According to the Verizon data breach investigations report released today, the average cost per breached data record is 58 cents.
That's a far cry from other estimates that put the average per-record loss at around $200.
The reason? It turns out that the relationship between the number of records lost and the total cost of the breach is logarithmic, not linear, and other models deal with this issue by excluding breaches that fall at the extremes.
"The median range, with 10,000 records lost, ranges in a per-record cost between $1 and $100," said Jay Jacobs, a senior analyst in Verizon's RISK Team.
Then, on the extremes, there were incidents with per-record costs of over $100,000, and incidents with per-record costs of less than a penny per record, he said.
"There's a lot of uncertainty beyond just the number of records," he said.
But there was also a significant amount of variation in the numbers, added Jacobs.
According to the report, the number of records only accounted for about half of the total variance in the data.
The company looked in detail at insurance claims but was unable to find any other factor that significantly impacted a company's financial losses and that was not related to the number of records lost.
"Any other difference we found, was also the difference in the number of records," said Jacobs. "Large companies have larger claims than small companies -- but also lost more records than small organizations. Breaches caused by external actors did have higher losses than those caused by internal actors -- but external actors take more records."
So where did the variability in costs come from?
"The rest of it is due to business factors," Jacob said. "And we don't have the data points for that."
The report also had some clear good news for infosec professionals -- the time to breach discovery has fallen from "months and weeks" to "hours and days."
In addition, 37 of all breaches were contained within hours, and another 30 percent within days.
However, in 24 percent of the breaches, exfiltration of data starts within seconds or minutes.
There's a lack of precise data on many attacks, said Jacobs, that prevented Verizon from offering more exact numbers.
And he warned that Verizon typically doesn't get reports about malware infections that are immediately caught by enterprises and remediated before they escalate into major security incidents.
"They're not going to report that to law enforcement," he said. The only exception is federal agencies, which are required to report even minor incidents.
Verizon broke out the discovery data for federal agencies for CSO Online.
In the public sector, 29 percent of all breaches were discovered within seconds -- compared to 8 percent overall.
Sign up for Computerworld eNewsletters.