Tuesday, December 1, 2009

Business cost of security incidents

Companies treat IT security much the way people treat driving a car. We all know the rules and the reasoning behind them. We also know the risks of not following them. Still, we tend to push the speed limit, talk on the phone while driving, or park beyond the time limit. Why?
Because following the rules is hard, we have other priorities and, above all, we think we can get away with it.

Often we do get away with it. And then we push the limits some more.


That is, until we get hit. It could be a denial of service attack bringing down your operations for a day or more. It could be a malware outbreak infecting hundreds of your systems. It could be data theft or fraudulent transactions on your website, robbing you of revenue and, more importantly, eroding the trust your customers place in you.


There is no single or simple method for calculating the impact of a security incident. Sometimes the impact spans so many functions of the organization that any estimate becomes theoretical. There are also soft costs, which do not show up as a cash outflow at all.


Why should you assess an incident cost?
The question is: why bother? From the organization's point of view, assessing the impact helps you understand the real value of security. It also helps you commit the right level of priority and resources to security. Third, it lets you make informed decisions about the right processes and tools to prevent future incidents.


How can you ensure that the assessment is fair and realistic?
How do we assess the impact of a security incident fairly and realistically? The following are some often overlooked aspects of incident assessment.

  • To begin with, focus on the "business cost" of the incident, not its technical cost. To an organization, business impact is more relevant and meaningful than the number of servers rebuilt.
  • Do not ignore the long-term impact. A security incident has both short-term and long-term effects on an organization, and a fair assessment deals with both. Like an earthquake, the aftershocks are felt long after the main tremor is over. The short-term impact is measured by the immediate loss of revenue, the cost of restoring operations, and the productivity lost while systems were down. The long-term impact is softer: it has to account for loss of market reputation, legal exposure, erosion of market share, and the cost of reclaiming your position. You may need a PR campaign, public outreach programs, policy changes to restore market confidence, money-back guarantees to ease customer concerns, free offers to overcome prospects' hesitation, and other marketing promotions. Sometimes it can also affect market value. Another long-term cost is the effort of investigating the incident itself.
  • Create an open and safe environment for your employees so that the assessment data is accurate. Calculating the real cost requires candour and management commitment. The aftermath of an incident creates a climate of stress, filled with apprehension about blame games, and people who fear blame under-report.
  • Set up procedures and policies before a security incident actually happens. This is the best way to ensure that a) a fair and balanced approach is applied when it does happen and b) you are prepared to collect enough data (timelines, affected systems, hours spent, transactions lost) to measure the impact accurately.
  • Communicate the objective of the incident assessment clearly. Ensure that employees understand the exercise is meant to help the organization understand and prepare for such incidents, not to blame individuals.
  • Look at the motivation of the team estimating the impact. Ensure that the people involved can take a balanced view, neither defending their own area nor inflating the damage to win budget.
  • Avoid both over-estimation and under-estimation. They are equally likely and equally dangerous, because both lead management to make the wrong decisions. A wrong assessment model or wrong input data produces a wrong estimate.
