Estimating the cost of an intrusion has never been easy. It is something that IT managers grapple with regularly, particularly when fighting for budgets. This article will attempt to explore some of the considerations when contemplating the cost of a systems breach, or indeed the cost of a possible ‘future’ breach.
At a basic level, the most obvious cost component associated with a security incident of any kind is the cost of human labour that will be inevitably required to investigate the breach (if indeed there was one). Add to this the fact that these ‘investigators’, assuming they are employees, will be taken away from their normal work activities, resulting in lost productivity. Time will be spent analysing what has happened, re-installing operating systems, restoring installed programs and data files, reviewing log files, writing incident reports, interfacing with vendors or suppliers etc. And don’t forget that all this will be relatively disruptive, possibly resulting in users being prevented from accessing the systems they need to do their jobs. More lost productivity and ultimately wasted time.
Thankfully, most organisations have a very accurate indication of how much each and every employee’s time costs, so putting a monetary figure on this component is straightforward enough.
One of the major challenges of the security community is to develop an effective return on investment calculation that will allow them to justify security expenditures before catastrophic incidents occur. Ask the following questions:
- Who worked on responding to or investigating the incident?
- How many hours did each of them spend?
- How many people were prevented from working because of the incident?
- How much productive time did each of them lose?
- How much do you pay each of those people to work for you?
- How much overhead do you pay (insurance, sick leave, etc.) for your employees?
Take the time to work out the cost of an imaginary security breach for your organisation. Suddenly, you will find yourself armed with some compelling and, most importantly, factually based, data to impress your management and fight your corner. Better still, turn the data into a fancy pie chart. That will as good as guarantee results! It seems fair to say that with a little preparation, some policies and procedures in place, and a little discipline during incident handling, a reasonably accurate picture of the damage estimates are easily achievable.
It is much more difficult to put an accurate and realistic figure on many of the other ‘softer’ knock-on effects of a security breach. Something else that must be added in (for companies who use computers as part of their business) is lost revenue. This can vary wildly, depending on the nature of an organisations business. Online retailers, or others whose central business model relies on online sales, will find it easy to calculate loses. Others may not be so concerned.