How we source incident cost figures
Every cost band on this site triangulates three independent streams: published industry-research benchmarks (IBM CODB, Verizon DBIR, Ponemon, ITIC), incident-response practitioner data (FBI IC3, NIST SP 800-61), and public-incident reference cases (SolarWinds, Kaseya, MOVEit, Snowflake, CrowdStrike outage). Where streams disagree, bands widen rather than narrow. Every figure has a documented source path, and the calculation framework below shows which input feeds which page.
Primary sources
IBM Cost of a Data Breach Report 2025: global average breach cost $4.44M; US average $10.22M; per-industry breach cost (healthcare $7.42M, financial $5.56M, manufacturing $5.00M, energy $4.83M, technology $4.79M, pharma $4.61M, retail $3.54M); 241-day average breach lifecycle; $1.9M average saving attributed to AI and automation; cost share of 38% lost business, 27% response, 29% detection, 6% notification.
Verizon Data Breach Investigations Report (2026 edition): attack-vector frequency mix (vulnerability exploitation now the top initial access vector at 31%, ahead of stolen credentials at 13%; plus BEC, phishing, cloud misconfiguration), ransomware share of breaches (48%, up from 44% in the prior edition), third-party involvement in 48% of breaches, time-to-detect distribution.
Ponemon Cost of Insider Risks: Global Report (2026 edition): per-incident bands ($747K negligent, $742K malicious, $842K credential theft); frequency split of 53% negligent, 27% malicious, 20% credential theft; 67-day average containment (13% contained within 30 days); $19.5M average annual organisational cost across 25 incidents per year.
FBI IC3 Annual Report: ransomware non-payment recommendation (the FBI's published position is do not pay), recovery-rate context for payment decisions, BEC loss figures, total reported cybercrime losses by category.
NIST SP 800-61: the four-phase incident response lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity) that the response-phases page cost percentages map to. The four phases are the Revision 2 structure; Revision 3 (2025) reorganises the guidance around the CSF 2.0 functions, so the phase mapping here follows Revision 2.
ITIC (2024 edition): the widely cited finding that over 90 percent of mid-size and large enterprises put the cost of one hour of downtime above $300K, used in the home FAQ; the high-end bands ($1M-$5.6M/hr for large enterprises) used in the DDoS/downtime calculator's industry-tier modelling.
Incident response firms: named firms whose published rate guidance and retainer mechanics inform the consultant tier bands (Mandiant, CrowdStrike Services, Kroll, Stroz Friedberg, Coveware, Arete, Unit 42 / Palo Alto Networks). Tier bands only; no fabricated per-firm price points.
Coveware: ransom demand bands by victim revenue ($250K under $10M revenue; $800K mid-market; $1.5M+ enterprise; $2.1M+ large enterprise), ransomware sector mix, downtime-day distribution.
Regulatory enforcement trackers: GDPR fine bands (CMS Enforcement Tracker, GDPRhub), HIPAA Breach Notification fine bands (HHS OCR), PCI-DSS non-compliance fee bands (card networks). Used in the data-breach calculator regulatory-fine component (GDPR ceiling of 4 percent of worldwide annual turnover, $100/record HIPAA, etc.).
Calculation framework
Six load-bearing methodology rules. Each calculator on the site composes these rules differently; the inputs and assumptions are visible inline on every calculator page.
Annual loss expectancy: ALE = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO). Calculators use base SLE figures from IBM CODB (per-industry breach cost) and Coveware (per-revenue ransomware demand), with ARO floors derived from Verizon DBIR sector frequency. The home quick-estimate widget shows the math inline; the FAIR risk quantification page allows custom scenarios.
Industry multipliers: healthcare 1.67, financial services 1.25, manufacturing 1.13, energy 1.09, technology 1.08, pharma 1.04, education 0.86, retail 0.80, government 0.64, other 1.0. Each multiplier is the IBM CODB 2025 per-industry breach cost divided by the $4.44M global midpoint (healthcare: $7.42M / $4.44M = 1.67). Where IBM and Ponemon disagree, the more conservative figure is used.
Per-record cost: healthcare $614/record, financial $402, pharma $387, energy $372, technology $348, education $305, manufacturing $286, retail $233, government $224, transportation $217. Calibrated to IBM CODB per-record cost where available; otherwise interpolated from breach-total / typical-records-exposed ratios published in regulatory disclosures.
Downtime cost per hour: annual revenue / 8,760 hours x IT-dependency fraction x industry multiplier x time-of-day multiplier (peak 1.5x, business 1.0x, off-peak 0.4x, weekend 0.3x). Productivity component priced at $75/hr loaded blended cost. SLA penalty component: $25K/hr for organisations above $100M revenue, $5K/hr below. Recovery cost: $50K base plus $8K per hour of outage.
Response-phase cost share: detection 29 percent, investigation 18 percent, containment 15 percent, eradication 8 percent, recovery 18 percent, post-incident 12 percent (sums to 100). Percentages anchored to IBM CODB phase-of-lifecycle cost share with NIST SP 800-61 phase boundary mapping.
Supply chain attack multipliers, applied multiplicatively to the base incident cost. Type: software supply chain 1.5x, data supply chain 1.0x, service supply chain 0.8x. Vendor maturity: assessed vendor 0.6x, unassessed 1.0x. Data sensitivity: IP 1.8x, financial 1.5x, PII 1.2x, public 1.0x. Vendor scale: more than 200 vendors 1.6x, 50-200 vendors 1.2x, fewer than 50 vendors 1.0x. Calibrated against public costs from the SolarWinds, Kaseya, MOVEit, and Snowflake incidents.
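The six rules above read as prose; the following block wires them into runnable form so the arithmetic can be checked against the tables. It is an added illustration for this page, not the site's calculator source. Every constant is taken from the methodology text; the wiring choices (productivity cost applied per idle employee, a flat per-hour SLA tier selected by revenue, multipliers rounded to two decimals, the sample inputs) are assumptions of this example and are marked as such in the comments.

```python
"""Worked composition of the six methodology rules.

Added illustration, not the site's own calculator code. Constants come from the
methodology text; how the rules are combined here (per-idle-employee productivity
cost, flat per-hour SLA tier, two-decimal rounding) is this example's assumption.
"""
from dataclasses import dataclass

GLOBAL_MIDPOINT = 4_440_000.0  # IBM CODB 2025 global average breach cost, USD

# IBM CODB 2025 per-industry average breach cost, USD (rule 2 derives multipliers from these)
INDUSTRY_COST = {
    "healthcare": 7_420_000.0, "financial": 5_560_000.0, "manufacturing": 5_000_000.0,
    "energy": 4_830_000.0, "technology": 4_790_000.0, "pharma": 4_610_000.0,
    "retail": 3_540_000.0,
}
# Sectors whose base cost is not listed on the page keep the published multiplier
PUBLISHED_MULTIPLIER = {"education": 0.86, "government": 0.64, "other": 1.0}

# Rule 3: per-record cost by industry, USD
PER_RECORD = {
    "healthcare": 614, "financial": 402, "pharma": 387, "energy": 372,
    "technology": 348, "education": 305, "manufacturing": 286, "retail": 233,
    "government": 224, "transportation": 217,
}

# Rule 4 constants
HOURS_PER_YEAR = 8_760
TIME_OF_DAY = {"peak": 1.5, "business": 1.0, "offpeak": 0.4, "weekend": 0.3}
LOADED_HOURLY_COST = 75.0                                  # assumption: applied per idle employee
SLA_PENALTY_LARGE, SLA_PENALTY_SMALL = 25_000.0, 5_000.0   # per hour, split at $100M revenue
RECOVERY_BASE, RECOVERY_RAMP = 50_000.0, 8_000.0           # $50K + $8K per outage hour

# Rule 5: response-phase cost share (NIST SP 800-61 phase mapping)
PHASE_SHARE = {"detection": 0.29, "investigation": 0.18, "containment": 0.15,
               "eradication": 0.08, "recovery": 0.18, "post_incident": 0.12}

# Rule 6: supply chain multipliers
SC_TYPE = {"software": 1.5, "data": 1.0, "service": 0.8}
SC_MATURITY = {"assessed": 0.6, "unassessed": 1.0}
SC_SENSITIVITY = {"ip": 1.8, "financial": 1.5, "pii": 1.2, "public": 1.0}


def ale(sle: float, aro: float) -> float:
    """Rule 1: Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def industry_multiplier(industry: str) -> float:
    """Rule 2: per-industry breach cost over the $4.44M midpoint, rounded to two decimals."""
    if industry in INDUSTRY_COST:
        return round(INDUSTRY_COST[industry] / GLOBAL_MIDPOINT, 2)
    return PUBLISHED_MULTIPLIER.get(industry, 1.0)


def per_record_cost(records: int, industry: str) -> float:
    """Rule 3: records exposed x per-record cost for the sector."""
    return records * PER_RECORD[industry]


@dataclass
class DowntimeEstimate:
    revenue_loss_per_hour: float
    productivity_per_hour: float
    sla_penalty_per_hour: float
    recovery_cost: float
    total: float


def downtime_estimate(annual_revenue: float, it_dependency: float, industry: str,
                      window: str, idle_staff: int, outage_hours: float) -> DowntimeEstimate:
    """Rule 4: hourly revenue at risk x dependency x industry x time-of-day, plus
    productivity and SLA components per hour, plus a one-off recovery cost."""
    revenue_loss = (annual_revenue / HOURS_PER_YEAR * it_dependency
                    * industry_multiplier(industry) * TIME_OF_DAY[window])
    productivity = idle_staff * LOADED_HOURLY_COST
    sla = SLA_PENALTY_LARGE if annual_revenue > 100_000_000 else SLA_PENALTY_SMALL
    recovery = RECOVERY_BASE + RECOVERY_RAMP * outage_hours
    total = (revenue_loss + productivity + sla) * outage_hours + recovery
    return DowntimeEstimate(revenue_loss, productivity, sla, recovery, total)


def phase_breakdown(total_response_cost: float) -> dict[str, float]:
    """Rule 5: allocate a total response cost across the six phases; shares sum to 100%."""
    assert abs(sum(PHASE_SHARE.values()) - 1.0) < 1e-9
    return {phase: total_response_cost * share for phase, share in PHASE_SHARE.items()}


def vendor_scale_multiplier(vendor_count: int) -> float:
    """Rule 6 vendor-scale step: >200 vendors 1.6x, 50-200 vendors 1.2x, <50 vendors 1.0x."""
    if vendor_count > 200:
        return 1.6
    if vendor_count >= 50:
        return 1.2
    return 1.0


def supply_chain_multiplier(kind: str, maturity: str, sensitivity: str, vendor_count: int) -> float:
    """Rule 6: the four multipliers compose multiplicatively onto a base incident cost."""
    return (SC_TYPE[kind] * SC_MATURITY[maturity]
            * SC_SENSITIVITY[sensitivity] * vendor_scale_multiplier(vendor_count))


if __name__ == "__main__":
    # Constructed inputs: an $87.6M-revenue retailer, 50% IT-dependent, 4-hour peak outage
    est = downtime_estimate(87_600_000, 0.5, "retail", "peak", idle_staff=100, outage_hours=4)
    print(f"downtime total: ${est.total:,.0f}")
    print("ALE at healthcare SLE, ARO 0.25:", ale(INDUSTRY_COST["healthcare"], 0.25))
    print("supply chain multiplier:", supply_chain_multiplier("software", "unassessed", "ip", 250))
```

Reproducing the multiplier table from the raw IBM figures is the useful check here: if a future CODB edition moves the midpoint, rerunning industry_multiplier shows immediately which rows in the published table no longer round to the same value, which is exactly the recalibration trigger listed under refresh cadence.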
In scope
- Working estimates for ransomware, data breach, DDoS / downtime, insider threat, and supply chain attack cost. Component-level breakdown showing how each total is built.
- Industry-multiplier and per-record-cost benchmarks anchored to IBM CODB 2025 and Ponemon Cost of Insider Risks 2026.
- Regulatory fine estimates for GDPR (EU), HIPAA (US healthcare), generic US state-AG breach response, and UK ICO bands.
- FAIR-style ALE quantification for board-level cyber risk reporting.
- Severity-tier (P1-P5) annual cost ranges with MTTR bands.
- NIST SP 800-61-aligned response-phase cost share with external consultant rate context.
Out of scope
- Specific named-organisation breach cost figures. Where a specific organisation's breach cost is known to us through public reporting (10-K disclosure, SEC 8-K, reported settlement), it appears in band terms only.
- Prediction of a specific named incident's cost. Calculator outputs are working estimates against industry midpoints. Actual cost depends on local jurisdiction, contract structure, vendor mix, and incident specifics the calculator cannot model.
- Cyber insurance premium estimation. Premium economics depend on broker relationships, retention layers, and policy wording we cannot price publicly.
- Your organisation's data. Calculator inputs run entirely in the browser; nothing is transmitted, logged, or stored. No analytics are collected on input values, only on which calculator page was visited.
Refresh cadence
Cost bands update only when the underlying public research moves. Cosmetic date bumps are not made. The LAST_VERIFIED_DATE constant in src/lib/schema.ts is the single source of truth: footer label, schema dateModified, and on-page banners all resolve from it. Current value: June 2026.
Out-of-cycle refresh triggers:
- New annual edition of IBM Cost of a Data Breach Report (typically mid-year). Triggers full recalibration of industry multipliers and per-record costs.
- New annual edition of Verizon Data Breach Investigations Report (May). Triggers ransomware-share and attack-vector mix refresh.
- New annual edition of Ponemon Cost of Insider Risks: Global Report. Triggers insider-threat per-incident band recalibration.
- Material movement (10 percent or more) in publicly cited IR firm published rates or retainer-hour rates.
- Major regulatory fine schedule change (GDPR ceiling adjustment, HIPAA OCR settlement floor change, PCI DSS non-compliance fee schedule revision).
Limitations
IBM CODB and Ponemon both rely on respondent recall and confidential interviews; both publish methodology notes acknowledging selection bias toward larger, more security-mature organisations. The figures here inherit that bias. Working estimates from the calculator are likely to overstate cost for very small organisations (fewer than 50 employees, less than $10M revenue), whose budgets and scale keep actual response spend below benchmark midpoints, and likely to understate cost in heavily regulated catastrophic-loss scenarios (large HIPAA breach with class action, GDPR maximum penalty, OFAC sanction overlay).
Where this site contradicts an IR vendor sales calculator, the difference is usually that the vendor figure prices the scenarios that justify its service at worst-case ceilings. The figures here include the same scenarios at industry-midpoint cost rather than the worst-case ceiling.
Editorial position
This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell incident response retainers, does not run a forensics practice, does not broker cyber insurance, and does not accept paid placements from any IR firm, insurer, or breach-response vendor. See /about for the operator and the wider network.
Editorial direction is set by Digital Signet's editor. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication. Named research belongs to its publishers: IBM Cost of a Data Breach Report is published by IBM Security and Ponemon Institute; Verizon DBIR by Verizon Business; Ponemon Cost of Insider Risks by Ponemon Institute; FBI IC3 Annual Report by the FBI Internet Crime Complaint Center; NIST SP 800-61 by the National Institute of Standards and Technology. Trademarks belong to their respective owners.
Corrections process
For methodology questions, source-attribution corrections, or scenarios that do not fit cleanly: [email protected]. Five-business-day acknowledgement. Band shifts of 10 percent or more update the LAST_VERIFIED_DATE constant and roll forward across the entire site footer, schema, and on-page banner in a single commit.