Verizon, Ponemon differ on best way to measure data breach costs


By Jaiku­mar Vijayan, Third­Cer­tain­ty

Busi­ness­es typ­i­cal­ly have a hard time quan­ti­fy­ing poten­tial loss­es from a data breach because of the myr­i­ad fac­tors that need to be con­sid­ered when doing the math.

A recent dis­agree­ment between Ver­i­zon and the Ponemon Insti­tute about the best approach to take for esti­mat­ing breach loss­es could make that job a lit­tle hard­er.

Long-used met­ric

For some time, Ponemon has used a cost-per-record mea­sure to help com­pa­nies and insur­ers get an idea of how much a breach could poten­tial­ly cost them. Its esti­mates are wide­ly used with­in the indus­try, and the com­pa­ny says that many insur­ers use them for esti­mat­ing poten­tial breach loss­es.

The insti­tute recent­ly released its lat­est num­bers show­ing that the aver­age cost of a data breach has risen from $3.5 mil­lion in 2014 to $3.8 mil­lion this year, with the aver­age cost per lost or stolen record going from $145 to $154.

The report, spon­sored by IBM, showed that per-record costs have jumped dra­mat­i­cal­ly in the retail indus­try, from $105 last year to $165 this year. The cost was high­est in the health care indus­try, at $363 per com­pro­mised record. Ponemon has released sim­i­lar esti­mates for the past 10 years.

But accord­ing to Ver­i­zon, orga­ni­za­tions try­ing to esti­mate the poten­tial cost of a data breach should avoid using a pure cost-per-record mea­sure when doing the math.


Third­Cer­tain­ty spoke with rep­re­sen­ta­tives of both Ver­i­zon and Ponemon to hear why they think their meth­ods are best.

Verizon’s Jay Jacobs

Ponemon’s mea­sure does not work very well with data breach­es involv­ing tens of mil­lions of records, said Jay Jacobs, Ver­i­zon data sci­en­tist and an author of the company’s lat­est Data Breach Inves­ti­ga­tions Report (DBIR).

Jacobs says that when Ver­i­zon applied the cost-per-record mod­el to breach-loss data obtained from 191 insur­ance claims, the num­bers it got were very dif­fer­ent from those released by Ponemon. Instead of hun­dreds of dol­lars per com­pro­mised record, Jacobs said, his math turned up an aver­age of 58 cents per record.

Why the dif­fer­ence? With a cost-per-record mea­sure, the method is to divide the sum of all loss­es stem­ming from a breach by the total num­ber of records lost. The issue with this approach, Jacobs said, is that cost per record typ­i­cal­ly tends to be high­er with small breach­es, and drops as the size of the breach increas­es.

Breach costs rise with the num­ber of records that are com­pro­mised. Gen­er­al­ly, the more records a com­pa­ny los­es, the more it’s like­ly to pay in asso­ci­at­ed mit­i­ga­tion costs. But the cost per record itself tends to come down as the breach size increas­es, because of economies of scale, he said.

Many per-record costs associated with a breach, such as notification and credit monitoring, drop sharply as the volume of records increases. When costs are averaged across millions of records, per-record costs fall dramatically, Jacobs said. For massive breaches in the range of 100 million records, the cost can drop to pennies per record, compared with the hundreds and even thousands of dollars that companies can end up paying per record for small breaches.

“That’s simply how averages work,” Jacobs said. “With the megabreaches, you get efficiencies of scale, where the victim is getting much better prices on mass-mailing notifications,” and most other contributing costs, he said.

Ponemon’s report does not reflect this because its esti­mates are only for breach­es involv­ing 100,000 records or less, Jacobs said. The esti­mates also include hard-to-mea­sure costs, such as those of down­time and brand dam­age, that don’t show up in insur­ance claims data, he said. The rea­son Ponemon’s per-record costs don’t drop is because it only con­sid­ers breach­es that are 100,000 records or less, Jacobs said. When big breach­es are fac­tored in, the aver­ages will be low­ered, as well.

An alternate method is to apply a more statistical approach to available data to develop estimated average loss ranges for different-size breaches, Jacobs said.

While breach costs increase with the number of records lost, not all increases are the same. Several factors can cause costs to vary, such as how robust a company's incident response plans, pre-negotiated contracts for customer notification, and credit monitoring are, Jacobs said. Companies might want to develop a model that captures these variances in costs in the most complete picture possible and to express potential losses as an expected range rather than a per-record number.

Using this approach on the insurance data, Verizon has developed a model that, for example, lets it say with 95 percent confidence that the average loss for a breach of 1,000 records is forecast to come in at between $52,000 and $87,000, with an expected cost of $67,480. Similarly, the expected cost for a breach involving 100 records is $25,450, but average costs could range from $18,120 to $35,730.

Jacobs said this mod­el is not per­fect­ly accu­rate because of the many fac­tors that affect breach costs. As the num­ber of records breached increas­es, the over­all accu­ra­cy of the pre­dic­tions begins to decrease, he said. Even so, the approach is more sci­en­tif­ic than aver­ag­ing costs and arriv­ing at per-record esti­mates, he said.
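The gap between the two methods can be reproduced from the figures quoted above. The following Python sketch is an added example, not Verizon's or Ponemon's model: it fits a log-log curve through the two expected losses quoted in the article, compares it with a flat $154-per-record estimate, and uses constructed breach sizes (losses extrapolated from that curve, an assumption) to show how dividing total losses by total records pulls the average down.

```python
import math

# Figures quoted in the article.
VERIZON_EXPECTED = {100: 25_450, 1_000: 67_480}   # records -> expected loss ($)
PONEMON_PER_RECORD = 154                          # average $ per record

def fit_log_log(points):
    """Least-squares fit of log10(cost) = a + b * log10(records)."""
    xs = [math.log10(r) for r in points]
    ys = [math.log10(c) for c in points.values()]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    b = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
         / sum((x - mx) ** 2 for x in xs))
    return my - b * mx, b

def curve_cost(records, a, b):
    """Total loss predicted by the fitted curve."""
    return 10 ** (a + b * math.log10(records))

def flat_cost(records, per_record=PONEMON_PER_RECORD):
    """Total loss under a pure cost-per-record estimate."""
    return records * per_record

def pooled_per_record(breaches):
    """Sum of all losses divided by sum of all records lost."""
    return sum(c for _, c in breaches) / sum(r for r, _ in breaches)

def mean_per_record(breaches):
    """Average of each breach's own cost per record."""
    return sum(c / r for r, c in breaches) / len(breaches)

A, B = fit_log_log(VERIZON_EXPECTED)

# Constructed sample: sizes chosen for illustration, losses extrapolated
# from the two-point curve (an assumption, not Verizon's published data).
SAMPLE = [(n, curve_cost(n, A, B)) for n in (100, 1_000, 10_000, 1_000_000)]

if __name__ == "__main__":
    print(f"exponent b = {B:.3f} (b < 1: per-record cost falls with size)")
    for n, cost in SAMPLE:
        print(f"{n:>9,} records: curve ${cost:>12,.0f} "
              f"(${cost / n:,.2f}/record)  flat ${flat_cost(n):>12,}")
    print(f"pooled $/record:             {pooled_per_record(SAMPLE):,.2f}")
    print(f"mean of per-breach $/record: {mean_per_record(SAMPLE):,.2f}")
```

The single largest breach dominates the pooled figure, which is why one sample can yield both a per-record cost in the hundreds of dollars and one near a dollar, depending on how the average is taken.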

Ponemon’s Lar­ry Ponemon

Lar­ry Ponemon, chair­man and founder of the Ponemon Insti­tute, stands by his method­ol­o­gy and said the esti­mates are a fair rep­re­sen­ta­tion of the eco­nom­ic impact of a breach.

Ponemon’s esti­mates are based on actu­al data col­lect­ed from indi­vid­ual com­pa­nies that have suf­fered data breach­es, he said. It con­sid­ers all costs that com­pa­nies can incur when they suf­fer a data breach and includes esti­mates from more than 180 cost cat­e­gories in total.

By con­trast, the Ver­i­zon mod­el looks only at the direct costs of a data breach col­lect­ed from a rel­a­tive­ly small sam­ple of 191 insur­ance claims, Ponemon said. Such claims often pro­vide an incom­plete pic­ture of the true costs incurred by a com­pa­ny in a data breach. Often, the claim lim­its also are small­er than the actu­al dam­ages suf­fered by an orga­ni­za­tion, he said.

“In general, the use of claims data as surrogate for breach costs is a huge problem, because it underestimates the true costs” significantly, Ponemon said.

Verizon’s use of log­a­rith­mic regres­sion to arrive at the esti­mates also is prob­lem­at­ic because of the small data size and the fact the data was not derived from a sci­en­tif­ic sam­ple, he said.

Ponemon said the costs of a data breach are lin­ear­ly relat­ed to the size of the breach. Per-record costs come down as the num­ber of records increas­es, but not to the extent por­trayed by Verizon’s esti­mates, he said.

“I have met several insurance companies that are using our data to underwrite risk,” he said.
