As cyber attacks become increasingly common, regulators and legislators have criticized the limited information companies make public about cybercrimes they experience. Experts note, though, that it’s often a challenge for companies to put a dollar value on the damage they’ve suffered.
A U.S. Executive Order on cybersecurity last year described the cyber threat to the nation’s critical infrastructure as “one of the most serious national security challenges.” But David Burg, global and U.S. advisory cybersecurity leader at PwC, noted that despite that characterization, “what we do not see is significant disclosures in public filings. There is this disparity.”
When the institute collects the data for its studies, it uses models it built based on a technique called activity-based costing, which Ponemon says is helpful when dealing with fuzzy costs. The process of assessing what data breaches or cybercrimes have cost an organization may involve talking to as many as 20 or 30 people at a single company, he says.
He notes that companies can’t rely on their financial systems when it comes to estimating costs for cybercrimes. “It’s not something that you could have an add-on module to your financial accounting system and get the report on the cost of cyber security or cost of a data breach,” he said. “To my mind, it still has to be done through talking and tackling, the way we do it.”