How to Balance Data Retention vs Data Protection – Answers from Quantitative Analysis in the RiskLens 2023 Cybersecurity Risk Report

February 22, 2023  Benjamin Gowan

Data Center - Data Retention vs Data ProtectionData is the “oil” of the digital age, the saying goes, but it’s also a cyber risk, a target for data breach as well as regulatory fines for privacy violations. Data retention policy vs. data protection – what’s the right balance at your organization that meets the needs of the business and cybersecurity? 

We created the RiskLens Cybersecurity Risk Report to give CISOs decision support with data-driven risk reporting. This is built using FAIR™ (Factor Analysis of Information Risk) risk-scenarios populated with data gathered from trusted industry sources, such as the Verizon DBIR, Security Scorecard, and Zywave insurance claims and settlements. 

Benjamin Gowan - RiskLens Data ScienceBen Gowan is a Senior Data Scientist at RiskLens. Learn more about data science at RiskLens.

CISOs and other security and risk leaders looking to begin quantifying risk reduction affiliated with a change in data retention policy can download the report and find some guidance, starting on page seven, showing Average Effect of Security and Records. 

(Note the representative/reference organization used for this simulation study is a mid-sized organization in North America of 500-1,000 employees and USD $100M-$1B in revenue with personally identifiable information (PII) records at risk.)

The left column shows a hypothetical organization’s security-level score (A, C or F) from our partner Security Scorecard and a range of records held by the organization. (You can find your organization’s score by entering your web address in the RiskLens My Cyber Risk Benchmark tool or on the Security Scorecard website). The two columns in the center show the averages for loss and probability of a loss event, which together yield the average loss exposure (or risk). 

RiskLens Cybersecurity Risk Report 2023 - Average Effect of Security and RecordsDetail from the chart Average Effect of Security and Records. Download the full report.

How to Use the Cybersecurity Risk Report on a Data Retention vs Data Protection Issue 

Let’s work through a hypothetical where someone with a limited budget and resources is put in charge of an aging web application. It has frankly poor security, and since it has been around for a while, has accumulated a lot of stale sensitive records, over 1M. 

Using the report and thinking in FAIR terms, we can consider record count as a key driver of Loss Magnitude, and security score as a key driver of Loss Event Probability. We consider both together to get a good picture of the Risk Exposure. 

But, with constrained resources, would it be better to improve security first, or reduce data retention first? 

RiskLens Cybersecurity Risk Annual Report 2023 CoverFor simplicity, we’ll assume similar intervention costs for a one range retention reduction and a one grade security improvement in this hypothetical scenario. Starting at F-1M_10M, a first step of reducing the number of records to the 100K_1M range would reduce average risk exposure more (to $3.5M) than improving security from F to a C (only to $3.9M). Remember that these values are not meant to be predictions, but rather show the average effect of reducing record retention vs improving security across 1,000s of simulations of 1,000s of scenarios.

Continuing on from F-100K_1M, the next best step in terms of risk exposure would be to improve security from an F to a C, even more so than further reducing the records. 

From C-100k_1M records, the next best step would once again be to improve security to A-100K_1M records.

And for a final step, an additional data retention reduction would further reduce exposure, even with already excellent security. 

In the context of this hypothetical and all its assumptions, the safest and most effective way to reduce loss exposure for an aging web application started with a record reduction, proceeded with successive incremental improvements to security, and then closed with a final record reduction.

So, protection or retention? As always, it depends! The message in this chart – and throughout the RiskLens 2023 Cybersecurity Risk Report – is that only quantitative risk analysis based on a standard model like FAIR and drawing on data from real cyber events gives CISOs the best insights they need to make truly informed choices. Download the free report now.

RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms. Contact us for a demo.