How much should the “yayhoos” at Yahoo have been spending on cybersecurity?

October 07, 2016

A rough statistical analysis

It was revealed today that Verizon plans to cut their bid for Yahoo by $1 billion which begs the question — how much should those “Yayhoos” have spent on cybersecurity?

It’s been a long time since my undergraduate degree in economics, but I did get an A on a paper by making this exact same argument. If Yahoo knew that a big data breach would cost them $1,000,000,000 in cash, then they should have been willing to spend up to $999,999,999 to stop that breach from happening — at least then they could have kept that last $1.00, and logically they would have been better off.

That’s the problem right there though — Yahoo assumed that a big data breach leading to a direct hit for $1 billion was very unlikely, and they would have performed some simple math (perhaps subconsciously) to work backwards to what they should have been spending. For example, if Yahoo had determined that there was a 1% chance of suffering a $1 billion breach, then the logical outcome from a simple statistical perspective is that they should have multiplied the cost by its likelihood [1B * 0.01 = $10 million], meaning that $10 million would be the theoretical expected cost of such a data breach.

But therein lies the rub: who could have really judged the true likelihood of such a data breach? It has become clear over our recent history of major data breaches that a more rigorous approach to estimating the likelihood of a data breach must be created.


According to the Ponemon Institute’s 2015 Cost of Data Breach study, “the average global cost of data breach per lost or stolen record is $154.” So let’s suppose for a moment that you are Yahoo and you are storing a total of 500 million users; then the upper bound for the cost of a potential data breach would be $77,000,000,000.


Any first-year statistics student could tell you, then, that if there was a 1% chance of a data breach where all 500 million records were stolen, the expected cost would be [$77B * 0.01 = $770 million]. Some portion of that $770 million would get covered under an insurance policy, and for rough numbers let’s say that Yahoo’s out-of-pocket cost would only be 10% of the total expected cost, in which case Yahoo should have been spending $77 million.
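The expected-loss arithmetic above, written out as a small Python model (an added example, not part of the original article): a scenario’s impact is records multiplied by cost per record, its expected loss is impact multiplied by probability, and the justified spend is the summed expected loss scaled by the share not covered by insurance. It also generalizes to several breach scenarios of different sizes; the scenario names, the smaller scenarios and their probabilities are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """One possible breach outcome and its estimated annual probability."""
    name: str
    probability: float      # chance the scenario occurs in a year
    records_exposed: int    # records lost or stolen if it happens
    cost_per_record: float  # $ per record (Ponemon 2015 global average: 154)

    def impact(self) -> float:
        """Total cost if this scenario occurs: records * cost per record."""
        return self.records_exposed * self.cost_per_record

    def expected_loss(self) -> float:
        """Probability-weighted cost, i.e. impact * likelihood."""
        return self.probability * self.impact()


def justified_spend(scenarios, out_of_pocket_share: float) -> float:
    """Upper bound on security spend: the total expected loss across all
    scenarios, reduced to the share the organisation pays itself after
    insurance (1.0 means no insurance at all)."""
    if not 0.0 <= out_of_pocket_share <= 1.0:
        raise ValueError("out_of_pocket_share must be between 0 and 1")
    total = sum(s.expected_loss() for s in scenarios)
    return total * out_of_pocket_share


# Constructed input reproducing the article's single scenario:
# 500M records at $154/record with a 1% chance of full exposure.
YAHOO_FULL_BREACH = BreachScenario("all 500M records", 0.01, 500_000_000, 154.0)

# Several scenarios of different sizes (constructed for illustration; the
# probabilities are made up, each being the annual chance of that outcome).
PORTFOLIO = (
    BreachScenario("small leak", 0.20, 1_000_000, 154.0),
    BreachScenario("partial breach", 0.05, 50_000_000, 154.0),
    YAHOO_FULL_BREACH,
)

if __name__ == "__main__":
    print(f"impact: ${YAHOO_FULL_BREACH.impact():,.0f}")
    print(f"expected loss: ${YAHOO_FULL_BREACH.expected_loss():,.0f}")
    print(f"spend cap (10% out of pocket): "
          f"${justified_spend([YAHOO_FULL_BREACH], 0.10):,.0f}")
    print(f"portfolio spend cap: ${justified_spend(PORTFOLIO, 0.10):,.0f}")
```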


About the author

Andrew Watanabe

Chief Product Officer @ Whistic
