Verizon has looked to redefine how we should look at the cost of breaches, going beyond estimates based solely on the number of records stolen, and has come up with ranges of loss with varying degrees of certainty.
In its 2015 Data Breach Investigations Report, Verizon said the current estimate of $201 per stolen record is derived by dividing the sum of all loss estimates by the total number of records lost. But by applying that same average cost-per-record approach to new loss claims data, Verizon got a very different amount per record: 58 cents.
Part of the major difference is that the old approach, based on the number of records lost, excluded breaches of more than 100,000 records, because the $201-per-record figure from the Ponemon Institute was never meant to be applied to breaches of that size. But when larger breaches are included, it is clear that the average cost per record for smaller breaches is much higher than for larger ones. The more records taken in a breach, the less each record costs, down to a penny in the most extreme cases.
Verizon said it turned to new data provided by NetDiligence and extracted 191 insurance claims involving the loss of payment cards, personal information and personal medical records.
Continuing with this data, Verizon found that the “$0.58 and $201 cost-per-record models create very poor estimators” because many more factors contribute to the cost of a breach, including the use of incident-response plans, lawyers and so on. “Records tell us only half the story when it comes to impact,” Verizon said. But this information isn’t in the claims data, so the rest is speculation; estimates of loss from a breach must therefore be stated as a range, and the uncertainty grows as the breach gets larger.
Verizon’s chart expressing the growing uncertainty as a breach gets larger resembles the cone of uncertainty hurricane modelers use when predicting a storm’s landfall as it spins in the Atlantic Ocean.
With 95 percent confidence, Verizon can say the estimated average loss for a breach of 1,000 records is between $52,000 and $87,000. The range widens the larger the breach gets.
For example, a breach involving 10 million records has an average forecasted loss of between about $2.1 million and about $5.2 million.
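To make the article's point concrete, here is an added example (not from the Verizon DBIR or its authors) showing why a flat cost-per-record figure is a poor loss estimator and why including large breaches drags the pooled figure down. The claims list is constructed data shaped like the relationship the article describes, with per-record cost falling as breach size grows; it is not real claims data, and the log-log fit is a stand-in for whatever model Verizon actually used.

```python
"""Flat cost-per-record versus a size-dependent loss model (added example)."""
import math

# Constructed insurance-claim records: (records exposed, total loss in USD).
# Not real claims data; chosen so cost per record falls as breaches grow.
CLAIMS = [
    (500, 45_000), (1_000, 60_000), (5_000, 150_000), (20_000, 300_000),
    (100_000, 700_000), (1_000_000, 1_800_000),
    (10_000_000, 3_500_000), (50_000_000, 6_000_000),
]


def pooled_cost_per_record(claims):
    """Sum of all losses divided by total records: the approach the article
    says yields $0.58 once breaches above 100,000 records are included."""
    return sum(loss for _, loss in claims) / sum(rec for rec, _ in claims)


def mean_cost_per_record(claims):
    """Average of each claim's own cost per record; small breaches dominate,
    which is why such figures come out far higher than the pooled number."""
    return sum(loss / rec for rec, loss in claims) / len(claims)


def fit_loglog(claims):
    """Least-squares line through (log10 records, log10 loss). A slope below 1
    means cost per record declines as the breach grows. Returns (intercept, slope)."""
    xs = [math.log10(r) for r, _ in claims]
    ys = [math.log10(l) for _, l in claims]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx
    return my - slope * mx, slope


def predict_loss(model, records):
    """Point estimate of loss for a breach of the given size under the log-log fit."""
    intercept, slope = model
    return 10 ** (intercept + slope * math.log10(records))


def mean_log_error(claims, predict):
    """Mean |log10(predicted) - log10(actual)| over the claims; 1.0 means the
    estimate is off by a factor of ten on average."""
    return sum(abs(math.log10(predict(r)) - math.log10(l)) for r, l in claims) / len(claims)


if __name__ == "__main__":
    model = fit_loglog(CLAIMS)
    for name, rate in (("pooled", pooled_cost_per_record(CLAIMS)), ("mean", mean_cost_per_record(CLAIMS))):
        print(f"{name} cost/record ${rate:.2f}: error {mean_log_error(CLAIMS, lambda r: rate * r):.2f}")
    print(f"log-log model error {mean_log_error(CLAIMS, lambda r: predict_loss(model, r)):.2f}")
```

Restricting the pooled figure to claims of 100,000 records or fewer raises it by a factor of roughly fifty on this constructed data, which is the effect the article attributes to the old $201 figure excluding large breaches.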
Does the manner of a loss matter? In other words, does the cost of a breach increase if it is carried out by an insider, for instance? What about a lost device? None of it seemed to affect the loss calculations. Larger organizations have higher losses per breach, but they also typically lose more records than small organizations, regardless of the technical aspects of the breach.
Verizon recommends that technical efforts focus on minimizing or preventing compromised records.
Therefore, Verizon concluded, record count is not all that matters in calculating losses from a data breach, but the counts are “all that seems to matter among the data points we have at our disposal.”
“What we’ve learned here is that while we can create a better model than cost per records, it could be improved by collecting more and different data, rather than specifics about the breach.”