In this chapter we will examine the diverse cost factors of a breach and ultimately compare them with the implementation cost of an ISMS, hoping thereby to serve all those CISOs and CSOs who have to justify their budget on a daily basis. There are cases in which simply paying for the breach will actually be less costly than implementing an ISMS, but this is an absolute exception and does not work long term. Long term, if you are high-profile enough, you may well be attacked by unsophisticated or sophisticated means, and the cost of implementing an ISMS will always be lower than the cumulative cost of dealing with breaches.
We can differentiate between two types of cost factor: those that can be well estimated or even calculated, and those that can, at best, only be guesstimated. The former category comprises direct and indirect financial cost, while the latter comprises reputational cost and third-party risks and associated costs (the cost originating from a breach affecting one or several third parties, but not the originally affected
3: Cost Factors of a Breach

Direct financial cost

Direct financial cost comprises all cost that can be directly attached to the breach, although there is some leeway in regard to certain activities. For example, the time your administrators and security staff spend on investigating a breach is clearly attached to the breach, but some more business-minded people would argue there is no cost because your staff have to work anyway and handling a breach is simply a part of daily business. This point of view negligently downplays the effect of a breach: if this definition were accepted, a breach would never create any cost.
Therefore, we will define direct cost as any cost directly attached to the occurrence of the breach, comprising all cost that would not have occurred had the breach not occurred. Consequently, all work time, overtime, external cost, equipment leases (for example, bug-searching equipment), legal costs and so on fit into this category. A usual reference (based on the authors' extensive experience of corporate cases) would be to estimate about £10,000 to £100,000 for an easy-to-remedy breach, £100,000 to £500,000 for a more complex breach that affects a cross-section of a complex organisation and £500,000+ for targeted attacks using APTs (Advanced Persistent Threats). These estimates do not include fines by any government regulatory authority, as these are hard to measure, but if the breach is high-profile enough they are likely to end up as five- or six-figure sums.
Indirect financial cost
Indirect financial costs are those that are tied to the breach by causality (if the breach had not occurred, these costs would not occur), but are removed from the original scenario.
For example, if your organisation suffers a denial-of-service attack, the cost of lost productivity is an indirect cost, as are penalties imposed by a client who brings a claim against you because your company did not fulfil its service level obligations.
Indirect costs are indeed hard to measure, but a general guideline would look like this:

- Include all costs not directly related to the breach, but which would not have occurred had the breach not taken place.
- Indirect costs are usually related to processes that connect to the business process affected by the breach.
- Higher-degree indirect costs (further removed from the original point of impact) occur in processes that were not known to connect to the affected process(es); the existence of that connection comes to light only during breach remediation.
- Indirect costs increase logarithmically within the first three days to two weeks and then, depending on the customer base and business model, either approach a limit (slowly or quickly) or increase exponentially, depending on how many processes and entities are involved. Indirect costs are extremely dangerous because their full extent is unknown in advance and usually becomes known only as things unfold.