<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The New School of Information Security &#187; data breach cost</title>
	<atom:link href="http://newschoolsecurity.com/tag/data-breach-cost/feed/" rel="self" type="application/rss+xml" />
	<link>http://newschoolsecurity.com</link>
	<description>The Blog Inspired By The Book</description>
	<lastBuildDate>Mon, 06 Feb 2012 16:09:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>NotObvious On Heartland</title>
		<link>http://newschoolsecurity.com/2009/12/notobvious-on-heartland/</link>
		<comments>http://newschoolsecurity.com/2009/12/notobvious-on-heartland/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 14:44:09 +0000</pubDate>
		<dc:creator>alex</dc:creator>
				<category><![CDATA[Data Analysis]]></category>
		<category><![CDATA[metrics]]></category>
		<category><![CDATA[Reports and Data]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[incident metrics]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1207</guid>
		<description><![CDATA[I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact. From the blog post: &#8220;Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they [...]]]></description>
			<content:encoded><![CDATA[<p>I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off.</p>
<p>The Not Obvious blog has an <a href="http://notobvious.info/the-bell-finally-but-softly-tolls-for-heartla">interesting write up on the Heartland Breach and impact</a>.  From the blog post:</p>
<blockquote><p>&#8220;Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared to $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).&#8221;</p></blockquote>
<p><strong>For thought</strong>:</p>
<ol>
<li>One wonders how much a &#8220;sufficient&#8221; (a loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.</li>
<li>Does this set a sort of &#8220;worst case&#8221; bound on impact distributions?</li>
<li>If so, how does a worst-case impact of ~$13 million (US) affect security management at retailers (politically)?</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2009/12/notobvious-on-heartland/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>NEW: Verizon 2009 DBIR Supplement</title>
		<link>http://newschoolsecurity.com/2009/12/new-verizon-2009-dbir-supplement/</link>
		<comments>http://newschoolsecurity.com/2009/12/new-verizon-2009-dbir-supplement/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 07:04:25 +0000</pubDate>
		<dc:creator>Russell</dc:creator>
				<category><![CDATA[Reports and Data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[DBIR]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1177</guid>
		<description><![CDATA[The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.]]></description>
			<content:encoded><![CDATA[<p style="text-align: center"><a href="http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf"><img class="aligncenter size-large wp-image-1178" style="border: white 5px solid" src="http://newschoolsecurity.com/wp-content/uploads/2009/12/verizon-DBIR-sup-1024x520.PNG" alt="verizon DBIR sup" width="502" height="255" /></a></p>
<p style="text-align: left">The full report is <a href="http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf">here</a>. A quick overview from a <em>Wired</em> magazine <a href="http://www.wired.com/threatlevel/2009/12/breaches-more-sophisticated/">article</a>:</p>
<blockquote><p>The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.</p></blockquote>
<p>[Disclosure: Alex's paw prints are on this report somewhere.]</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2009/12/new-verizon-2009-dbir-supplement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Cost of a Near-Miss Data Breach</title>
		<link>http://newschoolsecurity.com/2009/10/the-cost-of-a-near-miss-data-breach/</link>
		<comments>http://newschoolsecurity.com/2009/10/the-cost-of-a-near-miss-data-breach/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 20:11:42 +0000</pubDate>
		<dc:creator>Russell</dc:creator>
				<category><![CDATA[Science of Risk Management]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk modeling]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=724</guid>
		<description><![CDATA[Near misses are very valuable signals regarding future losses.  If we ignore them in our cost metrics, we might make some very poor decisions.  This example shows  that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.]]></description>
			<content:encoded><![CDATA[<div id="attachment_725" class="wp-caption alignright" style="width: 310px"><a href="http://www.tomandjerryonline.com/images/nearMiss.jpg"><img class="size-medium wp-image-725" src="http://newschoolsecurity.com/wp-content/uploads/2009/10/tom_and_jerry_near_miss-300x198.PNG" alt="Jerry escapes death, but is it cost-free?  (Image from tomandjerryonline.com)" width="300" height="198" /></a><p class="wp-caption-text">Jerry escapes death, but is it cost-free?</p></div>
<p>If one of your security metrics is Data Breach Cost, what is the cost of a near-miss incident? This seemingly simple question gets at the heart of the security metrics problem.</p>
<p>Consider the gleeful Jerry Mouse in this cartoon. Tom the Cat has just missed in his attempt to swat Jerry and turn him into mouse meat. Is there any cost to Jerry for this near miss? Is Jerry’s cost any different than if he were running with Tom nowhere in sight?</p>
<p>By “near miss” I mean a security incident or sequence of incidents that could have resulted in a severe data breach (think TJX or Heartland), but somehow didn’t succeed. Let’s call the specific near-miss event “NM” for short. For the sake of argument, let’s assume that the lack of attack success was due to dumb luck or attacker mistakes, not due to brilliant defenses or detection. Let’s say that you only discover NM long after the events took place. For simplicity, let’s assume that discovering NM doesn’t result in any extraordinary costs, meaning that out-of-pocket costs are the same just before and immediately after NM. Finally, assume that your expected cost of a successful large-scale data breach is on the order of tens of millions, with the worst case being hundreds of millions of dollars.</p>
<p>How much does NM cost? The realist answer is “zero”. (Most engineers are realists, by disposition and training.) There is a saying in street basketball that expresses the realist philosophy about losses and associated costs: “No blood, no foul”. If you ask your accountants to pore over the spending and budget reports, they will probably agree. Case closed, right?</p>
<p>Not so fast&#8230;.</p>
<p><span id="more-724"></span></p>
<p>The big problem with the realist approach is that it ignores the future and our rational expectations about future loss events. In other words, it ignores risk. It’s like the old joke about the guy who fell out of a 20-story building. As he passed the 4th floor, someone called out to him, “ARE YOU OK?”, to which he replied: “SO FAR, SO GOOD!!”. (Moments later… splat!)</p>
<p>We know intuitively that there is something wrong with the answer “so far, so good” when the signs of pending disaster appear.</p>
<p>Economists will arrive at a very different answer to account for this intuition. For economists, valuation and risk decisions are about the future, and especially about rational expectations about future cash flows and future valuations given available information. If you get significant new information that changes your expectations, then your risk and value metrics will change.</p>
<p>You could hardly imagine a more meaningful signal regarding risk than a near-miss event. Safety engineers have known this for decades, and it’s central to their practice. (For example, see the book <a href="http://www.amazon.com/Safety-Management-Qualitative-Systems-Approach/dp/0415303710/ref=sid_dp_dp#noop">Safety Management: A Qualitative Systems Approach</a> and the web page “<a href="http://www.jmcampbell.com/february-2009">Three Simple Things to Improve Process Safety Management</a>”.) Whatever your estimation of risk before NM, it will probably go way up after NM. Economists would argue that this increases your data breach costs, since your expectation of future cash flows has increased.</p>
<p>Does this economic cost of a data breach have any reality? Can it be made tangible and meaningful for accountants and ordinary realistic managers? Yes it can, through insurance. Imagine that your organization pays a regular insurance premium that is a probabilistic function of future data breach costs, based on all available information about likelihood and severity. (Assume either self-insurance or commercial insurance, or some combination. Assume “perfect pricing” and complete information sharing, etc.) Forget about risk transfer. The purpose of insurance in this case is simply to bring the cost of risk into the present.</p>
<p>With this insurance in place, your data breach cost becomes not only the actual cash flows associated with loss events, but also the periodic insurance premiums, which would rise or fall based on risk factors and risk estimates. We are familiar with this from our experience with auto insurance, property and casualty insurance, etc.</p>
<p>The great advantage of this approach is that your data breach cost metrics will become a meaningful signal for management decision-making, performance management, and incentive instruments. All stakeholders will be more likely to pay attention to near misses and, hopefully, do their best to learn from them and mitigate risks.</p>
<p>Whether or not you buy into the details of the insurance mechanism, I hope that I have convinced you that there is a qualitative difference between “ground truth data” (in this case, historical cash flow) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2009/10/the-cost-of-a-near-miss-data-breach/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>