In Defensive Security 172, Jerry and Andrew discuss a paper from the Oxford Press’ Journal of Cyber Security (http://cybersecurity.oxfordjournals.org/content/early/2016/08/08/cybsec.tyw001). This paper “seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.” Unfortunately, the hosts focus their conversation on the average cost of a breach, a number that comes up short for several reasons.
Immediately, what constitutes a breach in that case? The paper defines its dataset as “12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes”. The stats cited in the podcast, though, came from the section on data breaches, and this distinction doesn’t come through in the discussion, leaving the listener thinking about Yahoo! and Sony and SWIFT and Ukraine SCADA attacks and not about that time someone in HR lost their laptop or accidentally threw away a recall roster instead of shredding it.
When computing its stats on data breaches, the paper defines a data breach as “The unintentional disclosure of personally identifiable information (PII) stemming from loss or theft of digital or printed information.” This is still quite a broad category. It’s like asking for the average price of food, then scanning every item in the grocery store to get a total cost and dividing by the number of items scanned. There are just too many variables for that to be a useful measure, at least on its own.
And while the average cost isn’t the main point of the paper, it is what the podcast discussion focused on, as happens all too often. So what do we do with this number? I would suggest that breaches are much like car crashes: the majority are small and not that costly, but the big ones put the entire value of the car at risk, so you must prepare for the bad ones even though the smaller incidents are more frequent. That starts with understanding what you have that’s at risk. Who would want to take what from you?
The hosts brought up that the average breach costs 0.4% of annual budget, and then the red herring that this is the same as the average company spends on security. One of the hosts asked something like “many of you are thinking why don’t we just cut the security budget and spend it on the breach recovery”. Only if those many don’t have a basic understanding of cause and effect. What would be interesting to study is the impact of spending more or less on the rate and severity of breaches. If you spend X fewer dollars, how many more breaches do you have, and how does the cost of each of those change? That’s what a business leader needs to figure out to determine how to appropriately spend money. Andrew does point out that spend doesn’t always translate to security. It’s easy to throw money away and not get a return. Things like culture and investing in people in the right way are certainly the ideal variables here, but they’re also much harder to measure.
Overall this research is interesting. But we need to resist the temptation to sit back and just look at numbers like the average cost of a breach, because they don’t actually tell us as much as it feels like they should. This is not to pick on Andrew and Jerry, but rather to point out a discussion that has drifted away from being useful, in a manner that happens all too frequently. And in a world where security is still trying to find its way into the boardroom conversation, it’s important to focus that conversation on useful measures.