The True Cost of Information Security Breaches and Cyber Crime

Copyright Date: 2013
Published by: IT Governance Publishing
Pages: 73
    Book Description:

    Most businesses are now aware of the importance of information security. However, some organisations struggle to understand what an information security breach would mean from a business management point of view. This can lead to organisations investing in expensive solutions which may not necessarily address their requirements. This pocket guide uses case studies to illustrate the possible breach scenarios that an organisation can face. It sets out a sensible, realistic assessment of the actual costs of a data or information breach and explains how managers can determine the business damage caused. This balanced view helps managers and business decision makers to form better assessments of their organisation's information security needs. It also gives readers the knowledge to fend off any security vendors who might try to make sales by spreading panic and exaggerating the consequences of a breach.

    eISBN: 978-1-84928-496-7
    Subjects: Technology

Table of Contents

  1. Front Matter (pp. 1-4)
  2. FOREWORD (pp. 5-6)

    The year is 2013. Not 1988, when viruses were believed to be an April Fool's joke; not 1995, when companies had to be convinced that firewalls might make sense; and not 2004, when IT forensics started to become topical. It is 2013: companies are forced to protect their data and information, and a market has risen from almost nothing over the past 20 years because of regulatory, statutory or contractual requirements. Only the most stubborn would think that information security can still be avoided altogether. This stubbornness is usually punished by media reports of breaches occurring at such organisations within...

  3. PREFACE (pp. 7-7)
  4. ABOUT THE AUTHORS (pp. 8-8)
  6. Table of Contents (pp. 10-10)
  7. INTRODUCTION (pp. 11-11)

    What is the cost of an information security breach? What is the true cost of a breach? Do you always have to make a big fuss about every kind of breach? Although the authors are firm believers in a well-established ISMS and good practices, not all breaches warrant special treatment or the fuss that’s been made about them by the security industry. However, some breaches will seem harmless at first, like ‘just a robbery of a laptop in a third-world country’, or worse, a BRICS country, but will then turn out to be the defining moment in a third-party illegally...

  8. CHAPTER 1: THE DAILY BREACH (pp. 12-16)

    The year is 2013: society has woken up to the challenges of information security, and media reports about data or information security breaches² are common. In fact, the media is so full of these reports that a new day usually brings a new breach with it. Breaches come in many shapes and sizes, from rather harmless website defacements perpetrated by hacktivist groups or bored, gifted youngsters, to data being accidentally exposed, to data being stolen by professional crackers and later traded in the black market or used to blackmail the company. Carelessness in processes, procedures and technical configurations also plays...

    As already outlined, a common fallacy for security people is to think ‘any and all’ information security risks will turn into severe risks for the organisation. This is profoundly untrue. Although every incident has an impact, the nature of said impact requires scrutiny to find whether there is a danger. Companies are not seduced into doing too much – usually they do too little – but the credibility of security professionals (be they consultants, CSOs, CISOs and so on) and their analysis, papers, statements and expert opinions suffers heavily from such generalised statements as ‘any and all’. The result is that business...

    In this chapter we will analyse and examine the diverse cost factors of a breach, ultimately comparing these with the implementation cost of an ISMS, thereby hoping to serve all those CISOs and CSOs who have to justify their budget on a daily basis. There are cases in which simply paying for the breach will actually be less costly than implementing an ISMS, but this is an absolute exception and does not work long term. Long term, if you are high-profile enough, you may well be attacked by unsophisticated or sophisticated means, and the cost of implementing an ISMS will...

  11. CHAPTER 4: CASE STUDIES (pp. 45-65)

    The security business is a strange world: revealing case studies always has a feel of storytelling to it, not because the events depicted might never have happened, but because it can be hard for someone who is not privy to the chain of events to understand that such things could even happen at all. Years ago this was much more of an issue due to a lack of media reports. Even a couple of years ago a typical reaction of a reader would have been ‘What???’ Now it is ‘Not again…’ Alas, the ‘not again’ effect will happen over and...

  12. CHAPTER 5: A BRIEF CHECKLIST (pp. 66-68)

    Here is a brief checklist on the cost assessment of a breach:

    Your impact assessment should include the following factors:

    1. Will the breach impact your company’s EBITDA?

    2. Did the breach affect a contractual or legal (regulatory) obligation?

    3. Is the breach already public or do only we know?

    4. Does the breach affect our customers directly?

    5. Does the breach affect suppliers?

    If all of your answers to these questions are ‘No’, then there is no reason to worry. If you answered ‘Yes’ at least once, you need to examine this and put a figure to it.

  13. CHAPTER 6: CONCLUSION (pp. 69-69)

    As the past couple of years have shown, cyber attacks get more sophisticated each time they occur, and companies’ dependence on IT has become much higher than five or ten years ago. Companies and organisations are increasingly affected by breaches caused by internal or external sources. The intensity of these breaches continues to rise for the reasons we described in the first two chapters, and impacts have become more intense and networked, including unwitting third parties.

    Companies must be able to protect themselves, and any good defence or protection rests on three pillars: a well-established ISMS, a thorough business examination...

  14. ITG RESOURCES (pp. 70-73)