Contributed by:

Derek E. Brink, CISSP
Vice President and Research Fellow, Aberdeen Strategy & Research
Adjunct Faculty, Harvard University and Brandeis University
Derek.Brink@aberdeen.com | www.linkedin.com/in/derekbrink

In the research report Understanding Your Insider Risk, and the Value of Your Intellectual Property, I wrote about a straightforward way to quantify the risk of a data breach involving an organization’s digital data in the form of files.

From this perspective, it’s important to note that we’re generally not talking about data breaches involving the millions of records in the organization’s crown jewels databases. For one thing, there are already numerous reports — most of dubious usefulness, in my opinion — that estimate the total cost of a records-oriented breach. It’s just that talking about things like the average total cost per record or the average total cost per breach tells us absolutely nothing about risk, as risk is properly defined:

  • Risk by definition involves uncertainty, which means a range of possible values; not a single, fixed-point value
  • Each point in the range of possible values has an associated frequency of occurrence; averages tell us nothing about likelihood when the range is not symmetrical, as is typically the case in cybersecurity (using the median, instead of the mean, would at least tell us the 50th percentile on the risk exceedance curve)
  • Falsely precise, fixed-point values — based on mean not median — do very little to help organizations make a better-informed business decision about risk than the default of mere intuition and gut feel; it’s just bad analysis, which unfortunately is all too common

Even more importantly, digital data in the form of files commonly captures a significant percentage of the organization’s intellectual property (IP), such as:

  • Patents (e.g., inventions and discoveries)
  • Trademarks (e.g., brands, logos, designs, packaging)
  • Copyrights (e.g., written or recorded works, source code)
  • Trade secrets (e.g., processes, formulas, methods)
  • Confidential information (e.g., sales and marketing plans, production forecasts, merger and acquisition activities, pricing, customer lists, procurement data)

Should a data breach involve your organization’s IP, the potential business impact can easily be just as big as that of a breach involving records — but I haven’t found many useful estimates for the total cost of this class of breach. (Those few that do exist suffer from the same shortcomings noted above.)

Quantifying the Risk of an Insider-Induced Data Breach Involving Your IP

As described in the report, a simple (but useful!) estimation of the risk of an insider-induced data breach involving your intellectual property can be made with just three basic factors:

  1. How likely for a data breach to occur, in a given period of time?
  2. How likely for the data breach to involve the actions of insiders (which predominantly involves IP)?
  3. How much business impact from a data breach of your “crown jewels” IP?

Reasonable estimates for the first two factors are easy enough to find, and the sources are cited in the report. But what about the third factor — how can we estimate the value of our intellectual property?

Aberdeen’s simple (but useful!) approach was to estimate the value of IP based on the annual revenue generated by that IP, prior to the breach. For example:

  • The business impact of a data breach involving the source code for a key application can be estimated based on the annual revenue generated by that application, prior to the breach.
  • For a data breach involving the sales and marketing plans for a major new product launch, the business impact can be estimated based on the annual revenue projected for that product, prior to the breach.
  • For a manufacturing company, theft of IP related to the design and manufacture of a best-selling widget can be estimated based on the annual revenue generated by that widget, prior to the breach.

Given that certain nation-states have a notoriously bad reputation for the theft of intellectual property, let’s use a hypothetical manufacturing company as an illustrative example: A global enterprise, with annual revenue of $10B, 25K employees, and $1B in annual revenue from its popular new widget.

Estimating the Value of IP, Approach #1: Present Value of a Perpetuity

As a first-pass, extremely crude estimate of the upper bound — just to calibrate our thinking about the value of our widget-related IP — let’s think of the $1B as a perpetuity (i.e., our widget will generate $1B per year, forever). From long ago in business school, I remember that the formula for the present value of a perpetuity is:

PV = (annual revenue) / (weighted average cost of capital)

Think of the weighted average cost of capital (a blend of the organization’s cost of debt and its cost of equity) as the discount rate, i.e., the time value of money. Recently, typical values for enterprise WACC range from about 3% to 11%, skewed towards the lower end of the range. For our back-of-the-napkin calculation, let’s use 4%.

Using these values, we can now estimate that the total lifetime value from this “crown jewels” widget — at the extreme, high end of the scale — is about ($1B) / (4.0%) = $25B. Again, this is just a crude, upper-bound estimate of the total impact if the IP for our popular widget is compromised, and all revenue from that point forward is immediately lost. So, if we end up making estimates that are bigger than $25B, we may want to re-think our approach.

Estimating the Value of IP, Approach #2: Legal Judgments

For a more granular estimate, Aberdeen looked at an analysis of more than twenty legal judgments awarded in court cases involving intellectual property — i.e., how did the courts place a monetary value on compromised IP?

Twenty court cases may not seem like a very large number, but we can call upon the statistical Rule of Five: Based on as few as five measurements for a given factor, the actual median for that factor is more than 90% likely to fall between the lower bound and the upper bound of just these five measurements. (If you’re the type of person who likes to see the math behind such claims, I’d be happy to show it to you!)

With this in mind, an analysis of the distribution of legal judgments as a percentage of the trailing twelve months of revenue in these court cases showed that the total impact of a data breach ranged from <1% to >400% (median: about 5-10%) of the annual revenue generated by the IP immediately prior to the breach, as visualized in the following chart:

Source: Data adapted by Aberdeen, May 2021

Estimating the Value of IP, Approach #3: The “Patent Cliff”

To corroborate the estimate based on legal judgments, Aberdeen did a second analysis — based on the simple idea that a data breach involving your IP is analogous to the revenue it generates falling off the so-called Patent Cliff. The term Patent Cliff comes from numerous studies of patent-protected revenue streams upon the expiration of the patent, which show a remarkably consistent pattern:

  • A 1/2 drop-off in revenue in the first year after patent expiration,
  • Followed by drop-offs of 2/3, 3/4, 4/5, 5/6, and 6/7 in years two through six, respectively.

The Patent Cliff approach and Legal Judgments approach provided remarkably similar results: The total impact of a data breach ranges from 0% to 440% (median: about 5-10%) of the annual revenue generated by the IP immediately prior to the breach, as visualized in the following chart:

Source: Data adapted by Aberdeen, May 2021

Granted, the range of possible values (0% to 440% of the annualized revenue generated by the IP) is very large — but this reflects the inherent uncertainties involved. All the more reason to use the entire range in our analysis of risk, not just a fixed-point estimate based on averages!

Back to Our Illustrative Example: Quantifying the IP-Related Risk for a Manufacturing Company

Let’s go back to our hypothetical manufacturing company, which has annual revenue of $10B, 25K employees, and $1B in annual revenue from its popular new widget. What’s the risk of a data breach involving the IP of this “crown jewels” revenue stream?

Using the three factors described above, the company’s subject-matter experts make the following estimates:

  1. How likely for a data breach to occur, in a given period of time? For this manufacturing / ERP context, the annualized likelihood of a data breach is estimated to be between 0% and 66% (most likely: 50%).
  2. How likely for the data breach to involve the actions of insiders (which predominantly involves IP)? The company’s subject-matter experts estimate this to be between 0% and 60% (most likely: 36%).
  3. How much business impact from a data breach of your “crown jewels” IP? Based on Aberdeen’s analysis, this is estimated to be between 0% and 440% (most likely: 5-10%) of the $1B in annual revenue.

Based on these estimates, a straightforward Monte Carlo analysis quantifies the IP-related risk as a range of possible values with associated likelihoods, as shown in the following chart:

  • Median (50% likely to exceed): about $8M / year
  • “Long tail” (5% likely to exceed): about $600M / year

Source: Monte Carlo analysis; Aberdeen, May 2021
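The following is an added example, not Aberdeen’s model or code: it derives the 440% Patent Cliff upper bound from the year-by-year drop-offs above and then runs a simple Monte Carlo over the three factors for the $1B widget. The min / most-likely / max values for factors 1 and 2 are taken from the article and modelled as triangular distributions; the shape of factor 3 (a lognormal with median 7.5%, capped at the Patent Cliff bound) is an assumption, since the article gives only its range and most-likely band, so the resulting figures will not reproduce the article’s chart exactly.

```python
import math
import random


def patent_cliff_loss_multiple(years: int = 6) -> float:
    """Cumulative revenue lost over `years`, as a multiple of pre-breach annual
    revenue. Year n keeps 1/(n+1) of revenue, so it loses n/(n+1):
    1/2, 2/3, 3/4, 4/5, 5/6, 6/7 for years one to six (about 4.41, i.e. 440%)."""
    return sum(n / (n + 1) for n in range(1, years + 1))


def sample_annual_losses(ip_revenue: float = 1e9, trials: int = 100_000,
                         seed: int = 2021) -> list:
    """Monte Carlo over the three factors; returns sorted annual-loss samples.
    Factors 1 and 2: triangular(min, max, most likely) from the article.
    Factor 3: ASSUMED lognormal with median 7.5% (the article's 5-10% band),
    capped at the Patent Cliff upper bound; the article gives no shape."""
    rng = random.Random(seed)                   # fixed seed: reproducible run
    cap = patent_cliff_loss_multiple()          # ~4.41 x annual IP revenue
    mu, sigma = math.log(0.075), 2.0            # assumed lognormal parameters
    losses = []
    for _ in range(trials):
        p_breach = rng.triangular(0.0, 0.66, 0.50)   # breach in a given year
        p_insider = rng.triangular(0.0, 0.60, 0.36)  # breach is insider-driven
        impact = min(rng.lognormvariate(mu, sigma), cap)
        losses.append(p_breach * p_insider * impact * ip_revenue)
    return sorted(losses)


def loss_exceeded_with_probability(losses: list, p: float) -> float:
    """Point on the risk exceedance curve: the loss that `p` of trials exceed."""
    index = min(int((1.0 - p) * len(losses)), len(losses) - 1)
    return losses[index]


def probability_of_exceeding(losses: list, threshold: float) -> float:
    """Share of trials whose annual loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    losses = sample_annual_losses()
    print(f"Patent Cliff upper bound: {patent_cliff_loss_multiple():.0%}")
    print(f"median (50% likely to exceed): ${loss_exceeded_with_probability(losses, 0.50) / 1e6:,.0f}M")
    print(f"long tail (5% likely to exceed): ${loss_exceeded_with_probability(losses, 0.05) / 1e6:,.0f}M")
    print(f"likelihood of exceeding $100M: {probability_of_exceeding(losses, 1e8):.0%}")
```

Swapping in the organization’s own estimates for the three factors (and a better-supported shape for factor 3) is all that is needed to produce the whole exceedance curve rather than a single average.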

It’s important to note that business decisions about risk are generally made towards the “long tail” end of this risk exceedance curve. That is, no one cares about a 95% likelihood to exceed $100 / year — but is a 5% likelihood to exceed $600M / year an acceptable level of risk? Different manufacturing companies, faced with the exact same estimates, may have different appetites for risk — e.g., some may decide to accept it, while others may decide to take steps to reduce it to a more acceptable level.

But the key point is that we’re helping the senior leaders to make a better-informed business decision about the risk, as opposed to a typical bad analysis based on averages that gives them no choice but to rely on their intuition and gut feel.

To this end, it’s sometimes useful to put these estimates in context — for example, Aberdeen looked up the range of annualized profitability (EBITDA, or Earnings Before Interest, Taxes, Depreciation, and Amortization) for publicly traded manufacturing companies over a 5-quarter period, which provides some useful insights. The annualized risk of a data breach involving “crown jewels” IP ($1B), as a % of total annual revenue ($10B), is as follows:

  • Median (50% likely to exceed): $8M = 0.08% of annual revenue
  • 26% likely to exceed: $100M = 1.0% of annual revenue
  • 10% likely to exceed: $400M = 4.0% of annual revenue
  • Long tail (5% likely to exceed): $600M = 6.0% of annual revenue
  • Compare these to the range of annualized EBITDA: between 7.58% and 13.86% of annual revenue

Source: Monte Carlo analysis; Aberdeen, May 2021

In my opinion, the fact that the long tail end of this risk exceedance curve (4-6% of annual revenue) is a material percentage of the company’s annual profitability (starting at 7.5% of annual revenue) will do a lot more to spark a meaningful discussion that the senior leadership team needs to have — what is our appetite for risk? — than a non-specific “statistic” such as “the average cost of insider incidents is $4.5M / year.”

For security and risk professionals, our job is to advise and recommend, in a way that helps senior leaders to make a better-informed business decision — their job is to decide.