Companies that spend little on security workers and technologies may not be acting irresponsibly, but making rational choices, because the cost of the average cyber-security incident is much less than previously estimated, according to research released this week by the RAND Corp.
The analysis found that the average incident costs companies about $200,000, much less than $1.0 million—the average cost of a cyber-criminal event as estimated using data from the annual Cost of Cybercrime report conducted by the Ponemon Institute.
Those losses only amount to 0.4 percent of annual revenues, costing companies far less than the annual costs of retail shrinkage at 1.3 percent and online fraud at 0.9 percent, Sasha Romanosky, a policy researcher with RAND and the author of a paper on the analysis, told eWEEK.
"That is telling and it's important, because if the losses were really high, then that would be a strong incentive for the company to adopt more security and improve their practices," he said.
The data for the analysis was provided by for-profit insurance information firm Advisen, which collects data on a variety of incidents and their eventual insurance payouts. Romanosky analyzed 12,000 cyber-security incidents over a decade.
But despite this report's findings, some large enterprises are getting hit with painfully big losses that show why some companies need to invest in strong cyber-security measures.
Target's 2013 breach involving the credit-card and personal information of 70 million customers cost the company at least $291 million as of May, damages that eventually may exceed $370 million. On Sept. 22, Yahoo acknowledged that attackers may have made off with the log-in credentials of some 500 million customers.
While large breaches make headlines, the vast majority of cyber-crime incidents are much smaller and cost far less. How much is still a large question mark. Researchers and statisticians have trouble quantifying the damage.
The averages vary from a median of $200,000 per incident for Romanosky's analysis to an annual total of $5.5 million in the Ponemon Institute report and a stunning $150 million as calculated by Deloitte & Touche in a recent paper seeking to take into account more "soft" costs, such as increases to insurance premiums, costs of operational disruptions, lost customers, loss of intellectual property and the loss of brand value.
Such soft costs are hard to quantify, however, so Romanosky used only documented costs, he said.
"We cannot deal with reputation and brand; we don't look at stock market price and revenue," he said. "We are not measuring any externalities or any chilling effects that may occur. We are trying to stay focused on the firm stuff."
In addition to the hard-to-quantify costs, the difference between the cost estimates of the Ponemon Institute and the Advisen data set could arise from differences in data sets. The median company in the Ponemon data set is between 5,000 and 10,000 employees.
Yet, without massive and widespread losses, companies will likely continue to make security investments a lower priority, Romanosky said.
"They will keep doing what they are doing, unless something big happens," he said. "You have to really suffer a personal loss and then feel the impact and feel personal change to change your behavior."