[Dave Birch] I’m still curious to see whether we can assign a cost to identity for business planning purposes. One path to take is to simply look at the market value of stolen identities. Naturally, there is a spectrum here depending on what “identity” it is that has been stolen: Credit card details up for saleemail passwords can cost as little as $1 whereas credit card details go for up to $350. There must be a wide variation in these bands though: my e-mail password would surely be worth more than $1 to someone (I’d be crushed if it wasn’t) and David Beckham‘s or Hillary Clinton‘s would be worth even more. But those are special cases where the “theft” is very personal: in reality, the overwhelming majority of identity theft isn’t.

Technorati Tags: ,

If an identity is stolen, how much is lost? Figuring would surely help bound the value, at least for the purposes of basic business planning purposes. In a recent Utica college survey of U.S. cases, the median loss was $31,000. If this seems high it’s because the study only looked at the “big jobs”, the cases that were solved by the Secret Service (which, as we all know, as founded to stop counterfeiting?). A more general Gartner survey of consumer victims found an average loss of about $3,300 in the estimated 15 million annual cases in the U.S.

Gartner also said that implementing security is cheaper in the long run than having a data breach, which I’m sure is true, although when it comes to security most finance directors subscribe to Keynes maxim: in the long run, we’re all dead. Yet if Gartner’s figures are correct, the case is overwhelming, a real no-brainer. Gartner calculates that a data breach costs companies around US$300 per exposed account because of investigations, fines and lawsuits. On the other hand, better security costs around US$16 per account for the first year, and that cost falls over time. Why would anyone not do this? Either the figures must be wrong or companies are run by people who can’t do arithmetic.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


  1. For another purpose — strength of identity checking — I blog about costs of identity dox. See also the Panorama show earlier this year in UK for cute photos.
    When I was studying phishing back in its emerging days, there was sufficient evidence to say that the average loss was around $1000 in cash costs to the victim. On that one has to add provider and individual non-cash losses, and reports put the latter very high (like 100 hours).

  2. Pricing Identity Management

    The Digital Identity Forum has an interesting blog on companies pricing out Identity Management. Seems to me, with all the electronic ink spilled over various breeches and data thefts lately, I simply cannot imagine a company not taking Identity and…

Leave a Reply

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this:
Verified by MonsterInsights