Ponemon Institute
Sign Up for the Ponemon News Feed for special reports and important updates regarding privacy and security

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


Understanding the Methodology and Staggering Costs in the Annual Cost of Failed Trust Report

February 21, 2013, 12:00 am


Some staggering numbers

Every Global 2000 enterprise faces a total exposure of almost U.S. $400 million over 24 months due to new and evolving attacks on failed cryptographic key and digital certificate management. And adjusting for probability established by survey participants, we found every enterprise risks losing $35 million.

This findings cap our First Annual Cost of Failed Trust Report: Trusts and Attacks, which quantifies, for the first time, the financial impact of impact of new threats and attacks on our ability to control trust.

I’ve worked at the forefront of IT security research for years, but the numbers still stunned me. The audited results from 2,234 respondents in five countries clearly show the very real impact of a whole new set of exploits can have on enterprises.  This level of risk demands immediate attention and remediation.  Especially since every respondent reported their organization has already been the victim of at least one of these exploits.

I don’t just want to knock you out of your chair with these numbers—even though I almost fell out of mine—I want you to understand what they really mean. With that goal in mind, let’s take a closer look into the data and methodologies we used to produce the report.

How we obtained the numbers

We began our data collection using many of the same practices that we have applied over years of research. We created a large sample, drawing data from 2,342 mostly Global 2000 enterprises in five geographic regions and 16 vertical industries. We requested IT security professionals, experienced in the field.

Well aware that we were breaking new ground, I paid careful attention to the methodology, selecting the expected value approach as the most appropriate. This well-established, risk based approach helps you assess how much you can expect to lose from incidents that have wide-ranging, hard-to-pin-down effects and also occur at unknown intervals.

Here’s the formula:

Total Exposure x Likelihood of Occurrence = Expected Exposure

You can think of the costs that your business incurs as the result of a series of bets. The total exposure is the size of the bet—how much you stand to lose, in terms of operational costs, productivity, revenue and reputation, if an issue occurs. The odds of the game correspond to the likelihood of that issue actually occurring, which depends in no small part on how well you manage your assets. The expected exposure indicates how much you can expect to lose on average.

Take an example from the report: you’re a Global 2000 enterprise betting $125 million, the potential total impact from the attack, that a hacker won’t exploit a key that uses weak legacy encryption. The likelihood that you’re wrong is 18% - the percentage of respondents who believe in the next two years their organization will be impacted by this attack. As long as you keep playing that game with those odds, you’re going to lose about $22.5 million. Of course, you could be lucky and lose less—or unlucky and lose more.

That’s the quick look at the methodology. If you interested in the details, dive in here.  

What the numbers mean for you

I hope that this insight into our methodology helps you to understand the Cost of Failed Trust Report and better put it to use.

Now consider your own organization. Are you among the 51% of respondents who don’t know how many keys and certificates they have or where they’re used? If you are, our research shows there’s on average over 17,000 keys and certificates in your infrastructure and cloud services. Not knowing will greatly impact your risk and likelihood of being a victim of exploits on key and certificate management.

Earlier, I compared the risk of incurring costs due to failed trust to placing a bet. Unlike at Vegas, though, you can’t change the size of the bet—that’s fixed by the crucial service that the keys and certificates provide and the impact of what losing control over the trust they establish can have.  You can only change the odds.

So we might find a more productive analogy in an asteroid hitting the earth, as we were so recently reminded could happen. We can’t change the devastating consequences of such an event. But we can change the likelihood by tracking asteroids and changing their path well before disaster strikes. Similarly, you can change the odds of losing control of trust, and thus minimize your likely losses, actively managing your keys and certificates in the enterprise, on mobile devices, and out in the cloud.

A deeper dive into the methodology

For those readers who want to learn even more, I’ve put together a deeper look at how we created real-world scenarios and then assessed the costs and likelihood for each.

Real-world scenarios

A quantitative risk assessment requires concrete incidents. For this report, we examined four very real scenarios related to attacks on key and certificate management, such as a phishing attacks using a certificate signed by a compromised certificate authority (CA). The survey presented generalized scenarios; however, every scenario was rooted in an incident that has actually occurred.

Exposure, or incident cost, assessment

Assessing the impact of new and emerging attacks isn’t easy, however, the expected value methodology gave us a time-proven, risk-based technique.

Survey respondents reported a range of expected costs over 24 months for each type of incident. We judged 24 months as the most reasonable time frame for covering most of the long-standing effects while still ensuring that costs could be traced back to the incident.

We wanted respondents to think in concrete, real-world terms, so we provided specific cost categories, for which enterprises often already have assessment methods:

·       Incidence response such as the costs of finding and remediating the issue

·       Lost productivity due to unavailable services or lost data

·       Lost revenue due to unavailable services or lost data

·       Brand and reputational damage due to high-profile outages or attacks

The respondents’ answers did align with what I know about keys and certificates. No important data can—or should—be transmitted without keys and certificate being involved to ensure its privacy, integrity and authenticity.  We should expect, as clearly many IT security professionals are expecting, a staggering cost to losing control of them.

Likelihood assessment

Whether an individual enterprise will actually suffer the costs reported depend on whether it is unlucky enough for the incident to occur. The question is: just how unlucky does it have to be?

To answer that question, we continued with the expected value approach. Looking at each scenario separately, respondents assessed the likelihood of at least such one incident occurring at their enterprise over 24 months. They then assigned the scenario a likelihood between 0 and 10, which we converted to percentages.

Although some of the expected likelihoods might seem startlingly high, other survey data support the outcomes. Fully 51% of the respondents admitted that they do not know precisely how many keys and certificates they have. These are IT security professionals with a vested interest in overestimating their knowledge and control over these assets. It is likely, then, that significantly more than half of enterprises have unmanaged keys and certificates waiting to be exploited. They’ve lost control over the trust these technology help establish. The costs and likelihood then identified by this research are spot on.

Complete study is available -


Security (23)
Privacy (22)
global security (1)
Providers (1)