In Depth
It's Not Easy Being Breached: Calculating the Cost of a Cybersecurity Breach
Surviving an information security incident is just the beginning. Then you need to figure out what it really cost.
By Simone Kaplan
"The ISP wanted to know why we were making so many SQL calls, so I got suspicious," Woerner recalls. "I asked him to block all our SQL calls to the Internet, since it's not a critical method of connection for us. Then I contacted our administrator for that particular system and confirmed that we were infected. At that point, I alerted our incident-response team, but I only put them on alert. The situation seemed under control, and we didn't want to go overboard with our response. I updated our virus scanner on the infected system, found four files associated with the worm and removed them. We rebooted the server, did a sweep so everything was clean, and made sure our switch was configured to block the SQL port from our box to the Internet to prevent reinfection."
The whole incident took two hours to handle. Since it was a relatively minor attack and Woerner had a detailed incident-response plan in place, he was able to track the breach cost easily. The worm had infected an internal server, and during the downtime necessary to contain the infection, 15 employees were unable to do work on their computers. "Average pay for those workers was $25 an hour; they were out for two hours, so I figure it cost about $750," he says.
The incident's relatively small size doesn't diminish its importance as an example of why adding up the numbers can pay off in the end. Woerner took the $750 figure to his CIO and used it to demonstrate the need for a security budget and the necessity of taking preventive, instead of defensive, action. If the password on the SQL application had been changed from the default or if the SQL port had been blocked, he points out, it would have taken only 10 minutes instead of 30 hours of work time away from the employees.
Because no data or system was seriously corrupted, Woerner had to consider only system and worker downtime, two of the most basic considerations when attempting to quantify the cost of a breach. But it can quickly get more complicated (see "Criteria for Determining the Cost of a Breach," this page).
Woerner says he could have padded the breach's cost to underline his argument to the CIO, "but if you inflate the cost, it will come back to bite you."
Legal Eagles
The industry's lack of a consistent model for calculating security losses often results in inaccurate loss estimates, "numbers that never would hold up in a court of law," says Varney, who spent years doing computer forensics with the Department of Defense and the Secret Service. "A company calls up and says, 'We've just been hacked. We've lost $1 million.' They pull a number out of the air," he says. "I ask how they got that number, and it turns out they're just guessing."