What should CROs do with cost of data breach studies?

Last week we wrote about a Deloitte study that estimated the potential hard and soft costs of a data breach to an organization over several years. The point was to show that less visible costs — loss of customer confidence and brand reputation — could have a long-lasting impact on an organization.

But what should chief risk officers do with these and other reports? Think carefully, according to an article today on Security Week.

For one thing, it notes there’s no consistency in cost of breach reports. In fact the European Union Agency for Network and Information Security (ENISA) released a report earlier this month that reviewed studies that try to do a calculate the costs for critical infrastructure organizations and concluded its damn hard. On the one hand it found evidence that the finance, ICT and energy sectors would suffer the highest costs, it also admits there’s no  common approach or criteria to cost of breach estimates. Any calculations use “rarely comparable” approaches that are often only relevant to a specific context.

So can cost estimates be used in a risk mitigation policy? The Security Week story suggests they have limited value to CROs. The chief security officer at Samsung Research America is quoted as saying such calculations are always subjective. In his firm’s case the big assets are intellectual property, whose loss isn’t easy to put a price on. His goal is to mitigate the effects of a breach, he points out. So he works on that, rather than the cost of a breach.

That is echoed by another expert, who says CISOs need to look at the value of assets in their own organizations to make a risk assessment, rather than use third-party averaged estimates.

The article also usefully points out there’s a difference between the estimated cost of a breach and the risk of a breach. But it also quotes an expert saying that cost calculations are “good instruments for practitioners to raise awareness and kick off an internal discussion to move from a compliance, check-box mentality to a more pro-active, risk- and business-driven approach to security.”

And talking about security across the entire enterprise is always a good thing.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now