Degrees of Ignorance About the Costs of Data Breaches: What Policymakers Can and Can't Do About the Lack of Good Empirical Data

Abstract

Estimates of the costs incurred by a data breach can vary enormously. For instance, a 2015 Congressional Research Service report titled “The Target and Other Financial Data Breaches: Frequently Asked Questions” compiled seven different sources’ estimates of the total losses resulting from the 2013 Target breach, ranging from $11 million to $4.9 billion. The high degree of uncertainty and variability surrounding cost estimates for cybersecurity incidents has serious policy consequences, including making it more difficult to foster robust insurance markets for these risks as well as to make decisions about the appropriate level of investment in security controls and defensive interventions. Multiple factors contribute to the poor data quality, including that cybercrime is continuously evolving, cyber criminals succeed by covering their tracks and victims often see more risk than benefit in sharing information. Moreover, the data that does exist is often criticized for an over-reliance on self-reported survey data and the tendency of many security firms to overestimate the costs associated with security breaches in an effort to further promote their own products and services. While the general lack of good cost data presents a significant impediment to informed decision-making, ignorance of the economic impacts of data breaches varies across categories of costs, events, and stakeholders. Moreover, the need for precision, accuracy, or concurrence in data estimates varies depending on the specific decisions the data is intended to inform. Our overarching goals in this paper are to clarify which types of cybersecurity cost data are more easily collected than others; how policymakers might improve data access and why previous policy-based efforts to do so have largely failed; and what differential ignorance implies for cybersecurity policy and investment in cyber defenses and mitigation. Our prognosis is that important data gaps, especially as those relate to the $-impacts of cybercrime, including data breaches, will endure and are not fully solvable. Certain cost categories are relatively easily estimated, while others will forever remain difficult if not impossible to estimate precisely. Furthermore, much of the best data that will exist will in the hands of Information Security (InfoSec) and Cybersecurity Insurance (CyberIns) providers and will remain private. We do not view this as a problem in need of correction; however, we do see a role for government in helping make some of this cybersecurity market intelligence data available to other market participants. Although data gaps for publicly available data will continue to remain severe, in many cases, this will not be an impediment to evidence-based decision-making so long as the government can encourage a flow of good third-party research.