The 2017 Ponemon Institute Cost of a Data Breach Study found that “the cost of a data breach is going down, but the size of a data breach is going up.” Additional key findings included the following:

  • The average total cost of a data breach decreased from $4.00 million to $3.62 million.
  • The average cost for each lost or stolen record containing sensitive and confidential information also decreased from $158 in 2016 to $141. (The strong USD played a role in reducing the costs.)
  • The average size of the data breaches investigated in the research increased 1.8 percent.

Okay, so what does all that mean? Good news? Bad news? Mixed news? Well, we think it is incomplete news, and here are two main reasons why:

  1. The usual limitations of these types of studies – Ponemon and IBM Security do absolutely amazing work, but all studies of this type have inherent limitations. Therefore, using them as a baseline for an industry, or country even, is ill-advised.
  2. Studies like this are absolutely no good at predicting the future – More specifically, they tell us little about what could happen during “fat-tail” events (more on that below).

When we were approached to write on this issue, some of the largest cyber breaches came to mind: Anthem, Target, Equifax, and Uber as starters. These are the “big ouchy” type events. And yes, we found that there are some indicators out there (like stock price, or recovery and incident-response fees) that can give you a partial picture of what the actual “cost” of the breach was.

But all of these factors to us are just a portion of what the actual costs of a breach are. And here’s the kicker: depending on the situation, these costs could make out (Read more...)