After all the attention of the last few decades, it should be surprising that information risk is still one of the least well understood risks most organisations have to deal with. Mature industries are used to treating issues like capital, finance and operations as business risks, but information security is still often seen as an issue for the IT department. Alternatively, it is seen as a regulatory issue, with compliance rather than customers in the driving seat. Reputations take a long time to build, but companies like Sony have proved that a security incident can cost you that reputation overnight. Despite this, few businesses understand what security breaches really cost.
McAfee’s 2012 security report suggests that incidents cost on average $0.5 – $1m, but it also reveals that only a third of respondents had any idea what the cost was to them, and that a quarter of respondents did not feel they knew which security risks their controls were protecting them against. Until we can make an accurate quantitative assessment of security risk, boards and security professionals alike will find it hard to decide what level of resource to deploy, or how best to deploy it.