How to Avoid Costly Mistakes on Using Ponemon to Report Risk

January 23, 2019  Isaiah McGowan

Have you ever been marginalized in a meeting because the results were laughable to an executive? I have. I want to tell you a story that I hope helps you avoid reliving my embarrassment.

On my first use of Ponemon

It's very common in the cybersecurity world to take the Ponemon per-record cost figure and multiply it by your record count to calculate the risk of a criminal stealing all of your customer records.

In my early days (back when cybersecurity was still called information security), I gave a presentation to a large group of company employees as part of security awareness training. I had recently learned about Ponemon and thought it would make sense to teach employees a thing or two about risk. They just didn't understand how bad it was to click on those pesky phishing emails.

At the time, the average per capita cost of a data breach, as reported by Ponemon, was something like $144. I simply multiplied that number by the 4 million customer records in the mainframe and, voila, risk! I walked into my presentation armed with a big, scary number: $576 million.

A teachable moment for me

I went through my normal presentation and saw the regular, disinterested faces of the crowd. All heads perked up when I got to the part about how bad clicking those phishing emails can be. True to form, I blasted my audience with the $576 million number and eyes widened. I could see it on their faces: "I'm never opening an email again!" I was proud.

But, also true to form, pride always comes before the fall. In my audience that day, I had the Chief Credit Officer. He took one look at my number and scratched his head. The ensuing conversation went like this:

CCO - Isaiah, that number doesn’t stack up. Are you saying that’s what it would cost us if a hacker stole all our data?

Me - Yes, sir.

CCO - Do you realize that’s significantly greater than our market capitalization?! That would put us out of business!

Me - I didn’t know about the market number, but it would be very scary; I could see us going out of business because of it.

CCO - Has any organization like ours gone out of business due to a data breach? Has any data breach resulted in losses above market capitalization?

Me (sheepishly) - I don’t know of any businesses going under because of a breach.

CCO - You need to rework your calculations. Let’s move on with the rest of the training.

The Chief Credit Officer was well versed in the financials of the organization. He also had peers who had gone through breach events and hadn't experienced anything like what I was describing. It was a teachable moment for me.

An opportunity at redemption

I wasn't sure what 'rework your calculations' meant. Not at the time, anyway. I did what every other security professional was doing; I thought I was faithfully quantifying risk for my company. Once I learned Factor Analysis of Information Risk (FAIR), I understood why I was so drastically wrong. The simple algebraic calculation I used could not possibly have been accurate. Using FAIR, I learned to decompose risk into pieces so I could calculate it in a more meaningful way. In a future post, I'll give concrete examples showing how using RiskLens to quantify risk compares to common Ponemon-based calculations.

A final word on the dangers of using Ponemon

There is a good reason why the Ponemon value does not work to model breaches involving over 100,000 records: their studies don't include breaches larger than slightly above 101,000 compromised records. The per-record figure is an average over that sample, so applying it to a breach many times larger extrapolates far outside the data it came from, and the number doesn't hold at scale. Let's shed light on this with one last example:

If you are a Fortune 100 company with a market capitalization of approximately $160 billion and holding upwards of 900 million customer records, you would be mistaken to use the Ponemon number to describe the cost of a full record breach. Using the 2015 reported cost of $217 per record, your resulting calculation would be over $195 billion, approximately $35 billion over market capitalization.
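The two calculations in this post, run through the plausibility checks the Chief Credit Officer applied, as an added Python example (not code from the original post or from RiskLens). It takes the study's sampled maximum of about 101,000 records, as stated above, as the limit beyond which the per-record figure is being extrapolated, and treats an estimate larger than market capitalization as not credible; both thresholds are assumptions made for this illustration, and the `ponemon_estimate` function and its checks are hypothetical names, not a published method.

```python
"""Sanity checks for a naive per-record breach-cost extrapolation.

Added illustration; not code from the original post or from RiskLens.
The per-record figures ($144, $217), the ~101,000-record ceiling of the
study sample, and the record counts and market cap come from the post.
Treating that ceiling as the extrapolation limit is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Largest breach size covered by the study sample, as stated in the post
# (slightly above 101,000 records). Assumed here to be the extrapolation limit.
STUDY_MAX_RECORDS = 101_000


@dataclass
class BreachEstimate:
    naive_cost: int                  # per-record cost x record count
    within_study_range: bool         # record count inside the sampled range?
    exceeds_market_cap: bool         # estimate larger than the company is worth?
    warnings: list[str] = field(default_factory=list)


def ponemon_estimate(records: int, cost_per_record: int,
                     market_cap: int | None = None,
                     study_max: int = STUDY_MAX_RECORDS) -> BreachEstimate:
    """Multiply out the naive estimate, then flag the two problems the post describes."""
    naive = records * cost_per_record
    warnings: list[str] = []

    # Check 1: is the record count inside the range the per-record average came from?
    within = records <= study_max
    if not within:
        warnings.append(
            f"{records:,} records is about {records / study_max:.0f}x the largest breach "
            f"in the study sample ({study_max:,}); the per-record figure is being "
            "extrapolated far outside the data it was derived from"
        )

    # Check 2: does the estimate exceed what the whole company is worth?
    exceeds = market_cap is not None and naive > market_cap
    if exceeds:
        warnings.append(
            f"estimate ${naive:,} exceeds market capitalization ${market_cap:,} "
            f"by ${naive - market_cap:,}; a single-breach loss larger than the "
            "company's value is not a credible figure to present"
        )

    return BreachEstimate(naive, within, exceeds, warnings)


def overshoot(est: BreachEstimate, market_cap: int) -> int:
    """How far the naive estimate lands above market capitalization (0 if it does not)."""
    return max(0, est.naive_cost - market_cap)


if __name__ == "__main__":
    # Scenario from the author's training session: 4M records at $144 each.
    first = ponemon_estimate(4_000_000, 144)
    print(f"Training-session estimate: ${first.naive_cost:,}")
    for w in first.warnings:
        print("  WARNING:", w)

    # Scenario from the closing example: 900M records at $217, $160B market cap.
    cap = 160_000_000_000
    second = ponemon_estimate(900_000_000, 217, market_cap=cap)
    print(f"Fortune 100 estimate: ${second.naive_cost:,} "
          f"(over market cap by ${overshoot(second, cap):,})")
    for w in second.warnings:
        print("  WARNING:", w)
```

Both scenarios trip the range check, and the second also trips the market-cap check, which is exactly the objection the CCO raised; a breach well inside the sampled range (say 50,000 records at a company worth far more than the product) passes both and returns no warnings.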

Like I was, you might be marginalized by senior executives and board members when claiming this is your risk of a breach.

Join the conversation

If this story resonated with you, please consider scheduling a demo. Please select 'Cyber Risk Quantification' as the solution, and let us know in the comments that you want to talk more about how we quantify risk compared to Ponemon. A member of our team will follow up with you. We want to hear your stories and explore how we can help you quantify and communicate cyber risk.