
Is Brand Damage a Myth?

Yesterday I saw a presentation from a sales rep of PointSec at a local ISSA meeting. Aside from the fact that it was, I suspect, largely a straight copy of their standard sales deck, there were a few interesting points, the most interesting of which weren't really made in the presentation, but more made about the presentation. He talked a lot about data loss, data value, and the cost of data recovery. The interesting thing is that the usage of these very distinct terms was haphazard. Data loss, specifically the loss of data via equipment loss, was highlighted to emphasize frequency: "These things occur all the time!" Data value was highlighted to emphasize severity: "And they are very serious!" Finally, the cost of data recovery was presented as the usual 'infinite brand damage' metric: "And one loss could drive your company out of business!" It's a favorite of mine, incidentally.

There are several problems here. First, he never quite manages to connect the data loss to data compromise, i.e. the fraudulent use of stolen data. I'm not saying the connection doesn't exist, but that the focus on loss over compromise is misleading. Data compromise is a serious problem that seems underreported, probably because it's hard to measure. That doesn't mean it isn't important to measure. Secondly, data value isn't the same as cost of recovery, or at least it's not reported as such. Look at this recent incident in Alaska. They lost a $38 billion file, but the cost of recovery was closer to $200,000.

And last, but not least, there's the 'infinite brand damage' metric. Let's look at a few examples via a three-point analysis. For these purposes, the 'date of incident' is the date it became public. Stock prices are at the close of the market around the same date in the appropriate month. I picked four relatively high profile incidents, but there are more.

TJX (1/17/2007)
Stock Price 3 months before incident (October 2006): 28.97
Stock Price today (March 2007): 26.46
Stock Price 6 months after incident: N/A

Ameriprise AMP (1/29/2006)
Stock Price 3 months before incident (October 2005): 37.10
Stock Price 3 months after incident (April 2006): 49.04
Stock Price 6 months after incident (July 2006): 44.54

Choicepoint CPS (2/15/2005)
Stock Price 3 months before incident (November 2004): 44.01
Stock Price 3 months after incident (May 2005): 37.16
Stock Price 6 months after incident (August 2005): 43.22

ADP (7/6/2006)
Stock Price 3 months before incident (April 2006): 46.78
Stock Price 3 months after incident (October 2006): 47.47
Stock Price 6 months after incident (January 2007): 48.76

Using stock price as an indicator, one can conclude that either the brand damage isn't very significant or these four companies worked very hard at recovery. Clearly, I can't measure the direct increase in money spent on brand recovery by each of these organizations, but it is also clear that none of them was irreparably damaged by their respective incidents.

The thing is, brand damage is driven by public perception. The more data loss disclosures that occur, the more the public perceives them as normal and, in turn, the less likely becomes the risk of brand damage. This is why (appropriate) punitive damages are an important part of the regulatory environment. The public can only react in a significant way to outliers in the incident arena, and if data loss is normal, then the fear of public reaction is not a valid incentive.

*UPDATE*
With perfect, yet unplanned, timing: "Data from TJX Security Breach Fuels Fraud Scheme"

Listed below are links to weblogs that reference Is Brand Damage a Myth?:

» Brand Damage, Stock Price and Cockroaches from wikidblog
Brand Damage versus Corporate Competence Yesterday, Tim Erlin had an interesting and very thought provoking post about breac...

Comments (6)

Tim:

You're headed in the right direction on this, I think.

The question of data loss leading to a reputational hit and subsequent decrease in share price has been looked at a few times by academics.
The current view seems to be that the damage is real, but short-lived.

However, the entire literature rests on publicly-reported breaches. From an economic perspective this makes sense, particularly if you believe (and it is dogma in some circles) that in a competitive market prices reflect all relevant information about a good.

From an infosec practitioner's standpoint, reliance on current data is unsatisfying, because those data may not (I would say almost certainly do not) represent the actual population of breaches. Thus, we hear only of the more "newsworthy" breaches. It is obvious that the definition of "newsworthy" changes over time, making analysis of trends extremely problematic methodologically.

Cost of recovery, cost of notification, and reputational damage (leading to decreased expected profits and hence a lower share price) all matter analytically, but it's hard for me to get excited about recovery costs unless the means of exposure was such that a zillion endpoints need to be touched to fix it (which I would hope is a rarity). Direct notification costs I have seen estimated at $2 per person (http://www.infopolicy.org/pdf/data-breach.pdf).

I don't know who the main buyers of whole disc encryption gear are, but the "one loss can ruin you" thing makes sense for certain specific cases, like Apple having the iPhone business plan and specs stolen. However, I would argue that instances of that kind of info being handled recklessly are 1) rare and 2) appropriately punished by the market.

The whole "reputational risk" angle misses a rather important point. Sure, if Nokia loses a laptop with a new phone design on it then their shareholders lose. Seems fair to me. However, when a data aggregator loses info about hundreds of thousands of people, those people suffer the injury. The costs of this economic externality need to be accounted for in order for the market to effectively handle this issue. There's a powerful argument to be made that this isn't happening. One reason for that is that we really have no idea how much actual damage the exposure of, say, my SSN and so on, causes me. Maybe my risk of ID theft is increased, but by how much? Nobody really knows, and the information which would help us find out is in private hands. Moreover, it might be embarrassing to reveal it, so it stays locked up.

Sorry for the long-winded comment.

Tim Erlin:

Excellent points Chris, and no need to apologize for the length of the comment.

You said "[I]f Nokia loses a laptop with a new phone design on it then their shareholders lose," but I'm not sure that's a given. To your point, solid data about the conversion of loss to compromise is hard to come by. In fact, something as specific as a phone design would be less likely to move from loss to compromise than a large chunk of SSNs, I would think. The avenues for use of the data would be much more specific and limited.

It's worth mentioning that I think the value of whole disk encryption stands without the specious argument of reputational loss. As you point out, there are cases where specific data is of particular value, but more interesting to me is the potential to recover data from supposedly cleared drives. Perhaps this makes it more important for home users who are less likely to adequately destroy used media.

Imprecise wording on my part. I should have said "at most, their shareholders lose".

Great post, Tim. I had been looking at evaluating a stock's beta before and after a breach as a way to measure the change in a company's weighted-average-cost-of-capital, but found the data inconclusive (and too time consuming ;). Your post made me think: well, a stock can be down only 1.8%, but that means nothing unless you compare it to the market. And that got me thinking about using stock price/sales to show that the companies have to work harder to keep their stock price up, which is somewhat of a proxy for a higher WACC.

I have posted more on my blog: http://www.wikidsystems.com/WiKIDBlog/brand-damage-stock-prices/. (If the trackback worked, then you know this already.)

Nick

A paper presented at FC about 5 years back measured breach v. market prices and concluded that the cost was around 3-4% of the stock price ... but it rebounded shortly after that and the actual cost as measured by the long run stock price was zero. (This from memory...)

Which makes sense. The breach punishment is about perception; once the market assesses the actual likelihood of losses, it realises that they are very low (to the company). So the price rebounds after the initial kerfuffle.

Still, that said, even if we can show the reputational loss as no more than a chimera, there is another force working here in the market for silver bullets: as the only substantial force directing security expenditure is the public perception and reputational punishment of the market, this force drives the internal security model of the company.

In the absence of any good knowledge or analytical tools for security expenditure, on the side of buyers or sellers, the industry cooperates to create a basket of standard goods. Once the basket is implemented, this grants a status to CSOs of "as good as others."

Hence, the market for silver bullets is characterised by a basket known as best practices which has less to do with own security, and more to do with CYA.

Iang:

Adam points to a 2006 paper by Acquisti, Friedman, and Telang that says the same thing as my earlier comment on market prices.


About

This page contains a single entry from the blog posted on March 21, 2007 4:35 AM.
