It has been a busy month in cyberspace. TJX, the massive worldwide fashion retailer, is finally releasing some of the gory details of the recent hack which saw over 45 million credit and debit card details stolen from their databases. It seems that the entire fiasco has cost the company an estimated $17 million to date. Interestingly, in a statement, the company goes on to say that “Beyond these costs, TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses”.

Estimating the cost of an intrusion has never been easy. It is something that IT managers grapple with regularly, particularly when fighting for budgets. This article will attempt to explore some of the considerations when contemplating the cost of a systems breach, or indeed the cost of a possible ‘future’ breach.

At a basic level, the most obvious cost component associated with a security incident of any kind is the cost of human labour that will be inevitably required to investigate the breach (if indeed there was one). Add to this the fact that these ‘investigators’, assuming they are employees, will be taken away from their normal work activities, resulting in lost productivity. Time will be spent analysing what has happened, re-installing operating systems, restoring installed programs and data files, reviewing log files, writing incident reports, interfacing with vendors or suppliers etc. And don’t forget that all this will be relatively disruptive, possibly resulting in users being prevented from accessing the systems they need to do their jobs. More lost productivity and ultimately wasted time.


Thankfully, most organisations have a very accurate indication of how much each and every employee’s time costs, so putting a monetary figure on this component is straightforward enough.

One of the major challenges of the security community is to develop an effective return on investment calculation that will allow them to justify security expenditures before catastrophic incidents occur. Ask the following questions:

• Who worked on responding to or investigating the incident?
• How many hours did each of them spend?
• How many people were prevented from working because of the incident?
• How much productive time did each of them lose?
• How much do you pay each of those people to work for you?
• How much overhead do you pay (insurance, sick leave, etc.) for your employees?

Provide the answers to these questions and, believe it or not, you will ultimately arrive at an actual monetary value. Knock the number down by around 20% and you will probably have a true and fair reflection.