Quick: Where do you go to find the cost-per-record of a data breach? Reports from the Ponemon Institute? The annual Verizon Data Breach Investigations Report? How about the NetDiligence Cyber Claims Study? These are all credible and popular sources for breach cost benchmarking, but they give drastically different answers to the question. The Verizon report shows pennies per record for breaches, while Ponemon has shown hundreds of dollars per record. NetDiligence breaks down the analysis with a smaller sample of large and small organizations to explain the difference.
Now imagine that you bring an executive Ponemon’s recent estimate of $245 per record and you hold four million consumer records. “Are you telling me a breach would cost us a billion dollars?” the executive would ask. “Who pays a billion dollars for a breach?”
What if you brought the Verizon report’s number of $.58 per record? The executive would say, “A cyber insurance policy for $2.5 million means we don’t need to spend on cybersecurity!”
The numbers you have at your disposal vary so greatly because the methods that analysts use vary so greatly. Ponemon typically looks at smaller organizations, while Verizon looks at organizations of all sizes. NetDiligence looks at organizations whose insurance claims are confidentially offered to their report.
These discrepancies are not limited to breach costs. They are also found in studies that try to establish benchmarks for cybersecurity budgets. Boston Consulting Group recently found that cybersecurity budget benchmarking as a percentage of the IT budget varied between PwC’s 3.7% estimate, Gartner’s 5.9% and Forrester’s 10%.
This is why we get lost while looking for benchmarks that answer our executives’ questions. But we don’t have to be prisoners of this dilemma if we think about what executives are actually asking.
“We find that executives are really asking, ‘what is expected of us?’ and they seek those answers by looking for common practices,” says Jim Mirochnik, CEO of HALOCK. “But do you really want to set your cybersecurity metrics to your peers if your peers are getting hacked?”
Chris Cronin, partner at HALOCK and the developer of the DoCRA (Duty of Care Risk Analysis) Standard, answers the question differently. “We need to manage security so that everyone will be OK. This means reducing the likelihood of harm to others using controls that are acceptably burdensome to us.”
The construct in law for “reasonable” security is to use safeguards that are not more burdensome than the risks they are meant to reduce. Use a cure that is not worse than the disease. “Analyze the risks you are trying to prevent, then analyze the risks to you and others that your proposed safeguards pose. Your risks can include your costs, lost efficiency, lost benefit to customers … any burden on you or your value that the safeguard creates. If those burdens are not greater than the risks you pose, then prioritize them into annual budgets, and there’s your metric.”
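The balancing test described above, worked through in code as an added illustration (not HALOCK’s or the DoCRA standard’s own method). It assumes constructed 1–5 ordinal scales for likelihood and impact, a constructed acceptable-risk threshold, and a constructed sample risk register; a safeguard is kept only if its burden does not exceed the risk it removes and the residual risk is acceptable, and the survivors are ordered for budgeting by net benefit.

```python
from dataclasses import dataclass

# Constructed ordinal scales: likelihood and impact both run 1 (low) to 5 (high),
# so a risk score runs 1..25. Burden uses the same 1..25 scale so it can be
# compared directly against the risk a safeguard removes.
ACCEPTABLE_RISK = 8  # constructed threshold; a real one is set by the organization


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int  # harm to customers, partners and the organization itself

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Safeguard:
    name: str
    risk: Risk
    residual_likelihood: int  # likelihood once the safeguard is in place
    residual_impact: int
    burden: int  # cost, lost efficiency, lost customer benefit it creates

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def risk_removed(self) -> int:
        return self.risk.score() - self.residual_score()


def is_reasonable(s: Safeguard) -> bool:
    """The rule from the text: the safeguard must not burden you more than the
    risk it removes, and it must bring the risk down to an acceptable level."""
    return s.burden <= s.risk_removed() and s.residual_score() <= ACCEPTABLE_RISK


def prioritize(safeguards: list[Safeguard]) -> list[str]:
    """Names of the reasonable safeguards, largest net benefit first."""
    keep = [s for s in safeguards if is_reasonable(s)]
    keep.sort(key=lambda s: s.risk_removed() - s.burden, reverse=True)
    return [s.name for s in keep]


# Constructed sample register.
BACKUPS = Risk("unencrypted offsite backups of customer PII", likelihood=3, impact=5)
PHISHING = Risk("credential theft via phishing", likelihood=5, impact=3)
CANDIDATES = [
    Safeguard("encrypt backups at rest", BACKUPS, 1, 5, burden=4),
    Safeguard("stop taking backups", BACKUPS, 1, 1, burden=20),  # cure worse than disease
    Safeguard("MFA on all remote access", PHISHING, 2, 3, burden=2),
    Safeguard("block all external email", PHISHING, 1, 3, burden=18),
]

if __name__ == "__main__":
    for s in CANDIDATES:
        print(f"{s.name}: removes {s.risk_removed()}, burden {s.burden}, reasonable={is_reasonable(s)}")
    print("budget order:", prioritize(CANDIDATES))
```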
Cybersecurity benchmarks do not provide reliable numbers. Moreover, they do not answer the question executives are actually asking.
Frequently Asked Questions (FAQs) on Reasonable Security
What Is Reasonable Security?
Reasonable Security is appropriate cybersecurity protection for your organization. Based on your size, data types, and risk profile, reasonable security can be a legal standard of care and a cybersecurity best practice, both of which show that you took defensible steps to protect information.
Why is “Reasonable” Security Important?
“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.
Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.
Organizations with reasonable security:
- Have a better chance of avoiding regulatory action after a breach
- Are better positioned during litigation and investigations
- Have more support from cyber insurance carriers and adjusters
- Instill more confidence with clients, partners, and stakeholders
What Laws Reference “Reasonable Security”?
In the United States, a variety of state and federal laws require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:
- California Consumer Privacy Act (CCPA / CPRA)
- New York SHIELD Act
- Illinois Personal Information Protection Act (PIPA)
- Massachusetts 201 CMR 17.00
- Connecticut Data Privacy Act
- Gramm-Leach-Bliley Act (GLBA)
- Federal Trade Commission (FTC) Safeguards Rule
- General Data Protection Regulation (GDPR) – references “appropriate technical and organizational measures”
The laws do not specify exactly what controls you should use, but they do typically require some defensible evidence that you assessed and mitigated risk appropriately.
How Do You Demonstrate Reasonable Security?
The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.
A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.
Key elements include:
- Risk identification: What data, systems, and processes are impacted?
- Threat and vulnerability analysis: What risks are credible and foreseeable?
- Impact assessment: What could cause harm to customers, partners, or operations?
- Control evaluation: What safeguards are reasonable under current conditions?
- Documentation: Written records of your findings, decisions, and mitigations.
Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.
What Is the Duty of Care Risk Analysis (DoCRA)?
The Duty of Care Risk Analysis (DoCRA) standard is an approach to establishing and documenting reasonable security for an organization. It states that reasonable security is:
“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”
DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
How HALOCK Helps Organizations Demonstrate Reasonable Security
HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.
A HALOCK assessment helps you to:
- Identify, quantify, and prioritize cyber risks
- Select and balance controls with business impact
- Document a reasonable security posture for regulators, courts, and clients
- Establish an accountability and continuous improvement process
How Can You Define “Reasonable Security”?
Reasonable security means implementing safeguards that are:
- Appropriate: Based on your business size, industry, and data sensitivity
- Proportionate: Controls balance protection with business practicality
- Recognized: Align with accepted frameworks (NIST, ISO 27001, CIS, DoCRA)
- Documented: You can prove decisions, policies, and risk management actions
- Adaptive: Regularly reassessed as technology, threats, and operations evolve