


The ‘bad stat’ example used for this discussion comes from a blog post by Morphisec’s Andrew Homer on August 28, 2020. The article is titled ‘COVID-19 Reveals The Dirty Truth About Security Spending’.

Morphisec is a cybersecurity solutions provider. Although I question most of the stats Homer cites in the article, even the one taken from Gartner, I will focus on his reference to cybercrime costs. He states that cybercrime can cost enterprises $2.9 million every minute, or $1.5 trillion every year (Andrew Homer, 2020).


According to Rosencrance (2006), 79% of the 461 respondents to a ‘National Survey on Managing the Insider Threat’ said that one or more data breaches went unreported at their company (Linda Rosencrance, 2006). Rounding up, this meant that 97 companies had one or more unreported data breaches. And this is only out of a sample of 461 respondents.

Another survey found that only 1 in 5 data breaches are made public (Kaspersky Lab, 2015). This survey result aligns with the ‘National Survey on Managing the Insider Threat’ results referenced by Rosencrance and discussed in the previous paragraph.

Using this additional data from Rosencrance and Kaspersky Lab, I find the total cost of cybercrime to be significantly underestimated. If only one in five breaches is ever made public, Homer’s figures should be multiplied by five, so the cost of cybercrime could be reported at $14.5 million every minute and $7.5 trillion every year.

Kaspersky Lab (2015) says that “on average, it costs more than half a million US dollars to recover from a security breach for an enterprise. The average expected loss for SMBs is $38,000.” They go on to note that these numbers are only the direct costs and do not include indirect costs, such as damage to the brand, upgrades, additional personnel hires, etc.


This ‘bad stat’ from Morphisec’s Andrew Homer does not do justice to the actual damage of data breaches and cyber threats to a business. Even my calculations still underestimate the real cost of cybercrime, because they only take into account data breaches and no other cybercrimes and their impact on a business.

Data breaches can be catastrophic to a business if made public, so unless required by law, most will keep the knowledge of breaches in-house, especially if caused by an insider.

The actual cost of cybercrime to business, and damage to our global economy may never be known.


Andrew Homer. (2020, August 28). COVID-19 Reveals The Dirty Truth About Security Spending. Morphisec, Moving Target Defense Blog.

Kaspersky Lab. (2015). Damage Control: The Cost of Security Breaches. Moscow: Kaspersky.

Linda Rosencrance. (2006, September 12). Survey: Most insider-related data breaches go unreported. ComputerWorld.

This is a continuation of my series of posts I will be making in which I share some of my course work toward my Doctor of Technology degree with a concentration in Leadership and Innovation. Please share any thoughts you may have or information you would like to add on this topic.


Joe B.



indirect cost, like damage to their brand

Especially when it concerns a breach of sensitive data like PHI which an entity may never recover.

Ounce of prevention equals a pound of cure.

That is exactly right! Most see IT and Cybersecurity as an overhead cost when it is actually an investment into the business itself. Appreciate the vote and reblog!

Agreed 100%!