"We think that if you can describe the impact based on your company's specific, plausible scenario and you can model your impact more accurately, that that will help guide your investment accordingly," Gelinne said.
That means CSOs need to look at the bigger picture and work with business teams to evaluate the total potential impact of cybersecurity incidents, so they can better understand which assets need the most protection.
"The budgets will never be big enough if the goal is to prevent every possible incident," he said. "Our modeling technique is adding more information to make better decisions on how to invest."
Why cost estimates vary
Three recent studies put the cost of a breach at $170,000, $861,000 and $4 million. That's already a wide range, but far below what Deloitte is suggesting.
Why the disparity?
Research typically focuses on data breaches that involve losses such as account credentials, credit card numbers, and health care information.
"Largely, studies deal primarily with what is publicly reported," Gelinne said. "The theft of personally identifiable information, personal health information -- these are widely understood. But there are other types of scenarios that may not be considered in the calculations."
Then, studies vary in their choice of what size incidents to consider, which specific costs to look at, and how those costs are calculated.
For example, last month Kaspersky estimated that the average security incident cost enterprises $861,000, based on cost estimates provided by the companies themselves, rather than a third-party analysis.
In addition, the Kaspersky report focuses specifically on breach recovery costs, with personnel-related costs accounting for 53 percent of the total and improving software and infrastructure accounting for another 14 percent.
"We also included expenses that may occur after the incident has been remediated, such as staff training and new headcount, should it be triggered by the incident," said Michael Canavan, vice president, Kaspersky Lab North America at Kaspersky Lab ZAO.
The estimates also included the cost of damage to credit ratings, higher insurance premiums, and lost business, but not many of the other common breach-related expenses such as notification and legal costs, nor some of the other indirect expenses considered by Deloitte or other researchers.
Another disparity is whether a typical breach cost should be the average for all incidents, or the median.
The median cost of a breach is $170,000 -- but the average cost is $5.9 million, says a report released this Monday.
The median number is more useful, said study author Sasha Romanosky, policy researcher at Rand Corp.
The average cost is skewed upwards, he said, due to a few extremely large breaches such as Target.