Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

How Much Does a Hack Cost?

It might be the most elusive figure in the security industry. Vendors want it so they can show the value of their products. Security pros want it so they can cost-justify new purchases. Attackers want it so they can measure the effectiveness of their exploits.

But after an industry-wide hunt, let us tell you: There is no single, definitive figure on the cost of security incidents.

Oh, there are data points. The problem is that they don't agree. Heck, they aren't even in the same ballpark. Check 'em out:

  • In a study of Department of Justice data scheduled to be published Aug. 28, Phoenix Technologies and law enforcement agencies found that, in cases where stolen IDs and passwords were used, the average loss per incident was $1.5 million. Some attacks caused as much as $10 million in damages.
  • According to the annual report by the Computer Security Institute and the FBI, the average loss per company due to security breaches in 2005 was about $167,000, down from more than $200,000 the year before. About half of the respondents reported between one and five incidents during the year.
  • In a study conducted by Ponemon Institute and distributed by PGP Corp. last year, companies lost an average of $14 million per breach per incident when customer data losses were incurred. The high cost was as much as $50 million.
  • A recent survey by the Yankee Group indicates that more than half of companies rate their Internet downtime costs at more than $1,000 per hour.
  • In a study published in 2004, the Aberdeen Group found that the cost of Internet-based business disruptions is about $2 million per incident.

    So, pick your number. Some rules of thumb say that $100,000 is a good starting point when measuring average loss per incident. Some say $200,000. Some say $1,000 per hour.

    Get the full story at Dark Reading.

    • 1