A methodology for estimating the tangible cost of data breaches

Robert Layton, Paul A. Watters*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

49 Citations (Scopus)


Concerns are increasing that data breaches are occurring more frequently, as technologies like the web, social media and the cloud become more integrated within standard business processes, often without rigorous security controls. A key question for business is determining the potential cost of a future data breach, since this will help in assessing the risk that data breaches pose - most importantly - to the bottom line (Watters, 2012). Although many studies in this area rely on subjective data (surveys and interviews) (Analytics, 2012), we use objective case studies to fit parameters from a general model of data breach costs, derived from applied econometrics (Schechter, 2005). This helps triangulate the findings of previous papers, but also overcomes some of the limitations with surveys, most notably self-selecting/reporting biases that can occur. Further, our results allow for interested parties to reproduce our results, including changing any figures as may be needed for their own circumstances. One example is to use consultancy rates instead of in-house rates, if the company does not have computer security engineers on staff. While many studies identify the intangible costs to businesses as the key source of variation in cost, our key finding is that the tangible costs are very significant in their own right. Indeed, while many experts predict that loss of reputation is one consequence of a data loss (Campbell et al., 2003), we find that some firms continue to grow, whilst having to write-off tangible expenditure for remediation work. Regardless of whether tangible or intangible costs are the greater or lesser contributors, firms need to focus on the total bottom line cost, and put in place measures to reduce the risk of a data breach in the most cost-effective way.

Original languageEnglish
Pages (from-to)321-330
Number of pages10
JournalJournal of Information Security and Applications
Issue number6
Publication statusPublished - Dec 2014
Externally publishedYes


  • Data loss
  • Econometrics
  • Mathematical models
  • Risk assessment


Dive into the research topics of 'A methodology for estimating the tangible cost of data breaches'. Together they form a unique fingerprint.

Cite this