The Cost Benefit Analysis of Data Security

In this high-tech modern world, how do companies determine how much money and resources they should devote to data security? Data is created at greater speeds and in greater volumes than we can comprehend. According to a TechSpot article from March 2013, in one minute, nearly 640 terabytes of IP data are transferred across the globe. In that same time frame, Google responds to more than 2 million search queries, YouTube streams more than 1.3 million videos, and 204 million emails are sent. Given how quickly technology improves, these numbers are sure to be underestimated.

Such a massive volume of data is highly beneficial for industries and businesses that want to leverage data to understand more about their customers. Data affects us daily and is often used to make our lives more convenient. Sending boarding passes to customers’ smartphones makes for a more seamless flight experience; frequent shopper cards that track purchases and give discounts at the gas pump provide a more delightful shopping experience; and online credit card transactions that allow customers to purchase items online satisfy those who don’t like to shop but still need to make purchases. Companies that leverage data are able to use it to target customers more effectively, create better user experiences, and ultimately earn more profits as they become more efficient.

With more and more data created and stored every day, some of it is bound to leak into the wrong hands, whether intentionally or not. Sometimes the positive aspects of data creation are overshadowed by stories of financial fraud, confiscation of personally identifying data or identity theft, and breaches of security that lead to compromise of trade secrets, defense secrets, and intelligence secrets, among others.

Recent data security breaches are concerning and call into question the need for privacy of data, much of which is created without the knowledge or consent of the individuals or businesses from which it is collected. Last year Target was hacked on Black Friday, and the data for 40 million credit cards was compromised. Likewise, JPMorgan’s customer data was stolen recently, and as many as four other banks may have had personal financial information stolen. Financial institutions throughout the world, including numerous German and Swiss banks, the International Monetary Fund, NASDAQ, and the European Central Bank, have all been attacked just this year. Stories like these are increasingly gaining media attention, and are becoming more and more common.

The bottom line is that cyber-attacks happen all the time. Most of the business world works within a state of almost perpetual cybersiege at a level few consumers can grasp. The obvious solution would be to invest more in data security, but data security is complicated. There are unlimited ways to hack into a system, and malicious actions may not be discovered until long after the data was compromised. Practically every major organization already has some kind of data security package included with their Internet or technical service.

The increasing number of cyber-attacks has created demand for comprehensive cyber-insurance products and for insurance companies willing to commit capital to the risk of catastrophic cyber losses. After all, if current measures are not sufficient to keep out malicious users and programs, how will we ever know if bigger threats are on the horizon until it is too late? And yet, cyber insurance may not be sufficient. How will insurance companies evaluate risk when threats so easily slide under the surface? If a major cyber-attack cripples an entire industry or two, could the insurance companies swallow the bill?

Ultimately, data security becomes a business question. Will additional benefits be gained as additional resources are spent on data security? Threats to data security are real, and businesses and individuals need to be strategic in their approaches. Data risk is different from financial risk: with oversight and correct measures in place, financial risk can be identified relatively simply. Data security risk is far more elusive.

This post is part of an ongoing series of data-driven commentary on current events. It was originally published in the Zion’s Bank Economic Outlook Newsletter and the Deseret News.

Randy Shumway

Founder and Chairman

Randy Shumway founded Cicero Group in 2001. It began humbly, with four people working out of Randy’s house. At the beginning of 2017, when Randy stepped down as CEO, Cicero had grown into a highly respected, global management consulting firm.