This is an EXCELLENT question. Sadly, there just isn't an answer. I have never seen a real study done on this, and I have looked repeatedly over the years. I think the data is so hard to come by because companies don't want to collect it. First, the data is tough to get, because you'd have to interview customers, a costly process. Also, just collecting the data may taint the data, in a Heisenberg Uncertainty Principle sort of way. Think about it: Who wants to interview a customer about security breach attitudes when the interview itself might remind the customer that he or she doesn't want to do business with you? Also, and perhaps most importantly, if it's a major loss, public companies are required to report it to regulators and shareholders. That's not a good thing for management to be held responsible for. So, by not quantifying the real costs, everyone on the inside is far happier. Sad, but true. For more information on calculating damages (except the reputational impact you discuss), check out Dave Dittrich's paper.
This was first published in December 2002