
Cost of A Security Breach

This document discusses the costs of a security breach using the 2013 Target breach as a case study. It categorizes the costs as direct and indirect. Direct costs for Target included a 6.6% drop in revenue, an 8.9% drop in stock price, potential fines between $405 million and $1.2 billion for non-compliance with PCI-DSS standards, and over $292 million spent on breach-related costs like legal fees by January 2016. Indirect costs included financial hardships for customers from unauthorized charges, damaged credit scores, and time spent dealing with the effects of fraud and identity theft. The document argues a systematic model is needed to accurately quantify all the direct and indirect financial costs of data bre

Uploaded by

Aayush Garg

Running head: COST OF A SECURITY BREACH 1

Cost of a Security Breach

Student Name

Course Name

Instructor Name

February 7, 2021

1. Abstract

The paper explores the direct and indirect cost factors of security breaches and provides a systematic categorization of financial impacts and impact factors for analyzing business data breaches. The study uses the case of the security breach at Target to illustrate the direct and indirect cost factors in the proposed model. A security breach is any incident that results in unauthorized access to data files, applications, networks, or devices. It usually occurs whenever an attacker can circumvent defense mechanisms. Target was heavily affected by the huge costs of a security breach. Data and security breaches harm the overall performance of an organization. In the information technology age, security breaches have become a major issue. The vast majority of compromised data records come from breaches affecting commercial business organizations. Security breaches have different consequences, including financial costs, for both corporate organizations and individual customers. This paper is a preliminary attempt to ensure that the cost of data breaches is calculated consistently and accurately, within the proposed classification of financial cost factors.

Keywords: Cost Factors, Business, Indirect Cost, Data breach, Direct Cost, and Consumer

Table of Contents

1. Abstract
2. Introduction
3. Access Control
4. Justification for Hypotheses
5. Review of Relevant Research
6. Why Does Company Need to Know
7. Conclusion
8. References

Cost of a Security Breach

2. Introduction

A data breach is a serious cybersecurity attack or incident that can cause significant harm to individual victims and organizations. Data breaches involving the unauthorized disclosure of personal information are on the rise. Among all categories of plaintiffs, corporate organizations have had the highest volume of records breached, resulting in numerous fines and impacts on customers and enterprises, including monetary losses and financial consequences. Establishing a useful and accurate method for estimating the actual costs of data breaches has been a crucial research challenge for the cybersecurity industry. To quantify data breach costs correctly, a comprehensive, detailed model for identifying the factors and the sum of the financial consequences of data breaches is necessary, and it is useful for cybersecurity decisions and for the economics of appropriate information security. Data breaches have therefore become significant cybersecurity incidents or attacks that victimize many individuals and organizations.

A data breach is defined as the unauthorized movement or disclosure of confidential information to a party, generally outside the company, that is not allowed to have or see the data. Data breaches continue to rise every year in both cost and the number of customer records lost or stolen. There is no standard agreement on a consistent technique for evaluating the actual costs of cybersecurity attacks such as data breaches. A significant part of the problem is that there is no agreement on which cost factors to include in the calculation: security breaches can cause monetary harm, physical harm, enormous economic harm, psychological harm, and social harm. Indirect and hidden costs can also carry different types of harm and effects. Therefore, for adequate estimation of security breach costs, a systematic model for defining the factors and magnitude of the economic costs of security breaches is necessary and useful for proper cybersecurity measures and data protection strategies. This research primarily addresses the cost of data breaches and the large number of records breached in multinational business organizations.

3. Access Control

The data breach at Target, the biggest supermarket chain in the U.S., happened in late 2013. The Target breach case is chosen for this analysis because the breach involves numerous claimants and parties and a range of direct and indirect cost factors that fit the proposed classification. In a public statement on 19 December 2013, Target reported that the details of about 41 million payment cards were compromised. On 10 January 2014, Target revealed that personally identifiable information (PII), such as the names, email addresses, phone numbers, and addresses of up to 71 million consumers, was also leaked during the breach. Consumer losses are also an essential aspect of a data breach, and the financial consequences and effects on customers are frequently under-reported.

In the Target case, the victims suffered direct damages to their financial assets and indirect losses that led to financial costs or were in some ways considered more valuable than cash holdings. As a result of the breach, some customers incurred direct financial losses. For example, one customer noticed two unauthorized charges on her account, whereas another found her bank account balance reduced from $3,541.53 to $6.01, forcing her to borrow money for food and tuition from her son. In the latter case, the direct monetary losses from the breach created problems and unnecessary financial hardship for the consumer victim. Consumer plaintiffs have suffered additional immediate financial pressures and monetary damages, including increased interest rates attributable to missing deposits, the expense of replacing government ID cards, and the cost of hiring legal assistance. To minimize the risks of specific attacks and guarantee identity security, organizations also take elaborate steps (Morse, Raval, & Wingender, 2011).

For the fourth quarter of 2013, Target's gross revenue fell by 6.6 percent relative to the prior year, and Target's stock price dropped 8.9 percent in the six weeks following the disclosure of the breach. Because of its non-compliance with PCI-DSS, which requires two-step verification for remote access to payment systems, Target may also face a fine of between $405 million and $1.2 billion. In response to claims from customers and banks, Target had to pay substantial settlement amounts. In November 2015, Target committed to a $101 million settlement to cover customer damages; it settled Visa's lawsuit in August 2015 for $68 million, and settled with MasterCard and other banks in December 2015 for nearly $41 million. Crisis coordination is also an essential aspect of the organizational response to a data breach. By January 2016, Target had paid $292 million in breach-related costs, such as legal bills, forensic expenses, and crisis management, and cyber insurance was expected to cover less than one-third of that amount.

Customer victims also suffered many indirect costs and damages from the Target breach. One customer quoted in a lawsuit, a mother of five, had two unauthorized transactions on her bank card caused by the breach, was locked out of her bank account, failed to pay a sum and a car loan fee, and had trouble putting food on the table. Another customer had to postpone purchasing a much-needed new car because, due to 36 suspicious inquiries on his credit reports, his credit score fell from 25 to 55 points. In the context of the breach, these cases reflect the costs of fraud, loss of credit and convenience, and mental distress that customer victims had to endure. To rebuild their damaged credit and recover their accounts, the affected customers had to spend much time communicating with numerous agencies and organizations (Plachkinova & Maurer, 2018).



Research on the effect of data breaches such as the Target breach on financial institutions and consumers reveals that customers are indirectly and negatively affected not only by being unable to use their contactless payments during the suspension but also by the slow process of re-registering and re-activating cards with multiple retailers, which may take many months to complete. Reputational costs are any corporate harm arising from a loss of interest and trust among consumers and the general public after a security breach, and third-party threats primarily relate to potential problems and related costs of managing third-party cloud service vendor software, providers, and infrastructure elements (Wang, D'Cruze, & Wood, 2019).

4. Justification for Hypotheses

Data breaches that result in the unauthorized disclosure or theft of confidential personal and financial data are a common form of cybercrime. The cost of data breaches can be illustrated by studies that attempt to calculate the costs of cybercrime. Information security breaches are commonly grouped into the following categories: breaches of the confidentiality of information (i.e., breaches enabling unauthorized users to access sensitive information); breaches of the availability of information (i.e., breaches preventing authorized users from accessing certain information promptly, including those sometimes referred to as denial of service); and breaches of the integrity of information (i.e., breaches that threaten the security and authenticity of a database, which are linked to the defacing of websites). Certain information security breaches fall under two or three of the categories above. For example, a breach of the confidentiality of information may lead to a temporary shutdown of a business's Internet operations (i.e., a secondary result is a breach of data availability). The same secondary consequence (i.e., the immediate shutdown of a company's Internet operations) also results from a violation of records' confidentiality. Security breaches also arise from viruses. Viruses tend to cause availability breaches, but some also cause breaches of data privacy. To see how attitudes toward security breaches might have changed in recent years, consider the case where a credit card company notifies its customers that a department store might have compromised their account numbers. Because of this alleged security breach, customers are issued a new card (with new account numbers) and told to replace the old card. Below are the three general hypotheses considered in the present analysis. The second and third hypotheses are modifications of the first.

H1: The Number of Records Lost Differs Across Breach Types

H0: The number of records lost does not vary across breach types

Ha: There is a difference in the number of records lost between breach types

Dependent Variable: Number of Records Lost

Independent Variable: Breach Type

An ANOVA of top-level breach categories reveals a significant difference in the number of records lost across the top-level breach categories (F(2,112) = 4.037, p = 0.021). A post hoc Tukey HSD test reveals a significant difference between the physical and operational breach types, with untransformed means of 8916 records and 917 records, respectively (Dane, 2012). The full results are shown in the table below:

Table 1: Mean Number of Records Lost Across Breach Types



H2: Stock Price Impact is correlated with the Number of Records Lost

Pearson's correlation was computed between the three impact time-frame variables and the number of records lost. There was no statistically significant strong correlation.

H3: Information security breaches related to information integrity do not affect the stock

market returns of firms.

5. Review of Relevant Research

Sharma, Oriaku, & Oriaku (2020) stated that security breaches leading to the unauthorized acquisition of computerized information compromise the confidentiality, security, and reliability of the personally identifiable data held by many firms. There is a common perception that security breaches and the corporate activities of today are inherently viewed as cause and effect. The paper describes the cost of data breaches, disclosure requirements, and the stronger safeguards that many companies have developed, and argues that "if" is not the question when it comes to cybersecurity and data breaches. Data has emerged as one of the essential assets, creating a weakness that bad actors involved in hacking and other types of security breach can abuse where security protocols are lacking. The paper notes that in the last century, the number of security breaches caused by hackers and the impact of disclosure legislation adopted by 48 states have greatly increased. With millions of records compromised and billions of dollars, which might have been directed to other ventures, spent to prevent such breaches, the number of security breaches is troubling. All organizations, large or small, are advised to have cybersecurity measures and a practical business impact analysis in place to handle data breaches (Sharma, Oriaku, & Oriaku, 2020).

Gordon, Loeb, & Zhou (2011) examined the effect of information security breaches and reported two significant findings. First, the effect of the broad class of information security breaches on organizations' overall stock market returns is significant. Second, when security breaches are categorized by their primary effect in terms of availability, confidentiality, and integrity, breaches of availability are found to have the biggest adverse impact on stock market returns. Increased media coverage of security breaches without obvious shocking consequences for the targeted companies has diminished investors' estimation of the cost of such breaches. Two common explanations for this downward shift are necessary remediation and a perceived reduction in the tendency of consumers to refrain from doing business with companies that experience a security breach (Gordon, Loeb, & Zhou, 2011).

Ko & Dorantes (2006) examine the effect of security breaches on overall firm performance. Unlike prior studies that used an event study methodology, the authors used a matched-sample comparison analysis. They considered three quarters associated with the security breach to determine whether the performance of the breached firms decreased relative to that of peer companies (the control group). The overall revenue and operating profits of the breached firms did not decline in the quarters following the quarter of the breach. In comparison, the results of the management organizations in the second quarter were more detailed relative to those of the response companies. Moreover, in the third quarter, the breached firms' profit rose dramatically relative to that of the control firms (Ko & Dorantes, 2006).

Campbell, Gordon, Loeb, & Zhou (2003) examine the economic effect of security breaches reported in magazines and newspapers on publicly traded US companies. The authors found little evidence of an enormous adverse stock market response to all public announcements of significant security breaches. Further analysis shows that the outcome is influenced by the nature of the breach. It also shows a highly significant negative consumer response to security breaches involving unauthorized access to private data, but a typical reaction when sensitive information is not involved in the breach. Investors in the capital markets therefore tend to discriminate among these breaches when assessing their economic effects on the affected businesses. These results are consistent with the view that the economic effects of information security breaches differ depending on the nature of the underlying assets affected by the breach (Campbell, Gordon, Loeb, & Zhou, 2003).

Choong, Hutton, Richardson, & Rinaldo (2017) noted that cyberattacks have increased over the years at both the business and the individual level. Organizational budgets directed to information security are low. One factor is that the effects of a data breach, such as increased consumer perception of risk and brand value degradation, remain almost invisible to senior executives and boards of directors. The second factor is that managers must justify budgets, and the cost of a breach is hard to measure. There are direct and ongoing costs of a data breach: its effects include not only the downtime during the breach but also the loss of customers, morale, loyalty, and brand value, all of which are of great concern to marketing executives. The paper analyzes the effect of a breach announcement on the company's market value. Using event study methods, it gives a simple illustration of how the market responds to a company's data breach. The findings show that the market punishes the company with a small but significant negative excess return on disclosure of the breach, and this pattern continues. This consequence, along with the indirect or irreversible costs associated with brand degradation, gives senior managers strong reasons to protect the integrity of information, thereby preserving its value.



6. Why Does Company Need to Know

This section presents a categorization and description of the direct and indirect cost dimensions of security breaches for target entities and individual consumers. The company needs to know about the direct and indirect costs of security breaches, both for the business and for its customers. Direct cost factors are losses of profits, disability, or equivalent monetary items that result directly from a security breach. Indirect cost factors, such as lost customer loyalty, are losses of money, disability, or financial equivalents due to one or more complicating circumstances caused by the security breach. Without the original data breach, these secondary costs would not have occurred. They are sometimes implicit, hidden, and impossible to quantify and calculate.

For Businesses

1. Direct Costs for Businesses

The direct cost factors for Target as a business resulting from a security breach are listed below. Most cost factors in the financial category are the same as the cyber-harm sub-types and are described here more specifically in terms of their connection to the data breach.

• Sales disruption

• Financial theft

• Legal cost

2. Indirect Costs for Businesses

As a consequence of a security breach, the indirect cost factors for Target are described as follows (Lu, 2019). These factors, caused by the loss of security, lead the whole company to lose money afterward.

• Profit decline

• Ineffective market share

• Loss of customer confidence

For Customers

1. Direct Costs for Consumers

The direct cost factors for Target's customer victims of security breaches are listed below:

• Financial theft

• Credit monitoring cost

• Extortion payments

2. Indirect Costs for Customers

The indirect cost factors for Target's customers are listed below:

• Reduced credit rating

• Loss of convenience

• Reputational cost

7. Conclusion

It is concluded that the Target Company is positively affected by the enormous costs of a security breach. Breaches involving commercial business enterprises account for the vast majority of breached data records. A data breach is defined as the unauthorized movement or disclosure of confidential information to a party, typically outside the organization, that is not allowed to have or see the data. The Target breach case was chosen for this analysis because the breach involves numerous claimants and parties and a range of direct and indirect cost factors that fit the proposed classification. In the Target case, the victims suffered direct damages to their financial assets and indirect losses that led to financial costs or were in some ways considered more valuable than cash holdings. Customer victims also suffered many indirect costs and damages from the Target breach. The cost of data breaches can be illustrated by studies that attempt to calculate the costs of cybercrime. There is a common perception that security breaches and the corporate activities of today are inherently viewed as cause and effect. However, the breached companies' overall sales and operating income did not decline in the quarters following the quarter of the breach. The company must know about the direct and indirect costs of security breaches, both for the business and for its customers.

8. References

Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 431-448. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.7735&rep=rep1&type=pdf

Dane, K. (2012). Considering data breaches: Public information, corporate responsibility, and market valuations. University of Washington. Retrieved from https://digital.lib.washington.edu/researchworks/bitstream/handle/1773/20957/Kristopher%20Dane%20Capstone.pdf?sequence=1&isAllowed=y

Gordon, L. A., Loeb, M. P., & Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 33-56. Retrieved from https://www.researchgate.net/publication/220065392_The_Impact_of_Information_Security_Breaches_Has_There_Been_a_Downward_Shift_in_Costs

Ko, M., & Dorantes, C. (2006). The impact of information security breaches on financial performance of the breached firms: An empirical investigation. Journal of Information Technology Management. Retrieved from https://jitm.ubalt.edu/XVII-2/article2.pdf

Lu, J. J. (2019). Assessing the cost, legal fallout of capital one data breach. Economic study and financial analysis for data assets, privacy breach, and cybersecurity. Retrieved from https://www.researchgate.net/publication/335210159_Assessing_The_Cost_Legal_Fallout_Of_Capital_One_Data_Breach

Morse, E. A., Raval, V., & Wingender, J. R. (2011). Market price effects of data security breaches. Information Security Journal A Global Perspective, 20(6), 263-273. doi:10.1080/19393555.2011.611860

Plachkinova, M., & Maurer, C. (2018). Teaching case security breach at target. Journal of Information Systems Education, 29(1), 11-20. Retrieved from https://www.researchgate.net/publication/324454307_Teaching_Case_Security_Breach_at_Target

Sharma, N., Oriaku, E. A., & Oriaku, N. (2020). Cost and effects of data breaches, precautions, and disclosure laws. International Journal of Emerging Trends in Social Sciences. Retrieved from https://www.researchgate.net/publication/338836538_Cost_and_Effects_of_Data_Breaches_Precautions_and_Disclosure_Laws

Wang, P., D'Cruze, H., & Wood, D. (2019). Economic costs and impacts of business data breaches. Issues in Information Systems, 20(2), 162-171. Retrieved from https://www.iacis.org/iis/2019/2_iis_2019_162-171.pdf
