These are two striking recent examples which have one thing in common: risk. There is no consensus on the real level of cybersecurity risk we are living with, because the data sets and the methods used to calculate risk vary from firm to firm.
Consider this hypothetical example by Jason Spaltro (Sony’s then executive director of information security) in a 2007 article:
A company relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss.”
“The cost of notification is only a small part of the potential cost to a company. Damage to the corporate brand can be significant. And if the FTC rules that the company was in any way negligent, it could face multimillion-dollar fines.”
If you would like to read more, you can find the full article here.