How we source the incident-cost components
Cost ranges on this site are based on public reference material across the relevant landscape. The publishers below are representative of the kind of source that informs our positioning, not an exhaustive extraction map per figure. A specific figure on a specific page is not necessarily anchored to a single named publisher.
Sources
- Public breach-cost research. IBM Cost of a Data Breach Report (annual, by industry and country), Ponemon Institute breach-cost research, Verizon Data Breach Investigations Report (DBIR) — the cost-of-breach component on this site is anchored to these published averages.
- IR firm public retainer guidance. Mandiant, CrowdStrike Services, Kroll, Stroz Friedberg, Coveware, Arete, Unit 42 (Palo Alto) — published retainer or per-hour rates inform the response-cost component.
- Downtime cost research. Atlassian incident-management research, PagerDuty State of Digital Operations, Gartner downtime-cost benchmarks (where pricing context is published) for the downtime-impact component.
- Regulatory fine references. GDPR fine bands (CMS Enforcement Tracker, GDPRhub), HIPAA Breach Notification fine bands (HHS OCR), PCI-DSS non-compliance fee bands (card networks) — for the regulatory-fine component.
What we deliberately do not publish
- Specific named-organisation breach figures. Where a specific organisation's breach cost is known to us through public reporting, it is described in band terms only.
- Predictions of specific-incident cost. Calculator outputs are working figures. Actual cost depends on local jurisdiction, contract structure and incident specifics — none of which the calculator can fully model.
- Personal organisation data. The calculator runs entirely in your browser. Your inputs are not transmitted, logged, or stored.
Update cadence
Site values update only when the underlying reality changes. Triggers:
- New IBM Cost of a Data Breach Report edition (annual)
- New Verizon DBIR edition
- Material movement in IR firm published rates
- Major regulatory fine schedule change (GDPR, HIPAA, PCI)
Cosmetic date bumps are not made.
Editorial position
This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell incident-response retainers, does not run a forensics practice, does not broker cyber insurance, and does not accept paid placements from any IR firm, insurer or breach-response vendor. See /about for the operator and the wider network.
Editorial direction is set by Oliver Wakefield-Smith. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication.
Contact
For methodology questions, corrections, or scenarios that don't fit cleanly: [email protected].