Guides
The reasoning behind the numbers — how breach cost and risk are modeled, and how to read the calculators.
How data breach cost is calculated
The model behind every estimate: fixed plus variable cost, the five IBM cost components, and why breach cost is not linear in the number of records.

The true cost of a data breach for a small business
Why small businesses face a higher cost per record, how fixed and variable costs split, and what an SMB breach really adds up to.

US breach notification laws: what they cost you
The 50-state patchwork, attorney-general thresholds and deadlines, and the per-record cost of notifying affected people.

GDPR, HIPAA, CCPA & PCI: which penalties apply to an SMB
Which regulation covers which data, the published penalty thresholds, and how maximum exposure differs from what an SMB is likely to face. Informational, not legal advice.

Annual Loss Expectancy: putting a dollar figure on breach risk
ALE = ARO × SLE: how to estimate the rate of occurrence and single-loss expectancy, and the limits of the model.

Does security spending pay off? The ROI of controls
How to weigh the cost of a control against the breach loss it avoids, using IBM cost-mitigation factors and your own ALE.

Why faster detection saves money: the cost of dwell time
The IBM finding that breaches taking over 200 days to contain cost about $1.88M more — and why detection speed is one of the highest-ROI investments.