So now that we have these numerical values, let's go ahead and help translate these technical threats into business risk. Because the cost considerations are obviously a business risk, we're gonna have two unique line items: direct and indirect.
So direct basically means: what would the cost to remediate at the point of discovery be
versus incident response?
Indirect: maybe, you know, you have heard what Ponemon says, if you get breached, it's $203 a record.
But the problem with that is, if you sit there and try to say to your system owners, "Well, we need to spend $85,000 on this new product or we could lose $3.5 million,"
you're probably gonna get that guy earlier in the slide deck that was saying, "Get the heck out of my office."
So what we're trying to be able to do, and this is actually coming from a real assessment that I've done previously
that shows a correlation between the direct and indirect.
As you can see, the cost of remediation was dramatically less than the cost of incident response and recovery.
This gives the type of detail and information that system owners need to help justify their security program spend.
As part of this assessment, there were also indirect risks that were identified.
The remediation of those efforts was about $3000.
The cost for incident response and recovery: while you cannot put a definitive dollar value on that, it is important to note that since this took place in Georgia,
there is a potential claim for a violation of the Georgia Personal Identity Protection Act,
HIPAA sanctions, improved notifications
and, of course, potential litigation costs.
So now you're able to provide your senior leaders with a more holistic picture on what the direct and indirect costs
actually looked like.