Each time a company like Yahoo is exposed in the news as the victim of a mega-hack, people ask the same question: why didn't they invest more in security? The answer may be that investing more in security does not make financial sense. The RAND Corporation performed a study, published in the Journal of Cybersecurity, that looked at the expenses involved in IT security failures and found that the financial cost of being hacked was lower than expected: the typical incident cost about $200,000.
High-end security systems that could have prevented those breaches cost far more than the $200,000 lost, which makes not buying an expensive security system a defensible business decision. Sasha Romanosky, the author of the report, says that he has spent his career in the security industry, where people are expected to invest more every year to protect themselves. Yet businesses are taking a rational perspective: they add up the expected costs of a security system rather than investing in it blindly. They want to minimize total cost, and remaining vulnerable to some hacks may be the cheapest option. Romanosky examined more than 12,000 hacking incidents and found that they cost companies only about 0.4 percent of annual revenue. Compared with billing fraud, which costs companies about 5 percent, that figure is small. It is also less than retail shrinkage, which costs about 1.3 percent of annual revenue.
There is also damage to a company's reputation after it falls victim to a hack. That damage is hard to quantify because each case is different: after interviewing many company executives, Romanosky could not arrive at a consistent figure or percentage. One notable finding is that being hacked did not appear to have an adverse effect on the stock prices of the victim companies.
Security analysts use what is sometimes called the "Pinto formula", after the cost-benefit calculation Ford applied to the Pinto's fuel-tank defect, to weigh the cost of fixing a problem against the cost of its consequences. If fixing the problem costs more than dealing with the fallout, companies do not fix it. They are primarily concerned with saving money, so from a purely financial standpoint this is the rational choice. The caveat is that the calculation is only as good as its inputs: the probability of a breach and its full cost, including the reputational damage the study could not quantify, are the hardest numbers to estimate.