Consider the following quotes:

“Average cost per record was 58¢…”

-2015 Verizon DBIR

“Over the past year, the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record.”

-Ponemon 2015 Cost of Data Breach Study

“However, even the most significant recent breaches had very little impact on the company’s stock price.”

-Why Data Breaches Don’t Hurt Stock Prices, Harvard Business Review

These three statistics each paint a widely contrasting picture of the real impact of a data breach. What do you look at to make your analysis of the impact of a breach upon your organization? The stock market has never been representative of the most rational behavior; when you look at the investors who buy up stocks based on emotions or a gut feeling while ignoring the underlying financial fundamentals. After all, the stock market is first a way to make money – the social agenda investor, while real, takes a back seat to the profit-driven investor. A quick look at the 5 year stock chart of several of the recent victims of high profile breaches serves to illustrate the point that investors will overlook certain facts, like 100MM leaked customer records, in the interest of portfolio growth.

Whether anyone can truly devise a robust cost model of a breach is, in my opinion, unlikely – there are simply too many variables for that algorithm to be accurate. What I would like to look at, and have people consider in the wake of stories about how shareholders don’t care, is how different types of costs have different levels of impact for different organizations. The goal in measuring the cost of a data breach should be to create a cost model that applies to the business you care most about: yours. That said, let’s look at some of the different types of costs businesses incur from data breaches.

The easily quantified costs: What are the areas where you know the steps taken and their concrete costs? If you are issuing payment cards today, you should have a good idea of that cost; replacement cards will require a similar investment to maintain your customers. Here are a few examples of easily quantified costs:

• Replacing credit cards
• Insurance premium increases
• Regulatory fines (if applicable)
• Direct financial losses caused by a breach (theft, fraud)
• Settlements

The more difficult costs to quantify: For these costs the difficulty lies in predicting the value of things such as product design and development or other intellectual property. Losing one year of development isn’t as easy to quantify from a cost perspective as salary costs; the market has moved, competitors have evolved. Examples of costs that are more difficult to quantify include:

• Stolen IP
• Business development plans
• Marketing strategy
• Business downtime

The most difficult costs to quantify: Try as we might, there are some data breach costs that prove extremely difficult to valuate. There are questions as to whether Ashley Madison will survive as a business given that what they purportedly selling, discretion, was so egregiously violated in their data breach. Executive turnover – a common event in the fallout from a data breach – can also be costly in terms of company strategy and leadership, yet those costs too are very difficult to put a hard number on. Among the hardest breach costs to quantify are:

• Damage to brand equity/reputation
• Replacing executive staff
• Loss of competitive advantage

Breach cost. Full stop. No asterisk. How much they cost is an answer that can only be calculated with the internal information you possess about your company, and this number may not be calculable until several years after the breach. Sorry to say, but the real world is a messy place sometimes.