Cost of Loss Due to Security Incidents Elusive

Security Leadership Research Institute / Resolver Research Results

The Security Executive Council's (SEC) Security Leadership Research Institute (SLRI) recently partnered with Resolver to conduct a survey investigating organizational cost of loss. The goal of the initiative was to collect enough data to find an industry average of cost of loss that includes fraud and other types of events such as armed robbery, assault, abuse, product contamination/tampering, and theft. (While the Association of Certified Fraud Examiners tracks cost of loss for occupational fraud, there is currently no public research that includes fraud along with other loss categories.)

Unfortunately, low participation hampered the SLRI's ability to find a reliable, representative average. Some of the most detailed questions were answered by only 24% of respondents. It is possible that security leaders didn't feel comfortable sharing the data the survey requested.

This is disappointing, says Bob Hayes, Managing Director of the SEC. "The security industry lacks the ability to quantify the business impact and results of risk mitigation. One of the SEC's initiatives is to establish a common language and common measurements to support the security industry. Until we get behind this, we are subject to senior management's interpretation and definition of the scope of the problem of loss."

Though the survey couldn't provide the average cost of security-related loss as designed, it still offered some interesting insight into how loss value calculation is being conducted.

Only 52% of respondents reported that they capture or calculate incident loss values.

When asked why not, the majority answered that some other function calculates it. The survey did not ask if, in this case, Security is aware of the method of loss quantification, or whether Security has access to the loss data and calculations. Having access to this information can help practitioners inform their security mitigation program decisions.

That said, Corporate Security is still by far the most likely function to investigate loss, which appears to imply that the function that could most likely take responsibility for both loss recovery and loss prevention is not keeping track of the monetary/business value of those activities.

In that same vein, only 6% of respondents reported that they calculate loss avoidance figures.

Are you calculating cost of loss or loss avoidance for your organization? We would like to hear from you if so. Contact us at contact@secleader.com.
