Is the average cost of a data breach misleading?

The average cost of a data breach is one of the most quoted figures in security, and one of the most misleading for a small business. The headline US number — around 10.22 million dollars in IBM’s most recent analysis, against a global average nearer 4.44 million — is a true arithmetic mean, but it describes a population dominated by large enterprises and is dragged upward by a small number of enormous incidents. The typical breach costs hundreds of thousands of dollars, not the millions. This guide explains why the average overstates the risk for most organizations, how the mean and the median diverge, and which number you should actually plan around.

An average is a summary, not a forecast

When a report says the average breach cost is several million dollars, it is answering a specific statistical question: if you add up what every breach in the study cost and divide by the number of breaches, what do you get? That is the arithmetic mean. It is a legitimate summary of the whole sample. The trouble begins when the mean is read as a prediction for one particular company — because breach cost is one of the most skewed quantities in business, and for skewed data the mean is a bad description of the typical case.

Skew means the distribution is lopsided: most breaches cluster at the low end, a few sit enormously higher, and there is no symmetric tail on the cheap side to balance them out. A breach cannot cost less than zero, but it can cost hundreds of millions. That asymmetry pulls the mean far above the middle of the pack.

Mean versus median: a worked example

Suppose five organizations suffer a breach in a year, with total costs of $180,000, $240,000, $310,000, $520,000 and one large enterprise incident of $48,000,000. Add them and divide by five and the mean is $9,850,000 — nearly ten million dollars. Yet four of the five firms spent under $550,000, and not one of them spent anywhere near the average.

Now sort the same five numbers and take the middle one. The median is $310,000. That figure — the cost of the organization squarely in the middle — is a far better description of what a typical firm in this group actually faced. The single $48 million outlier moved the mean by more than nine million dollars but moved the median by nothing at all. This is the whole story of the headline average in miniature: one class of very large, very expensive breaches drags the reported average into the millions while the median firm sits in the low-to-mid six figures.

Mean = $9,850,000  ·  Median = $310,000
Same five breaches — the mean is dominated by one outlier; the median is not.

Published breach studies generally report the mean, because it is the figure most people expect and because it feeds neatly into per-record math. But the honest reading of a skewed average is: “most organizations pay far less than this, and a few pay far more.”

Why the average is weighted toward big companies

Beyond the mean-versus-median problem, the sample behind the average is not a random cross-section of businesses. Large-scale breach studies over-represent organizations big enough to have a formal incident-response process, a security budget, and the willingness to participate in a survey. Those firms hold more records, operate in more heavily regulated sectors, and carry the kind of class-action and regulatory exposure that a thirty-person company rarely faces. The Verizon DBIR catalogues breaches across the size spectrum, but the dollar averages that make headlines lean heavily on the larger, costlier end.

There is a second, structural reason the average runs high, explained in full in how data breach cost is calculated. The fixed cost of responding to a breach — forensics, legal counsel, crisis management — barely changes with the size of the company. Spread that fixed cost over millions of records and the per-record figure is tiny; spread it over a few thousand and it balloons. Big firms therefore post low per-record costs but gigantic totals, and it is those totals that dominate the mean.

Per-record cost is skewed too — in the opposite direction

The global average cost per record is often cited at about $164. Read carelessly, that invites a tempting but wrong calculation: multiply your record count by the per-record average and call it your breach cost. For a small business the result understates the total, because the fixed response cost has not been included; for a large enterprise the same multiplication overstates it. Cost per record is not a constant you can scale linearly — it falls as record counts rise. A small firm almost always sees a per-record cost well above the all-sizes average, while its total lands well below the headline. The cost-per-record calculator and the cost-per-record dataset show that spread by industry, and the true cost of a breach for a small business works through the fixed-and-variable math in detail.

So which number should you use?

Not the headline average, and not the median of someone else’s sample either — because neither was built from businesses like yours. The right approach is to model a figure from your own inputs and treat every published statistic as context around it:

  • Start from your profile. Enter your industry, record count, data type, company size and existing controls into the data breach cost estimator. It keeps fixed and variable costs separate, so the total scales sensibly with your size instead of borrowing an enterprise average.
  • Compare against your sector, not the global mean. The cost-by-industry tool gives an industry-appropriate benchmark that is far closer to your reality than an all-sectors headline.
  • Read the range, not a single point. Because breach cost is so dispersed, a responsible estimate is a band — optimistic, expected and pessimistic — not one number. Plan against the expected figure and stress-test against the pessimistic one.
  • Put it on an annual footing. A per-incident cost is only half of risk; the other half is how likely a breach is. Combine your modeled cost with your sector’s probability using annual loss expectancy to get a figure you can compare against the cost of prevention.

Frameworks for quantifying loss — from the NIST Computer Security Resource Center and the broader risk-analysis literature — all make the same underlying point: a single average is the weakest possible input to a risk decision. A model built from your own numbers, expressed as a range and paired with a probability, is far stronger.

The bottom line

The multi-million-dollar average is not a lie; it is a mean of a skewed, enterprise-heavy sample, and it answers a question that is not yours. For most small and mid-sized organizations the realistic figure is measured in hundreds of thousands of dollars, dominated by fixed response cost and lost business, with per-record figures higher than the average but totals well below it. Use the average as a ceiling-level reference and a reminder that the tail is real, then estimate the number that actually fits your business with the breach cost by company size tool — and read the per-record figure as carefully as the total.

Frequently asked questions

Is the headline average data breach cost accurate?

It is accurate as an arithmetic mean, but it is not representative. The widely quoted US figure of about $10.22 million is the average across a population dominated by large enterprises, and a mean is pulled upward by a handful of enormous incidents. So the number is a correct summary of the whole sample yet a poor description of any single small business, which will almost always sit far below it.

What is the difference between the mean and median cost of a data breach?

The mean adds every breach cost and divides by the number of breaches, so one $48 million incident can drag it into the millions. The median is the middle value once the costs are sorted, so a few giant outliers barely move it. For a heavily skewed quantity like breach cost, the median is much closer to what a typical organization actually experiences — which is why a small firm should anchor on a typical figure, not the mean.

Why is the reported average cost of a data breach so high?

Three reasons compound: the sample is weighted toward large enterprises with millions of records; the mean is skewed upward by rare mega-breaches; and the fixed cost of responding to any breach is spread over a large denominator for big firms and a tiny one for small firms, inflating per-record figures that then feed back into totals. None of those forces describe a small business well.

Which number should a small business plan around?

Plan around a figure matched to your own size, records and data type rather than any published average. Model your expected cost with the data breach cost estimator, read the per-record figure against your industry, and treat the range as a band rather than a point. The headline average is context, not a forecast.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.