Shostack + Friends Blog Archive


With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.”

Near as I can tell, this is the sort of half-thought-through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other people report in the news, not the original Gartner slide deck.)

Gartner analysts estimate that the cost of a sensitive data breach will increase 20 percent per year through 2009. While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

There’s some fascinating juxtaposition in that last sentence. It “cleverly” mixes new motives for attacks with attacks succeeding, and then implies that there are these secret attacks happening, causing “enormous damage to the bottom line,” but that somehow these material events aren’t being reported. What might the SEC think about that? What might Milberg Weiss say about such allegations? How about Sarbanes and Oxley?

I simply don’t believe that there are real events happening at public companies with real bottom line impacts being covered up. I believe that there are events whose costs are exaggerated. I believe there are events that are reported and not widely publicized. A company which is knowingly not reporting something which has caused “enormous damage to the bottom line” is committing a felony for which their executives can be jailed.

If you’re an information security professional, making claims like this damages your credibility and your career. Similarly, claiming that breaches often drive companies out of business simply isn’t supported by the facts.

However, I made a different assertion, which is that breach costs will fall, and I need to support that or risk damaging my own credibility. Breach cost will fall as the market responds and a growing number of credible organizations offer breach response services. Competition will drive costs down as everyone tries to get in on this new space.

I’d rate the chances as .9 five years out. If I’m wrong, I’ll refund 90% of the money I made on this post.

2 comments on "With p=.7, Breach Costs Will Fall by 2009"

  • alex says:

    great post. For public companies, we do have some level of frequency and impact. Sure some information may be obfuscated, but we can account for that uncertainty.
    So is there any qualitative evidence that suggests trending one way or another (from you or Gartner)? How transparent have you made the model you use to draw those conclusions? If you independently give two people the same model and prior info., will we both come to generally the same conclusion?
    Am I nuts for thinking that the hypothesis we make should be held to the scrutiny of scientific method and logic?

  • Chris says:

    Gives new meaning to the term “Hype Cycle”, doesn’t it?
