Professor Sanjay Bakshi published the below list in response to the Maggi issue that Nestle is dealing with in India:
We can use the same decision tree to figure out impact from breaches or other security events:
1. Will the size of the addressable market be larger or smaller than it size just before the breach?
2. Will the company’s market share be larger or smaller than her market share before she landed in a jam?
3. Would the company need to spend more money on fixed assets and working capital to defend its market share?
4. Would the company have to spend more on Advertising to gain back its reputation? Would it be appropriate for value investors to treat ad spend as an investment instead of expense?
5. Would owner earnings generated from each product/service be higher or lower than before?
6. Would the company have to raise prices to compensate for better quality?
7. If yes,then would that result in shrinkage of market size and its market share?
8. Would the company have to pay significant penalties and fines to get out of this mess?
9. If the company is guilty, would customer forgive her?
10 Is this a strong signal to companies that,in this age of instant information dissemination, they can no longer have have different quality standards for their products sold online versus offline?
11. Are there other cockroaches in the kitchen?
This a very good start at the important questions to ask and substantially more detailed than cost per record or how much it costs to pay for credit monitoring. I mentioned in my previous breach impact analyses that the places to look include revenue, margins, cash flow, debt and customer retention, those metrics and others are a good way to measure the impact (if any) to the above questions