New Study Casts Doubt on Data Breach Cost Estimates

Data breach cost estimates from the Ponemon Institute suggest a breach of sensitive data costs an average of $4 million to resolve. However, a new study published in the Journal of Cybersecurity suggests otherwise. Far from costing millions of dollars to resolve, the study suggests the cost to the average firm is only around $200,000 per incident.

The study was conducted by Sasha Romanosky from the thinktank RAND. Romanosky analyzed more than 12,000 security incidents that took place between 2005 and 2015 and determined the cost of breach resolution was far lower than most data breach cost estimates suggest. For the study, Romanosky took data from the US. Insurance analytics firm Advien. The sample was taken from a database of more than 300,000 data security incidents.

Romanosky determined that the cost of resolving a data breach equates to approximately 0.4% of annual revenues – approximately the same as most organization’s IT security budgets. The cost was determined to be much lower than losses due to corruption, retail shrinkage, online fraud, billing fraud, and financial misstatements.

Romanosky’s data breach cost estimates seem low, especially considering the large data breaches at Sony, Home Depot, and Target cost tens of millions of dollars to resolve. However, the study confirmed that these breach costs still equated to less than 1% of each company’s annual revenues.

If the data breach cost estimates are correct and the cost of resolving breaches is so low, there is little incentive for organizations to increase their cybersecurity budgets to prevent data breaches. Romanosky believes that with the cost of resolving data breaches being so low for the average company, it is unlikely that many small to medium sized organizations will voluntarily adopt the National Institute for Standards and Technology (NIST) Cybersecurity Framework. It would be more cost effective not to do so and simply absorb the costs of data breaches should they occur.

However, in highly regulated industries such as healthcare and finance, where there is the threat of large fines for data breaches, organizations have a much bigger incentive to invest more heavily in cybersecurity defenses and voluntary adoption of the NIST Cybersecurity Framework are likely to be higher.

According to the report, “Given these relatively low costs (i.e. again, not every breach is a “Target”), it may be the case that firms are, indeed, engaging in a privately optimal level of security – that they are properly and efficiently managing cyber risks as they do with other forms of corporate risk.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of