Tuesday, July 30, 2013

The Cost of a Near-miss Data Breach

[This post originally appeared in the New School of Information Security blog on October 6, 2009. This idea was incorporated in the breach impact model presented in this paper, where you can find more details: How Bad Is It?–A Branching Activity Model to Estimate the Impact of Information Security Breaches]

If one of your security metrics is Data Breach Cost, what is the cost of a near-miss incident? This seemingly simple question gets at the heart of the security metrics problem.

Jerry escapes death, but is it cost-free?
Consider the gleeful Jerry Mouse in this cartoon. Tom the Cat has just missed in his attempt to swat Jerry and turn him into mouse meat. Is there any cost to Jerry for this near miss? Is Jerry’s cost any different than if he were running with Tom nowhere in sight?

By “near miss” I mean a security incident or sequence of incidents that could have resulted in a severe data breach (think TJX or Heartland), but somehow didn’t succeed. Let’s call the specific near-miss event “NM” for short. For the sake of argument, let’s assume that the lack of attack success was due to dumb luck or attacker mistakes, not due to brilliant defenses or detection. Let’s say that you only discover NM long after the events took place. For simplicity, let’s assume that discovering NM doesn’t result in any extraordinary costs, meaning that out-of-pocket costs are the same just before and immediately after NM. Finally, assume that your expected cost of a successful large-scale data breach is on the order of tens of millions, with the worst case being hundreds of millions of dollars.

How much does NM cost? The realist answer is “zero”. (Most engineers are realists, by disposition and training.) There is a saying in street basketball that expresses the realist philosophy about losses and associated costs: “No blood, no foul”. If you ask your accountants to pore over the spending and budget reports, they will probably agree. Case closed, right?

Not so fast….

The big problem with the realist approach is that it ignores the future and our rational expectations about future loss events. In other words, it ignores risk. It’s like the old joke about the guy who fell out of a 20-story building. As he passed the 4th floor, someone called out to him, “ARE YOU OK?”, to which he replied: “SO FAR, SO GOOD!!”. (Moments later… splat!)

We know intuitively that there is something wrong with the answer “so far, so good” when the signs of pending disaster appear.

Economists will arrive at a very different answer to account for this intuition. For economists, valuation and risk decisions are about the future, and especially about rational expectations about future cash flows and future valuations given available information. If you get significant new information that changes your expectations, then your risk and value metrics will change.

You could hardly imagine a more meaningful signal regarding risk than a near-miss event. Safety engineers have known this for decades and it’s central to their practice. (For example, see the book: Safety Management: A Qualitative Systems Approach and the web page: “Three Simple Things to Improve Process Safety Management”.) Whatever your estimation of risk before NM, it will probably go way up after NM. Economists would argue that this increases your data breach costs, since your expectation of future cash flows has increased.

Does this economic cost of a data breach have any reality? How could it be made tangible and meaningful for accountants and ordinary realistic managers? Yes it can, through insurance. Imagine that your organization pays a regular insurance premium that is a probabilistic function of future data breach costs, based on all available information about likelihood and severity. (Assume either self-insurance or commercial insurance, or some combination. Assume “perfect pricing” and complete information sharing, etc.) Forget about risk transfer. The purpose of insurance in this case is simply bringing the cost of risk into the present.

With this insurance in place, your data breach cost becomes not only the actual cash flows associated with loss events, but also the periodic insurance premiums, which would rise or fall based on risk factors and risk estimates. We are familiar with this from our experience with auto insurance, property and casualty insurance, etc.
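The premium mechanism described above can be made concrete with a small Bayesian model. This is an added illustration, not from the original post or the referenced paper; the two exposure hypotheses, every probability, and the $30M expected loss are constructed values chosen only to match the post's "tens of millions" and "dumb luck" assumptions.

```python
# Added illustration (not from the original post): all numbers are constructed.
# Two hypotheses about the organization's true exposure; a near miss (NM) is
# evidence that shifts belief toward "exposed" and raises the fair premium.

PRIOR = {"well_defended": 0.90, "exposed": 0.10}    # belief before NM
P_REACH = {"well_defended": 0.02, "exposed": 0.40}  # P(attacker reaches the data in a year)
P_LUCKY_FAIL = 0.5          # the attack then fails by dumb luck, as the post assumes
EXPECTED_LOSS = 30_000_000  # "tens of millions" per successful breach


def bayes_update(prior, likelihood):
    """Posterior over hypotheses given P(evidence | hypothesis)."""
    joint = {h: prior[h] * likelihood[h] for h in prior}
    total = sum(joint.values())
    return {h: joint[h] / total for h in joint}


def annual_premium(belief):
    """'Perfect pricing': premium equals the expected annual breach loss."""
    p_breach = sum(belief[h] * P_REACH[h] * (1 - P_LUCKY_FAIL) for h in belief)
    return p_breach * EXPECTED_LOSS


def near_miss_cost():
    """Compare the realist view (cash paid out) with the premium change."""
    nm_likelihood = {h: P_REACH[h] * P_LUCKY_FAIL for h in PRIOR}
    belief_after = bayes_update(PRIOR, nm_likelihood)
    before = annual_premium(PRIOR)
    after = annual_premium(belief_after)
    return {
        "cash_outflow_from_nm": 0.0,  # realist answer: no blood, no foul
        "p_exposed_after": belief_after["exposed"],
        "premium_before": before,
        "premium_after": after,
        "premium_increase": after - before,
    }


if __name__ == "__main__":
    for name, value in near_miss_cost().items():
        print(f"{name:>22}: {value:,.4f}")
```

With these constructed inputs the out-of-pocket cost of NM is zero, yet the fair annual premium rises because the near miss is far more likely under the "exposed" hypothesis than under "well defended".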

The great advantage of this approach is that your data breach cost metrics will become a meaningful signal for management decision-making, performance management, and incentive instruments. All stakeholders will be more likely to pay attention to near misses and, hopefully, do their best to learn from them and mitigate risks.

Whether or not you buy into the details of the insurance mechanism, I hope that I have convinced you that there is a qualitative difference between “ground truth data” (in this case, historical cash flow) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.
