Guide puts a price tag on security breaches

Organizations will be more likely to take cybersecurity seriously when they see that failing to do so could cost them, groups say.

Melissa Hathaway, who conducted the review for the White House, is promoting the handbook. Mandel Ngan/Newscom

Public and private sector chief financial officers should develop a budget that calculates the gross financial risk a security breach could pose to their organization, according to a new report from a U.S. standards body and a security trade association.

The 76-page guide comes in response to a 60-day White House review last year of the nation's cybersecurity infrastructure that found quantifying the value of protection motivates organizations to address vulnerabilities. The document -- written by the American National Standards Institute and the Internet Security Alliance, a nonprofit electronic industry group that is affiliated with Carnegie Mellon University -- assigns dollar figures to information losses and advises CFOs on the financial management of cyber risk.

The instructions apply both to federal and corporate CFOs, said Karen Hughes, ANSI's director of homeland security standards.

"The overarching message this document puts forward is that the single biggest threat to cybersecurity is misunderstanding," she said. "CFOs from the public and private sectors alike must look at cybersecurity as an enterprise- [and] agency-wide issue and not just an IT issue, to ultimately reduce vulnerabilities to cyberattacks and their financial implications."

The handbook is based on the premise that companies today, most of which depend on the Internet to survive, have relegated data security to an isolated, and often underfunded, unit.

The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring -- as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.

Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.

Melissa Hathaway, who conducted the White House review as the former acting senior director for cyberspace at the National Security Council, is promoting the handbook.

"This excellent guide for the C-suite puts forth the right questions to help organizations be proactive in managing their risk and exposure that is derived from their digital dependence," she wrote in an endorsement at the end of the publication.

The publication was underwritten by Symantec Corp., an information security firm.
