More Data is Necessary to Make Defending Against Security Breaches a Rational Cost-Benefit Calculation
ARLINGTON, Virginia, June 18, 2017 – The key to defending against security breaches is collecting more data, said a University of Illinois at Chicago professor during a June 8 panel at the on the law and economics of privacy and data security.
Hosted at George Mason University here and moderated by Brenda Leong, director of strategy for the Future of Privacy Forum, the panel touched upon the often-overlooked issue of bringing cost-benefit analysis to the consideration of data security.
The two panelists were Robert Sloan, the Illinois professor, and Geoffrey Manne, executive director of the International Center for Law and Economics at GMU.
Companies don’t have to face liability for the many security breaches they face, said Sloan, who urged that businesses be responsible for their own cyber-security and that of their consumers.
Medium to large companies are not doing much, he said, adding that security employees are treated as just an extra cost that doesn’t bring in revenue. The famous credit card breach at Target in 2013 is one such example.
With the chance of actually having a breach being around one-tenth of 1 percent, Sloan said, companies generally find it cost-effective not to focus on cyber-security.
“Not spending $10 million to ward off the $250 million storm is a very rational decision,” he said.
Therefore, the answer to limiting the impact of security breaches is to collect more data, he said. Although security defense research comes at a cost, there is often not enough data to actually defend against security breaches.
(Photograph by Casey Ryan)