Misconceptions about data breach costs and the ripple effects of those breaches can have far-reaching impacts. To clarify these misconceptions, two security researchers set out to determine the more common falsehoods about the cost of breaches and find more accurate cost metrics.
David Severski and Wade Baker, senior data security scientist and co-founder, respectively, at research and data science firm Cyentia Institute, found that assumptions about average costs per record in data breaches are often flawed and that more publicly available data can help organizations make better, data-driven security decisions.
By studying publicly available breach data, the team also discovered that assumptions about third-party contractors being the weak links in a supply chain overshadowed the significant impact a breach at a larger organization can have on those same contractors and suppliers. These ripple events -- defined by Severski and Baker as "direct or indirect losses incurred by parties beyond the central victim organization in a cyberincident" -- mean data breaches with multiple affected parties can cost up to 13 times more than if only the original victim is taken into account.
Severski and Baker published their findings on the cost of data breaches in the Cyentia Information Risk Insights Study (IRIS 20/20) and the ripple effects of breaches in Ripples Across the Risk Surface (in collaboration with automated risk assessment firm RiskRecon). They discussed the topic at Black Hat 2020.
Editor's note: This interview was edited for length and clarity.
What are some of the biggest misconceptions about data breach costs?
David Severski: We are now in an era where we have access to information that can help us make data-driven decisions about the size of data breach losses. We can show what these losses are for breaches over time, and we can validate or disprove some commonly held metrics for estimating the size of losses. These metrics, which are commonly used, have grave ramifications for how policymakers and decision-makers orient their risk programs.
Wade Baker: Some of the stuff that starts getting traction and mind share is either flat-out wrong data, absurd or a complete myth. It's just kind of crazy.
There's this 'fact' -- I'm putting the word 'fact' in air quotes -- that has been going around for years that 60% of small businesses fail following a security breach. I've seen this repeated in various articles, but there is no basis for it. The National Cyber Security Alliance has been attributed as [the origin] but [it] put out a statement saying, 'It's not from us.'
Severski: Another report earlier this year looked at about 115 cloud-related security breaches and led with the headline that they resulted in $5 trillion in losses. But, when you start thinking about it, you realize $5 trillion is 25% of the [gross domestic product] of the U.S.
Where does that number come from? This particular report took 33 or some odd billion records potentially exposed in these breaches and multiplied that by a commonly held metric, which is a static cost of $150 per record.
That cost per record is just flat-out not correct. It was a decent enough starting place given the lack of information we had years ago, but we have access to much better information now, whether it's through a scientific partner or public breach records.
What would be a better estimate based on your research?
Severski: If you want to give a better estimate, the typical publicly disclosed breach costs about $200,000. You have really large events that have large costs, and then you have an event where a small number of records may be exposed or a large number of records with a very small total cost. Using one metric against all these different losses is just not appropriate.
When we say a metric of about $200,000 [is the cost of] a typical breach, that's across the entire population of organizations. But, for a Fortune 1000 company, the cost tends to be around $400,000 to $500,000. Those costs are certainly real, and they should not be dismissed. But, for an organization whose revenues are measured in billions, that is not materially significant.
Conversely, if you look at the small and midsize businesses where annual revenues are $100,000 per year and they experience a $200,000 breach, that is significant.
Breach costs are not evenly felt by all sectors of the economy, which has implications on policy when you're looking at this from a regulatory perspective and you're trying to consider: How much should I worry about disclosure of information, whether that be PII [personally identifiable information], PHI [protected health information] or financial information?
Is it better to account for the size of an enterprise or the type of data in a breach?
Baker: We saw some differences according to industry, but size was a huge differentiator when it comes to expected losses. If you look at the way many cyberinsurance policies are written, they take in industry and size, and they give back your premium or your risk assessment. We're able now to begin to understand what the real factors are, and I think that's going to have positive impacts as we seek to manage risk and set policy going forward.
Why do you think the ripple effects of a breach on an organization's third-party contractors or suppliers haven't been covered in other reports?
Severski: It is hard to get information on this. There's no unified reporting for these types of things. This is one of the things we talk about, this need to shift from a punitive model of breach disclosure -- where you have to respond, and you're potentially fined, and you get the bad press, etc. -- to more of a proactive, beneficial model where [an organization says], 'We are responding to this, and we are sharing what we learned about these breaches to help other organizations respond in the future.' We can get a much better data source.
Baker: The spotlight is on the central organization that experiences the breach. Those wider ripples aren't really brought to light, and companies impacted by them may not want to be exposed.
Our research shows a difference between organizations that tend to generate these ripple events and organizations that tend to receive them. The central organizations in these ripple events are large enterprises, and the receivers tend to be SMBs -- those are the suppliers.
The way we do security and set security policies when it comes to third parties is [from the perspective of a] central organization trying to protect itself from those suppliers. If we can change our understanding to the fact that [large organizations] can impact suppliers, maybe there can be a more collective 'we're in this together' mentality.