
SANS Security Trend Line

Imaginary Numbers: Useful for Solving Quadratic Equations - Not So Much for Security Problems

Reuters reports today that CSIS will release a study, funded by Intel/McAfee, which says:

"A $1 trillion estimate of the global cost of hacking cited by President Barack Obama and other top officials is a gross exaggeration, according to a new study commissioned by the company responsible for the earlier approximation.

A preliminary report being released Monday by the Center for Strategic and International Studies and underwritten by Intel Corp's security software arm McAfee implicitly acknowledges that McAfee's previous figure could be triple the real number."

So, maybe the cost of hacking is more like $300B than $1T, or maybe it is really $110B per some other studies, or maybe it is really $72T, which according to the CIA World Factbook is the total size of world Gross Domestic Product. It is somewhere in there, anyway.

Now, the global GDP estimate is created by summing up the individual country GDP estimates, which are themselves far from accurate. But let's use that $72T figure for a bit of our own math:

  • Typical "shrinkage" level (losses due to shoplifting and employee theft) in retail: 1.5% of revenue
  • 1.5% of $72T equals $1.08 Trillion
  • Sanity check: the UN estimate of the total impact of global organized crime in 2012 was 1.5% of global GDP, or about $870B, roughly $1T

That 1.5% figure for crime as a percentage of business revenue has a lot of historical data behind it, and of course that data is just as inaccurate as the rest of the data here. But over time companies have realistically learned to accept losses of 1.5% of revenue due to crime as a cost of doing business, since crime will always exist. For a $1B company, that is $15M: not a headline-grabbing number, but a much more useful one for the security decisions that company will need to make.

What actually matters more is this: how much do you need to spend to keep your losses down to 1.5%? In retail, that spend is also typically around 1.5%, making the total accepted cost of crime about 3% of revenue. A security team that gets losses down to 1% by spending 2% of revenue hasn't improved the bottom line at all, and if the mechanisms that reduced shrinkage also reduced sales, the "improvement" in security is a net negative for the company's bottom line.
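To make that comparison concrete, here is a small model, added here as an example and not part of the original post, that scores a security program by its total cost to the business (losses, plus the spend on controls, plus the profit forgone on any sales the controls drive away) rather than by losses alone. The program names, the 30% gross margin and the 2% sales drop are constructed illustrative figures, not numbers from the post.

```python
"""Compare security programs by total cost to the business, not by losses alone.

Added example, not code from the original post. All figures are illustrative:
the gross margin and the sales-drop numbers are assumptions, not from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    loss_rate: float        # losses to crime, as a fraction of realised revenue
    spend_rate: float       # loss-prevention/security spend, as a fraction of realised revenue
    sales_drop: float = 0.0  # fraction of sales lost to friction the controls introduce


def total_cost(p: Program, revenue: float, gross_margin: float) -> float:
    """Bottom-line cost of a program in currency units.

    Losses and spend are taken on the revenue actually realised after any
    sales drop. Lost sales cost the company their gross margin rather than
    their full revenue (assumption: the variable cost of unsold goods is
    avoided), so gross_margin is a parameter the caller must supply.
    """
    realised = revenue * (1.0 - p.sales_drop)
    losses = p.loss_rate * realised
    spend = p.spend_rate * realised
    forgone_profit = gross_margin * (revenue - realised)
    return losses + spend + forgone_profit


def rank(programs, revenue: float, gross_margin: float):
    """Return the programs ordered from cheapest to most expensive overall."""
    return sorted(programs, key=lambda p: total_cost(p, revenue, gross_margin))


# Constructed scenarios for a $1B retailer (the post's 1.5%/1.5% and 1%/2% cases,
# plus the 1%/2% case with an assumed 2% sales drop caused by the tighter controls).
BASELINE = Program("accept 1.5% shrinkage", loss_rate=0.015, spend_rate=0.015)
TIGHTER = Program("tighter controls", loss_rate=0.010, spend_rate=0.020)
TIGHTER_WITH_FRICTION = Program("tighter with friction",
                                loss_rate=0.010, spend_rate=0.020, sales_drop=0.02)
PROGRAMS = (BASELINE, TIGHTER, TIGHTER_WITH_FRICTION)

if __name__ == "__main__":
    REVENUE, MARGIN = 1e9, 0.30  # assumed: $1B revenue, 30% gross margin
    for p in rank(PROGRAMS, REVENUE, MARGIN):
        print(f"{p.name:24s} ${total_cost(p, REVENUE, MARGIN) / 1e6:6.1f}M")
```

Run as a script, the baseline and the tighter program both cost $30.0M, exactly the post's point that halving losses by doubling spend changes nothing, while the tighter program with a 2% sales drop costs $35.4M and ranks last. The useful habit is to treat the sales-drop term as a required input to any "we reduced losses" claim rather than an afterthought.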

Think of it this way: does it really matter that 1T raindrops fell on my property in last night's storm? Or should I focus on the $100 of caulking, flashing and gutter cleaning that kept all of those raindrops outside my house, which is much cheaper than the $2,000 cost of dealing with a flooded basement?
