Breach Impact

We may be asked what the impact would be if we suffered a breach. The following questions are useful to ask when thinking through a model.

  • Did we discover this breach? Are we talking about response costs?
  • Are we talking about costs from an undiscovered breach?
    • IP theft / Corporate espionage / competitive threats
  • Do we strictly mean financial costs?
    • Or measurements in engineering hours, days offline, etc.
  • Are we counting costs imposed to others (imposed risk)?
  • Are we also speculating on legal costs?
  • Are we talking about operational costs?
  • Do lost sales and growth from reputation hits, and future business losses, count?

Example forecasts

  • There’s a 30% chance we’d have to pay a fine to a regulator.
  • If the breach accessed a host in production, there’s an 85% chance we’d disclose to a regulator.
  • If the breach accessed a dev host, there’s a 15% chance we’d disclose to a regulator.

Example intervals

  • A fine to a regulator would be between $100K and $300M (95%).
  • The total costs of our breach would land between $500K and $80M (90%).
  • We’d spend between 5 and 200 engineer days on incident response (95%).
  • There could be zero newspaper headlines, or up to 10 (70%).
  • Our customer churn would be between 5% and 12% the month after public disclosure (75%).

Example distributions

  • A legal settlement would follow a lognormal distribution with an average of $1M and a 5% chance of exceeding $100M.
  • A legal settlement would follow a Pareto distribution with an average of $1M and a 5% chance of exceeding $100M.
  • A legal settlement would follow a Zipf distribution with an average of $1M and a 5% chance of exceeding $100M.
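The following is an added worked example, not part of the original text, that turns the forecasts, intervals and the lognormal settlement example above into a Monte Carlo impact model: lognormal parameters are fitted either from a 95% interval or from a median plus a tail probability, and the total dollar cost is sampled. It reads "average" in the distribution examples as the median, because any non-negative cost with a 5% chance of exceeding $100M must have a mean of at least $5M (Markov's inequality), which the mean_is_feasible check makes explicit. The 30% fine probability, the $100K to $300M fine interval, the 5 to 200 engineer-day interval and the $1M / $100M settlement figures come from the page; the lognormal shape for the intervals, the sample count and the seed are assumptions.

```python
"""Monte Carlo breach-impact model built from the forecasts above (constructed example)."""
import math
import random
from statistics import NormalDist

def lognormal_from_interval(lo, hi, confidence):
    """(mu, sigma) of a lognormal whose central `confidence` interval is [lo, hi]."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * z)
    return mu, sigma

def lognormal_from_median_and_tail(median, threshold, tail_prob):
    """(mu, sigma) of a lognormal with the given median and P(X > threshold) == tail_prob."""
    z = NormalDist().inv_cdf(1 - tail_prob)
    return math.log(median), (math.log(threshold) - math.log(median)) / z

def lognormal_quantile(mu, sigma, p):
    """Value below which a fraction p of Lognormal(mu, sigma) draws fall."""
    return math.exp(NormalDist(mu, sigma).inv_cdf(p))

def lognormal_tail(mu, sigma, threshold):
    """P(X > threshold) for X ~ Lognormal(mu, sigma)."""
    return 1 - NormalDist(mu, sigma).cdf(math.log(threshold))

def mean_is_feasible(mean, threshold, tail_prob):
    """Markov's inequality: a non-negative X with P(X > t) = p must have E[X] >= t * p."""
    return mean >= threshold * tail_prob

def simulate_breach(n=20000, seed=1, p_fine=0.30):
    """Total dollars = fine (paid with probability p_fine) + settlement; engineer days kept separate."""
    rng = random.Random(seed)  # assumed seed, for a reproducible run
    fine = lognormal_from_interval(100e3, 300e6, 0.95)        # fine: $100K to $300M (95%)
    settle = lognormal_from_median_and_tail(1e6, 100e6, 0.05)  # settlement: median $1M, 5% above $100M
    days = lognormal_from_interval(5, 200, 0.95)               # IR effort: 5 to 200 engineer days (95%)
    dollars, eng_days, fines_paid = [], [], 0
    for _ in range(n):
        f = rng.lognormvariate(*fine) if rng.random() < p_fine else 0.0
        fines_paid += (f > 0)
        dollars.append(f + rng.lognormvariate(*settle))
        eng_days.append(rng.lognormvariate(*days))
    dollars.sort()
    eng_days.sort()
    q = lambda xs, p: xs[int(p * (n - 1))]  # empirical quantile of a sorted sample
    return {"p_fine": fines_paid / n, "mean": sum(dollars) / n,
            "p05": q(dollars, 0.05), "median": q(dollars, 0.5), "p95": q(dollars, 0.95),
            "days_median": q(eng_days, 0.5), "days_p95": q(eng_days, 0.95)}
```

The sample mean lands far above the median because the heavy settlement tail dominates it, which is why a breach model should report an interval, not a single "expected loss".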