A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in U.S. businesses and found that the cost of a break-in is much lower than thought, typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. “I’ve spent my life in security and everyone expects firms to invest more and more,” the report’s author Sasha Romanosky told The Reg. “But maybe firms are making rational investments and we shouldn’t begrudge firms for taking these actions. We all do the same thing, we minimize our costs.” Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 percent of a company’s annual revenues. That compares to billing fraud, which averages at 5 percent, or retail shrinkage (i.e. shoplifting and insider theft), which accounts for 1.3 percent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems. – P.S.