Breaches Cost Companies Customers

By Adam Dodge

There has been a lot of discussion around the value of breach statistics and breach reporting. Personally, I feel that organizations can find a lot of value in monitoring reported breaches. By studying which breaches are being reported, especially within the same industry vertical, organizations can get a feel for how common breaches are among like institutions. Leadership can gain insight into whether the organization’s current security controls will help protect against commonly occurring breach patterns and discover areas of the security program that need improvement. Organizations can even gain a better understanding of what steps fellow institutions take in response to a breach, since customers will most likely expect the same responses should the organization itself suffer a breach.

However, the one area that breach reporting and most breach statistics fail to cover is what happens to the business after a breach. Questions remain about the long-term impact of data breaches on organizations in terms of increased regulatory oversight, loss of consumer confidence and difficulty attracting new business. After all, nothing makes the case for increased security quite as strongly as a reduced bottom line and increased red tape.

Fortunately, two recent studies help shed some light on what exactly happens to consumer confidence in an organization after a data breach. In April, ID Experts and the Ponemon Institute released a study that looked at consumer response to data breach notices. (Please note for this post I am respecting the disclaimer of this study and will only use information available in the press release.) Two months later, Debix and Javelin Strategy & Research released the results of a consumer survey surrounding data breach notifications in June.

The topics and titles are not the only similarities between these two studies. Even though the methodologies cited in the studies were completely different (Ponemon used responses from a survey of 1,795 adult respondents throughout the US, while Javelin used an online survey of 400 data breach victims as well as in-depth interviews with two breached institutions), the numbers reported by both are shockingly similar. In fact, they are so similar that even as I write this I have a nagging feeling that somehow these might be the same report.

The results of the two reports (one report?!?) show that 55% (Javelin)/57% (Ponemon) of the individuals lost trust in the organization. Even worse, 30% (Javelin)/31% (Ponemon) of individuals notified of a breach terminate their relationship with that organization. Think about that for a second. Roughly 1 out of 2 customers will lose trust in an organization while 1 out of 3 will discontinue business with the organization following a data breach.

What do these numbers mean to us? Well, if you are in an organization that relies on continued customer revenue, these numbers mean a lot.

These numbers are a great starting point for computing the impact of breaches beyond clean-up and notification costs. Ignoring any security ROI proof-of-impossibility magic, the simple fact that 1 out of 3 individuals ends their relationship following a breach is something that needs to be communicated to business leadership. These reports were not some academic exercise in what may happen. The reports looked at what real people did following breach notifications. Real people leaving real businesses can be a powerful selling point for professionals stressing the importance of security in their organizations.

If an organization does suffer a breach, this information is ideal for helping leadership understand what is coming in the long run. Instead of simply running on guesswork, gut feelings and “truthiness”, the organization can plan for an average reduction in repeat sales and use this information to develop compensating controls to cope with the loss. While the likelihood of suffering a loss of exactly 30% is low, it is a starting point to help businesses weather the post-breach storm.

With consumers quickly becoming aware of the importance of security, organizations have started using security as a selling point. Don’t believe me? Take a look at the Bank of America, Wells Fargo and Citibank web sites. See those little locks signifying “secure” access to accounts? Why would these companies bother with this unless there was a benefit?

The general public is starting to gain an awareness of security in a way that did not exist a few years ago.* What this means is that if organizations start to become secure (real security not security theater), this selling point could be used to draw in those 30% of customers that leave competing organizations following a breach. How’s that for security enabling business?

*This excellent point was actually thought up by David Mortman over a recent dinner with Andy Willingham, Adrian Lane and myself.

If you haven’t already, I strongly urge all of you to go read the full ID Experts/Ponemon and Debix/Javelin reports. Each report is full of great information that I didn’t touch on here, such as whether customers find breach notifications helpful, what customers expect in terms of fraud protection and how soon customers expect to be notified following a breach.

Comments

  1. echain says:

    Adam

    While your analysis of these reports is very helpful, I’d be cautious of blindly recommending these studies by Ponemon and Javelin. These “institutes” are funded by identity theft protection and breach response service providers ID Experts and Debix, and although their studies have useful information, their presentation of results is heavily biased to promote their products. While more serious studies would state that there is not sufficient data to conclude with certainty the relative costs of breach recovery since many are not reported or measured, these reports will shamelessly present cost components around lost customers or costs of indemnification, scaring us into buying their products. The threat is real and your analysis is correct. I just want to recognize these institutes for what they are.

  2. admin says:

    eChain (I’d use your name, if I knew it),

    I’ve always considered Ponemon to be fairly straightforward and accurate – but will hold your suggestion in consideration when reading his research. What intrigues me is the comment ‘more serious studies’ — since this is an area with emerging data, I would appreciate some links to the ‘more serious studies,’ since they may help to inform us all. Besides, having more (and more accurate) data benefits us all – it’s something I would like to amplify, if possible.

    Thanks!

    Michael

  3. AdamDodge says:

    eChain,

    As with Michael, I would appreciate links or the titles of the studies that you cite as this is an area that I am very interested in. However, I strongly disagree with your viewpoints on the validity of Ponemon and Javelin. The Ponemon study, for example, not only provides the analysis of their study, but also provides the methodology used, the sample size, the frequency responses and the questions used. All of this allows the reader to interpret the data for themselves if they choose to do so.

  4. echain says:

    FBI and Verisign reports of actual data breaches and investigations. I’m not saying Ponemon and Javelin don’t have a valid point. But, I personally won’t use their statistics in my business case.