Security Business Case for Breach Risk Reduction (Part 1)
Security business case justification is always a complex task, for two reasons. First, security earns its keep by reducing the risk of losses, not by producing revenue. Second, estimating both the size of losses from security incidents and the extent to which security investments can reduce them requires multiple assumptions about the probability and impact of those incidents.
Security Business Case for DLP
On a recent data loss prevention (DLP) project, Security Architects Partners was retained to provide a DLP gap analysis, recommendations and a solution roadmap for a higher education institution in the U.S. You may recall we wrote about a DLP client’s gaps and challenges in How to Drive Successful DLP Projects. It happens that the institution in question has only rudimentary security systems in place, so creating its DLP Solution Roadmap essentially involves building a security program from the ground up. From now on, we’ll just refer to the exercise as “justifying security investment.”
Let’s fast forward to the final phase of the project where our tasking required high level cost estimates and a business case model. We’re going to replay the results for you with some of the numbers scaled to provide additional protection for our client’s anonymity.
Security Investment Rollup
First, we established the recommended security investment budget at approximately $1,000,000. However, the risk reduction from the program will be felt over a longer time, during which additional operational costs must be paid for staff salaries, software maintenance and subscription services. Adding only the ongoing costs for a fourth year yields a four-year budget of approximately $1,300,000.
Estimated Breach Impact, or Potential Losses
Next, we estimated the losses the security investment strives to mitigate. Normally, quantifying security losses is difficult. Fortunately, our DLP focus helps, because the security industry has plentiful actuarial information on the costs organizations incur from breaches of personal information such as social security numbers (SSNs), personal health information (PHI) and payment card (PCI) data. Specifically, we can reference the Ponemon Institute’s “2015 Cost of Data Breach Study: Global Analysis.”
According to an EDUCAUSE blog post: “Research by the Ponemon Institute conducted in 2014 estimates that the average cost of responding to a network security breach in higher education is $294 per student record. This means that the compromise of 10,000 student records — relatively small in terms of the damage that can be done on a large campus — would cost almost $3 million dollars to remediate. This figure does not include future revenue losses due to the negative publicity.”
According to staff, the institution in question may have records with SSNs for about 500,000 current and former students stored somewhere on its networks. For breaches of identity information such as SSNs, overall breach costs are closely related to the number of records breached.
In 2015, the Ponemon Institute repeated the study EDUCAUSE referenced, this time estimating higher education’s per-record breach cost at $300. Thus, in a worst-case scenario – all 500,000 records breached – the cost to remediate could theoretically come to $150 million.
The Drivers of Breach Loss
Breach costs can be categorized as direct, indirect or opportunity costs. Ponemon lists the following activities an organization must undertake in the wake of a breach as drivers of overall cost.
- Conducting investigations and forensics to determine the root cause of the data breach
- Determining the probable victims of the data breach
- Organizing the incident response team
- Conducting communication and public relations outreach
- Preparing notice documents and other required disclosures to data breach victims and regulators
- Implementing call center procedures and specialized training
- Audit and consulting services
- Legal services for defense
- Legal services for compliance
- Free or discounted services to victims of the breach
- Identity protection services
- Lost customer business based on calculating customer churn or turnover
- Customer acquisition and loyalty program costs
Making Educated Assumptions
Until a breach actually occurs, all numbers pertaining to its probability and impact are hypothetical and depend on the forecaster’s assumptions. To assist our client with choosing numbers to support a business case, Security Architects Partners used the following parameters for the institution’s security business justification:

| Value | Description |
| --- | --- |
| $154 | Ponemon figure for average U.S. per-record breach remediation cost |
| $300 | Ponemon figure for average education industry per-record cost |
| 22,000 | Ponemon figure for identity records lost in the average breach in 2015 |
| 50,000 | Institution’s approximate current student record count |
| 100,000 | Recent student record count |
| 500,000 | Maximum historical student record count |
| 22% | Ponemon figure for the average organization’s breach probability over 24 months |
| 33% | Increased breach likelihood due to the institution’s many security gaps |
| 2 | Two 24-month periods considered for the life of the security investment |
The figure at the beginning of this post provides a sneak preview of what to expect in Part 2. After all, it’s easy enough to take these Ponemon numbers and multiply them by lots of personal identity records to get large loss expectancies. But how can we enable a client to tweak the assumptions and see different scenarios? How can we show that the specific security investment proposed actually mitigates the risk? And how do we decide how much security investment is enough?
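To show how the parameters in the table can be turned into loss expectancies that a client can tweak, here is a small scenario model. It is an added example, not Security Architects Partners’ Part 2 model; the way the inputs are combined (records × per-record cost × breach probability × number of 24-month periods) and the $1,300,000 four-year budget used for the ratio are my assumptions based on the figures in this post.

```python
"""Scenario model for the breach-loss parameters listed in the post.

Added example, not the consultancy's own business case model. Combining
the inputs as records x per-record cost x breach probability x periods
is an assumption; the post only lists the inputs. Dollars and percents
are integers so the arithmetic is exact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    records: int          # identity records at risk
    per_record_cost: int  # dollars per record (Ponemon figure)
    breach_pct: int       # breach probability per 24-month period, in percent
    periods: int = 2      # 24-month periods over the investment's life


def worst_case_loss(records: int, per_record_cost: int) -> int:
    """Cost if every record is breached (the $150M figure in the post)."""
    return records * per_record_cost


def expected_loss(s: Scenario) -> int:
    """Probability-weighted loss summed over the periods (assumed formula)."""
    return s.records * s.per_record_cost * s.breach_pct * s.periods // 100


def build_scenarios() -> list[Scenario]:
    # Record counts, costs and likelihoods are taken from the parameter table.
    return [
        Scenario("current students, U.S. avg cost, avg likelihood", 50_000, 154, 22),
        Scenario("current students, edu cost, elevated likelihood", 50_000, 300, 33),
        Scenario("recent students, edu cost, elevated likelihood", 100_000, 300, 33),
        Scenario("all historical records, edu cost, elevated likelihood", 500_000, 300, 33),
    ]


def loss_table(scenarios, investment: int = 1_300_000):
    """Rows of (name, worst-case loss, expected loss, expected loss / investment)."""
    rows = []
    for s in scenarios:
        el = expected_loss(s)
        rows.append((s.name, worst_case_loss(s.records, s.per_record_cost), el, round(el / investment, 1)))
    return rows


if __name__ == "__main__":
    for name, worst, expected, ratio in loss_table(build_scenarios()):
        print(f"{name:55s} worst ${worst:>13,}  expected ${expected:>12,}  {ratio}x budget")
```

Changing a single field in `build_scenarios` (or adding a row) regenerates the whole table, which is the "tweak the assumptions" capability the post asks for.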
Breaches are probably a clear and present danger for your organization. Security Architects Partners can significantly improve your ability to manage this risk. This post is about a real-life consulting engagement that combines:
- Full Security Program Assessment (scaled down to address the necessary domains for a comprehensive DLP solution)
- Business Case Development