[Dave Birch] I’m still curious to see whether we can assign a cost to identity for business planning purposes. One path to take is to simply look at the market value of stolen identities. Naturally, there is a spectrum here depending on what “identity” it is that has been stolen:
Credit card details up for saleemail passwords can cost as little as $1 whereas credit card details go for up to $350. There must be a wide variation in these bands though: my e-mail password would surely be worth more than $1 to someone (I’d be crushed if it wasn’t) and
David Beckham‘s or
Hillary Clinton‘s would be worth even more. But those are special cases where the “theft” is very personal: in reality, the overwhelming majority of identity theft isn’t.
Technorati Tags: fraud, identity
If an identity is stolen, how much is lost? Figuring would surely help bound the value, at least for the purposes of basic business planning purposes. In a recent Utica college survey of U.S. cases, the median loss was $31,000. If this seems high it’s because the study only looked at the “big jobs”, the cases that were solved by the Secret Service (which, as we all know, as founded to stop counterfeiting?). A more general Gartner survey of consumer victims found an average loss of about $3,300 in the estimated 15 million annual cases in the U.S.
Gartner also said that implementing security is cheaper in the long run than having a data breach, which I’m sure is true, although when it comes to security most finance directors subscribe to Keynes maxim: in the long run, we’re all dead. Yet if Gartner’s figures are correct, the case is overwhelming, a real no-brainer. Gartner calculates that a data breach costs companies around US$300 per exposed account because of investigations, fines and lawsuits. On the other hand, better security costs around US$16 per account for the first year, and that cost falls over time. Why would anyone not do this? Either the figures must be wrong or companies are run by people who can’t do arithmetic.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Like this:
Like Loading...
Written by 
For another purpose — strength of identity checking — I blog about costs of identity dox. See also the Panorama show earlier this year in UK for cute photos.
When I was studying phishing back in its emerging days, there was sufficient evidence to say that the average loss was around $1000 in cash costs to the victim. On that one has to add provider and individual non-cash losses, and reports put the latter very high (like 100 hours).
If the expected value falls to $15 because there is only a 5% chance of breach, it’s a good deal to ignore the increased security 🙂
Pricing Identity Management
The Digital Identity Forum has an interesting blog on companies pricing out Identity Management. Seems to me, with all the electronic ink spilled over various breeches and data thefts lately, I simply cannot imagine a company not taking Identity and…