- The average total cost of a data breach decreased from $4.00 million to $3.62 million.
- The average cost for each lost or stolen record containing sensitive and confidential information also decreased from $158 in 2016 to $141. (The strong USD played a role in reducing the costs.)
- The average size of the data breaches investigated in the research increased 1.8 percent.
- The usual limitations of this type of study apply. Ponemon and IBM Security do excellent work, but all studies of this kind have inherent limitations, so using them as a baseline for an industry, or even a country, is ill-advised.
- Studies like this are no good at predicting the future. More specifically, they tell us little about what could happen during "fat-tail" events (more on that below).
"Risk management as practiced is the study of an event taking place in the future, and only some economists and other lunatics can claim—against experience—to 'measure' the future incidence of these rare events, with suckers listening to them—against experience and the track record of such claims."

Before we jump in, a quick word on the meaning of "antifragile": according to Taleb, it differs from resilience and robustness in that the "resilient resists shocks and stays the same; the antifragile gets better."

We like the antifragile concept for two main reasons. First, when it comes to cybersecurity, what concerns people like us are the low-probability, high-impact events, sometimes called "fat-tail" events, that are difficult to account for and even harder to predict. Sure, we can say that a spear-phishing campaign could be catastrophic, but identifying which spear-phishing campaign will be the straw that breaks the camel's back is a whole lot harder, if not impossible. Second, we like the antifragile concept because it is not only about resisting the breach; it is also about learning from the breach attempt. That is where we would like all organizations to be when it comes to their cyber posture. (Note: we are giving you the highly oversimplified version of the antifragile concept.)

So, if we want to become an "antifragile cyber organization," where do our concerns lie? Not so much with technical capabilities. We see a lot of investment in the technical space, and some organizations are taking it a step further: by using AI, machine learning and threat intelligence, they are doing exactly what antifragility suggests, getting better.
What worries us is the intangible: human interaction with and dependence on machines, human decision-making (ranging from clicking the wrong link to not patching in time), the wholesale loss of intellectual property, and the massive and increasing expenditure on cybersecurity, which is untenable and unsustainable. In this space we feel we are doing the opposite of getting better; we are getting worse. We are becoming even more fragile.

That is what makes "calculating" the cost of a cyber breach a near-impossible task. It is a future event affected by so many variables that not only can we not assign a value to each of them, we almost certainly do not even know what all of them are. A network taken down by equipment failure versus one taken down by terrorists or a rogue state may, in the most benign sense, have the same "operational" cost, but the actual cost could be wildly different. To illustrate the point, here are just a few of the factors you have absolutely no control over:
- What else is in the news cycle that day?
- Is a social media mob going to come after you?
- How will the markets react?
- Are any people injured or killed as a result of the cyberattack?