Remember those kids working on a breach-cost prediction tool? Well, both teams of students working on data breach prediction, aiming for the Analytics Cup at the Haub School of Business at St. Joseph’s University, basically nailed it.

“We were amazed about how quickly they were able to pick up the nuances of data breaches,” said Bob Siegel, CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT, FIP, head of consulting firm Privacy Ref and the privacy professional who teamed with St. Joe's Professor Ronald Klimberg on the contest.

Both teams of three students created what are essentially simulation tools in Excel that ask you make general predictions about the minimum, maximum, and most likely costs of various aspects to breach response. Then, the tool triangulates the most likely cost of the breach as a whole via a thousand random simulations, derived from those data points.

The winning prediction tool, which edged out the second place finishers by virtue of a bit more elegance in the display of information, is now up and available on the Privacy Ref website, where you can grab it in exchange for a donation to the St. Joseph’s Decision Systems Sciences Department.

“One thing that I asked both teams to do was to keep it easy,” said Siegel. “If it’s too complex, it won’t be used.”

Essentially, the simulation is an 18-question survey of sorts, where privacy pros will have to gather some information they should probably be gathering anyway. What’s the likely cost for outside counsel? How much would a forensics firm likely charge to diagnose the cause of the breach? How many records could possibly be compromised in the first place. 

While all of these questions could be answered with “it depends,” the design of the tool accounts for that uncertainty.

"Looking forward, there aren’t any concrete numbers. We had to create a model where they could input their own information." Rebecca Rosati, St. Joseph's University Student

“Something that’s difficult in creating the tool,” said St. Joseph’s student Rebecca Rosati, “is that historical models have the data from the actual event, but, looking forward, there aren’t any concrete numbers. We had to create a model where they could input their own information.”

“We did look at historical data to break down the types of costs, though,” said fellow student Samantha Melnick, “and our model focused a lot on identifying specific costs as part of the total costs of the data breach. And which of those were most expensive. We built on that historical data to categorize the questions for the model.”

“Everyone has to undergo the diagnosis costs,” said Rosati, by way of example. “Everyone has to notify someone. And then there are the most specific costs, company by company, industry by industry. That’s why we included an ‘other’ section, where they can add in anything that we missed in our model.”

Further, “we broke it down,” said Melnick, “into four different cost centers: detection, escalation, notification, and then post data breach costs,” like public relations or marketing spend.

Klimberg noted that the tool’s design is also adaptable for specific situations. “If they have a good idea of what the costs are, they can actually change the tool from the triangular analysis to the distribution they do know. If they have some data, they can change what’s there very easily, and they can also add more questions very easily.”

If you’re looking to get up to speed on how to use the tool, Siegel has set up a webinar to walk you through it for Data Privacy Day, to be held January 27, at 1 p.m. EST. It will likely be repeated at a later date. Further, the winning team of students will be presenting their tool as part of the Little Big Stage programming at the IAPP Global Privacy Summit, in Washington, DC, April 19 and 20.