Shostack + Friends Blog Archive


Paying for Privacy: Enterprise Breach Edition

We all know that companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A priori, with at best a prediction of how the press will react.) Please don’t just say “a lot”; please help me quantify it.

Another way to ask this question: What should a business be willing to pay to not report a security breach?

(Bonus question: how is it changing over time?)

3 comments on "Paying for Privacy: Enterprise Breach Edition"

  • ivan says:

    I’ve done a sort of similar (unsuccessful) exercise before. If we assume disclosure would have a negative impact on forward revenues that, after disclosure, diminishes over time, then the company should be willing to pay as much as the net present value of the overall sum of the potentially negative impact on forward revenues. For a company in a high-growth business, the amount it is willing to pay will increase over time if the expected loss from initial disclosure in the 2nd year is greater than the loss due to disclosure in the first year plus the residual loss in the second year (depends on the function that models the diminishing impact of disclosure over time).

  • hrbrmstr says:

    I still stand by a previous comment and posit that it’s going to be a badge of honor vs a scarlet letter. The potential gain from a good spin campaign is too much to pass up.

  • Florindo says:

    None. I can’t name one retailer, for example, who has suffered any serious reputation loss due to a breach. And as hrbrmstr said, the potential gain can be good. “Sure, we were hacked but we implemented these advanced security measures, so now we’re more secure than others.” The general public just doesn’t care that much.
