I have not seen anything but gross estimates and would like to see an article on the real costs of a hacking incident. Specifically, I have seen estimates on the manpower to clean and reinstall, restore a database and worker downtime, but what does Yahoo, or eBay or other bank/financial/health institutions have to say about loss of reputation? How many customers didn't come back because of news of lost credit card numbers? How many trading partners went elsewhere? How many auction bidders stopped bidding? Is there any hard research, post-incident (obviously made public), about a company's performance and the cost to reputation, cost of fines, cost of lost business, cost of replacing credit cards, etc.?
This is an EXCELLENT question. Sadly, there just isn't an answer. I have never seen a real study done on this, and I have looked repeatedly over the years. I think the data is so hard to come by because companies don't want to collect it. First, the data is tough to get, because you'd have to interview customers, a costly process. Also, just collecting the data may taint the data, in a Heisenberg Uncertainty Principle sort of way. Think about it: Who wants to interview a customer about security breach attitudes when the interview itself might remind the customer that he or she doesn't want to do business with you? Also, and perhaps most importantly, if it's a major loss, public companies are required to report it to regulators and shareholders. That's not a good thing for management to be held responsible for. So, by not quantifying the real costs, everyone on the inside is far happier. Sad, but true. For more information on calculating damages (except the reputational impact you discuss), check out Dave Dittrich's paper.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Gaining management support for security
Executive Security Briefing: Selling security to upper management
Best Web Links: Security Management