IBM's 2024 report puts the average breach cost at $4.88 million. As an IS researcher, the number I can't stop thinking about is $9.77 million in healthcare, for the 14th year running.
IBM's 2024 Cost of a Data Breach report puts the global average at $4.88 million, a 10% increase and the largest spike since the pandemic. I have been sitting with this number and thinking about what it actually means for IS governance research.
The number itself is striking. But what strikes me more is the context it comes out of. IBM analyzed 604 organizations globally, so this is not a handful of high-profile incidents skewing the average. It is a broad empirical picture of what happens when information security systems fail. And when I try to read that picture through the lens of IS theory rather than security marketing, the story shifts.
DeLone and McLean (1992, 2003) built the field's most durable IS success model on six interlocking dimensions: system quality, information quality, service quality, use, user satisfaction, and net benefits. The logic runs from quality through use and satisfaction to outcomes. Most IS success research follows that logic forward: better quality predicts better use, better use predicts better outcomes. What the IBM data forces me to do is run the model backward. A breach is the inverse of IS success. It is what happens when the security system, the information security governance apparatus, fails to deliver quality and service. The net benefits become sharply negative, and they become negative in a way that is now very precisely quantified: $4.88 million on average.
The DeLone and McLean framework has always been more comfortable measuring success than failure. There is a good reason for that, since the model was designed to synthesize fragmented empirical literature on what makes IS implementations work. But if net benefits can be positive, they can also be negative, and a breach represents one of the most measurable negative net benefit events an organization can experience. I think IS governance research has not fully exploited this. We spend enormous effort studying what predicts IS success. We spend less effort studying what the failure mode looks like in measurable financial terms and working backwards from that to what governance choices produced it.
Institutional theory adds a dimension that the IBM data cannot capture but that I think explains a lot of the variance underneath that $4.88 million average. DiMaggio and Powell (1983) described three isomorphic pressures that push organizations to converge on similar structures. Normative isomorphism comes from professional norms and certification bodies: CISOs get the same certifications, attend the same conferences, adopt the same frameworks. Mimetic isomorphism operates under uncertainty: when nobody knows what the right security posture looks like, organizations copy whoever looks successful. Coercive isomorphism comes from regulations and mandates: HIPAA, GDPR, PCI-DSS.
The problem is that normative and mimetic isomorphism produce organizations that look secure rather than organizations that are secure. The governance artifacts, the policy documents, the compliance checklists, the vendor certifications, become ends in themselves. What Scott (1995) called the regulative pillar of institutional theory produces compliance. What he called the normative pillar produces professional conformity. Neither of those reliably produces effective security outcomes. An organization that achieved SOC 2 compliance because its auditors required it and an organization that has genuinely worked out its threat model and built governance around it both tick the same compliance boxes. The IBM data cannot distinguish them until the breach happens.
IBM also found that organizations using AI and automation in their security operations saved about $2.2 million per incident on average. That is a substantial number. And it fits a resource-based view logic, which I find more useful than institutional theory for explaining the variance. Barney (1991) argued that sustainable competitive advantage comes from resources that are valuable, rare, inimitable, and non-substitutable. A mature security operations capability, one with AI-driven detection, skilled analysts, and practiced incident response, fits that description. It is valuable because it reduces breach costs. It is rare because it requires sustained investment. It is difficult to imitate because it depends on organizational routines and embedded knowledge, not just purchased technology. Organizations that have built this capability see dramatically different outcomes even when breaches happen.
The internal detection finding from IBM reinforces this. Organizations that detected breaches internally had a lifecycle that was 61 days shorter than those relying on external discovery. That shorter lifecycle saved roughly $1 million on average. This is not a technology finding. It is a governance finding. Internal detection capability depends on having people who know what normal looks like and who are watching for deviations. That is an organizational capability, and it is built over time through investment decisions that look expensive before the breach and obvious after.
The staffing gap data makes the capability argument harder to make at scale. IBM found that security staffing shortages added $1.76 million to average breach costs. The ISC2 2024 Cybersecurity Workforce Study reported a global gap of 4.76 million unfilled positions, a 19.1% increase from 2023. Those two numbers sit next to each other in uncomfortable proximity. Organizations that cannot hire the security staff they need cannot build the detection capability that shortens breach lifecycles. The governance problem and the workforce problem are not separate. They are the same structural failure manifesting in two different data sets.
The number I keep returning to is healthcare at $9.77 million, the costliest sector for the 14th consecutive year. That 14-year streak is the data point that forces the institutional theory interpretation. One bad year in healthcare information security is bad luck or a particularly sophisticated attack. Two bad years is a pattern worth studying. Fourteen years in a row is a structural problem in healthcare IT governance. It is not a series of independent events. It is a sector that has consistently failed to build the security capabilities that would reduce breach costs, despite facing the same attacks, the same frameworks, and (after HIPAA) the same regulatory mandates as other sectors.
My honest read is that IS governance research has treated security governance as a special case of general IT governance, and that framing may be part of what limits our explanatory power. General IT governance is about aligning IT with organizational strategy and delivering IT value. Security governance is about managing the conditions under which IT fails in particular ways. These are different design problems, and a 14-year streak of $9-million losses in one sector suggests the governance models that work well for value delivery may not translate cleanly to failure prevention.
What the $4.88 million figure asks IS researchers to do, I think, is treat breach costs the way economists treat externalities: as the financial signal that a system has not internalized the full cost of its governance choices. Organizations that treat security as a compliance checkbox are effectively offloading the future cost of failure onto themselves at the point of breach. Institutional theory predicts they will keep doing this as long as the isomorphic pressures reward visible compliance over actual capability. The IBM data is measuring the outcome. The governance research gap is that we do not yet have a clean theoretical account of what distinguishes organizations that comply from organizations that are actually secure.