Crisis Severity

Genuinely Understanding What’s Happening

It is critically important that organizations pay close attention to the loss history -- both within their own organization, and outside their organization -- in order to get a sense for what is actually happening in the fast-changing information security and privacy field. Loss history data points of note should include not just the security and privacy breaches reported, but also:

  • internal accounting frauds suffered
  • related insurance claims filed
  • security vulnerability reports received
  • staff grievances about security and privacy submitted
  • third party reported vulnerabilities not addressed
  • shareholder lawsuits filed
  • budget overruns occasioned by security or privacy problems
  • lost staff days due to system downtime
  • lost business deals caused by inadequate intellectual property controls
  • government regulator interventions triggered
  • adverse external audit reports received

Fig. 1

Emerging fraud trends related specifically to payments.

"According to the the Federal Reserve Bank Systems, 2013 Payments Study, in 2012, 13.7 million fraudulent transactions involved credit cards, totaling $2.3 billion; 14.9 million involved debit or prepaid cards, totaling $1.5 billion; and 1.3 million, totaling $300 million, were categorized as fraudulent ATM withdrawals."

Fed Issues New Study of Payments Fraud- Tracy Kitten


Comparison of Card Fraud to ACH and Check Fraud


SOURCE: Federal Reserve Bank




Fig. 2

The increasing cost of cyber crime.

A new study by the Ponemon Institute shows average annual losses to companies worldwide now exceed $7.7 million, with studied companies losing up to $65 million. 


The number of attacks is increasing.

Number of successful attacks per year per company.

Attacks Are Costly

Most costly kinds of attack, by losses in thousands of dollars


Fig. 3

Origin of Security Incidents

According to a Price Waterhouse Coopers report, "employees still remained the main human cause of breaches, with 84% of all incidents being attributed to them." -Beth Hull


Percent of Incidents by Category



Establishing an organizational governance structure to ensure that information security and privacy are adequately addressed, on an ongoing basis, is a multi-project endeavor. One often overlooked part of this endeavor is the establishment of a loss history record-keeping process, a related analysis process, and a related report generation process. Only when a multi-dimensional view of what’s happening is compiled via this loss history management process, can top management have confidence that they truly understand the nature of the problems, and that their efforts are indeed showing positive results.