"Organisations that experience publicly reported data breaches suffer an eight percent loss of revenue. Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data, according to the compliance group which is made up of members from the Computer Security Institute, the Institute of Internal Auditors, Protiviti and Symantec."While it is hard to arrive at firm numbers to describe security problems (or security solutions) these numbers jibe well with some past assessments. While I have not done a study of revenue impact from security breaches, I did look closely at stock price impact about six tears ago and that worked out to about 12-14% if memory serves (hey, this is a just a blog, so memory will have to serve for now--I will dig up the actual data when I get a chance). In other words, if you were to suffer a serious and publicized security hit, your stock price would go down from 12 to 14 percent.
And Larry Ponemon did a fairly recent and pretty rigorous study which showed the cost of a security breach was about $182 per lost record (you can read about the survey here). In other words, lose 6,000 records and you have surpassed $1 million in negative impact. These numbers should help security managers convince company executives to take security seriously. (Don't forget to stress "opportunity cost" as in "Even if recovery after a security breach goes well, the money spent on recovery is money not spent on a new product launch, new ad campaign, bonuses, etc.")
Note that the study cited in the Computerworld article above found that: "The primary channels through which data is lost, in order of risk, includes PC's, laptops and mobile devices, e-mail, Instant Messaging, applications and databases."