Billion-dollar hack – or not? A new approach to calculating true cost of security breaches


During the 2013 holiday shopping season, Target's systems were breached, compromising the credit and debit card data of some 40 million customers and exposing the names and contact information of 70 million people.

Target estimated the total cost of the breach at $252 million. An outside firm, however, added another $38 million for an estimate closer to $290 million. Why the millions in difference?

It turns out that estimating the cost of a security breach is still more art than science, according to research by Colorado State University computer science faculty.

Assessing the cost of a hack matters to companies as well as to consumers. Security failures are not always as highly publicized as those at major retailers such as Target or Home Depot (which suffered a similar incident in 2014), but data breaches occur at more than four in 10 companies in the U.S. each year.

CSU study on security risks

Despite this prevalence – and the increasing amount of sensitive information transmitted digitally every day – “we found out that there has been very little attention paid to the impact,” said Yashwant Malaiya, professor of computer science in the College of Natural Sciences at CSU.

He and colleague Abdullah Algarni, a doctoral researcher in the same department, are among the first researchers to tackle this thorny issue. In studying overall security risk (an organization’s risk being defined as the probability of a breach multiplied by the impact of the breach), they noticed that models to predict the actual financial impact of these data breaches can be radically different.

“Existing approaches can yield widely different values,” Malaiya said – in some cases by two full orders of magnitude. For instance, some companies peg breach costs largely to the personnel time spent rectifying the situation. Others include further ramifications, such as lawsuits, increased insurance premiums, lower stock prices, and security fixes and improvements, and even intangibles such as loss of brand value and market share. Two estimates that differ by a factor of 100 need not reflect a disagreement about any single number; they usually reflect a disagreement about which categories count at all.
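To make that concrete, here is an added example (my own illustration, not code or figures from the CSU paper) of a transparent cost model in which every category is a named line item carrying the assumption behind it. It applies the paper's definition of risk as probability multiplied by impact, and shows how the same constructed line items for a hypothetical 40-million-record card breach yield estimates spanning two orders of magnitude depending on scope. All class names, scope names and dollar figures are assumptions made up for this example.

```python
"""Added example: a transparent breach-cost model with an auditable assumption trail.

Not from the CSU paper. All line items, figures and scope names below are
constructed for illustration; they are not Target's or any published model's.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LineItem:
    category: str   # cost category name (assumed taxonomy)
    usd: float      # estimated cost in US dollars (constructed figure)
    basis: str      # how the number was derived; this is the documented assumption


# Constructed line items for a hypothetical 40-million-record card breach.
SAMPLE_ITEMS = (
    LineItem("response_labour",     4.0e6, "500 staff-days x $8k/day (assumed)"),
    LineItem("forensics",           2.0e6, "external IR firm engagement (assumed)"),
    LineItem("card_reissuance",    60.0e6, "40M cards x $1.50 per card (assumed)"),
    LineItem("legal_settlements",  40.0e6, "class action plus issuing-bank suits (assumed)"),
    LineItem("security_upgrades",  30.0e6, "segmentation and EMV programme (assumed)"),
    LineItem("insurance_premium",   5.0e6, "premium increase over three years (assumed)"),
    LineItem("brand_value",       150.0e6, "1% revenue dip over two years (assumed)"),
    LineItem("market_cap",        300.0e6, "abnormal stock return after disclosure (assumed)"),
)

# Three scopes of the kind different estimators actually use: personnel time
# only, direct booked costs, and everything including intangibles.
SCOPES = {
    "personnel_only": {"response_labour"},
    "direct_costs": {"response_labour", "forensics", "card_reissuance",
                     "legal_settlements", "security_upgrades", "insurance_premium"},
    "all_in": {item.category for item in SAMPLE_ITEMS},
}


def estimate(items, scope):
    """Sum the line items whose category falls inside the chosen scope."""
    return sum(item.usd for item in items if item.category in scope)


def estimates_by_scope(items=SAMPLE_ITEMS, scopes=SCOPES):
    """Cost of the same incident under each scope, keyed by scope name."""
    return {name: estimate(items, categories) for name, categories in scopes.items()}


def spread_orders_of_magnitude(estimates):
    """log10(max / min): how many decimal orders of magnitude the scopes disagree by."""
    values = [v for v in estimates.values() if v > 0]
    return math.log10(max(values) / min(values))


def annual_risk(breach_probability, impact_usd):
    """Risk as the paper defines it: probability of a breach times its impact."""
    return breach_probability * impact_usd


def explain(items, scope):
    """Return the assumption trail behind an estimate so a reader can audit it."""
    return [(item.category, item.usd, item.basis) for item in items if item.category in scope]


if __name__ == "__main__":
    est = estimates_by_scope()
    for name, usd in est.items():
        print(f"{name:15s} ${usd / 1e6:7.1f}M")
    print(f"spread: {spread_orders_of_magnitude(est):.2f} orders of magnitude")
    # Using the article's "four in ten companies per year" as a crude annual
    # breach probability; the expected loss inherits the full spread.
    for name, usd in est.items():
        print(f"{name:15s} expected annual loss ${annual_risk(0.4, usd) / 1e6:7.1f}M")
    for row in explain(SAMPLE_ITEMS, SCOPES["direct_costs"]):
        print(row)
```

The point of the `basis` field is the one Malaiya makes about open models: when two estimates differ, the disagreement can be traced to a specific line item and its stated assumption rather than to a hidden method. A proprietary model that publishes only the total gives a reader no way to do that.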

Making matters even stickier, the few organizations that do estimate breach costs keep their cost models proprietary, so their factors and methods remain hidden. How did figures such as $252 million and $290 million for Target's breach emerge? The answer is still unclear.

A standard, public model

Malaiya hopes to bring this process into the light, creating a standard, public – and evolving – model. “An open and published model will document the assumptions and the methodology,” he said. And that is a benefit to all. “That will allow methods to be evaluated and refined using further data and further research.” Such a model will permit companies and consumers to compare apples to apples, instead of comparing, say, an apple to a mystery fruit. And perhaps we will one day be able to finally agree on the true cost of hacks – both big and small.

These ideas, for Malaiya, also go beyond corporate offices and consumer purchases. More open models like the ones he hopes to create might also help us better understand economic markets as a whole. “A significant part of the market operates in mysterious ways,” he said. “Hopefully academic studies like ours will help add transparency and reduce the risks to society.”

Their work on the topic was published for the Second International Conference on Information Management earlier this year in London.