, by Oxford Academic. His work, titled "Examining the costs and causes of cyber incidents," based on data from Advisen Company, estimates a much lower average cost of $200,000.

This enormous difference in the estimated cost of a data breach is given by the fact that these studies are based on private and anonymous data, difficult to evaluate and compare:

The report by Ponemon studied 537 real breaches across 17 countries and regions and 17 different industries. They do so in the course of nearly 3,500 interviews, asking dozens of questions to determine what organizations spent on activities for the discovery of and the immediate response to the data breach. Interviewees included IT, compliance, and information security practitioners who are knowledgeable about their organization's data breach and the costs associated with resolving the breach. To preserve confidentiality, company-specific information was not captured. Participants were instructed to mark a number line in one spot between the lower and upper limits of a range for each cost category.

On the other hand, the study by Sasha Romanosky "acquired a dataset of cyber incidents from Advisen, a US-based, for-profit organization that collects, integrates and resells loss and incident data to the commercial insurance industry regarding many different forms of corporate loss. In order to compile the cyber loss database, Advisen employs a dedicated team of analysts who use a comprehensive set of search strategies in order to find and classify publicly available information regarding cyber events."

It is difficult to draw any conclusion on the origin of the enormous difference between both estimates based on the information the authors provide about their data collection method. This shows the difficulty of obtaining a simple formula to estimate the cost of a data breach for any company.

There is, however, an interesting and more transparent method to estimate a lower bound for the cost of a data breach affecting, not any, but at least public companies: to evaluate the impact on market valuation of a company after the breach. To the best of our knowledge, three recent studies use this approach. This method does not consider the cost of detection and escalation activities that enable a company to reasonably detect the breach or the cost of activities that enable the company to notify data subjects, data protection regulators, and other third parties. It also does not include the cost of activities to help victims of a breach communicate with the company and redress activities to victims and regulators or the cost of reimbursing customers for damages. But it gives a transparent lower bound for the cost of a cyber incident.

The three studies analyze the impact on market evaluation in the days immediately following a breach. They are:

These studies use event-related methodology: the basic idea is to find the abnormal return attributable to the data breach being studied by comparing the performance of the breached company stock with the market as a whole for the same time period and calculating the difference in performance between them. Of course, this methodology has its limitations since it is impossible to know what the value a company would have been if it did not suffer a data breach. But they give a first approximation to the problem, and since these three studies were performed by independent groups, a convergence in the results would strengthen their conclusions.

So, do these studies share the same general conclusion?

Generally speaking, yes. They show the same general trends and order of magnitude for the abnormal return in the days following a data breach.

Details aside, the most interesting conclusion of the first study for this article is that they found negative market returns occurring on the 20 days after the announcement of the breach: they calculated an abnormal return of -1.19%. Given the sizes of the assessed companies, this number translates into hundreds of millions of dollars. The second study, on the other hand, found a similar value of -2.53%.

At last, the third study found, among other things, that:

  1. In the six months leading up to a breach, the average share price grew +2.6%, compared to -3.0% following a breach.
  2. In the long term, breached companies underperformed the market. After 1 year, the share price fell -8.6% on average and underperformed the NASDAQ by -8.6%. After 2 years, the average share price fell -11.3% and underperformed the NASDAQ by -11.9%. And after three years, the average share price is down by -15.6% and down against the NASDAQ by -15.6%.

We emphasize that these results may not hold in the long run, and in fact, some literature suggests that most public companies bounce back to what would be their normal value. Although this conclusion may be challenged, since the counterfactual is difficult if not impossible to calculate, it is irrelevant here since the enormous amount of money lost during so many days has negative consequences for the companies.

These estimations of the cost of a data breach affecting public companies are interesting from the point of view of Bittrap's business model because it is a clear example of what we have been saying about the singular economics of hackers, namely, that there is a large gap between what a hacker monetizes from an attack and the cost to the company of that attack.

For example, the attack Twitter suffered in July 2020. Several popular Twitter accounts had been compromised, including Bill Gates, Kanye West, Joe Biden, Barack Obama, and companies like Apple Inc. These accounts began posting similar messages requesting money (Bitcoin) to be sent to a bitcoin account. These messages were taken down shortly after, but it is easy to calculate how much money the wallet used to receive the funds collected, and it was about $120k. At the same time, Twitter lost 3.25% of its market value (about $900 million). The difference between the hacker's return and the company's cost is 7500x!

One aspect that none of the studies we cited tackle is the fact that, once a company has been attacked and has done threat hunting (identifying the vulnerability exploited) and neutralized the attack vector, it can then learn from the experience and improve its security posture. The company is now aware of a vulnerability it did not know it had, which could have resulted in more damage than the one it caused. This new knowledge has value. Minimizing the cost of acquiring this knowledge is what BitTrap's radical new approach makes possible.

In conclusion, understanding the true cost of a data breach is a complex and multifactorial problem. When the attacked company is a public company, some lower bound can be estimated from its abnormal return after the breach. However, even this methodology has severe limitations given that it is based on counterfactuals impossible to know. In general, when the companies are not public, the difference in estimations made by different research groups is so significant that it becomes extremely difficult to draw any conclusion. The solution for deciding investment levels in information security activities seems to be that each CISO and information security practitioner that is knowledgeable about their organization should perform a deep analysis of its structure and business model to make an informed and reasonable decision. There are no proven algorithms that can give a complete answer to this question.

Contact us