In Depth

It's Not Easy Being Breached: Calculating the Cost of a Cybersecurity Breach

Surviving an information security incident is just the beginning. Then you need to figure out what it really cost.

By Simone Kaplan

Page 2

While circling the wagons is understandable, it's also counterproductive for the industry as a whole. "The bottom line is that CSOs are doing a pitiful job of tracking breach costs," says Michael Erbschloe, associate senior research analyst at Computer Economics, an IT investment consultancy. "They don't want to go public with the costs or even talk about it internally. The rationale is that, if CSOs don't know the numbers, no one else will either, which cuts down on the likelihood that their company's reputation or stock price will take a hit." But he cautions, "CSOs need to wake up. Start sharing data, or we'll all be more vulnerable than we'd like.

"Every breach is different, and costs will vary from incident to incident. That's why it's incumbent upon the CSO to have an incident-response plan in place prior to a breach."

Creating a methodology for quantifying as many costs associated with a breach as possible is essential. Start by determining the value of your information and assets so that you can more easily find out what you lost. Break the incident down into every conceivable category because, inevitably, it has all been affected.

Hard costs, such as replacing servers or paying overtime, are easy to track. The real difficulty lies in quantifying nonattributable costs: the loss of customer trust or business. "Do more than simply calculate your physical losses," says Craig Goldberg, president of Internet Trading Technologies. "Look at what was lost in terms of customer, shareholder and employee information. What was the cost of lost business?" And don't forget the most serious damage: a blow to your company's reputation. "It's the gray areas that are usually the most significant in terms of cost but the hardest to prove," says Goldberg.

That's why cyberinsurance is a tough area, says Rich Mogull, research director at GartnerG2 Cross-Industry Research. Companies lack the solid actuarial formulas that enable them to figure out risks over time, so they underprotect, or overprotect, themselves (see "Safety at a Premium," Page 50).

Knowing Is Half the Battle

It didn't take long for Ron Woerner, CISSP and information security officer for the Nebraska Department of Roads, to get a phone call from his ISP when an SQL Spida worm hit his department's systems in May. It found its way in via the Internet through an open SQL port that happened to have a blank administrator password, and then planted several files to help it look for other targets through which it could spread.
