Is the Bottom Line Impacted by Security Breaches?
White and Case, a top NYC law firm, posted a survey on Data Security
Breach Notifications on September 26, 2005.
From the press release: "Victims of personal data security breaches are
showing their displeasure by terminating relationships with the companies
that maintained their data, according to a new national survey sponsored
by global law firm White & Case. The independent survey of nearly 10,000
adults, conducted by the respected privacy research organization Ponemon
Institute, reveals that nearly 20 percent of respondents say they have
terminated a relationship with a company after being notified of a
security breach."
White and Case Press release:
http://www.whitecase.com/news/news_detail.aspx?newsid=11731&type=News%20Releases
White and Case Paper:
http://www.whitecase.com/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf
My research takes a macro approach: "The keynote address will cover
reputational risk in light of recent disclosures of high profile security
incidents at such institutions as CitiFinancial (Citigroup), Bank of
America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph
Lauren. The presentation will create a framework for understanding
reputational risk in light of these recent events that may be applicable
to responding to future incidents."
In the paper I ask: "If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or
Mastercard?"
Reputational Risk Keynote Presentation:
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf
I am concerned that the survey is self-selecting. In other words, the
people responding to the survey already have a disposition one way or the
other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2%
(42,279) did not reply!
I'm not a statistician; is 17.8% statistically significant to determine a
general consensus?
The papers may not be directly contradictory to one another. Please keep
that in mind.
I would be interested to know others' opinions on the matter.
Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com