Misconceptions about data breach costs and the ripple effects of those breaches can have far-reaching impacts. To dispel these misconceptions, two security researchers set out to determine the more common falsehoods about the cost of breaches and find more accurate cost metrics.
By studying publicly available breach data, the team also discovered that assumptions about third-party contractors being the weak links in a supply chain overshadowed the significant impact a breach at a larger organization can have on those same contractors and suppliers. These ripple events -- defined by Severski and Baker as "direct or indirect losses incurred by parties beyond the central victim organization in a cyberincident" -- mean data breaches with multiple affected parties can cost up to 13 times more than if only the original victim is taken into account.
Severski and Baker published their findings on the cost of data breaches in the Cyentia Information Risk Insights Study (IRIS 20/20) and the ripple effects of breaches in Ripples Across the Risk Surface (in collaboration with automated risk assessment firm RiskRecon). They discussed the topic at Black Hat 2020.