Tuesday, February 3, 2009

Risk analysis: Cost of breaches and rolling your own numbers

In my previous post I talked about how you can apply unknowns to the process of developing your Annual Loss Expectancy (ALE). In the example I gave, we tried to come up with a reasonable estimate of how much money it would cost us per record if some data were exposed. We went through a process of polling our sales force to see what they had on their machines, and we estimated how much it would cost us to account for the missing data and notify the affected persons. Why didn't we just use the well-known numbers that are thrown around out there? At the time I wrote that, the general consensus was that the average price per record was $197.

But now there is new data, and the official price per record has gone up to $202 per record. The good news is that the price per record is not keeping up with inflation! Unless our currency is deflating, in which case we're in even worse shape than we were last year. I had to hand over my personal information and will suffer through the cold sales calls just so that I could read the PDF, but here is a link where someone else has boiled it down: http://treasuryinstitute.org/blog/index.php?itemid=227. There is one specific point that I want you to pay attention to: "lost business is the largest component of the cost." According to the PDF itself, this component accounts for $139 of the $202 per record. Ouch. This cost is based on an increase in customer churn and a diminished ability to recruit future customers. I wish that the PDF had gone into more detail about how these numbers were calculated. For example, was the churn number just made up from the individual guesses of each survey respondent? How do we know that the respondent had any clue about the customer churn rate for his or her organization?

But those of us who have read The New School of Information Security know that we shouldn't just be taking these numbers from a vendor and accepting them as gospel. I quote from the good book: "Some people believe that admitting to a security breach will drive away customers. There is research that shows that in most breaches, no more than a small percentage of customers will leave." I also quote from the abstract of this research by Alessandro Acquisti, Allan Friedman, and Rahul Telang, titled "Is There a Cost to Privacy Breaches? An Event Study": "We show that there exists a negative and statistically significant impact of data breaches on a company's market value on the announcement day for the breach. The cumulative effect increases in magnitude over the day following the breach announcement, but then decreases and loses statistical significance." Looking at stock market value is a very interesting and valid way to measure the impact of a security breach. If you subscribe to the efficient market hypothesis (semi-strong form), then you know that the value of a company's stock already reflects all of the publicly known information about that company. And if you've spent any time reading about prediction markets, then you know that a large group of people making decisions with money on the line can result in very good estimates. For example, the Iowa Electronic Market was able to predict the outcome of the 2008 Presidential election to within half a percent: http://www.biz.uiowa.edu/news/displaystory.cfm?id=2058. So we can say that the stock market will very quickly adjust the price of a company and give us a good indication of the future earnings potential of that company. And the research from Acquisti, Friedman, and Telang indicates that the effect of a data breach is no longer statistically significant after a few days.

Take a look at this chart of the stock price of TJX. At this point it is difficult to even pick out when exactly they had to make the announcement of their world-famous data breach. In fact, they were forced to make multiple public statements about the data breach over the course of about a year, and the slope of their price increase was about the same as it was for the period before their announcement. For the record, the story broke in March of 2007. I tried to see if the same pattern was apparent in the stock chart of Heartland Payment Systems, but the current financial crisis muddies the water. Yes, their stock tanked on the day that the breach was announced, but their stock started a downward trend on October 1, 2008 along with just about everyone else, so it is hard to say how much of the current price is the effect of the breach notification and how much is the global financial meltdown. If the slope that started on October 1 had simply continued, the price of HPY today would be right about where it actually is.
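The "muddied water" problem above is exactly what an event study is built to handle: instead of reading the raw price chart, you fit how the stock normally tracks the market over a window before the announcement, then measure what the stock did beyond its market-implied move on each day after it. The following is an added example of that market-model calculation, written for this post; it is not code from the post or from the Acquisti, Friedman, and Telang paper, and every return series in it is constructed (40 estimation days built to follow R = 0.001 + 1.2*Rm plus a fixed +/-0.5% residual, and a seven-day event window with a 3% market-wide drop on announcement day). The 1.96 cutoff is the usual two-sided 5% critical value.

```python
"""Market-model event study: does a breach announcement move a stock beyond
what the market as a whole did that day?  Added example, not from the post
or from the Acquisti/Friedman/Telang paper; all return data is constructed."""
import math
from typing import List, Tuple

# Constructed estimation window (40 trading days before the event): daily
# market and stock returns.  The stock is built to follow R = 0.001 + 1.2*Rm
# plus a +/-0.5% residual, so the fitted alpha/beta are known in advance.
EST_MKT: List[float] = [0.01, -0.01, 0.02, -0.02] * 10
EST_STOCK: List[float] = [0.018, -0.006, 0.020, -0.028] * 10

# Constructed event window, trading days -1..+5 around the announcement (day 0).
# The market drops 3% on day 0 (think October 2008), so the raw stock move
# mixes a market-wide fall with the breach reaction.
EV_DAYS: List[int] = [-1, 0, 1, 2, 3, 4, 5]
EV_MKT: List[float] = [0.0, -0.03, -0.01, 0.0, 0.01, 0.0, 0.0]
EV_STOCK: List[float] = [0.001, -0.085, -0.021, 0.001, 0.023, 0.021, 0.011]


def ols(x: List[float], y: List[float]) -> Tuple[float, float, float]:
    """Fit y = alpha + beta*x by least squares; return (alpha, beta, sigma),
    where sigma is the residual standard deviation with n-2 degrees of freedom."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    beta = sxy / sxx
    alpha = my - beta * mx
    sse = sum((yi - alpha - beta * xi) ** 2 for xi, yi in zip(x, y))
    return alpha, beta, math.sqrt(sse / (n - 2))


def naive_cumulative(stock: List[float]) -> List[float]:
    """Cumulative raw stock return over the event window: what you get by
    eyeballing a price chart, market-wide moves included."""
    out, total = [], 0.0
    for r in stock:
        total += r
        out.append(total)
    return out


def event_study(est_mkt, est_stock, ev_mkt, ev_stock, crit: float = 1.96):
    """Return (alpha, beta, sigma, rows).  Each row holds the day's abnormal
    return (AR), the cumulative abnormal return (CAR), a t-statistic for CAR
    and whether |t| clears the critical value.  The t-stat treats daily
    residuals as independent with the estimation-window sigma, which is the
    textbook simplification."""
    alpha, beta, sigma = ols(est_mkt, est_stock)
    rows: List[dict] = []
    car = 0.0
    for k, (rm, rs) in enumerate(zip(ev_mkt, ev_stock), start=1):
        ar = rs - (alpha + beta * rm)   # move beyond what the market implied
        car += ar
        t = car / (sigma * math.sqrt(k))
        rows.append({"ar": ar, "car": car, "t": t, "significant": abs(t) > crit})
    return alpha, beta, sigma, rows


if __name__ == "__main__":
    alpha, beta, sigma, rows = event_study(EST_MKT, EST_STOCK, EV_MKT, EV_STOCK)
    raw = naive_cumulative(EV_STOCK)
    print(f"alpha={alpha:.4f} beta={beta:.2f} sigma={sigma:.4f}")
    print("day  raw_cum      AR     CAR      t  sig")
    for d, r, row in zip(EV_DAYS, raw, rows):
        print(f"{d:3d} {r:8.3f} {row['ar']:7.3f} {row['car']:7.3f} "
              f"{row['t']:6.2f}  {row['significant']}")
```

Run it and compare the two columns: on announcement day the raw chart shows the stock down 8.4% cumulatively, but 3.6% of that is just the market's own 3% fall scaled by the stock's beta, so the abnormal return is -5%. The CAR then reaches -6%, recovers, and by day +5 its t-statistic drops below 1.96, which is the shape the abstract describes: significant on the announcement day, larger the day after, then fading. A real study would use a longer estimation window and an actual index for the market return; here the numbers are chosen so the fit is exact and the arithmetic can be checked by hand.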

So in the case of these new estimates of the price per record of a data breach, we can now say that over half of the cost is made up of something that we can reasonably doubt. I'm not saying that we should completely discount the cost of lost business, but I do believe that we have reasonable doubt. The remaining $63 per record of direct costs (the accounting for the missing data and the notifications that we estimated in the previous post) is a different matter and is not what the market evidence speaks to. And that is why I would rather work out my own estimates of the cost of losing data than count on the estimates of someone else, especially a company that wants to sell me something. I'm not even saying that the report is not valid, but remember that the headline about each record costing an average of $202 is what the company is using to sell its product. Instead, look through the document and see if there are data specific to your company or industry that you can incorporate into your own estimates.
