Can You Calculate the Cost of a Security Breach?

Most CIOs/CISOs today have moved well past the struggle of convincing management of the need for IT security. Management, for its part, has also woken up to a better understanding of the regulatory mandates and reputational risks involved, as opposed to seeing IT security as a simple technical mandate.

However, that still does not let the CIO/CISO off the hook when it comes to justifying the spend and convincing management of the ROI. Yes, even IT security budgets need to be accounted for.

But this mechanism for ROI analysis may not be so bad after all: it would not only make the CIO's life easier vis-a-vis management but also help keep a constant eye on the financial damage that each security breach incident brings along.

The first step towards calculating the ROI on security is to understand how much a security incident can cost an organization. However, this is easier said than done. Many a CIO hits a roadblock here, as they tend to over-simplify the damage by calculating only the face value of the data or information lost, thereby overlooking the quantifiable loss from some of the finer nuances of the damage done and drawing a wrong picture of the actual impact.

Getting the calculation as close to accurate as possible holds the key. Skimming just the surface of the damage will take you nowhere near the right figure. The onus lies on correctly quantifying the impact on all possible elements of the business, including those that CIOs don't attach much significance to or consider non-quantifiable. The right raw material yields the right end product.

This ranges from the cost of the professional services required to investigate and attend to the crisis, right up to the cost of a lost customer, and covers everything in between.

If you thought that you and your team alone would conquer a data breach incident, you are wrong. In most cases it requires outside professional help to attend to the crisis: IT security and risk management consultants, lawyers, auditors, and so on. Enlisting their services comes at a price. At the other end, the cost of a lost customer is not only the business you lose from that customer but also the hundreds of other potential customers that the dissatisfied customer will influence.

Between the cost of professional services and the cost of a lost customer lies territory that is rarely quantified. Here are some of the elements in this category that need to be assessed financially and factored into the overall calculation:

Cost of professional services
Disruption to business owing to downtime
Potential business opportunities lost
Loss of access to business-critical information
Loss of credibility and damage to reputation
Loss due to regulatory and compliance issues
Additional cost related to mitigating the consequences of an incident and preventing such incidents in the future
Damage to credit rating
Losing customers

This list is not exhaustive, but I have tried to cover all the key ones. The figure derived by adding up all these elements can be pitched as the closest possible total cost of a security breach incident.

Calculating the loss is no easy business for a CIO. But it pays off by allowing the CIO to go to the CEO and CFO with numbers, which is what they ultimately understand, rather than vague descriptions.

Talking of numbers, I leave you with a few. These are excerpts from a recent global survey conducted by Kaspersky Lab and B2B International.

In 60% of cases, data leaks caused significant disruption to business operations.

53% of incidents resulted in significant damage to the affected company's reputation.

In 29% of all cases, an incident resulted in the loss of important business contacts and missed business opportunities.
