When it comes to data breaches, 2014 was a banner year. However, if Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, did his math right, 2015 will be more of the same.
In a March 2015 column on The Conversation, Dean provided a hard-to-disagree-with defense of why things security-wise "ain't gonna change" soon. "When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues," wrote Dean. "After reimbursement from insurance and minus tax deductions, the losses are even less."
Dean then administered the knockout punch: "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."
The costs of the Target, Home Depot, and Sony data breaches
Target's data breach in late 2013 involving 40 million credit- and debit-card records, plus 70 million customer records (including addresses and phone numbers), came under Dean's microscope. A Target financial statement revealed the data breach cost Target $252 million. "When we subtract insurance reimbursement, the losses fall to $162 million," explained Dean. "If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."
Dean pointed out that this sum equaled 0.1% of Target's 2014 sales.
Home Depot suffered a data breach in 2014 in which attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses. According to Dean, after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million, or 0.01% of its sales in 2014.
Dean also looked at Sony's data breach, which occurred near the end of 2014. Sony at first suggested losses exceeded $100 million. However, Dean found some equally interesting numbers in Sony's third-quarter financial statement: "$15 million in 'investigation and remediation costs' and that it [Sony] doesn't expect to suffer any long-term consequences."
A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31. Dean offered some perspective about the losses: "To give some scale to these losses, they represent from 0.9% to 2% of Sony's total projected sales for 2014 and a fraction of the initial estimates."
As to the question of Sony's reputation, Dean provided the following numbers on the movie "The Interview":
- It cost $44 million to make the film; and
- it has grossed $46.7 million in online sales and cinemas worldwide.
"If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony," mentioned Dean. "There's no such thing as bad press, after all."
The moral hazard response
Dean then introduced a concept I had not heard of: moral hazard. There are several versions of the definition, but this one from Wikipedia is relevant to this discussion:
"In economics, moral hazard occurs when one person takes more risks because someone else bears the burden of those risks."
Dean applied the concept of moral hazard to Target, Home Depot, and Sony. "These companies are able to invest less in information security," said Dean in an email exchange with me. "Because, in the event of a breach, other parties (banks, customers, etc) bear the lion's share of the costs of the breach."
In the case of Home Depot, Dean said credit- and debit-card providers plus Home Depot customers caught the brunt of the fallout. "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards," Dean added. "Each customer whose card had to be replaced also incurred a cost in terms of inconvenience."
Dean then concluded that it does not make economic sense for companies like Target, Home Depot, and Sony to invest heavily in information security, especially when insurance payments and tax deductions reduce the net cost of a breach to less than what improving information security would cost.
What is the answer?
Removing the moral hazard seems to be the logical answer. But how would that come about -- government intervention? "It's important to make sure the intervention doesn't make the problem of moral hazard worse," cautioned Dean. "This is a huge problem because as we plough billions of dollars into intelligence agencies, supposedly to keep us all safe from 'cyber-attacks', it has the effect of further weakening the already low incentives for companies to invest in information security themselves."
"Unintended consequences of policies, even in instances where the case for government intervention is strong, can be worse than the consequences of doing nothing at all," further cautions Dean. "I'm not saying that we do nothing at all -- just that we need verifiable and reliable data on which to begin making these complex policy decisions."
- The thorny world of moral hazard: what to do when a company does wrong? (The Guardian)
- Cybersecurity spending: How to know when enough is enough (ZDNet)
- Cybersecurity spending: Here's where the money goes (ZDNet)
- Half of enterprises have no budget at all for mobile security, survey finds (ZDNet)
- Security and privacy: New challenges (ZDNet/TechRepublic special feature)
- Inside the secret digital arms race: Facing the threat of a global cyberwar
Note: TechRepublic and ZDNet are CBS Interactive properties.