Methodology · Updated April 2026

How to Calculate the True Cost of an Incident

Incident cost is not just the ransom payment or the vendor invoice. A complete cost model has four components. Missing any one of them typically understates the true cost by 30-50%. This page explains each component, provides the formula, and walks through a worked example. For an interactive tool that does the calculation for your specific scenario, use incidentcostcalculator.com.

The Four-Component Formula

Total Incident Cost =
    Direct Costs
  + Revenue Loss
  + Productivity Loss
  + Second-Order Costs (regulatory, legal, reputation)
1. Direct Costs

Forensics and investigation
$15,000-$500,000 depending on scope and firm tier
Remediation and system rebuild
$10,000-$2M depending on scope (ransomware rebuild vs contained malware)
Legal retainer and regulatory counsel
$20,000-$300,000 initial engagement; $500-$1,500/hr ongoing
PR and crisis communications
$10,000-$200,000 for a media-facing incident
Ransom payment (if applicable)
Avg $2.2M demand; actual payment negotiated down; see /types/ransomware
2. Revenue Loss

Customer-facing downtime
(Hourly revenue) x (hours of downtime) = direct revenue loss. Hourly revenue = annual revenue / 8,760
Lost contract revenue
Deals lost or delayed due to breach or outage; customer churn from dissatisfied customers
Customer churn impact
Annual value of lost customers x churn rate increase x average customer lifetime value
3. Productivity Loss

Formula
(Employees affected) x (fully loaded hourly rate) x (hours lost to incident response and downtime)
Fully loaded hourly rate benchmark
$100-$125/hr for US senior engineer; $60-$80/hr for support staff
Who counts
All staff unable to work due to system outage; IR response team hours; management time on incident
4. Second-Order Costs

Regulatory fines
GDPR up to 4% of global revenue; HIPAA Tier 4 up to $2.19M per violation; PCI $5K-$100K/month
Legal settlements
Class action settlements (Equifax $1.4B, 23andMe $30M); customer/partner claims
Credit monitoring for victims
$10-$15/person/year; standard offer for 1-2 years post-breach
Insurance premium increase
+$50K-$200K/yr for mid-market; +$200K-$1M/yr for enterprise post-major-breach
Stock price / market cap impact
5-10% decline in first week post-breach (academic studies); partially recovers over 12-18 months

The IBM CODB Methodology

IBM's Cost of a Data Breach Report uses a 4-activity cost model that maps closely to the four-component formula above. Understanding their methodology is essential for correctly interpreting their published averages.

IBM Activity             | Maps To                       | What It Includes
Detection and escalation | Direct Costs                  | Security investigation, forensic analysis, crisis team communication, executive escalation, crisis management
Notification             | Direct Costs + Second-Order   | Notification to regulators and affected individuals, credit monitoring setup, legal counsel for notification
Post-breach response     | Direct Costs                  | Helpdesk setup, inbound inquiries from affected individuals, identity protection, regulatory response, legal defence
Lost business            | Revenue Loss + Second-Order   | Customer churn, revenue lost during downtime, reputational impact measured as lost business, new business lost

Key IBM exclusion: IBM CODB does not include ransom payments in breach cost figures. IBM treats ransomware as a separate category from data breach. This means the $4.44M global average is specifically breach costs, and does not represent total ransomware incident cost (which averages $5.75M when ransom is included).

Worked Example: Mid-Sized Data Breach

Scenario: 500-person tech company. 50,000 customer records exposed. 48 hours of system downtime. $50M annual revenue.
1. Direct Costs
Forensics (mid-tier firm, 3 weeks): $85,000
Legal counsel (30 hours @ $600/hr): $18,000
System remediation and hardening: $75,000
PR and crisis communications: $25,000
Direct costs subtotal: $203,000

2. Revenue Loss
Hourly revenue ($50M / 8,760 hrs): $5,708/hr
48 hours downtime: $273,984
Customer churn (est. 3% x $1,500 avg LTV): $225,000
Revenue loss subtotal: $498,984

3. Productivity Loss
100 engineers unable to work (48 hrs @ $110/hr): $528,000
25 IR response team members (200 hrs avg @ $110/hr): $550,000
Productivity loss subtotal: $1,078,000

4. Second-Order Costs
Regulatory notification and response: $40,000
Credit monitoring for 50K records (2 yrs @ $12/person/yr): $1,200,000
GDPR fine (moderate case, 0.5% of EU revenue): $150,000
Insurance premium increase (+$80K/yr x 5 yr impact): $400,000
Legal settlement (class action, if filed): $4,000,000
Second-order costs subtotal: $5,790,000

Total Incident Cost: $7,569,984

Compare to IBM CODB 2025 US average: $10.22M. Our example is smaller scale (50K records vs IBM avg), which explains the lower total. The class action settlement is the largest single cost component.
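The four-component formula and the worked example above, implemented as a small Python model. This is an added example, not code from IncidentCost.com or from the calculator tool it links to; the class and method names are assumptions, while every input figure is the example scenario's own. It reproduces the $7,569,984 total (rounding hourly revenue to whole dollars before multiplying, as the example does), reports each component's share of the total so you can see how much a model that omits a component would miss, and keeps the ransom payment as a separate field so the result can be compared like-for-like against IBM CODB figures, which exclude it.

```python
"""Four-component incident cost model (Direct + Revenue + Productivity +
Second-Order). Added example; inputs are the page's worked scenario, the
names are assumptions."""
from dataclasses import dataclass, field

HOURS_PER_YEAR = 8_760  # page convention: hourly revenue = annual revenue / 8,760


@dataclass
class IncidentCostModel:
    annual_revenue: float
    downtime_hours: float
    # Component 1: direct costs, one entry per line item (forensics, legal, ...)
    direct: dict = field(default_factory=dict)
    # Ransom is a direct cost, but it is held separately so it can be excluded
    # when comparing against IBM CODB breach figures, which leave it out.
    ransom_payment: float = 0.0
    # Component 2: revenue loss beyond downtime, e.g. the churn estimate
    churn_loss: float = 0.0
    # Component 3: (label, headcount, fully loaded hourly rate, hours lost)
    productivity: list = field(default_factory=list)
    # Component 4: second-order costs (fines, settlements, monitoring, premiums)
    second_order: dict = field(default_factory=dict)

    @property
    def hourly_revenue(self) -> int:
        # The worked example rounds hourly revenue to whole dollars first.
        return round(self.annual_revenue / HOURS_PER_YEAR)

    def direct_costs(self) -> float:
        return sum(self.direct.values()) + self.ransom_payment

    def revenue_loss(self) -> float:
        return self.hourly_revenue * self.downtime_hours + self.churn_loss

    def productivity_loss(self) -> float:
        return sum(n * rate * hours for _label, n, rate, hours in self.productivity)

    def second_order_costs(self) -> float:
        return sum(self.second_order.values())

    def breakdown(self) -> dict:
        return {
            "direct": self.direct_costs(),
            "revenue": self.revenue_loss(),
            "productivity": self.productivity_loss(),
            "second_order": self.second_order_costs(),
        }

    def total(self) -> float:
        return sum(self.breakdown().values())

    def breach_cost_excluding_ransom(self) -> float:
        # Like-for-like figure against IBM CODB, which excludes ransom payments.
        return self.total() - self.ransom_payment

    def understatement_if_omitted(self, component: str) -> float:
        # Fraction of the true total that a model missing `component` would miss.
        return self.breakdown()[component] / self.total()


def worked_example() -> IncidentCostModel:
    """The page's scenario: 500-person company, 50K records, 48h downtime, $50M revenue."""
    return IncidentCostModel(
        annual_revenue=50_000_000,
        downtime_hours=48,
        direct={
            "Forensics (mid-tier firm, 3 weeks)": 85_000,
            "Legal counsel (30 hrs @ $600/hr)": 30 * 600,
            "System remediation and hardening": 75_000,
            "PR and crisis communications": 25_000,
        },
        churn_loss=225_000,  # page's estimate (3% x $1,500 avg LTV)
        productivity=[
            ("Engineers unable to work", 100, 110, 48),
            ("IR response team", 25, 110, 200),
        ],
        second_order={
            "Regulatory notification and response": 40_000,
            "Credit monitoring (50K x 2 yrs x $12)": 50_000 * 2 * 12,
            "GDPR fine (0.5% of EU revenue)": 150_000,
            "Insurance premium increase ($80K/yr x 5 yrs)": 80_000 * 5,
            "Legal settlement (class action)": 4_000_000,
        },
    )


if __name__ == "__main__":
    m = worked_example()
    for name, amount in m.breakdown().items():
        share = m.understatement_if_omitted(name)
        print(f"{name:>12}: ${amount:>12,.0f}  ({share:.0%} of total)")
    print(f"{'total':>12}: ${m.total():>12,.0f}")
```

Run as a script it prints the four subtotals and the total; setting `ransom_payment` on the model raises `total()` while `breach_cost_excluding_ransom()` stays at the breach-only figure, which is the number to put beside an IBM CODB average.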

Calculate Your Specific Scenario

The worked example above uses generic assumptions. For an interactive calculation tailored to your organisation size, industry, incident type, and specific parameters, use the dedicated calculator tool.

incidentcostcalculator.com - Scenario-Specific Incident Cost Calculator

Frequently Asked Questions

How do you calculate the cost of an IT incident?
Total cost = Direct Costs + Revenue Loss + Productivity Loss + Second-Order Costs. Direct costs include forensics, remediation, legal. Revenue loss is hourly revenue times downtime hours plus churn. Productivity loss is (employees affected x hourly rate x hours). Second-order costs include fines, settlements, credit monitoring, and insurance increases.
What is often missed in incident cost calculations?
The most commonly missed component is second-order costs, particularly credit monitoring obligations (can cost $1-2M for 50K records over 2 years), insurance premium increases over the following 3-5 years, and the legal settlement tail that can arrive 18-36 months after the incident.
How does the IBM Cost of a Data Breach methodology work?
IBM uses a 4-activity model: detection and escalation, notification, post-breach response, and lost business. This covers all four cost components but reports them as activities rather than categories. The 'lost business' activity is the largest and most variable component, averaging 46% of total breach cost.
IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.