Comments on: Cost of a Breach: $6, not $187? http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Mike Spinney http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html/comment-page-1#comment-3871 Mike Spinney Mon, 20 Aug 2007 15:36:39 +0000 http://emergentchaos.com/?p=2462#comment-3871 For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in-line with the estimates TJX just announced. Ross Kerber's reporting in the Boston Globe back in April (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/) should serve to demonstrate Ponemon's grasp of the issue, and his own research. Others weren't so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end with the $183/per figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report. Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million. Mike For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in-line with the estimates TJX just announced. Ross Kerber’s reporting in the Boston Globe back in April (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/) should serve to demonstrate Ponemon’s grasp of the issue, and his own research. Others weren’t so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end with the $183/per figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report.
Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million.
Mike

]]> By: Blake http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html/comment-page-1#comment-3870 Blake Thu, 16 Aug 2007 20:11:36 +0000 http://emergentchaos.com/?p=2462#comment-3870 Typically, those discrepancies are between direct and indirect costs. Most estimates of direct costs range in the $10-20 area, one hopes and expects there are economies of scale here. The fearmongers make up big numbers to be estimate of "lost revenue" or "brand impairment" or some other intangible that isn't falsifiable. Which is noit to say that they are wrong, just that there is no (little) data. The lesson of the TJX breach appears to be that the vast majority of consumers (and maybe even a reasonable approximation of "all") don't care about security. Typically, those discrepancies are between direct and indirect costs. Most estimates of direct costs range in the $10-20 area, one hopes and expects there are economies of scale here. The fearmongers make up big numbers to be estimate of “lost revenue” or “brand impairment” or some other intangible that isn’t falsifiable. Which is noit to say that they are wrong, just that there is no (little) data. The lesson of the TJX breach appears to be that the vast majority of consumers (and maybe even a reasonable approximation of “all”) don’t care about security.

]]> By: Alex http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html/comment-page-1#comment-3869 Alex Thu, 16 Aug 2007 09:00:46 +0000 http://emergentchaos.com/?p=2462#comment-3869 Gee, only $1bn US? I had heard $4.5 bn: <a href="http://www.darkreading.com/document.asp?doc_id=123129" rel="nofollow">http://www.darkreading.com/document.asp?doc_id=123129</a> blogs need sarcasm tags... Gee, only $1bn US? I had heard $4.5 bn:
http://www.darkreading.com/document.asp?doc_id=123129
blogs need sarcasm tags…

]]> By: Mordaxus http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html/comment-page-1#comment-3868 Mordaxus Thu, 16 Aug 2007 04:53:02 +0000 http://emergentchaos.com/?p=2462#comment-3868 You get discounts when you breach in bulk. $187 is retail, quantity one. $6 is what you pay for a site license. You get discounts when you breach in bulk. $187 is retail, quantity one. $6 is what you pay for a site license.

]]> By: q http://emergentchaos.com/archives/2007/08/cost-of-a-breach-6-not-187.html/comment-page-1#comment-3867 q Thu, 16 Aug 2007 00:37:28 +0000 http://emergentchaos.com/?p=2462#comment-3867 it's 256 million according to these guys: <a href="http://www.secguru.com/link/cost_data_breach_tjx_soars_256m" rel="nofollow">http://www.secguru.com/link/cost_data_breach_tjx_soars_256m</a> um it’s 256 million according to these guys:
http://www.secguru.com/link/cost_data_breach_tjx_soars_256m
um

]]>