The ROI of Prevention vs. the Cost of Reaction? by James J. DeLuccia IV

Over the past few weeks I have done research into the past security breaches that have occurred and their origins (or vector of attack). It is important to understand the threats that exist to our enterprises, and even more their source when we are protecting sensitive information that can be used in both illegal and harmful ways. This post focuses on the type of breaches that have occurred over the past 16 months, their origins, cost, and what would have mitigated that event (with dollar figures).

In total the disclosures amount to just shy of 100,000,000 breaches in just under 16 months. Investigating further back than 16 months is hard, as most organizations did not disclose these types of breaches (what we didn’t know didn’t hurt us?). We can thank California SB-1386 for providing some transparency into these criminal activities and the clear deficiencies in IT controls behind them. A number of new state-level regulations and some federal laws are kicking in that will make disclosure more mandatory, and (un)fortunately may reveal more lapses in security. I have pulled a listing of all the state laws under consideration and added it to the end of this posting.

Organizations that implement enterprise control frameworks adhering to standards such as PCI DSS, or that meet the intent of the IT controls mandated by SOX, HIPAA, and FFIEC regulations, have experienced pushback from their business units because of the restrictiveness of the controls and their general cost (see the recent SEC IT Controls roundtable discussion). These objections to IT controls as too costly and burdensome are made without regard for the damages that result from the breaches described above, which stem from the lack of exactly these controls. Focusing solely on financial damages, since these are by far the easiest to quantify and are not subjective, we can demonstrate the cost of not having these controls, and with a few figures from Gartner and recent public disclosures show a simple ROI. The names of the unfortunate are changed, but thanks go to the SEC, Gartner (Avivah Litan recently did a nice piece for Congress on encryption), and the journalists who got these key details. The figures presented are conservative estimates, as we are using only disclosed costs and not presuming to add subjective gibberish to this presentation.

First we need to determine the fixed fines that result from a breach of systems in which account data is stolen. Each card processor is likely to fine the organization that suffered the breach, and may do so up to $500,000. We will assume that the major three processors each fine the non-compliant company a low figure of $50,000. In addition, fines or mandates will certainly be imposed on the company by regulatory and watchdog groups. While we cannot assume a minimal fine in this study, we can expect the organization to be subject to third-party audits for around 20 years. This is based on the FTC’s historic rulings against those that have suffered breaches, and at a nominal rate of $10,000 these figures are not unreasonable.


Once we have a reasonable base of fines we must compute the variable cost. For instance, the company must absorb the cost of reissuing cards for all the accounts subject to the breach, plus the fees for notification. Notification fees are estimated at $35 per account, based on J.E. Gold Associate figures. Notification requirements are unique to every state, and the company must adhere to each in order to minimize additional damages. Civil suit fines and the implementation of IT controls are not included. IT control costs should be considered fixed costs that the non-compliant organization should have incurred prior to the incident, and are therefore not applicable in these calculations.


Finally, we have listed organizations from different sectors, the number of credit accounts that were breached, and the expected total fines. These fines are considerably higher than the cost of compliance, which is demonstrated in the next section.


By every published figure regarding PCI compliance costs, the highest number for a Level 1 Merchant was $800,000 and around $1,000,000 for a Level 1 Service Provider. Consider CardSystems: they were disconnected from the payment transaction systems, thereby killing their business. According to the FTC, in 2005 CardSystems “…processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants.”
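As an added worked example (not part of the original post), here is the cost model sketched in the preceding sections written out in Python. It uses only figures quoted on this page: three processors fining $50,000 each, 20 years of third-party audits at $10,000 (taken here as a per-year rate, which is an assumption), $35 per account for notification, the $60 per account reissuance figure given in the comment thread, and the $800,000 / $1,000,000 compliance ceilings. Beyond restating the arithmetic, it computes the break-even number of breached accounts at which a breach costs at least as much as compliance, including the no-fines case raised in the comments.

```python
"""Breach cost vs. compliance cost model (added example, not from the post).

Figures are those quoted on the page; civil suits and the cost of the
controls themselves are excluded, exactly as the post excludes them.
The $10,000 audit figure is applied per year over the 20-year period,
which is this example's assumption, not a statement from the post.
"""
from dataclasses import dataclass

# Highest published PCI compliance costs quoted in the post (USD).
COMPLIANCE_COST = {
    "level1_merchant": 800_000,
    "level1_service_provider": 1_000_000,
}


@dataclass(frozen=True)
class BreachCostModel:
    processor_fine: int = 50_000        # assumed low fine per card processor, USD
    processors_fining: int = 3          # "the major three" processors
    audit_years: int = 20               # FTC-style third-party audit period
    audit_rate: int = 10_000            # nominal audit cost, assumed per year
    notification_per_account: int = 35  # J.E. Gold Associate estimate
    reissue_per_account: int = 60       # card reissuance figure from the comments

    def fixed_cost(self) -> int:
        """Fines and audit obligations that do not scale with breach size."""
        return (self.processor_fine * self.processors_fining
                + self.audit_years * self.audit_rate)

    def variable_cost_per_account(self) -> int:
        """Cost incurred for every breached account (notify + reissue)."""
        return self.notification_per_account + self.reissue_per_account

    def breach_cost(self, accounts: int) -> int:
        """Conservative total cost of a breach exposing `accounts` records."""
        if accounts < 0:
            raise ValueError("account count cannot be negative")
        return self.fixed_cost() + accounts * self.variable_cost_per_account()

    def break_even_accounts(self, compliance_cost: int) -> int:
        """Smallest breach size at which breach cost >= compliance cost.

        Returns 0 when the fixed fines alone already exceed the compliance
        budget, i.e. any breach at all is more expensive than complying.
        """
        gap = compliance_cost - self.fixed_cost()
        if gap <= 0:
            return 0
        per_account = self.variable_cost_per_account()
        # Ceiling division in integers, so no float rounding surprises.
        return (gap + per_account - 1) // per_account


def compliance_roi(model: BreachCostModel, compliance_cost: int,
                   accounts: int) -> int:
    """Money saved by having complied, for a breach of the given size."""
    return model.breach_cost(accounts) - compliance_cost


if __name__ == "__main__":
    base = BreachCostModel()
    no_fines = BreachCostModel(processors_fining=0)  # the comment's scenario
    for name, cost in COMPLIANCE_COST.items():
        print(f"{name}: compliance ${cost:,}; break-even at "
              f"{base.break_even_accounts(cost):,} accounts "
              f"({no_fines.break_even_accounts(cost):,} with no processor fines)")
    for n in (10_000, 100_000, 1_000_000):
        print(f"breach of {n:>9,} accounts costs ${base.breach_cost(n):,}")
```

The break-even point is the number to remember: with the post's figures the fixed portion is $350,000 and each breached account adds $95, so a breach of only a few thousand accounts already costs more than the most expensive Level 1 compliance program, and dropping the processor fines entirely moves that threshold by less than two thousand accounts.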

The key to mitigating the risks detailed above is the proper application of preventive controls throughout the environment. Unfortunately, nearly all of these breaches were the consequence of a sequence of compliance violations. That said, there is one conceivable way to reduce the impact of these threats to nearly zero: encryption. If the data tapes, online databases, emailed files, and portable hard drives had been encrypted using appropriate methods, the impact would have been nearly zero. This holds only relative to available computing power and the strength of the encryption, together with proper management of keys. As computing power increases, encryption takes less time to break, and if keys are mismanaged they may become accessible to those we are trying to defend against.

The simple lesson is: compliance costs less than a breach, and the potential damages of not adhering to these standards amount to negligence on the part of management, to the point of corporate malfeasance.

Below is a quick listing of the laws in the works or under consideration: [image: statelaws.png]

Feedback, Comments?

James J. DeLuccia IV


3 responses to “The ROI of Prevention vs. the Cost of Reaction? by James J. DeLuccia IV”

  1. I agree with some of your comments, especially the Gartner report, but you cannot simply state potential fines as part of the ROI when it’s something that may or may not be leveraged. It should be weighted based on the compliance status of the company.

  2. Yes and no… I recognize that fines are always potential, but is it not reasonable to expect at least the minimum fines for violating the standard? If we take the position that the card companies will NOT fine the company, we still have the re-issuance expense of $60/Account/Identity. This is a significant expense, and as such, regardless of the card companies / FCC / Civil Lawsuits / Federal scrutiny / or loss of business goodwill, supports the case for compliance and specific controls. Is this not reasonable? What other expenses are people seeing in the industry as a result? Is the cost of compliance too high?

    Seeking answers,
    James DeLuccia

  3. Yes, the cost per card compromise is there, but it’s not a flat rate; instead it varies per card association and may require litigation to obtain.

    The thing to realize is that the fines are more meaningful to smaller companies, while the other tangible costs (card reissuance, FTC constraints, chargebacks, state notification laws, litigation) are more meaningful for larger companies.

    Did you mean FTC instead of FCC? How does the FCC come into play?
