by Simone Kaplan

Criteria for Determining the Cost of a Breach

Dec 09, 2002

Data and Information Security, ROI and Metrics

A checklist of considerations for calculating the true cost of an information security breach

1. System downtime. What systems were out of commission and for how long?

2. People downtime. Who was unable to work, and how long were they unproductive?

3. Hardware and software. How much did it cost to replace servers, hard drives, software programs and so on?

4. Consulting fees. If you needed extra firepower while fighting an attack or for a postmortem analysis, how much did you spend on fees and other expenses?

5. Money. How much were the salaries for people affected by the breach? Consider overtime pay or trades that couldn’t be made during downtime.

6. Cost of information. What was the value of the information (employee, shareholder, customer) that was stolen or corrupted? How much did retrieving the information cost?

7. Cost of lost business. Did clients take their business elsewhere? Were there opportunity costs (lost contracts or business deals) due to systems being compromised?

8. Incidentals. How much did you spend on food, lodging and transportation for the people working to fight the breach? Were there additional facilities costs, such as power usage and electricity?

9. Legal costs. What were potential and actual costs of litigating and investigating the incident?

10. Cost to your company’s reputation. Did you spend money on a PR campaign to control the damage?