Methodology · Sources verified June 2026

How we source incident cost figures

Every figure on this site triangulates three input streams: published industry research (IBM, Ponemon, Verizon, Resilience), practitioner data (PagerDuty, Atlassian, FireHydrant, Coveware, Mandiant), and public-incident reference (SEC filings, regulatory disclosures, court settlements). The list below is the complete source map: a specific figure on a specific page traces back to one of the named publishers via the inline citation on that page.

Primary sources

  • IBM Cost of a Data Breach Report 2025: Global avg $4.44M, US avg $10.22M, per-industry breach cost ($7.42M healthcare through $2.86M public sector), 241-day lifecycle, $1.9M AI savings, four-activity cost model (detection/escalation, notification, post-breach response, lost business).
  • Ponemon Institute Cost of Insider Risks Report: Per-incident $779K credential theft, $715K malicious, $677K negligent. Annual organisational total $17.4M. 55/25/20 frequency split. Containment-time-as-cost-driver model (under 31 days $10.6M vs over 91 days $18.7M annually).
  • Verizon Data Breach Investigations Report: Attack-vector mix, breach action frequency, dwell-time distribution. Cross-checks IBM CODB findings with a different methodology (Verizon analyses confirmed breaches; IBM surveys respondents on per-breach cost).
  • PagerDuty incident surveys: P1 incident average cost $794K; 25 P1 incidents/yr per typical organisation; downtime cost per minute by company size ($425-$9K/min SMB, $9K-$23.75K/min mid-market, $23.75K-$40K/min enterprise).
  • Atlassian Incident Management Handbook: Severity-tier framework (SEV1-SEV5), incident response process model, MTTR practitioner benchmarks, postmortem and blameless review framework. Anchors our severity mapping in /incident-cost-index and /by-size.
  • Google SRE Workbook: Error-budget economics, MTTD x MTTR x per-day-of-dwell cost model, toil-vs-engineering trade-off framing. The $24K/day-of-dwell anchor on /mttd-mttr derives from the IBM $1.9M AI savings / ~80 days reduction quotient, framed in Google SRE terms.
  • Mandiant M-Trends (2024 report): Global median dwell time 11 days; per-region and per-sector breakdowns; attribution to threat-actor families. Cross-checks the IBM 181-day MTTI figure (IBM measures breaches end-to-end; Mandiant measures attacker dwell in confirmed incidents).
  • Resilience (insurer claims data): Average insured ransomware loss $1.18M in 2025 (+17 percent YoY, up from $1.01M); insurer-claims-anchored figures. Cross-checks the Sophos recovery-cost and Coveware payment data on /types/ransomware.
  • Coveware: Ransom payment data: Q4 2025 average payment $591,988, median $325,000, payment rate ~20% (a historic low). Pay-vs-no-pay outcome data by quarter.
  • ITIC: 91 percent of enterprises over $50M revenue report downtime cost above $300K/hr. High-end bands $1M-$5.6M/hr. Cross-checks PagerDuty per-minute figures via a different sample frame.
  • FireHydrant: On-call team size distribution, page volume per on-call engineer, MTTA distribution. Anchors the on-call staffing cost component of the /incident-management-cost page.
  • Four-phase IR framework: preparation, detection/analysis, containment/eradication/recovery, post-incident activity. Maps cleanly onto the IBM CODB four-activity cost model.
  • ITIL 4 Foundation (periodic refresh): Incident-vs-problem distinction, change-as-incident-driver framing, severity classification practice. Anchors the operational-incident framing on /types/service-outage and the glossary entries for incident vs event.
  • IR firm public guidance: Mandiant, CrowdStrike Services, Kroll, Stroz Friedberg, Coveware, Arete, Unit 42 (Palo Alto), Sygnia, NCC Group. Used for tier-band hourly and retainer ranges only. We do not publish per-firm price points where the firm has not disclosed them publicly.
  • Regulatory enforcement sources: GDPR (CMS Enforcement Tracker, GDPRhub), HIPAA Breach Notification Rule (HHS OCR), PCI-DSS non-compliance fees (card networks). Drives the /types/compliance figures.

Calculation framework

Four-component incident cost formula
Total = Direct + Revenue Loss + Productivity Loss + Second-Order. Maps onto the IBM CODB four-activity model (detection/escalation, notification, post-breach response, lost business). Worked example on /how-to-calculate.
MTTD x MTTR x per-day-of-dwell
Lifecycle cost component used on /mttd-mttr. IBM's $1.9M AI saving over the ~80-day lifecycle reduction = ~$24K per day of dwell. The Google SRE Workbook frames this as error-budget burn rate per unit time.
Severity-tier multipliers (SEV1-SEV5)
From Atlassian Incident Management Handbook + PagerDuty severity model. SEV1 = full outage, all-hands response. SEV5 = informational. Drives the severity-banded entries in /incident-cost-index.
Per-industry multipliers (calibrated to IBM CODB 2025)
Healthcare 1.67x global average, financial 1.37x, technology 1.23x, energy 1.19x, industrial 1.06x, services 1.06x, retail 0.78x, public sector 0.61x, education 0.56x. Used on /by-industry to derive sector-specific bands.
Hourly downtime model
Downtime cost = (Revenue / 8760 x IT-dependency factor x industry multiplier x time-of-day multiplier) + (Employees affected x loaded hourly rate x duration) + SLA penalties + recovery ramp. Worked example on /types/service-outage. Cross-validated against PagerDuty per-minute bands and ITIC hourly bands.
Response-cost tier bands
IR firm public guidance gives hourly bands. Without retainer: $800-$1,500/hr senior consultant top-tier firms; $300-$800/hr mid-tier. With retainer: $175-$400/hr. Annual retainer $10K-$100K. MDR $100K-$500K/yr. We do not publish per-firm price points where the firm has not disclosed them publicly.
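The four models above, implemented as plain TypeScript functions so the arithmetic behind a derived figure can be checked line by line. This is an added example, not code from IncidentCost.com or its lib/schema.ts; the multipliers and anchors are the ones quoted on this page, the sample outage scenario is constructed, and one assumption is flagged in the comments: the page writes the revenue term of the downtime model as an hourly rate, and the example multiplies it by the outage duration so that both terms are totals for the outage.

```typescript
// Added example (not the site's own code): the four-component formula,
// the per-day-of-dwell quotient, the per-industry multipliers and the
// hourly downtime model from the calculation framework, as plain functions.

const HOURS_PER_YEAR = 8760;

// IBM CODB 2025 global average breach cost, as quoted on this page.
const GLOBAL_AVG_BREACH_COST = 4440000;

// Per-industry multipliers calibrated to IBM CODB 2025, as quoted on this page.
const INDUSTRY_MULTIPLIER = {
  healthcare: 1.67,
  financial: 1.37,
  technology: 1.23,
  energy: 1.19,
  industrial: 1.06,
  services: 1.06,
  retail: 0.78,
  publicSector: 0.61,
  education: 0.56,
} as const;

type Sector = keyof typeof INDUSTRY_MULTIPLIER;

// Sector-specific breach cost = global average x sector multiplier.
function sectorBreachCost(sector: Sector): number {
  return GLOBAL_AVG_BREACH_COST * INDUSTRY_MULTIPLIER[sector];
}

// Per-day-of-dwell anchor: IBM's $1.9M AI saving spread over the ~80-day
// lifecycle reduction, i.e. $23,750, rounded on the site to ~$24K/day.
function perDayOfDwell(aiSavings: number = 1900000, daysReduced: number = 80): number {
  return aiSavings / daysReduced;
}

// MTTD x MTTR x per-day-of-dwell: lifecycle cost of an incident that takes
// mttdDays to detect and a further mttrDays to contain and recover.
function dwellCost(mttdDays: number, mttrDays: number, perDay: number = perDayOfDwell()): number {
  return (mttdDays + mttrDays) * perDay;
}

// Four-component incident cost formula: Total = Direct + Revenue Loss +
// Productivity Loss + Second-Order.
function totalIncidentCost(direct: number, revenueLoss: number, productivityLoss: number, secondOrder: number): number {
  return direct + revenueLoss + productivityLoss + secondOrder;
}

interface OutageInputs {
  annualRevenue: number;       // USD per year
  itDependency: number;        // 0..1: share of revenue that stops when IT stops
  industryMultiplier: number;  // from INDUSTRY_MULTIPLIER
  timeOfDayMultiplier: number; // 1.0 = an average hour
  durationHours: number;
  employeesAffected: number;
  loadedHourlyRate: number;    // USD per hour (BLS OEWS is the site's public anchor)
  slaPenalties: number;        // USD, contractual credits owed
  recoveryRamp: number;        // USD, post-restoration catch-up cost
}

// Hourly downtime model. Assumption of this example: the revenue term is an
// hourly rate on the page, so it is multiplied by durationHours here to give
// a total for the outage, matching the units of the productivity term.
function downtimeCost(i: OutageInputs): number {
  const revenuePerHour = i.annualRevenue / HOURS_PER_YEAR;
  const revenueLoss =
    revenuePerHour * i.itDependency * i.industryMultiplier * i.timeOfDayMultiplier * i.durationHours;
  const productivityLoss = i.employeesAffected * i.loadedHourlyRate * i.durationHours;
  return revenueLoss + productivityLoss + i.slaPenalties + i.recoveryRamp;
}

// Constructed scenario (not a real incident): a technology firm with $50M
// annual revenue loses its customer-facing service for four hours.
const SAMPLE_OUTAGE: OutageInputs = {
  annualRevenue: 50000000,
  itDependency: 0.6,
  industryMultiplier: INDUSTRY_MULTIPLIER.technology,
  timeOfDayMultiplier: 1.0,
  durationHours: 4,
  employeesAffected: 200,
  loadedHourlyRate: 75,
  slaPenalties: 20000,
  recoveryRamp: 10000,
};

function sampleOutageCost(): number {
  return downtimeCost(SAMPLE_OUTAGE);
}

console.log(`healthcare breach cost: $${sectorBreachCost("healthcare").toFixed(0)}`);
console.log(`per day of dwell: $${perDayOfDwell().toFixed(0)}`);
console.log(`sample 4h outage: $${sampleOutageCost().toFixed(0)}`);
```

Running it reproduces the page's anchors: healthcare comes out at $7.41M against the quoted $7.42M (rounding in the published multiplier), and the dwell quotient is exactly $23,750. In the constructed outage the productivity term dominates the revenue term by more than three to one, which is the usual shape for a short outage at a mid-sized firm and is why the loaded hourly rate input matters more than the revenue input for incidents under a day.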

In scope

  • Per-incident cost figures with named primary-source citation.
  • Tier bands for IR firms (Mandiant, CrowdStrike, Kroll, Coveware, Arete, Unit 42, Sygnia, NCC Group) where publicly disclosed.
  • Industry and company-size segmentation of cost where the underlying source provides it.
  • MTTD, MTTR, MTTC benchmarks from IBM CODB, Mandiant M-Trends, PagerDuty, and FireHydrant.
  • Regulatory fine schedules with named statute or framework citation (GDPR Article 83, HIPAA Tier 1-4, PCI DSS card-brand fees).
  • Public-incident retrospective in band form, sourced to SEC filings, 10-K disclosures, court settlements, or regulatory enforcement actions.

Out of scope

  • Per-firm IR pricing where the firm has not disclosed it publicly. We publish the band rather than inventing per-firm rates.
  • Specific organisations' breach costs beyond what they have disclosed in SEC filings or court records. Where a public figure exists we cite it; where it does not we report band-only.
  • Ransomware payment recommendations. We reproduce published guidance from US Treasury OFAC, FBI IC3, and CISA. We do not advise on whether to pay.
  • Specific cyber-insurance broker or carrier recommendations. We publish market shape and claims-trend data; we do not steer to named brokers.
  • Per-vendor SIEM/XDR/EDR/MDR pricing beyond named vendor list pricing. Negotiated enterprise rates are excluded.
  • Loaded internal hourly rates. We use BLS OEWS occupation 15-1212 (Information Security Analysts) as the public anchor.

Refresh cadence

Every figure on the site is re-verified in the first business week of each month. The site has a single LAST_VERIFIED_DATE constant (lib/schema.ts) that drives every date stamp in the footer, the schema, and the per-page banners. Current verified date: June 2026.

Out-of-cycle refreshes are triggered by:

  • New IBM Cost of a Data Breach Report edition (annual Jul-Aug)
  • New Verizon DBIR edition (annual May)
  • New Ponemon Cost of Insider Risks edition
  • New Mandiant M-Trends edition
  • Material movement in IR-firm public retainer pricing (greater than 10 percent across the tier)
  • New ransomware-payment guidance from US Treasury OFAC or equivalent
  • Major regulatory fine schedule change (GDPR, HIPAA, PCI DSS)

Cosmetic date bumps without underlying figure changes are not made. Where a correction shifts a published band by 10 percent or more we roll LAST_VERIFIED_DATE forward across footer, schema, and banners in a single commit so the change is auditable.

Limitations

  • IBM and Ponemon are respondent-recall surveys. The cost figures are self-reported by organisations recalling breaches in the previous 12 months. Recall bias and selection bias both apply. Cross-checks against Verizon DBIR (action-frequency) and Mandiant M-Trends (dwell time) help triangulate but do not fully eliminate the bias.
  • Over-statement risk for very small organisations. IBM CODB's sample skews toward organisations with formal incident response programmes. Pure SMB sub-50-employee figures are extrapolated; treat the SMB band ($120K-$1.24M on /by-size) as approximate.
  • Under-statement risk for catastrophic-loss scenarios. The Change Healthcare $2.87B+ and CrowdStrike BSOD $5.4B+ events fall outside the IBM CODB / Ponemon distribution. Catastrophic outliers are covered on /famous-incidents in band form, not folded into the averages.
  • IR firm public guidance drifts. Mandiant, CrowdStrike Services, and Kroll do not publish a formal rate card. Tier bands move with market conditions; we refresh on disclosed changes plus the monthly verification cycle.
  • Regulatory fine schedules can shift mid-year. HIPAA penalty caps adjust annually; GDPR enforcement priorities evolve; PCI DSS v4 transition completed March 2025 with knock-on fee implications. Out-of-cycle refresh triggers apply.

Editorial position

This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell incident-response retainers, does not run a forensics practice, does not broker cyber insurance, and does not accept paid placements from any IR firm, MDR provider, SIEM vendor, or cyber insurer. See /about for the operator and the wider portfolio.

Editorial direction is set by Digital Signet's editor. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication. Where a figure is derived rather than quoted, the inputs and the calculation are visible on the source page (most prominently /how-to-calculate).

Corrections process

For corrections, methodology questions, or scenarios that do not fit cleanly: [email protected]. We aim to acknowledge correction requests within five business days. Where a correction shifts a published band by 10 percent or more we roll LAST_VERIFIED_DATE forward across footer, schema, and banners in a single commit so the change is auditable. For the interactive calculator that translates a hypothetical scenario into a budget figure, see sister site incidentcostcalculator.com.

IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.