Ponemon Data Breach Report Has No Business Intelligence

Study: Average cost of data breach is $6.5M by Ashley Carman.

From the post:

In a year already characterized by data breaches at recognizable healthcare organizations, such as CareFirst BlueCross BlueShield, and at major government entities, including the IRS, it’s no surprise that victims’ personal information is a hot commodity.

An annual study from the Ponemon Institute and IBM released on Wednesday found that the average per capita cost in a data breach increased to $217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year.

The U.S. looked at 62 companies in 16 industry sectors after they experienced the loss or theft of protected personal data and then had to notify victims.

The Ponemon data breach study has no business intelligence. Despite a wealth of detail on the expenses of data breaches, it has not a word on the corresponding costs of avoiding those breaches.

Reminds me of saying “…solar panels provide renewable energy…,” which makes sense, if you ignore the multi-decade cost of recovering your investment. No sane business person would take that flyer.

But many will read anxiously that the “average” data breach cost is $6.5 million. If that were the cost to CareFirst BlueCross BlueShield, its charitable giving of $50,959,000 was over eight (8) times that amount, on total revenue of $7.2 billion in 2011. Depending on the cost of greater security, $6.5 million may be a real steal.

Data breach reports should contain business intelligence. Business intelligence requires not only the cost of data breaches but also the costs of reducing data breaches, along with some methodology for determining which security measures reduce data breach costs by what percentage.

Without numbers and a methodology for determining the cost of security improvements, file the Ponemon data breach report with 1970s marketing literature on solar panels.

PS: Solar panels have become much more attractive in recent years, but the point is that all business decisions should be made on the basis of cost versus benefit. The Ponemon report is just noise until there is a rational basis for business decisions in this area.
