Wisconsin Accounting Office In Desktop Computer Security Breach And Expected Values.

The office of Kurt Bischoff Tax & Accounting, Inc. in Wisconsin was burglarized last week.  A desktop computer got stolen.  The office being what it is, there was a lot of sensitive data stored on that computer, including names, addresses, birthdates, SSNs, and bank account numbers of 600 individuals.


Was the burglar going after the computer because it contained all that data?  There’s no way to know.  There’s no mention of whether anything other than the one computer was stolen.  But this is indicative of why computers ought to be encrypted lest something happen to them.  Now, Kurt will have to spend quite a bit of time getting in touch with customers who may decide not to use his services anymore.  Plus, the negative publicity will probably have an effect when it comes to attracting new business.


You know, for MBA types as well as for anyone who’s had a course in statistics (and don’t let that last word make your eyes glaze over if you haven’t), there is something called expected value that is mighty useful in such instances.  It’s also called expected risk by some. It’s essentially asking oneself, what are the chances of my having to shell out this much cash if the probabilities are such-and-such?


For example, if you have a coin toss game, and heads I win $5 and tails I lose $1, then my expected value is ((0.5) x $5) – ((0.5) x $1) = $2.  In other words, in the long run, I expect to make on average $2 per toss.  After 100 tosses, I’m expecting $200 in my pocket.  The 0.5 represents the 50% chance of getting heads (or tails).  Each chance is multiplied by the payout, be it a gain or a loss, and this total gives me an expected value—again, either a gain or a loss.


So, if I have a 1 in 10 chance of losing a computer and it is worth $1 million, then the expected loss is $100,000.  Of course, the actual loss is $1 million; however, such exercises supposedly allow one to place an expected value on an outcome.  For example, you could interpret the $100,000 to mean that you should set aside $100,000 every year, since in ten years you’ll have to replace that computer.


Of course, this doesn’t quite work for theft of data and information security breaches; there’s nothing to replace there.  One way of using the above results, however, is to make a value comparison.  Let’s say that I’ve got $1 million worth of data in that computer, and my probability of having that data stolen is 1 in 10.  Then in any given year I expect to “lose” $100,000.  If I can find a way to ensure that my data doesn’t get lost, and it costs $100,000 per year or less, then I’ve actually found a solution to my problem that is worth spending money on.  The less I spend on preventing the loss, the more value I’m getting out of my solution.


The hard part in the above is figuring out the probability of losing something.  The easier part is hypothesizing about and calculating the various costs of a data breach—including replacement of the computer; mailing customers; setting up a toll-free answering service for questions; sales lost to teed-off customers; etc.  The easiest part?  Selecting a provider of whole disk encryption services.  AlertBoot allows you to quickly and easily deploy advanced encryption services across your company, be it 10 computers or 1000 computers.  And it’s a very cost-effective solution, not only because of its cost per computer, but also because it doesn’t require the IT department to get involved directly—eliminating operational and support-related costs of the encryption program.
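The value comparison above can be worked through in a few lines of Python. This is an added example, not part of the original post; it goes one step beyond the text by also computing the break-even probability, which sidesteps the "hard part" because you only need to judge whether the real chance of loss is above that threshold. The itemized dollar figures, the $100 per year safeguard price and the assumption that the safeguard lowers the cost of a theft rather than its likelihood are all constructed for illustration.

```python
# Added example: all dollar figures below are constructed, except the
# 1-in-10 chance and the $1 million figure taken from the text.

def expected_annual_loss(probability, cost_items):
    """Probability of the event in a year times the total cost if it happens."""
    return probability * sum(cost_items.values())


def evaluate_control(probability, cost_items, residual_items, control_cost):
    """Compare a safeguard's yearly price with the expected loss it removes.

    residual_items: what the event still costs with the safeguard in place
    (assumption: the safeguard lowers the impact, not the chance of theft).
    """
    before = expected_annual_loss(probability, cost_items)
    after = expected_annual_loss(probability, residual_items)
    avoided_per_event = sum(cost_items.values()) - sum(residual_items.values())
    if avoided_per_event <= 0:
        raise ValueError("safeguard does not reduce the cost of the event")
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "net_benefit": (before - after) - control_cost,
        # Lowest yearly probability at which the safeguard pays for itself.
        "break_even_probability": control_cost / avoided_per_event,
    }


# The article's own numbers: $1M of data, 1-in-10 chance, $100,000 safeguard.
ARTICLE_CASE = evaluate_control(0.10, {"data": 1_000_000}, {}, 100_000)

# Constructed itemized case for a small office's stolen desktop.
STOLEN_DESKTOP = {
    "replace computer": 1_500,
    "mail customers": 1_200,
    "toll-free line": 3_000,
    "lost sales": 40_000,
}
# Constructed: with the disk encrypted, only the hardware is lost.
OFFICE_CASE = evaluate_control(0.10, STOLEN_DESKTOP, {"replace computer": 1_500}, 100)

if __name__ == "__main__":
    for name, result in (("article", ARTICLE_CASE), ("office", OFFICE_CASE)):
        print(name, {k: round(v, 4) for k, v in result.items()})
```

With the article's numbers the net benefit is zero and the break-even probability is exactly the 1 in 10 used in the text, which is why $100,000 per year is the most such a safeguard is worth.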
