Do we spend too much to protect information?

Or: How Should We Interpret Large Data Breaches?

The financial crisis has reminded everyone of the importance of risk management, and of watching out for “black swans.” It is tempting for CISOs to latch onto the recent failures of risk management in the financial world as a way to argue that we are not doing enough to reduce information risk. However, a back-of-the-envelope look at current information risk spending versus residual risk suggests that large organizations may already be spending too much.

Current Information Risk Exposure of Large Organizations

Financial risks and information risks are both poorly quantified, but the analogy ends there. While credit default swaps hid risks that could put firms out of business, few CISOs can argue that information risks pose a similar existential threat to their firms. Even the worst breach so far, suffered by retailer TJX in 2007, cost less than $300M and has left no lasting impact on its revenue or share price. The well-publicized recent breach at Heartland may cost only a small fraction of that.

As far as we know, events like these represent the “long tail” of information risk incidents. If one member of the Fortune 500 has a $500M incident each year, that’s $1M/year on average. (This is something we are not seeing, and in fact Heartland doesn’t even make the Fortune 1000, so the divisor should probably be much higher and the average therefore lower.) The average IREC member company loses $1-2M a year in non-long-tail security incidents (of course, most lose much less and a few lose much more), so the total expected loss is something like $3M/year for organizations of this size.

Current and Optimal Security Spend for Large Organizations

  • Companies of this size spend on the order of $10-20M annually in mitigation activities.
  • If companies only have $3M of unmitigated risk, they shouldn’t add more than $3M to what they are spending now on reducing that risk.
  • Two things we can be pretty sure of: 1) you can’t get rid of all risk, and 2) the law of diminishing returns applies to security measures.

Because of diminishing returns, even $3M would be too much to spend for $3M of risk, because this is not going to get us anywhere close to reducing our risk to zero. If you had more money to spend, it would probably be better to put it in a rainy day fund to pay for a breach you might have some years in the future than to try to reduce the risk of an incident by a little.

See below for a graphical version of this argument.


1) How sure are we that TJX is the true long tail? One might say that for companies that do nothing but deal in sensitive information, or do security as a business, a breach could destroy trust enough to kill the company. This might be true.

1a) We can watch Heartland’s experience to inform us about the former.

1b) So far the frequent incidents on security vendor websites don’t seem to have hurt them much.

2) Another factor not accounted for above is that companies that deal more with intellectual property than customer data are less likely to report incidents, so we are not taking IP losses into account (estimated at $4.6M/year).

3) The biggest caveat is that this is a point-in-time view of a dynamic situation. Unmitigated risk might be $3M today, but as new vulnerabilities arise, that figure is going to balloon if we don’t do anything.


As always, in the end it is not possible to know for sure how much to spend on information risk reduction, but given these figures, it does not look like most CISOs should be arguing for bigger budgets. Instead they should focus on improving the efficiency and effort allocation of their existing activities. New projects with new spending should usually focus on either future cost savings or enabling business activities that are currently avoided due to risk.


Graphical Version of the Investment Argument

Obviously we don’t know exactly what these curves look like, but here’s an example of what they must look like schematically. As the intensity of the security program increases, risk goes down, and spend goes up. We know that because of diminishing returns, the spend line is curving upwards, and the risk curve is leveling off. Any time the upward slope of the spend line is greater than the downward slope of the risk curve, we are spending too much.


It’s possible to draw it the other way, but to do so you must assume there is very little diminishing return to security spend.
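The slope test and both ways of drawing the curves can be made concrete with a small model; this is an added example, not part of the original post. The curve shapes and coefficients are constructed assumptions, calibrated only so that the current program costs $15M/year and leaves $3M/year of residual risk, in line with the post's rough figures.

```python
import math

CURRENT = 10.0  # constructed: intensity where spend = $15M and residual risk = $3M

def spend_a(x):  # diminishing returns: the spend line curves upward
    return 0.15 * x ** 2

def risk_a(x):   # ...and the risk curve levels off
    return 3.0 * math.exp(-0.3 * (x - CURRENT))

def spend_b(x):  # drawn "the other way": spend rises in a straight line
    return 1.5 * x

def risk_b(x):   # ...and risk keeps falling at a constant rate until it hits zero
    return max(0.0, 3.0 - 2.0 * (x - CURRENT))

def slope(f, x, h=1e-4):
    return (f(x + h) - f(x - h)) / (2 * h)

def overspending(spend, risk, x):
    """The post's test: spend rises faster than risk falls at intensity x."""
    return slope(spend, x) > -slope(risk, x)

def optimum(spend, risk, lo=0.0, hi=20.0, steps=2000):
    """Intensity minimising total cost (spend + residual risk), by grid search."""
    xs = [lo + (hi - lo) * i / steps for i in range(steps + 1)]
    return min(xs, key=lambda x: spend(x) + risk(x))

def risk_removed(spend, risk, extra, lo=CURRENT, hi=20.0):
    """Risk ($M/yr) removed by adding `extra` $M/yr to the current budget."""
    budget = spend(CURRENT) + extra
    for _ in range(60):  # bisection: intensity the larger budget buys
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if spend(mid) < budget else (lo, mid)
    return risk(CURRENT) - risk(lo)

if __name__ == "__main__":
    for name, s, r in (("diminishing returns", spend_a, risk_a),
                       ("little diminishing return", spend_b, risk_b)):
        x = optimum(s, r)
        print(f"{name}: overspending now={overspending(s, r, CURRENT)}, "
              f"optimal spend=${s(x):.1f}M, "
              f"extra $3M removes ${risk_removed(s, r, 3.0):.2f}M of risk")
```

Under the first set of curves an extra $3M removes well under $1M of risk, which is the sense in which even $3M is too much to spend on $3M of risk; only the second set, with no leveling off, justifies a larger budget.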

