Security Cost-Mitigation Factors
This table lists, for each security control, the average cost reduction IBM associates with having it in place, and the modeled expected-cost reduction this site uses when scoring security posture. Across the controls shown, IBM's measured average saving ranges from about $110,000 to $1,900,000 per breach. The two columns are different in kind, and reading them correctly is the whole point of this page.
| Control | Avg. cost reduction | Modeled expected-cost reduction |
|---|---|---|
| Encryption of sensitive data | $208,087 | 6.0% |
| Multi-factor authentication (MFA) | $142,000 | 5.0% |
| Tested incident-response plan | $248,000 | 7.0% |
| SIEM / EDR security analytics | $212,061 | 6.0% |
| Security-awareness training | $110,000 | 4.0% |
| AI & automation (extensive) | $1,900,000 | 18.0% |
| Tested, isolated backups | $120,000 | 4.0% |
1 − reduction for each control, subject to an overall floor). The modeled fractions are deliberately conservative and are documented in full on our methodology page. They are not the same as the IBM dollar figure, and they are not additive without bound — combining controls compounds multiplicatively and is capped, so stacking every control does not drive expected cost to zero.
How to use these factors
The reason for showing both columns is honesty about what is measured and what is modeled. IBM's average dollar saving answers the question "how much less, on average, did breaches cost at organizations that had this control?" — a real, observed difference, but one that mixes correlation with causation and reflects a population very different from a typical small or mid-sized business. The modeled reduction answers a narrower, more defensible question: "by what bounded fraction should we lower an SMB's expected breach cost for having this control, given the uncertainty?" Keeping the two separate lets us cite the benchmark while being explicit that our model makes its own, conservative assumptions.
A worked reading helps. A control with an IBM average saving of $142,000 and a modeled reduction of 5.0% does not mean every business saves that exact amount; it means the benchmark population saw roughly that difference, and our model lowers the expected breach cost by that bounded fraction. Where a control has an outsized benchmark figure — extensive AI and automation, for instance, at $1,900,000 — the modeled reduction (18.0%) is still bounded, because no single control should be allowed to dominate the estimate. The point is to weigh controls against each other and against their cost, not to treat any one number as a guaranteed saving.
To put this to work, the security control ROI calculator takes the breach loss a control avoids — derived from your annual loss expectancy and the control's reduction — and sets it against the control's annual cost to tell you whether it pays for itself. As with every figure on this site, the reduction and the dollar saving are overridable inputs in the tools, so you can substitute your own estimates and recompute.
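As an added example (not the site's own calculator code), the compounding-with-a-floor rule and the per-control ROI comparison described above, in Python. The reduction fractions are the table's; the floor value is not stated on this page and is a labelled placeholder, and the annual loss expectancy and control costs are constructed sample inputs.

```python
# Modeled expected-cost reductions from the table above (fractions, not dollars).
MODELED_REDUCTION = {
    "Encryption of sensitive data": 0.06,
    "Multi-factor authentication (MFA)": 0.05,
    "Tested incident-response plan": 0.07,
    "SIEM / EDR security analytics": 0.06,
    "Security-awareness training": 0.04,
    "AI & automation (extensive)": 0.18,
    "Tested, isolated backups": 0.04,
}
# ASSUMPTION: the page says the combined reduction is subject to an overall
# floor but does not give its value; 0.60 is a placeholder, not the site's figure.
OVERALL_FLOOR = 0.60

def combined_multiplier(controls, floor=OVERALL_FLOOR):
    """Fraction of expected breach cost that remains with these controls in place.
    Reductions compound multiplicatively (each control scales the remainder by
    1 - reduction) and the product is floored, so stacking every control
    cannot drive the expected cost to zero."""
    remaining = 1.0
    for name in controls:
        remaining *= 1.0 - MODELED_REDUCTION[name]
    return max(remaining, floor)

def expected_cost(ale, controls, floor=OVERALL_FLOOR):
    """Annual loss expectancy after applying the selected controls."""
    return ale * combined_multiplier(controls, floor)

def control_roi(ale, control, annual_cost):
    """Per-control view used by the ROI comparison (no compounding):
    avoided loss = ALE * modeled reduction, set against the control's annual cost.
    Returns (avoided_loss, net_benefit, pays_for_itself)."""
    avoided = ale * MODELED_REDUCTION[control]
    net = avoided - annual_cost
    return avoided, net, net >= 0

if __name__ == "__main__":
    ale = 120_000.0  # constructed sample: an SMB's annual loss expectancy, in dollars
    everything = list(MODELED_REDUCTION)
    print(f"raw product, all controls:   {combined_multiplier(everything, floor=0.0):.4f}")
    print(f"after floor:                 {combined_multiplier(everything):.4f}")
    print(f"expected cost, all controls: ${expected_cost(ale, everything):,.0f}")
    for control, cost in [("Multi-factor authentication (MFA)", 3_000.0),
                          ("AI & automation (extensive)", 40_000.0)]:
        avoided, net, ok = control_roi(ale, control, cost)
        print(f"{control}: avoids ${avoided:,.0f}, net ${net:,.0f}, pays off: {ok}")
```

With the placeholder floor, the raw product over all seven controls (about 0.59) is lifted to 0.60, which is the cap the page describes; swap in the methodology page's actual floor to reproduce the site's numbers.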
Figures verified on Jun 25, 2026 against IBM Cost of a Data Breach 2025 — cost mitigation factors. Every value shown is overridable in the tools.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.