Ponemon Institute

News & Updates


Welcome to my new blog. I look forward to providing interesting content from our latest research studies. Please stay tuned to some very thought provoking research!

A Few Challenges in Calculating Total Cost of a Data Breach Using Insurance Claims Payment Data
April 19, 2015, 1:34 pm

Let me first state that I am a big fan of the Verizon DBIR and have read every one. I also have a great deal of respect for the NetDiligence Cyber Claims Study and like many in the insurance industry, find it extremely valuable. I was, however, taken by surprise when I read the latest Verizon report and saw that their cost of a data breach analysis was based on the NetDiligence data set. Here’s why:

All insurance policies have limits and nearly all have sub-limits. So for example, XYZ Company might buy a cyber liability policy with a $1M limit. Generally speaking, that means the policy would cover qualified expenses up to $1M. All costs exceeding the $1M mark would be the responsibility of XYZ Company. (This is why it’s so important to try to calculate and purchase the right amount of coverage for your specific situation.) So the first problem with using payment claims data to calculate the total cost of a breach is that it will exclude costs beyond the limit of the policy and only include amounts actually paid by the insurance company. Think Target with $100M in cover (less $10M self-insured retention) but total breach costs in excess of $252M and counting. But it gets more complicated than that.

Back to XYZ Company and their $1M policy. It would not be unusual for the policy to have a sublimit of $250,000 for First Party Privacy, $25,000 for Crisis Management, $250,000 for Regulatory Coverage, $250,000 for Legal and Forensic, etc. Likewise, there may be specific deductibles like $5000 for Privacy Notification Costs, etc. If XYZ Company experienced a breach and submitted claims that exceed the sublimits for any of the above categories, the insurance company is only obligated to pay up to the specified sublimit and not beyond. Looking at payment claims data alone will not tell you whether XYZ Company’s total expense is accurately reflected in the number. The terms of each policy must be reviewed to determine if a sublimit has been exceeded, and if so, the researcher would have to turn to XYZ Company to find out what additional expenses were not included in the data.

To further complicate the picture, all insurance policies have exclusions as well, which would disallow reimbursement for certain costs, even though they may be a direct consequence of the breach. These exclusions can be all over the map, but one easy example would be business interruption expense, which is optional coverage, typically only provided at additional cost. Only three companies bought it in NetDiligence's 2014 data set, but it's quite likely that many companies incurred such expenses. It can get even more complicated if you look at whether another separate policy, possibly from another carrier, provides umbrella coverage or coverage for some other piece of breach related costs. Even if we assume the NetDiligence data set includes only straightforward claims situations, there is no single standard across cyber insurance policies regarding limits, sublimits, exclusions, etc.

So it seems that moving beyond calculations describing insurance company costs for claims paid, to arrive at a formula for total breach-related costs for each company, would have required that every breach in the NetDiligence data set had every claim paid in full, and that all companies submitting claims had zero uninsured breach-related expenses. Assuming this was not the case, such a calculation of total breach costs would further require a review of the terms of each company’s insurance policy and an analysis of the claims submitted, paid and rejected by the insurance company. This sounds a lot like the kind of in-depth interviewing and analysis that the Ponemon Institute conducts with breached companies, but with the addition of discussions with the claims teams handling these breaches.
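To make the gap between claims paid and total breach cost concrete, here is an added worked example (not part of Ben Goodman's post or the NetDiligence or Verizon data). It is a deliberately simplified settlement model: each claim category has the deductible subtracted, is capped at its sublimit, excluded categories pay nothing, and the covered total is reduced by any self-insured retention and capped at the aggregate limit. The XYZ Company policy terms come from the text above; the claim amounts submitted against them are constructed for illustration, as is the single-category reading of the Target figures ($100M limit, $10M retention, $252M incurred). Real policy wording varies, so the model is an assumption, not a description of any actual policy.

```python
from dataclasses import dataclass, field


# Hypothetical policy model (an assumption for this example; real wording varies).
@dataclass
class Policy:
    aggregate_limit: float                  # the policy limit
    retention: float = 0.0                  # self-insured retention the insured pays first
    sublimits: dict = field(default_factory=dict)    # category -> most the insurer pays
    deductibles: dict = field(default_factory=dict)  # category -> amount the insured absorbs
    excluded: frozenset = frozenset()       # categories the policy does not cover at all


@dataclass
class Settlement:
    paid_by_category: dict   # insurer payment per category after deductible and sublimit
    insurer_paid: float      # total after retention and aggregate limit
    total_incurred: float    # what the breached company actually spent

    @property
    def uninsured(self) -> float:
        """Breach cost that never appears in claims payment data."""
        return self.total_incurred - self.insurer_paid

    @property
    def paid_share(self) -> float:
        """Fraction of the true cost that claims payment data would show."""
        return self.insurer_paid / self.total_incurred if self.total_incurred else 0.0


def settle(policy: Policy, claims: dict) -> Settlement:
    """Apply exclusions, deductibles, sublimits, retention and the aggregate limit."""
    paid = {}
    for category, incurred in claims.items():
        if category in policy.excluded:
            paid[category] = 0.0           # excluded: the company bears the whole cost
            continue
        net = max(0.0, incurred - policy.deductibles.get(category, 0.0))
        cap = policy.sublimits.get(category)
        paid[category] = net if cap is None else min(net, cap)
    covered = sum(paid.values())
    # Retention comes off the covered amount; the insurer never pays above the limit.
    insurer_paid = min(policy.aggregate_limit, max(0.0, covered - policy.retention))
    return Settlement(paid, insurer_paid, float(sum(claims.values())))


# XYZ Company policy terms from the post; claim amounts are constructed sample data.
XYZ_POLICY = Policy(
    aggregate_limit=1_000_000,
    sublimits={
        "first_party_privacy": 250_000,
        "crisis_management": 25_000,
        "regulatory": 250_000,
        "legal_forensic": 250_000,
    },
    deductibles={"privacy_notification": 5_000},
    excluded=frozenset({"business_interruption"}),  # optional cover XYZ did not buy
)
XYZ_CLAIMS = {
    "first_party_privacy": 400_000,
    "crisis_management": 60_000,
    "regulatory": 300_000,
    "legal_forensic": 500_000,
    "privacy_notification": 80_000,
    "business_interruption": 150_000,
}

# Target figures quoted in the post, treated as a single category for illustration.
TARGET_POLICY = Policy(aggregate_limit=100_000_000, retention=10_000_000)
TARGET_CLAIMS = {"breach_costs": 252_000_000}


def xyz_settlement() -> Settlement:
    return settle(XYZ_POLICY, XYZ_CLAIMS)


def target_settlement() -> Settlement:
    return settle(TARGET_POLICY, TARGET_CLAIMS)


if __name__ == "__main__":
    for name, s in (("XYZ Company", xyz_settlement()), ("Target", target_settlement())):
        print(f"{name}: insurer paid ${s.insurer_paid:,.0f} of ${s.total_incurred:,.0f} "
              f"incurred; uninsured ${s.uninsured:,.0f}; claims data shows "
              f"{s.paid_share:.0%} of true cost")
```

In the constructed XYZ scenario every sublimited category is exceeded and the uninsured business interruption expense is carried entirely by the company, so a researcher working from the insurer's payment records alone would see roughly 57 percent of what the breach actually cost; the retention and limit on the Target-style policy hide an even larger share. This is exactly why the post argues that policy terms, not just paid claims, have to be reviewed before claims data can stand in for total breach cost.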

Again, these comments do not diminish in any way the value of NetDiligence's data nor the Verizon DBIR – both are superb reports. The cyber security community must continue to test current assumptions and common practices, and to experiment with new ways of quantifying cyber risk. Incorporating cost data into Verizon’s DBIR is an entirely welcome development, but it appears that the current report lacks a method of accounting for the artificial cost caps and other excluded costs that are not part of the NetDiligence insurance claims payment data. This could result in a significant underestimation of the total cost of a breach. Unfortunately, it is not readily apparent how to quantify this without a lot more digging…

# # #

Ben Goodman, CRISC, is the founder of Enterprise Risk Associates, a licensed insurance agency, and a member of the Casualty Actuarial Society’s Cyber Risk Task Force. He also serves as President of 4A Security and Compliance, a firm that helps clients strengthen their information security while managing cyber risk and meeting compliance requirements. With over 25 years of experience in information technology, technology strategy and risk management, he is dedicated to strengthening the cyber defenses and resiliency of US organizations, institutions and critical infrastructure.

Ben is the recipient of ISACA’s CRISC Worldwide Achievement Award, and a founding member of Drexel University’s College of Computing and Informatics Cybersecurity Institute’s Advisory Board.

Why Ponemon Institute’s Cost of Data Breach Methodology Is Sound and Endures
April 16, 2015, 5:01 pm

This week, Verizon released its annual 2015 Data Breach Investigations Report. We respect the amount of effort and resources Verizon devotes to its annual report. In the past, Ponemon Institute has reached out to the researchers at Verizon because of what I believe should be a shared and collaborative goal to continuously improve and refine the research being conducted about data breaches and other security incidents. In fact, we were pleased to have Wade Baker from the Verizon DBIR team speak to our Institute’s RIM Council of sponsoring companies and Fellows in December 2012. By the way, Verizon is a sponsoring company of the Institute.


Ponemon Institute releases new study on how organizations can leapfrog to a stronger cyber security posture
April 10, 2015, 4:00 pm

Is your company’s security strategy stuck in a rut? Are you concerned that the competition is outpacing you in its ability to deal with increasingly sophisticated and stealthy cyber criminals? Ponemon Institute, with sponsorship from Accenture, spent several months interviewing senior level IT and IT security practitioners in 247 companies to identify the main factors that contribute to an organization’s improved security posture—or leapfrogging from a level of low to high performance in its security ecosystem.

2014: A Year of Mega Breaches
January 28, 2015, 10:00 am

2014 will long be remembered for a series of mega security breaches and attacks starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the 2014: A Year of Mega Breaches study sponsored by Identity Finder, the following findings reveal changes companies are making to their security strategies.

• More resources are allocated to preventing, detecting and resolving data breaches. According to 61 percent of respondents, the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.

• Senior management gets a wake-up call and realizes the need for a stronger cyber defense posture. Sixty-seven percent of respondents say their organization made sure the IT function has the budget necessary to defend it from data breaches.

• Operations and compliance processes are changing to prevent and detect breaches. Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.

We hope you will read the full report.

Ponemon Institute Announces Results of 2014 Most Trusted Companies for Privacy Study
January 28, 2015, 9:00 am

In recognition of Data Privacy Day, Ponemon Institute is pleased to announce the results of the 2014 Most Trusted Companies for Privacy Study, an annual study that tracks consumers’ rankings of organizations that collect and manage their personal information. This year, the most trusted company is Amazon. 

The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA
January 28, 2015, 8:30 am

Ponemon Institute is pleased to present the Open Source Collaboration Study conducted in the US & EMEA. The study found that overall, IT professionals' perceptions of commercial open source software for messaging and collaboration are more positive than their perceptions of proprietary software. Common to both the US and EMEA is IT professionals' dissatisfaction with their current messaging and collaboration platforms, the majority of which are proprietary solutions. And, while IT professionals in the US and EMEA disagree on the relative importance of security versus privacy, there is agreement among IT professionals that commercial open source software offers better cost, control, quality and business continuity than proprietary software. To learn more about this research sponsored by Zimbra, please download the webinar.

Corporate Data: A Protected Asset or a Ticking Time Bomb?
December 9, 2014, 10:00 am

In the pressure to be productive, many employees are putting confidential corporate information at risk. Is it possible to have both a productive workforce and a strong security posture? Our latest study, Corporate Data: A Protected Asset or a Ticking Time Bomb? discusses the dilemma facing IT practitioners charged with stopping data leakage and offers solutions on how to keep critical business information secure without diminishing the productivity of employees. We hope you will read the full report.

Can a data breach in the cloud result in a larger and more costly incident?
June 5, 2014, 9:00 am

Can a data breach in the cloud result in a larger and more costly incident? Our latest study, Data Breach: The Cloud Multiplier Effect, sponsored by Netskope, reveals how the risk of a data breach in the cloud is multiplying. According to the IT and IT security practitioners participating in this study, the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices is making it difficult to stop the loss or theft of sensitive data in the cloud. We hope you will download the complete report at:

To register for the webinar featuring Dr. Larry Ponemon and Netskope Founder and CEO, Sanjay Beri, on July 16 at 1 PM EST, please click here:

Warmest regards,

Dr. Larry Ponemon

Ponemon Institute and Raytheon Release New Study on the Insider Threat
May 21, 2014, 2:00 pm

Well-publicized disclosures of highly sensitive information by WikiLeaks and former NSA employee Edward Snowden have drawn attention and concern about the insider threat caused by privileged users. We originally conducted a study on this topic in 2011 and decided it was time to see if the risk of privileged user abuse has increased, decreased or stayed the same. Unfortunately companies have not made much progress in stopping this threat since then. Our latest study commissioned by Raytheon, “Privileged User Abuse & The Insider Threat,” looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One area that is a big problem is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they don’t have enough contextual information from security tools to make this assessment and 56 percent say security tools yield too many false positives. To learn more, we hope you will read the full report:

Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis
May 5, 2014, 10:15 am

Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.

Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.

Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.

As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach.

In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly. In this year’s study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy.

An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.

Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.

When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.

To download the complete report please use the following link:

