Is the Bottom Line Impacted by Security Breaches? Sep 28 2005 02:22PM
Kenneth F. Belva (ken ftusecurity com)
White and Case, a top NYC law firm, posted a survey on Data Security
Breach Notifications on September 26, 2005.

From the press release: "Victims of personal data security breaches are
showing their displeasure by terminating relationships with the companies
that maintained their data, according to a new national survey sponsored
by global law firm White & Case. The independent survey of nearly 10,000
adults, conducted by the respected privacy research organization Ponemon
Institute, reveals that nearly 20 percent of respondents say they have
terminated a relationship with a company after being notified of a
security breach."

White and Case Press release:

White and Case Paper:

My research takes a macro approach: "The keynote address will cover
reputational risk in light of recent disclosures of high profile security
incidents at such institutions as CitiFinancial (Citigroup), Bank of
America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph
Lauren. The presentation will create a framework for understanding
reputational risk in light of these recent events that may be applicable
to responding to future incidents."

In the paper I ask: "If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or

Reputational Risk Keynote Presentation:

I am concerned that the survey is self-selecting. In other words, the
people responding to the survey already have a disposition one way or the
other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2%
(42,279) did not reply!

I'm not a statistician; is 17.8% statistically significant to determine a
general consensus?

The papers may not be directly contradictory to one another. Please keep
that in mind.

I would be interested to know other's opinions on the matter.

Kenneth F. Belva, CISSP

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus