Thursday, February 05, 2009

Indirect Hard Losses

Indirect Hard Losses is an estimation of the decrease in Web transactions of a certain class of customer, specifically those whose security/privacy have been compromised in the past, compared to those who have not. I first learned about this metric from Robert "RSnake" Hansen (SecTheory), but didn’t know it had a name until I spoke with Laura Mather (Silver Tail Systems). Indirect Hard Losses is rarely discussed, though I suspect it is internally measured, but not published publicly. As stated by InformationWeek regarding a Ponemon Institute study on the Cost of a Data Breach, “Customers, it seems, lose faith in organizations that can't keep data safe and take their business elsewhere.” The next logical question is how much?

Web page malware infections, phishing scams, and website data compromises are common and effective cyber crimes. All the largest online brands have suffered at least one incident compromising the security/privacy of some portion of their customer base. While victimized customers can be made whole again by reimbursing money stolen, replacing lost merchandise, restoring account access, and paying for credit monitoring -- the event undoubtedly makes a lasting impression about the brand. A business may not lose the customer completely, but from my conversations, a nontrivial decline in revenue-generating activity can clearly be measured. Unfortunately I’m unable to reveal names or cite figures as evidence.

Consider for a moment if a social network user’s account is taken over and offensive messages are sent, privacy is violated, and general embarrassment ensues. This is a frequent occurrence, just ask Soulja Boy, Kayne West, Lil Kim, Britney Spears, Fox News and scores of other non-celebrities. Would it be unreasonable to expect this might cause a user to spend less time on the website? For banking customers, perhaps they’d carry smaller account balances and refrain from signing up for new services. Ecommerce retail customers could potentially spend less, less often. All these tendencies would lead to Indirect Hard Losses.

Anonymously or otherwise, anyone want to provide some anecdotal loss percentages that they’ve seen?


Anonymous said...

EggHead Software = ~100%... as I recall after a bad "hack" they basically closed their doors and re-invented themselves as right?

Anonymous said...

EggHead != NewEgg

Wikipedia indicates that Egghead was bought out by Amazon, and that NewEgg's a spin off of ABS.