About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


More data points

By davebirch posted Oct 29 2007 at 9:26 PM
[Dave Birch] I'm still curious to see whether we can assign a cost to identity for business planning purposes. One path to take is to simply look at the market value of stolen identities. Naturally, there is a spectrum here depending on what "identity" it is that has been stolen: Credit card details up for sale: email passwords can cost as little as $1 whereas credit card details go for up to $350. There must be a wide variation in these bands though: my e-mail password would surely be worth more than $1 to someone (I'd be crushed if it wasn't) and David Beckham's or Hillary Clinton's would be worth even more. But those are special cases where the "theft" is very personal: in reality, the overwhelming majority of identity theft isn't.


If an identity is stolen, how much is lost? Figuring that out would surely help bound the value, at least for basic business planning purposes. In a recent Utica College survey of U.S. cases, the median loss was $31,000. If this seems high it's because the study only looked at the "big jobs", the cases that were solved by the Secret Service (which, as we all know, was founded to stop counterfeiting?). A more general Gartner survey of consumer victims found an average loss of about $3,300 in the estimated 15 million annual cases in the U.S.

Gartner also said that implementing security is cheaper in the long run than having a data breach, which I'm sure is true, although when it comes to security most finance directors subscribe to Keynes's maxim: in the long run, we're all dead. Yet if Gartner's figures are correct, the case is overwhelming, a real no-brainer. Gartner calculates that a data breach costs companies around US$300 per exposed account because of investigations, fines and lawsuits. On the other hand, better security costs around US$16 per account for the first year, and that cost falls over time. Why would anyone not do this? Either the figures must be wrong or companies are run by people who can't do arithmetic.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]



Listed below are links to weblogs that reference More data points:

» Pricing Identity Management from Twenty-Four Seven Security
The Digital Identity Forum has an interesting blog on companies pricing out Identity Management. Seems to me, with all the electronic ink spilled over various breaches and data thefts lately, I simply cannot imagine a company not taking Identity and...


For another purpose -- strength of identity checking -- I blog about costs of identity dox. See also the Panorama show earlier this year in UK for cute photos.

When I was studying phishing back in its emerging days, there was sufficient evidence to say that the average loss was around $1000 in cash costs to the victim. On that one has to add provider and individual non-cash losses, and reports put the latter very high (like 100 hours).

If the expected value falls to $15 because there is only a 5% chance of breach, it's a good deal to ignore the increased security :)
