Has anyone performed a cost-benefit analysis related to risk reduction for security tools? If so, how did you go about it?

Determining the cost-benefit investment in security tools can be tricky and rather subjective, especially considering that some of the risk being mitigated by the tool can be due to human acts. For security tool evaluations, two scenarios are most likely: a random event or an intentional/unintentional human act. The most common cost valuations for security tools are: costs of non-compliance, cost/impact of a hacking event/data breach, or the cost of reputational risk. Quantifying any of these costs can also be a challenge, but losing customer trust can ultimately be the worst outcome and lead to a loss of revenue. According to IBM, nearly 40% of the average total cost of a data breach stems from lost business.

Penalties against organizations that collect and manage personal data or health data can be very costly. Projecting the cost of a data breach to an organization could be quantified by using published penalties under whatever regulatory rules an organization must comply with. However, the regulatory landscape is very complex in the US and can vary from state to state, especially when breach notification is involved. According to IBM, the average costs associated with data breaches in 2019 were approximately $8M per breach.

In evaluating a security tool, a reasonable metric for use in a cost-benefit analysis may be the penalty cost per record the tool is used to protect. According to IBM, in the US, the average cost of each lost record was approximately $146 in 2019. The most expensive type of record to lose was customer PII records, which are involved in around 80% of all data breaches. Therefore, the tool evaluation needs to address: mitigation of the adverse consequences associated with a breach (penalties, loss of reputation, etc.); mitigation of any likely causes of a data breach (events, human acts); and management of the risk going forward (prevention of lost business).
