Hack Attacks: Cyberattacks Not As Expensive As Thought, Rand Study Finds

Cyberattacks generate a lot of publicity, especially when large companies like Sony, Target and Home Depot are hit, but a study released Tuesday by Rand Corp. finds the cost to American businesses is far lower than estimated, removing the incentive for companies to do more to dissuade hackers.

Researchers, who published their findings in the Journal of Cybersecurity, found the typical cost of a breach is $200,000, and most attacks cost companies less than 0.4 percent of annual revenue.

Sasha Romanosky, author of the study and a policy researcher at Rand, said businesses “lack a strong incentive to increase their investment in data security and privacy protection.”

“Relative to all the other risks companies face, the cyber risks often aren't as big a deal as we think,” Romanosky said in a press release. “It may be bad for you if you are the victim, but it doesn't change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can't begrudge them for working that way.”

Romanosky studied 12,000 cyberattacks, which fell into four categories: breaches that disclosed personal information, theft of intellectual property or disrupted business services, phishing or skimming attacks, and privacy violations. The data showed security breaches were increasing, going from 64 in 2012 to 250 in 2014. Finance, insurance, healthcare and government entities were the main targets.

He analyzed the financial impact, including investigation costs, consumer notification, customer support, paying for identity theft insurance or credit monitoring, and legal actions, and found the costs were lower than losses to fraud, theft, corruption or bad debt.

“If it is true that on average that businesses lose 5 percent of their annual revenue to fraud, and that the cost of a cyber event represents only 0.4 percent of a firm's revenues, then one may conclude that these hacks, attacks and careless behaviors represent a small fraction of the costs that firms face, and therefore only a small portion of the cost of doing business,” Romanosky said.