Do Consumers Really Bail On Breached Merchants


There was a recent blog post on the PCI Guru blog, but it was a bit off the beaten path since it had seemingly nothing to do with PCI compliance; at least not directly. Dr. Brandon Williams decided to investigate if customers leave after a retailer suffers a breach. Did you stop shopping at Winners after their breach? For how long?

There are a number of interesting tidbits in the final report. But in general most customers come back after about six months. Breaches do not seem to create an incentive to leave a retailer permanently. This research may give some merchants the idea that breaches don’t matter as much as they think. And I agree with them, but only in this one aspect of their risk profile. There are other aspects to consider.

Our favoured risk analysis approach here at NCI is the OpenFAIR method. It categorizes losses into primary and secondary. Primary losses are the costs the company bears directly: i) response, ii) productivity, and iii) replacement. This is not what we are talking about when we consider loss of customers.

To have that discussion we need to talk about secondary losses. Secondary losses are due to a 2nd party acting based on the outcome of a breach. These three types of loss are:

  • Fines & Judgements – e.g. fines from banks for violating your PCI agreement
  • Competitive Advantage – e.g. a competitor stole your product designs and gets to market before you
  • Reputation – e.g. a breach leading to customers leaving

What this paper talks about is the impact on reputation. Based on this research it would appear that the cost of reputational damage is not as great as many of the executive suite would fear. (Incidentally I have seen research that indicates that reputational damage is one of the top 3 things executives fear). You’ll take a hit, but as long as you can weather the storm of a couple of bad quarters you’ll be OK in the medium term.

It would appear, at first glance, that we can’t rely on reputation damage to move the needle on improving cyber security. At least if you view cyber security as a cost centre that has no possibility to generate competitive advantage on its own (but that’s another blog post). So if we do want to move the needle how to go about that? Market forces alone aren’t sufficient, perhaps regulation and compliance are going to be needed after all.

But what should your response be? Should you implement the risk mitigation that your security team is saying you should? As with everything in business it depends.

  • If you are can weather the storm and absorb the hit to your bottom line then you may choose to do nothing.
  • But you really should investigate just what the possible impacts of that 6 month decline would be (part of a quantitative risk analysis). Then weigh that against the cost of implementing the tools to reduce the chance of the breach in the first place. A $10k investment might reduce the chance of a $100k loss of revenue. 10% return is a pretty good deal.
  • If you’re a small firm, the loss of that much revenue might mean you are out of business, or have to go to the bank for a short term loan. In that case you should seriously consider implementing some kind of security control(s) to reduce the impacts of a breach.

Notice the common theme here? You’d be forgiven for missing it, I deliberately didn’t hit you over the head with it. You should do a quantitative risk assessment in order to make an informed decision. If you aren’t you’re doing your business a disservice.

Written By: Jason Murray, Manager of Professional Services, NCI

Follow Jason on twitter @andrecrabtree