The Sutton effect

One of the enduring questions in cybersecurity is how much failures cost and who pays. Many companies see cybersecurity as a cost with no return; as with housekeeping, only the failures get noticed.

Certainly, a data breach, bungled software update, or ransomware attack can ding a company's share price in the short term, but a year later the company often seems to have fully recovered. Meanwhile, its customers may have spent hours monitoring credit reports, replacing credit cards, and doing other admin to remediate the effects.

Take, for example, CrowdStrike. In July 2024, it pushed a faulty content update for its Falcon sensor to its customers (it had about 29,000 at the time), many of them large businesses. On Windows the sensor runs as a kernel-mode driver, so the bad file didn't just break one application; it crashed the operating system, and by Microsoft's count roughly 8.5 million Windows machines went into a boot loop. Result: widespread paralysis. CrowdStrike reverted the update within 78 minutes; it took the rest of the world days to recover, because each affected machine had to be booted into safe mode or recovery and the offending file deleted by hand, often only after someone had retrieved its BitLocker recovery key.

The company's shares soon recovered. In November 2024, Matt Kapko reported at Cybersecurity Dive that the company had retained almost all its customers (which could just be a sign of dangerous market concentration). Similarly, the 2017 Equifax breach didn't dislodge Equifax from the heart of consumer credit reporting.

Soon after the CrowdStrike outage, David Jones reported at Cybersecurity Dive on estimates that it had cost Fortune 500 companies a collective $5.4 billion, of which only 10% to 20% was covered by insurance. At the same time, at Bank Info Security, Matthew J. Schwartz estimated the cost to cyber insurers at $1.5 billion.

But what about the patients unable to book doctors' appointments, the airline crews who lost work, the train passengers stuck on platforms? Or, after a data breach, the years-long worry about where the data is now and how it's being used?

Cyberattacks on companies leave us with what Ryan Calo and Veronica Paternolli called “shadow work” at We Robot a couple of months ago. They proposed that agentic AI might be able to reverse 30 years of companies offloading work onto us. You might – though I doubt it – be able to trust agentic AI to automate generating requests for refunds and new credit cards or rebooking canceled airline flights. But no way will it enable you to recoup the lost hours in an airport, the stress of being unsure what happened, or the ongoing consequences of identity theft.

At this week's Workshop on the Economics of Information Security (WEIS), University of Michigan researchers Lina Alkarmi, Armin Sarabi, and Mingyan Liu called these imposed indirect costs the "social cost" of data breaches and noted that typically none of it is measured. In two of the three breaches they studied, their math indicated that the eventual settlements the companies paid to consumers were below their estimate of the lower bound of the actual cost.

An odd finding from their study of three major breaches is that the social cost dropped over the period they studied, 2008-2021. They suggest that the 2015 US shift to EMV chip cards lowered the value of the stolen card data. They also surmise that the later breaches added less to an already-saturated black market for personal data. There is doubtless a lot more work to do on this. Nonetheless, they estimate the national social cost at $7 billion in 2021, an average of nearly $300 per victim.

In a second paper, University of Tulsa researchers Teyyub Mutallimov, Dana Itzhaki, and Tyler Moore examined the long-term impact of cyber attacks on corporate results, looking at financial statements rather than share prices. There, it seems, companies don't recover as fully as you might think. The effects depend on the type of attack: data breaches trigger changes in financing and investment, while ransomware attacks are operationally disruptive. Both involve ongoing costs: remediation, system upgrades, external advice, and potentially legal settlements.

In the meantime, it remains unclear whether generative AI will be a net win or a net loss for cybersecurity. Finding vulnerabilities, as Anthropic claims Claude Mythos does, exposes them to attackers, although it also offers developers an opportunity to close them (I recall a similar panic in 1995 when Dan Farmer released SATAN). A 2025 report from the Alan Turing Institute found that AI had begun to accelerate crime by enabling it to scale more effectively and to exploit personal vulnerabilities. In January, Carly Page reported at The Register, based on a paper from researchers at Group-IB, that the cost to criminals of renting AI infrastructure was as cheap as a Netflix subscription: self-hosted "dark LLMs" optimized for creating scams and deepfakes rent for as little as $30 a month.

However, in another paper at WEIS, Ben Collier, Jack Hughes, and Daniel Thomas studied vibe coding's early impact on the cybercrime business. So far, they found, it doesn't seem to be making much difference; it's not yet time to fear "vibercriminals". One could even imagine that over time generative AI could disrupt the junior-level pipeline that produces senior, skilled workers, as it's doing in other industries. On the other hand, there has long been a lot of automation at the lower levels of cybercrime. So, a wash? But if something works, crime will adopt it. Cue Willie Sutton, whose (apocryphal) explanation for robbing banks was invoked at WEIS several times to explain why people pursue cybercrime: "That's where the money is."

Illustrations: Willie Sutton (via FBI).

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.