The Economics of Insecurity

Wanna be bad at information security? Can you afford it?

Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc.

How many pieces of identity data does you company protect? How many clients do you have? How many employees are in your payroll and HR systems?

Information security is expensive. Software, services, assessments, policies, awareness and a myriad of other things all cost money. But, the next time you are asking yourself or upper management about your security budget, remember that $250 number. It may just give you, or someone else, some perspective on just what it all means.

2 thoughts on “The Economics of Insecurity

  1. Errr, but that’s just another random value that lacks credibility. Sure it has shock value, just like “Get security compliance wrong and you could go to jail” …. though personally I wouldn’t recommend either approach under nornal circumstances, and both are disposable one-time-use tactics.

    There are several better approaches. Here are some clues:
    – “How confident are you in our information security security controls? Would you like to know more about the risks and reduce them? We can help …”
    – “Our internal and external auditors agree that we’re not spending nearly enough on information security relative to our needs, nor to our peers. Does the Board appreciate the full extent of our risks? How would our customers and business partners react to a serious security breach (think TJX or Heartlands)?”
    – “We know security is a bottomless pit but we’re trying to be smart about this. Let’s invest in specific controls that generate the best value, and get the most value from the security controls we already have. We can do this better than our competitors.”
    – “A solid information security framework provides a firm platform for eBusiness, and allows us to do things we simply daren’t risk without adequate security in place. How can we best support business initiatives, new product developments or other opportunities and strategies through security?”

    I hope you’ll agree that most if not all these are more positive in nature than your scaremongering.

    Kind regards,

  2. Wow, Gary, I agree with almost everything you say EXCEPT that holding the conversation around METRICS of an associable term like dollars makes it “scaremongering”. I am sorry that you feel that way. I really do try and present security as being all about a rational response to risk.

    The stats I pulled are from various sources (FBI, various articles, Ponemon, etc) and the range is valid in each of them. I am sorry if the amounts put you off, but I am continually asked to assign real world numbers to issues. That is exactly what boards and CEO’s ask from me on a daily basis. Given the ongoing research in the field, this is what I have to work with.

    Thanks for reading and commenting I appreciate the feedback, even though I resent the name calling.

Leave a Reply