About BreachCostLab

BreachCostLab is a hub of free, source-cited calculators for the cost and economic risk of a data breach, built for small and mid-sized businesses. Two things make the numbers trustworthy: a named author who builds the model in the open, and the sourcing rigor behind every coefficient.

Francesco Zinghinì

Engineer & builder of computational tools

Who I am — and what I am not

I'm Francesco Zinghinì, an engineer and a builder of deterministic online calculators, with open-source projects in Python. Let me be precise about the authority behind this site, because in a money-and-risk subject that honesty matters:

I am not a CISO, a security consultant, a lawyer, a compliance auditor, or a threat analyst, and I won't pretend to be. I don't sell incident response, I don't audit your controls, and nothing here is legal or compliance advice.

What I do well is the thing a breach-cost calculator actually needs: model a problem correctly, write the arithmetic down, cite every input, and verify the result. The value of this site is not insider security expertise — it is a correct, transparent cost model in which every figure is traceable.

Why this site exists

"What would a data breach cost us?" is one of the most-asked questions a small business has, and most of the answers online are lead-generation widgets: gated behind a form, not indexable, with numbers nobody dated and a method nobody published. I wanted the opposite — a tool that treats the reader like an engineer: show the formula, show the source, show the date, and let me change every assumption.

The two pillars of trust

  • A named, honest author. Real person, real credentials, stated limits. If something is a modeling choice rather than a measured benchmark, I say so.
  • Sourcing rigor. Every coefficient is dated and linked to its primary source — IBM/Ponemon Cost of a Data Breach, the Verizon DBIR, and the statutes themselves (GDPR Art. 83, HIPAA, CCPA). The whole model is published, not hidden.

How I keep it trustworthy

  • Every formula is public. The full model — estimator, range band, regulatory math — is documented on the methodology page. Nothing is a black box.
  • Every coefficient is dated and sourced. See the sources page for the primary references, each with a verification date. Benchmarks are convenience defaults you can override in any tool.
  • Numbers are verified. Each calculator is checked against worked examples before it ships, and the live recalculation in your browser mirrors the server math exactly.
  • I correct mistakes in the open. If a coefficient is stale or a formula is wrong, tell me and I'll fix it — corrections are credited.

What this site is not

It is not security advice, not legal or compliance advice, not a prediction of any specific incident, and not a sales funnel. It is one focused thing, done transparently: the economics of a data breach for an SMB. For regulatory obligations or incident response, consult qualified professionals.