This week, Verizon released its annual 2015 Data Breach Investigations Report. We respect the amount of effort and resources Verizon devotes to its annual report. In the past, Ponemon Institute has reached out to the researchers at Verizon because of what I believe should be a shared and collaborative goal to continuously improve and refine the research being conducted about data breaches and other security incidents. In fact, we were pleased to have Wade Baker from the Verizon DBIR team speak to our Institute’s RIM Council of sponsoring companies and Fellows in December 2012. By the way, Verizon is a sponsoring company of the Institute.
We would have appreciated it if the DBIR researchers had given Ponemon Institute the same courtesy. No one from the DBIR team took the time, even for a brief call, to confirm the assumptions they made about our methodology. Apparently their single-minded goal was to “bust the myth” of our annual cost of data breach research. We stand by our research, now in its 10th year. Following are the reasons why the conclusions made by the DBIR team about our costing methodology are flawed.
Ponemon Institute’s Cost of Data Breach Study is based on actual data collected at the company level using field-based research methods and an activity-based costing framework. Our approach looks at hundreds of cost categories within each participating company. Our cost framework has been validated through the analysis of more than 1,600 companies that experienced a material data breach over the past 10 years in 12 countries.
When I read the DBIR report I was surprised to learn that their entire cost analysis was based upon a secondary source (191 insurance claims). There was no effort to produce their own cost study from the data breach incidents analyzed in their research.
They criticized our average cost as an inaccurate representation of our cost data. Our research presents both average and total cost, making it easy for the reader to interpret the economic impact of a data breach. We believe our methods are a fair representation of the economic impact to the company. Our framework includes both direct and indirect costs, and it is the indirect costs that potentially make up the greater share of the total cost.
Moreover, our framework is broader than looking at insurance claims. The problem with relying on insurance claims is that they provide an incomplete picture of the costs companies incur as a result of a data breach. First, only direct costs are available; second, not all organizations have insurance; and third, there is no test that the claims are accurate. In fact, insurance companies and their actuaries have used our cost of data breach figures to underwrite risk and set premiums.
Further, it has been our policy to publish the actual cost of each company participating in the research. All information that could identify the participating company has been redacted. In short, we bend over backwards to provide transparency about the data we use to construct our cost figures.
It is ironic that after all the criticism, our estimate of a total cost of data breach falls within DBIR’s confidence interval shown in Figure 23 of the report. DBIR’s own prediction model for a data breach involving between 10,000 and 100,000 records fits our global total cost of data breach.
One last minor point: the researchers use a logarithmic regression. While this is an interesting approach, it is hard to justify because the data collected is not derived from a scientific sample. Further, small sample sizes make it difficult to create an accurate precision interval. This is why we use simple metrics and non-parametric statistics to describe the significance of our work.
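As an added illustration of the statistical point in the paragraph above (this is example code written for this page, not Ponemon's or Verizon's analysis, and every number in it is constructed), the following Python fits a log-log regression of breach cost on records exposed to a sample of eight incidents, derives a 95% prediction interval from the residual error and a Student-t critical value taken from a standard table, and sets that beside a nonparametric summary: the median cost per record with a percentile-bootstrap interval. With only six degrees of freedom the t multiplier is 2.447 rather than 1.96, and because the interval is built in log space it becomes a multiplicative band in dollars, which is why it comes out so wide:

```python
import math
import random
import statistics

# Constructed sample of breach incidents as (records exposed, total cost in USD).
# These values are invented for illustration; they are not Ponemon or DBIR data.
SAMPLE = [
    (1_000, 150_000),
    (3_000, 260_000),
    (10_000, 700_000),
    (20_000, 900_000),
    (50_000, 2_100_000),
    (100_000, 2_600_000),
    (300_000, 5_800_000),
    (1_000_000, 11_000_000),
]

# Two-sided 95% Student-t critical values (0.975 quantile) by degrees of freedom.
# Standard table values; the normal value 1.96 is the fallback for larger samples.
T_975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571,
         6: 2.447, 7: 2.365, 8: 2.306, 9: 2.262, 10: 2.228}


def fit_loglog(data):
    """Ordinary least squares of ln(cost) on ln(records).

    Returns (intercept, slope, residual_std_error, n, mean_x, sxx).
    """
    xs = [math.log(r) for r, _ in data]
    ys = [math.log(c) for _, c in data]
    n = len(xs)
    xbar = sum(xs) / n
    ybar = sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = ybar - slope * xbar
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    dof = n - 2
    s = math.sqrt(sum(e * e for e in residuals) / dof)
    return intercept, slope, s, n, xbar, sxx


def predict_cost(data, records):
    """Point prediction and 95% prediction interval, in dollars, for one new
    breach exposing `records` records. The interval is symmetric in log space,
    so in dollars it is a multiplicative band around the point estimate."""
    a, b, s, n, xbar, sxx = fit_loglog(data)
    x = math.log(records)
    yhat = a + b * x
    # Standard error of a single new observation (wider than that of the fitted line).
    se_pred = s * math.sqrt(1 + 1 / n + (x - xbar) ** 2 / sxx)
    half = T_975.get(n - 2, 1.96) * se_pred
    return math.exp(yhat), math.exp(yhat - half), math.exp(yhat + half)


def nonparametric_summary(data, resamples=2000, seed=1):
    """Median cost per record with a percentile-bootstrap 95% interval.
    Makes no assumption about how cost scales with record count."""
    per_record = sorted(c / r for r, c in data)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    boot_medians = sorted(
        statistics.median(rng.choice(per_record) for _ in per_record)
        for _ in range(resamples)
    )
    lo = boot_medians[int(0.025 * resamples)]
    hi = boot_medians[int(0.975 * resamples) - 1]
    return statistics.median(per_record), lo, hi


if __name__ == "__main__":
    _, slope, s, n, _, _ = fit_loglog(SAMPLE)
    print(f"n={n}, slope={slope:.3f}, residual std error (log space)={s:.3f}")
    point, lo, hi = predict_cost(SAMPLE, 30_000)
    print(f"30,000 records: ${point:,.0f}  95% PI ${lo:,.0f} .. ${hi:,.0f}  "
          f"(upper/lower ratio {hi / lo:.1f}x)")
    med, blo, bhi = nonparametric_summary(SAMPLE)
    print(f"median cost/record ${med:.2f}  bootstrap 95% ${blo:.2f} .. ${bhi:.2f}")
```

The upper/lower ratio printed for the regression is the number to look at: a band that spans several multiples of the point estimate is what a small-sample log regression produces even on well-behaved data, whereas the median-based summary reports a per-record figure whose interval is bounded by the observed values themselves. Neither approach repairs a sample that was not drawn scientifically, which is the first objection raised above.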
In the spirit of collaboration and goodwill, we welcome the opportunity to meet with the DBIR team in order to clarify their misunderstandings about our research.
Dr. Larry Ponemon
Chairman and Founder