BreachExchange mailing list archives

Guide puts a price tag on security breaches


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 4 Apr 2010 20:43:13 -0400

http://www.nextgov.com/nextgov/ng_20100331_6223.php

BY ALIYA STERNSTEIN 03/31/2010

Public and private sector chief financial officers should develop a
budget that calculates the gross financial risk a security breach
could pose to their organization, according to a new report from a
U.S. standards body and a security trade association.

The 76-page guide comes in response to a 60-day White House review
last year of the nation's cybersecurity infrastructure that found
quantifying the value of protection motivates organizations to address
vulnerabilities. The document -- written by the American National
Standards Institute and the Internet Security Alliance, a nonprofit
electronic industry group that is affiliated with Carnegie Mellon
University -- assigns dollar figures to information losses and advises
CFOs on the financial management of cyber risk.

The instructions apply both to federal and corporate CFOs, said Karen
Hughes, ANSI's director of homeland security standards.

"The overarching message this document puts forward is that the single
biggest threat to cybersecurity is misunderstanding," she said. "CFOs
from the public and private sectors alike must look at cybersecurity
as an enterprise- [and] agency-wide issue and not just an IT issue, to
ultimately reduce vulnerabilities to cyberattacks and their financial
implications."

The handbook is based on the premise that companies today, most of
which depend on the Internet to survive, have relegated data security
to an isolated, and often underfunded, unit.

The publication estimates a data breach of 10,000 records containing
personal identification information would cost about $1.6 million,
assuming the company carried breach insurance with an 80 percent
coverage of direct costs. That sum includes direct expenses for
investigations and forensics, consulting services, notification of
affected individuals, public relations, legal defense, and credit and
identity monitoring -- as well as the indirect cost of lost business.
The handbook cites several analytical models to help chiefs assess
costs and benefits.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
