Symantec and the Ponemon Institute have published a new 2011 report on the cost of data breaches. The most interesting part from my perspective was the online risk calculator:
Playing with the calculator, I found it was not really geared towards companies like ours – the kinds of data were limited to certain types that don't fit our industry. However, I went ahead anyway and selected what I thought were reasonable inputs, and it came out with the following:
Are these numbers reasonable? Perhaps. However, I feel the precision is misleading. Providing a likelihood of 9.7%, or a cost per breach down to the last dollar, seems a bit like saying there is a 3.8% chance of an earthquake in the next year. It would be more useful to understand how many significant digits there are in that figure, or perhaps a 25%-75% confidence interval with a median. After all, if the cost is absolutely enormous for a small number of companies, that could easily skew the average.
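The skew described above, worked through as an added example that is not from the post or the Symantec/Ponemon report: a constructed sample of per-company breach costs (not survey data) is summarised by mean, median and the 25%-75% range, and the mean is rounded to two significant figures to show how much a dollar-exact average over-states its own precision.

```python
"""Mean vs. median and quartiles on a heavy-tailed sample of breach costs."""
from math import floor, log10
from statistics import mean, median, quantiles

# Constructed per-company breach costs in USD (illustrative, not real data):
# most are modest, but two very large incidents dominate the total.
SAMPLE_COSTS = [
    120_000, 180_000, 210_000, 250_000, 300_000, 340_000, 400_000,
    450_000, 520_000, 600_000, 700_000, 850_000, 1_000_000,
    1_200_000, 1_500_000, 2_000_000, 2_500_000, 3_000_000,
    45_000_000, 90_000_000,
]


def summarize(costs):
    """Return mean, median and the 25th/75th percentiles of a cost sample."""
    q1, _, q3 = quantiles(costs, n=4)  # default 'exclusive' method
    return {"mean": mean(costs), "median": median(costs), "p25": q1, "p75": q3}


def round_to_sig_figs(value, sig=2):
    """Round to `sig` significant figures, i.e. drop the digits the data cannot support."""
    if value == 0:
        return 0
    digits = sig - int(floor(log10(abs(value)))) - 1
    return round(value, digits)


def skew_report(costs):
    """Show how far the outliers pull the mean away from the middle of the sample."""
    s = summarize(costs)
    # Is the 'average' cost higher than what three quarters of companies paid?
    s["mean_above_p75"] = s["mean"] > s["p75"]
    # What share of the sample actually paid less than the reported average?
    s["share_below_mean"] = sum(c < s["mean"] for c in costs) / len(costs)
    # The same mean stated with only the precision a small sample justifies.
    s["mean_2sf"] = round_to_sig_figs(s["mean"])
    return s


if __name__ == "__main__":
    for key, value in skew_report(SAMPLE_COSTS).items():
        print(f"{key:>16}: {value:,}" if isinstance(value, (int, float)) else f"{key:>16}: {value}")
```

With this sample the mean lands above the 75th percentile and above 90% of the individual companies, while the median sits at a fraction of it; reporting the median with the 25%-75% range tells a reader far more than the mean to the dollar.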
That said, interesting stuff, though when I have time I'd like to understand the methodology better.