Publication Date: January 2018


A cost/benefit approach to privacy confronts two tradeoff issues. One is making appropriate tradeoffs between privacy and the many goals served by the collection, distribution, and use of information. The other is making tradeoffs between investments in preventing unauthorized access to information and the variety of other goals that also make demands on money, time, and effort. Much has been written about the first tradeoff. We focus on the second. The issue is critical. Data breaches occur at the rate of over three a day, and the aggregate social cost is extremely high. The puzzle is that security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid?

Some may object that society does not tolerate breaches. Laws—current and proposed—impose requirements aimed at improving information security. However, as Thomas Smedinghoff notes, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” This approach has so far failed to provide an adequate incentive to improve information security. As one commentator notes, the “bad guys basically go where they want to go and do what they want to do, and they're not being stopped. Maybe for every one organization that's effectively stopping attacks, there are 100 that are being breached.”

We argue that the problem is not so much a lack of legal guidance as a lack of information. A standard cost/benefit approach is particularly suitable here. In the information security context, a business should adopt the following risk management goal: choose the most effective defense that satisfies the condition that the cost of the defense is not greater than the expected losses (to the business and to relevant third parties) it thereby avoids, over some appropriate short- or long-term time period.

Businesses fall far short of a good approximation to this risk management goal. Applying the standard requires reasonably accurate information about the probability of a breach and the losses that will occur if one happens. Unfortunately, we are currently very far from having adequate information about either. The World Economic Forum report paints an accurate, if disturbing, picture of the consequences: “businesses are increasingly delaying the adoption of technological innovations due to inadequate understandings of required countermeasures. . . . A vicious circle results: uncertainty regarding proper levels of preparedness leads to forestalled investments in safeguards as interconnection expands exponentially.”

A lack—even a severe lack—of objective information about probability and cost does not imply a complete inability to make better and worse decisions about information security. One can turn to subjective expert judgments and a variety of sophisticated analytic techniques that make use of them. Security outsourcing companies like AllClearID, BayDynamics, Healthguard Cyber Risk Management, and FireEye take this approach. Whatever its virtues, the “subjective judgment” approach can still spend far less or far more than the risk management goal requires. It is not a reliable guide to the optimal investment.

We think the best course is to turn the unanswerable question into an answerable one by taking steps to discover the information needed to adequately approximate the risk management goal. We see no alternative to the slow road of discovering the necessary information. This solution may seem singularly unappealing. Isn’t there a quicker fix? Data breach notification laws may seem to offer just that. There are at least two reasons to have breach notification laws. One is that the notifications are a source of precisely the information we need. The second is—so it is claimed—that they improve security.

We focus on the second claim, which we argue is likely false. Indeed, such laws may make security worse, by focusing resources on avoiding reportable breaches rather than on meeting the risk management goal. Breach notification laws are at best an uncertain road to improving risk management. The more certain, if longer, road is to get the information that risk management needs. We argue for mandatory anonymous reporting by businesses of relevant information about data breaches.