Cost of Data Breaches Falls, but Don’t Rejoice Yet


Last week, reputable security researcher The Ponemon Institute published the 2011 edition of its annual “US Cost of a Data Breach” study, which found that the average organizational cost of a data breach in 2011 declined 24% to $5.5M v. 2010. This survey was based on results collected from 49 US companies that experienced a data breach in 2011.

Before infosec professionals and CFOs go dancing in the streets over this news, they should examine the data and findings rather than focus solely on the decreasing cost.

These are my thoughts:

  • Be wary of averages: This is not to fault Ponemon’s findings, and it is not meant to be a treatise on statistics, but an average can be skewed by a few large outliers at either end of the data spectrum. For that reason, it would have been interesting to compare the average cost with the median cost, since the median is often more representative of the typical breach.

  • $5.5M is still a big number: Yes, costs have decreased, but they have not decreased to zero. Data breaches still cost millions of dollars. That figure is still sobering and should not be an excuse for organizations to reduce their concern or their budgets for dealing with potential data breaches.

  • Data breach costs should be declining for several reasons, including:

    • Organizational improvements and increased awareness.  The seeming daily crescendo of data breaches in the media has made organizations of all sizes and verticals more aware of the risks of data breaches.  Some have begun to take some proactive steps to build data breach mitigation plans, so that instead of sprinting around frantically after a breach, organizations are better prepared and thus spend less money dealing with the breach.

    • Increased supply.  This is simple economics.  The rise in data breaches has led to the emergence of service vendors, consultants and other experts capable of assisting organizations with responding to data breaches and with preventing them.  Many of these options did not exist 3-5 years ago, meaning that there is now a bigger available supply.  I do not have empirical evidence to support this, but I believe it to be a reasonable theory.  Increased supply generally leads to lower pricing.

    • Cynical consumers.  The Ponemon report noted that “lost business costs” (reputation losses, customer churn and increased customer acquisition costs) had the biggest single year cost decrease and was one of the drivers behind the year over year decline.  I would argue that customer churn is declining because so many organizations have been victims of data breach that it is difficult if not impossible for consumers to switch to another provider who has not already been victimized by a breach!  In this scenario, if my bank/retailer/insurance company/hospital is compromised, I don’t necessarily have a wide range of alternatives that have not already had public data breaches.  Therefore, the incentive for me to switch is marginal and I may be inclined to just stick with my current provider, warts and all.  That keeps churn costs down, but is not reason for rejoicing.
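
The “be wary of averages” point above is easy to see with numbers. The block below is an added illustration, not part of the original post and not Ponemon’s data: it builds a constructed sample of 49 per-breach costs (in millions of USD) in which most breaches cluster in the low single-digit millions and three are very large, then compares the mean and the median with and without the outliers.

```python
import statistics
from typing import Dict, List

# Constructed sample for a hypothetical 49-company survey (not Ponemon's data).
# Per-breach cost in millions of USD: forty breaches between $1M and $4M,
# six mid-sized ones at $8M, and three large outliers.
SAMPLE_COSTS_MUSD: List[float] = (
    [1.0] * 10 + [2.0] * 10 + [3.0] * 10 + [4.0] * 10   # the typical breach
    + [8.0] * 6                                          # mid-sized incidents
    + [30.0, 50.0, 70.0]                                 # three outliers
)


def summarize(costs: List[float]) -> Dict[str, float]:
    """Return the mean and median of a cost sample, rounded to cents of a million."""
    if not costs:
        raise ValueError("cost sample is empty")
    return {
        "count": len(costs),
        "mean": round(statistics.mean(costs), 2),
        "median": round(statistics.median(costs), 2),
    }


def drop_largest(costs: List[float], n: int) -> List[float]:
    """Return the sample with its n largest values removed (used to show outlier influence)."""
    return sorted(costs)[: len(costs) - n] if n > 0 else list(costs)


def outlier_effect(costs: List[float], n_outliers: int) -> Dict[str, Dict[str, float]]:
    """Summarize the sample with and without its n largest values.

    The mean moves substantially when the outliers are removed; the median
    barely moves, which is why it is a better picture of the 'typical' breach.
    """
    return {
        "with_outliers": summarize(costs),
        "without_outliers": summarize(drop_largest(costs, n_outliers)),
    }


if __name__ == "__main__":
    for label, stats in outlier_effect(SAMPLE_COSTS_MUSD, 3).items():
        print(f"{label:18s} n={stats['count']:2d}  mean=${stats['mean']:.2f}M  median=${stats['median']:.2f}M")
```

On this constructed sample the mean is about $6.08M while the median is $3.00M; removing the three largest breaches pulls the mean down to about $3.22M, yet the median stays at $3.00M. A report that quotes only the average therefore says little about what a typical organization should expect to pay, which is the reason to ask for the median alongside it.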

This report is still worth reviewing, and I’ll certainly be interested in the 2012 report to see if the cost trend continues.  But against the backdrop of the Ponemon report, we also have Verizon Business’ latest Data Breach Investigations Report, which was also released last week.  This report does not delve into remediation costs and covers worldwide breaches instead of just US-based ones, but it is still worth reading.  According to Verizon Business, 2011 had the second-highest data loss total (174 million records) in the 10 years that Verizon Business has been producing this report, further proving that the data breach problem is unfortunately still going to remain with us for a while.

Computer security image used under Creative Commons License courtesy of Mikey G Ottawa, original artist.

Written by

Merritt Maxim

With 15 years of experience in product management and marketing, Merritt handles product marketing for…
