A rough statistical analysis
It was revealed today that Verizon plans to cut its bid for Yahoo by $1 billion, which raises the question: how much should those “Yayhoos” have spent on cybersecurity?
It’s been a long time since my undergraduate degree in economics, but I did get an A on a paper by making this exact same argument. If Yahoo knew that a big data breach would cost them $1,000,000,000 in cash, then they should have been willing to spend up to $999,999,999 to stop that breach from happening — at least then they could have kept that last $1.00, and logically they would have been better off.
That’s the problem right there though: Yahoo assumed that a big data breach leading to a direct $1 billion hit was very unlikely, and it would have performed some simple math (perhaps subconsciously) to calculate backwards to what it should have been spending. For example, if Yahoo had determined that there was a 1% chance of suffering a $1 billion breach, then the logical outcome from a simple statistical perspective is that it should have multiplied the cost by its likelihood [1B * 0.01 = $10 million], meaning that $10 million would be the theoretical expected cost of such a data breach.
But therein lies the rub: who could really have judged the true likelihood of such a data breach? Our recent history of major data breaches has made it clear that a more rigorous approach to estimating the likelihood of a data breach must be created.
According to the Ponemon Institute's 2015 Cost of Data Breach study, “the average global cost of data breach per lost or stolen record is $154.” So let’s suppose for a moment that you are Yahoo and you are storing records for a total of 500 million users; then the upper bound for the cost of a potential data breach would be $77,000,000,000.
Any first-year statistics student could tell you, then, that if there was a 1% chance of a data breach in which all 500 million records were stolen, the expected cost would be [$77B * 0.01 = $770 million]. Some portion of that $770 million would be covered by an insurance policy, and for rough numbers let’s say that Yahoo’s out-of-pocket cost would only be 10% of the total expected cost, in which case Yahoo should have been spending $77 million.
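Carrying the calculation above through as code, as an added example that is not part of the original post: it reproduces the article's $77 billion, $770 million and $77 million figures, then generalizes the same probability-times-impact arithmetic to several breach scenarios and to a sweep over the assumed breach probability. The only inputs taken from the article are the 500 million records, the $154 per-record cost and the 1% probability with 10% retained out of pocket; every other scenario name, record count and probability is a constructed assumption.

```python
# Added example (not from the article): a small expected-loss model that
# generalizes the article's back-of-the-envelope arithmetic to several breach
# scenarios and to a sweep over the one input nobody can pin down, the
# probability of a breach. Scenario names, record counts and probabilities
# other than the article's own figures are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Per-record cost quoted in the article from the Ponemon 2015 study.
COST_PER_RECORD_USD = 154.0


@dataclass(frozen=True)
class BreachScenario:
    """One way a breach could play out: how many records leak, and how likely it is."""
    name: str
    records_exposed: int
    probability: float  # assumed probability that this scenario occurs


def breach_cost(records_exposed: int, cost_per_record: float = COST_PER_RECORD_USD) -> float:
    """Worst-case cost of a breach exposing `records_exposed` records (records x per-record cost)."""
    if records_exposed < 0 or cost_per_record < 0:
        raise ValueError("records and per-record cost must be non-negative")
    return records_exposed * cost_per_record


def expected_loss(scenarios: Iterable[BreachScenario],
                  cost_per_record: float = COST_PER_RECORD_USD) -> float:
    """Probability-weighted loss across scenarios: the sum of p_i * cost_i."""
    total = 0.0
    for s in scenarios:
        if not 0.0 <= s.probability <= 1.0:
            raise ValueError(f"probability out of range for scenario {s.name!r}")
        total += s.probability * breach_cost(s.records_exposed, cost_per_record)
    return total


def justified_spend(scenarios: Iterable[BreachScenario],
                    retained_fraction: float = 1.0,
                    cost_per_record: float = COST_PER_RECORD_USD) -> float:
    """Upper bound on rational security spend: the expected loss the company itself would bear.

    `retained_fraction` is the share of the loss NOT covered by insurance; the
    article's rough "10% out of pocket" corresponds to retained_fraction=0.1.
    """
    if not 0.0 <= retained_fraction <= 1.0:
        raise ValueError("retained_fraction must be between 0 and 1")
    return expected_loss(scenarios, cost_per_record) * retained_fraction


def spend_cap_sensitivity(records_exposed: int,
                          probabilities: Iterable[float],
                          retained_fraction: float = 1.0,
                          cost_per_record: float = COST_PER_RECORD_USD) -> Dict[float, float]:
    """Justified spend for each assumed breach probability.

    Record count and per-record cost are observable; the probability is a guess,
    and the budget scales linearly with that guess, which is the article's point.
    """
    return {
        p: justified_spend([BreachScenario("sweep", records_exposed, p)],
                           retained_fraction, cost_per_record)
        for p in probabilities
    }


# The article's single-scenario inputs.
YAHOO_RECORDS = 500_000_000
FULL_BREACH = BreachScenario("all records stolen", YAHOO_RECORDS, 0.01)  # 1% assumed in the article

# A constructed multi-scenario view; sizes and probabilities are illustrative assumptions.
MULTI_SCENARIO: List[BreachScenario] = [
    BreachScenario("single misconfigured storage bucket", 2_000_000, 0.20),
    BreachScenario("one backend service compromised", 50_000_000, 0.05),
    FULL_BREACH,
]


if __name__ == "__main__":
    print(f"Worst case (all {YAHOO_RECORDS:,} records): ${breach_cost(YAHOO_RECORDS):,.0f}")
    print(f"Expected loss at 1%: ${expected_loss([FULL_BREACH]):,.0f}")
    print(f"Justified spend with 90% insured: ${justified_spend([FULL_BREACH], 0.1):,.0f}")
    print(f"Expected loss over constructed scenarios: ${expected_loss(MULTI_SCENARIO):,.0f}")
    for p, cap in spend_cap_sensitivity(YAHOO_RECORDS, [0.001, 0.01, 0.05, 0.10], 0.1).items():
        print(f"  p={p:>6.1%}: justified spend ${cap:,.0f}")
```

Run it as a script to see the article's three numbers followed by the sensitivity table. The table is the practical takeaway: moving the assumed probability from 0.1% to 10% moves the justified budget by a factor of 100 while every other input stays fixed, so the probability assumption deserves to be written down and revisited as carefully as the arithmetic that depends on it.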
Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the world’s largest startup event, Launch Festival 2016.
For more information about Whistic, visit: https://www.whistic.com.