Whenever mega-hacks like the Yahoo! fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough. The answer could be that it's not in a company's financial interest to be secure.
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision.
"I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs."
Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.
As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.
It's this kind of thinking that led to the infamous Pinto Formula. In 1973, a memorandum was prepared by Ford examining the costs of issuing a fix for its Pinto compact cars. In tests, the cars were shown to have a dangerously unshielded fuel tank, meaning they had a tendency to burst into flames when hit from behind at more than 20 miles per hour.
The boffins at Ford estimated that the cost to the company of doing a recall on the model would be $137.5m. But if the recall wasn't held, the company would only have to pay out an estimated $49.5m in damages for the expected 180 deaths from fire, so the firm decided not to perform the recall.
The memo was discovered by investigative journalist Mark Dowie and caused a massive problem for Ford. It was forced to issue a recall and pay out millions in damages, and the case dogged Ford's reputation for years.
However, it may be that the lack of security could have an effect on the burgeoning cyber insurance market. Romanosky pointed out that insurance costs would provide a more direct incentive for companies to protect their data.
Insurance companies would also be in an ideal position to judge what IT security systems work best, he pointed out. After all, their job is to price risk and they would have the data on incidents and how they occurred. But so far that hasn't happened.
"We don't get a lot of feedback from them; either they don't understand or they don't care so much," he said. "I get the sense they are a little complacent. Maybe they think they are overcharging. I don't know if they are being strategic that way." ®