I recently saw a great piece of pseudo-science, courtesy of Websense, describing the cost of data loss and the amazing ROI of the Websense Data Security solution (a friend who studied physics with me used to call this sort of writing “Scientific New York Post”). See the Websense white paper, ROI of DLP.
Bruce Schneier correctly notes in his last issue of Cryptogram that “Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of privacy violations or any resultant identity theft“. That doesn’t stop Websense from claiming ROI of millions of dollars for their technology by imagining the damage due to a major data loss event. It looks like this:
| Cost Category | Description | Cost per Record |
|---|---|---|
| Discovery, response, and notification | Outside legal fees, customer notification, increased call center activity, marketing and PR, discounted product offers | $50 |
| Lost employee productivity | Employees diverted from normal duties, contractor labor | $30 |
| Restitution | Compensating affected customers for direct losses | $30 |
| Opportunity costs | Loss of future business opportunities | $98 |
| Total Direct Cost per Record | | $218 |
A simple data leak that results in the loss of 100,000 customer records can turn into a direct and immediate cost of $21,800,000. To put this number in perspective, an employee who generates $1,000 in revenue per hour would have to work for 21,800 hours (a total of 109 years) in order to compensate for the loss.
I especially like the part about “a simple data leak”, as if this were a leaky faucet you fix with some Teflon tape. If you have ever been involved in the forensic investigation of a data loss event, you know it is neither simple nor pretty.
It is the same fallacious reasoning that entrepreneurs often use to calculate projected revenues. It goes like this:
You have an idea for a killer Facebook application that will help consumers find the best credit card for a particular purchase. You figure you can sell subscriptions for $50/year because it will save people so much money on their grocery bills. Here is what you put in your pitch to potential VCs:
The worldwide credit card market is 5 trillion dollars, x 20 percent of the market that is online users, x 1 percent potential customers, means that the TAM (total available market) for our widget is 10BN dollars/year; x 1 percent penetration of our widget within 3 years, we conservatively forecast 100 million dollars in revenue by the end of year 3.
This sort of logic would get a failing grade in an undergraduate economics course. When you use real-world, bottom-up calculations, the results differ by 3 orders of magnitude: Year 1, no revenue; Year 2, 1,000 customers x $50/year; Year 3, 10,000 customers x $50/year = half a million dollars (not 100 million dollars).
Getting back to the data loss example: out of 100,000 records leaked, let's assume that 1 percent of the payment card holders complain to the bank. That is 1,000 calls to a national call center, which are easily handled by the current operation, so there are no incremental costs there. The cost of remunerating the card holder is already covered by the insurance that the company charged the card holder, so there is no cost there either. If the call center representative does a good job, they will make the customer feel good and sell them something, so there might actually be a net positive. Websense heavily discounts their system, charging only $300,000 for 6 gateways and 1,500 endpoint agents for 3 years, but in our real-life case the CFO would say that there is no ROI in spending $300,000 to prevent an event that he could not predict, on software that could be exploited by a Windows 7 rootkit on an IT help desk PC that had access to the payment card files.
You get the idea. Websense is defining the problem by their product, but data loss prevention is not that simple.