The Cost of a Near-Miss Data Breach

by Russell on October 6, 2009

Jerry escapes death, but is it cost-free?  (Image from tomandjerryonline.com)

Jerry escapes death, but is it cost-free?

If one of your security metrics is Data Breach Cost, what is the cost of a near miss incident? This seemingly simple question gets at the heart of security metrics problem.

Consider the gleeful Jerry Mouse in this cartoon. Tom the Cat has just missed in his attempt to swat Jerry and turn him into mouse meat. Is there any cost to Jerry for this near miss? Is Jerry’s cost any different than if he was running with Tom no where in sight?

By “near miss” I mean a security incident or sequence of incidents that could have resulted in a severe data breach (think TJX or Heartland), but somehow didn’t succeed. Let’s call the specific near-miss event “NM” for short. For sake of argument, let’s assume that the lack of attack success was due to dumb luck or attacker mistakes, not due to brilliant defenses or detection. Let’s say that you only discover NM long after the events took place. For simplicity let’s assume that discovering NM doesn’t result in any extraordinary costs, meaning that out-of-pocket costs are the same just before and immediately after NM. Finally, assume that your expected cost of a successful large-scale data breach is on the order of tens of millions, with the worst case being hundreds of millions of dollars.

How much does NM cost?  The realist answer is “zero”.  (Most engineers are realists, by disposition and training.)  There is a saying in street basketball that expresses the realist philosophy about losses and associated costs: “No blood, no foul”.  If you ask your accountants to pour over the spending and budget reports, they will probably agree. Case closed, right?

Not so fast….

The big problem with the realist approach is that it ignores the future and our rational expectations about future loss events. In other words, it ignores risk. It’s like the old joke about the guy who fell out of a 20-story building. As he passed the 4th floor, someone called out to him, “ARE YOU OK?”, to which he replied: “SO FAR, SO GOOD!!”. (Moments later… splat!)

We know intuitively that there is something wrong with the answer “so far, so good” when the signs of pending disaster appear.

Economists will arrive at a very different answer to account for this intuition. For economists, valuation and risk decisions are about the future, and especially about rational expectations about future cash flows and future valuations given available information. If you get significant new information that changes your expectations, then your risk and value metrics will change.

You could hardly imagine a more meaningful signal regarding risk than a near miss event. Safety engineers have known this for decades and it’s central to their practice.  (For example, see the book: Safety Management: A Qualitative Systems Approach and the web page: “Three Simple Things to Improve Process Safety Management”.)  What ever your estimation of risk before NM, it will probably go way up after NM.  Economists would argue that this increases your data breach costs, since your expectation of future cash flows has increased.

Does this economic cost of a data breach have any reality?  How could it be made tangible and meaningful for accountants and ordinary realistic managers?  Yes it can, through insurance. Imagine that your organization pays a regular insurance premium that is a probabilistic function of future data breach costs, based on all available information about likelihood and severity. (Assume either self-insurance or commercial insurance, or some combination. Assume “perfect pricing” and complete information sharing, etc.)  Forget about risk transfer. The purpose of insurance in this case is simply bringing the cost of risk into the present.

With this insurance in place, your data breach cost becomes not only the actual cash flows associated with loss events, but also the periodic insurance premiums, which would rise or fall based on risk factors and risk estimates. We are familiar with this from our experience with auto insurance, property and casualty insurance, etc.

The great advantage of this approach is that your data breach cost metrics will become a meaningful signal for management decision-making, performance management, and incentive instruments. All stakeholders will be more likely to pay attention to near misses and, hopefully, do their best to learn from them and mitigate risks.

Whether or not you buy into the details of the insurance mechanism, I hope that I have convinced you that there is a qualitative difference between “ground truth data” (in this case, historical cash flow) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.

6 comments

Of course, there are other ways of measuring or accounting for near misses. You could leave “Data Breach Costs” alone, to include only historical costs, and then set up a new metric for “Near Miss Warning Signals” or something. Either way, you would eventually have to roll these up to some sort of forward-looking metric for overall security.

As a side note, I’ll offer two examples of economic cost that are more common in the business world and MBA curricula: “opportunity cost” http://en.wikipedia.org/wiki/Opportunity_cost and “economic value added (EVA)” http://en.wikipedia.org/wiki/Economic_value_added . Neither of these appear on accounting statements but both are accepted as “real” for purposes of economic decision-making.

by Russell on October 6, 2009 at 9:03 pm. Reply #

To answer the cartoon question, the near-miss is not cost-free to Jerry Mouse, because nearly getting killed triggers a dramatic emotional/physical response: increases stress and “fight or flight” response, including rapid energy consumption, etc. This is the body’s mobilization for anticipated threats in the immediate future.

by Russell on October 6, 2009 at 11:53 pm. Reply #

And if Jerry Mouse *doesn’t* have an extreme “fight or flight” response and acts blasé instead, then Jerry’s cost is reflected in his dramatically shorter life expectancy (numbering just a few more seconds). Either way, Jerry faces big economic costs from a near-miss by Tom.

by Russell on October 7, 2009 at 2:18 am. Reply #

A “near miss” does cost a company operational dollars – which in a lot of cases are just as important as hard dollars going out the door. I have witnessed “near miss” incident responses. It can consume hundreds of hours of FTE time as well as thousands of hard dollars that may be spent to external crisis management / communications firms in preparation for the bad news. Also, the time associated with the investigation of a threat event – that turns out to be a near miss (e.g. lost backup tape that is found after a few weeks or a month) – could potentially impact a portion of that company’s ability to meet a business objective. Finally, the cost and effort of near misses becomes very tangible supporting evidence to justify future mitigation projects or policy/process enhancements.

by Chris Hayes on October 7, 2009 at 12:48 pm. Reply #

@Chris,

Yes, indeed, if your security team detects the near-miss incident and recognizes its severity, then it certainly cost money out-of-pocket to investigate. I was offering the case above where there was no out-of-pocket costs as an extreme example to sharpen the contrast between the alternative methods.

However, I would guess that many near misses go undetected, at least at the time of the incident. As evidence I point to the Verizon Data Breach report 2009, which found that 69% of major data breaches were discovered by a third party, not the company itself.

Russ

by Russell on October 7, 2009 at 4:36 pm. Reply #

For a very thorough analysis of the importance of near misses in managing risk, see: “THE NEAR-MISS MANAGEMENT OF OPERATIONAL RISK” http://sshuebner.org/documents/alex-ulku.pdf

p 8 – “We consider Near-Misses as weak signals some of which contain a genetic signature of a serious adverse effect.”

by Russell on October 16, 2009 at 8:35 am. Reply #

Leave your comment

Not published.

If you have one.