Comments on: Why TJX and Ponemon disagree http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/ We are the people your IT department warned you about Mon, 15 Mar 2010 00:25:47 +0000 http://wordpress.org/?v=2.0.5 by: Mike Spinney http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-115996 Thu, 06 Sep 2007 02:48:38 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-115996 Chris - Thanks for asking the question. Customer turnover is based on observable changes to the affected company's normal turnover rate. It's a simple calculation. Another TJX-related issue that Ponemon has discussed with those who bothered to ask, rather than make rash assumptions, is how TJX could report an increase in sales after the breach when we've done studies that consistently show that a breach will result in customer defections. It's an easy question to answer: those studies were specific to retail banking, where the issues are much different. TJX can lower prices and increase advertising/marketing post-breach. Banks can't simply knock a few points off their loan rates, or increase interest for depositors. The issues of trust run much deeper where financial services are involved, and the options for responding to the customer are highly restricted. Mike Chris - Thanks for asking the question. Customer turnover is based on observable changes to the affected company’s normal turnover rate. It’s a simple calculation.

Another TJX-related issue that Ponemon has discussed with those who bothered to ask, rather than make rash assumptions, is how TJX could report an increase in sales after the breach when we’ve done studies that consistently show that a breach will result in customer defections. It’s an easy question to answer: those studies were specific to retail banking, where the issues are much different. TJX can lower prices and increase advertising/marketing post-breach. Banks can’t simply knock a few points off their loan rates, or increase interest for depositors. The issues of trust run much deeper where financial services are involved, and the options for responding to the customer are highly restricted.

Mike

]]> by: Why the “$182 Per Record” Lost Number is Garbage, And You Don’t Need It Anyway | securosis.com http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-112860 Tue, 28 Aug 2007 17:11:44 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-112860 [...] I’m still catching up on my blogroll, and caught this article over at Emergent Chaos, which also referenced this one by Thurston. Both articles discuss the infamous Ponemon study that claimed the average losses in a breach were $182 per record. [...] […] I’m still catching up on my blogroll, and caught this article over at Emergent Chaos, which also referenced this one by Thurston. Both articles discuss the infamous Ponemon study that claimed the average losses in a breach were $182 per record. […]

]]> by: Chris http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110530 Wed, 22 Aug 2007 00:35:30 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110530 So Mike, what about the turnover values? Is the 2-7% incremental, or is it turnover observed post-breach but not taking into account the pre-breach normal turnover level, or is it something else (like a best guess by respondents, say?) So Mike, what about the turnover values? Is the 2-7% incremental, or is it turnover observed post-breach but not taking into account the pre-breach normal turnover level, or is it something else (like a best guess by respondents, say?)

]]> by: Chandler Howell http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110274 Mon, 20 Aug 2007 22:15:49 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110274 Hi Mike, Thanks for confirming what I had suspected but was too lazy to look up and what Chris cared enough to look up. Hi Mike,

Thanks for confirming what I had suspected but was too lazy to look up and what Chris cared enough to look up.

]]> by: Mike Spinney http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110250 Mon, 20 Aug 2007 19:38:48 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-110250 My recent reply to the post at Emergent Chaos for those who might have missed it: For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in-line with the estimates TJX just announced. Ross Kerber's reporting in the Boston Globe back in April (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/) should serve to demonstrate Ponemon's grasp of the issue, and his own research. Others weren't so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end with the $183/per figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report. Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million. Mike My recent reply to the post at Emergent Chaos for those who might have missed it:

For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in-line with the estimates TJX just announced. Ross Kerber’s reporting in the Boston Globe back in April (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/) should serve to demonstrate Ponemon’s grasp of the issue, and his own research. Others weren’t so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end with the $183/per figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report.

Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million.

Mike

]]> by: Chris http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-109492 Sat, 18 Aug 2007 03:41:52 +0000 http://thurston.halfcat.org/blog/2007/08/17/why-tjx-and-ponemon-disagree/#comment-109492 Ponemon sez $54 out of $182 were direct costs. (p.7) Average breach size was 26,300 records (p.9) ("2006 Annual Study: Cost of a Data Breach", October 2006) The biggest component of cost ($98) was so-called "opportunity cost", which is how they label "turnover of existing customers and increased difficulty in acquiring new customers". (p.2) It is unclear whether the turnover values used in the report represent numbers above and beyond typical turnover (Adam blogged about this, IIRC). It'd be nice to have the raw data and some more methodological detail. Ponemon sez $54 out of $182 were direct costs. (p.7)
Average breach size was 26,300 records (p.9)
(”2006 Annual Study: Cost of a Data Breach”, October 2006)

The biggest component of cost ($98) was so-called “opportunity cost”, which is how they label “turnover of existing customers and increased difficulty in acquiring new customers”. (p.2) It is unclear whether the turnover values used in the report represent numbers above and beyond typical turnover (Adam blogged about this, IIRC). It’d be nice to have the raw data and some more methodological detail.

]]>