Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Category 2: Breach exposure

Probabilistic Breach Exposure: Estimating Shadow IT Security Risk

Annualized loss expectancy applied to shadow IT. The inputs: breach cost from IBM's public benchmark, probability from your threat model or insurance, and a shadow-IT attribution assumption stated openly rather than hidden in an invented number.

Definition and formula

Annualized loss expectancy, adapted for shadow IT: ALE = breach probability x breach cost x shadow-IT attribution. The product is your estimated annual expected loss attributable to shadow-IT-related breach exposure. The formula is standard risk management (ALE = single loss expectancy x annualized rate of occurrence, with breach cost as the single loss expectancy and breach probability as the rate); the adaptation is splitting the probability into 'overall breach probability' (for which public data exists) and 'shadow-IT attribution' (for which you must disclose an explicit assumption). Because the three factors multiply, an error in any one of them passes straight through to the result, which is why each input is sourced and labelled separately below.

Sourcing each input

Breach cost. IBM's Cost of a Data Breach report is the standard public benchmark. It is a primary-source measurement (Ponemon Institute activity-based costing across roughly 600 organizations that experienced a breach in the prior year) with methodology disclosed in the report appendix. Use the industry-specific figure where possible: healthcare is consistently highest; financial services is second; retail and public sector are lower. If you have cyber insurance, your policy's per-incident limit is an alternative anchor; as a rule of thumb, the two figures should be within a factor of two of each other for a well-sized policy.

IBM CODB: IBM Cost of a Data Breach Report 2024 (research conducted by Ponemon Institute)

Measures: Average total cost of a data breach across surveyed organizations globally, by industry, region, and breach attribute.

Methodology: Annual study by Ponemon Institute, sponsored by IBM. Activity-based costing across roughly 600 organizations that experienced a breach in the prior year. Methodology disclosed in the report appendix.

Trust: Primary research, peer-reviewed or official

https://www.ibm.com/reports/data-breach

Breach probability. Three defensible sources. (1) Your cyber insurance carrier's actuarial rate from your quote materials. (2) Your organization's threat model output if you maintain one. (3) A threat-model estimate anchored by Verizon DBIR incident pattern data at the industry level, adjusted for your organization's size and security maturity. Note that DBIR counts the incidents and breaches contributed to it and has no population denominator, so it gives you the pattern distribution for your industry, not a per-organization base rate; the base rate still has to come from your own exposure estimate. Common defensible ranges are 5 to 25 percent per year depending on industry and posture.

Verizon DBIR: Verizon Data Breach Investigations Report 2024

Measures: Confirmed data breaches and security incidents analysed across thousands of organizations, with breach pattern, action, and asset breakdowns.

Methodology: Aggregated incident data from Verizon and 80-plus contributing organizations including law enforcement and CSIRTs. Methodology disclosed in the report. Counts incidents and breaches; not a cost study.

Trust: Primary research, peer-reviewed or official

https://www.verizon.com/business/resources/reports/dbir/

Shadow-IT attribution. This is the hardest input to source and the one most often skipped. There is no public benchmark for what fraction of breach probability is specifically attributable to shadow IT because the counterfactual (what the probability would be without shadow IT) is not measured in any primary research. State your assumption explicitly. Common defensible ranges are 10 to 30 percent of total breach probability for organizations with meaningful shadow IT exposure. Run sensitivity analysis across that range rather than picking a single point.

Worked calculation

Inputs for an illustrative 1,000-employee mid-market financial services firm: breach cost (industry average): $6.08 million (IBM 2024 financial services); breach probability: 10 percent per year (carrier-quoted actuarial rate); shadow-IT attribution: 15 percent (labelled assumption, centre of the 10 to 30 percent typical range).

ALE = $6.08M x 10 percent x 15 percent = $91,200. Low-bound (probability 5 percent, attribution 10 percent): $30,400. High-bound (probability 20 percent, attribution 30 percent): $364,800. Report the expected value with the range visible.
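The calculation above, carried through with the bounds and a full sensitivity sweep, as an added example in Python; it is not code from the ShadowITCost page. The input values are the page's own (the $6.08M IBM 2024 financial services figure, the 10 percent carrier-quoted probability, the 15 percent attribution assumption, and the 5 to 20 percent and 10 to 30 percent bounds of the worked calculation). The Input record, the provenance labels, the anchors_agree helper for the page's factor-of-two rule of thumb, and the board_lines formatter are this example's own constructs.

```python
"""Shadow-IT breach exposure: ALE = breach cost x breach probability x attribution,
with every input carrying a provenance label and a sensitivity sweep over the ranges.
Added example; not the page's own code."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Input:
    """One formula input with its provenance, so the label travels with the number.
    (Example construct: the page labels inputs in prose, not in code.)"""
    name: str
    value: float
    provenance: str   # "cited" (public benchmark or carrier quote) or "assumption"
    source: str


def ale(breach_cost: float, breach_probability: float, attribution: float) -> float:
    """Annual expected loss attributable to shadow IT. Probability and attribution are fractions."""
    if breach_cost < 0:
        raise ValueError("breach cost must be non-negative")
    for label, v in (("breach_probability", breach_probability), ("attribution", attribution)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{label} must be a fraction in [0, 1], got {v}")
    return breach_cost * breach_probability * attribution


def sensitivity(breach_cost: float, prob_range, attr_range) -> dict:
    """ALE at every (probability, attribution) pair; the corners of the ranges give the bounds."""
    return {(p, a): ale(breach_cost, p, a) for p, a in product(prob_range, attr_range)}


def exposure(cost: Input, prob: Input, attr: Input, prob_range, attr_range) -> dict:
    """Expected value plus the low and high bounds from the sweep, rounded to whole dollars,
    and the list of inputs that are assumptions rather than citations."""
    grid = sensitivity(cost.value, prob_range, attr_range)
    return {
        "expected": round(ale(cost.value, prob.value, attr.value)),
        "low": round(min(grid.values())),
        "high": round(max(grid.values())),
        "assumptions": [i.name for i in (cost, prob, attr) if i.provenance == "assumption"],
    }


def anchors_agree(benchmark_cost: float, policy_limit: float, factor: float = 2.0) -> bool:
    """The page's rule of thumb: the IBM industry figure and the per-incident policy limit
    should be within a factor of two of each other for a well-sized policy."""
    if benchmark_cost <= 0 or policy_limit <= 0:
        raise ValueError("both anchors must be positive")
    ratio = benchmark_cost / policy_limit
    return 1.0 / factor <= ratio <= factor


def board_lines(cost: Input, prob: Input, attr: Input, result: dict) -> list:
    """The three-line board framing: each input shown with its label so it can be challenged."""
    return [
        f"(1) Breach cost benchmark: ${cost.value:,.0f} per breach [{cost.provenance}: {cost.source}]",
        f"(2) Annual breach probability: {prob.value:.0%} [{prob.provenance}: {prob.source}]",
        f"(3) Shadow-IT attribution: {attr.value:.0%} [{attr.provenance}: {attr.source}]",
        f"Expected annual shadow-IT-attributable loss: ${result['expected']:,} "
        f"(range ${result['low']:,} to ${result['high']:,})",
    ]


# Inputs from the page's worked calculation (illustrative 1,000-employee financial services firm).
BREACH_COST = Input("breach cost", 6.08e6, "cited", "IBM Cost of a Data Breach 2024, financial services")
BREACH_PROB = Input("breach probability", 0.10, "cited", "carrier-quoted actuarial rate")
ATTRIBUTION = Input("shadow-IT attribution", 0.15, "assumption", "centre of the 10 to 30 percent range")
PROB_RANGE = (0.05, 0.10, 0.20)   # probability bounds used in the page's worked calculation
ATTR_RANGE = (0.10, 0.15, 0.30)   # attribution bounds used in the page's worked calculation

if __name__ == "__main__":
    result = exposure(BREACH_COST, BREACH_PROB, ATTRIBUTION, PROB_RANGE, ATTR_RANGE)
    for line in board_lines(BREACH_COST, BREACH_PROB, ATTRIBUTION, result):
        print(line)
```

Running the block prints the three labelled inputs and the $91,200 expected value with its $30,400 to $364,800 range. The sweep is deliberately over the Cartesian product of both ranges rather than two separate one-at-a-time sweeps, because the two uncertain factors multiply and the corners are where the extremes sit.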

How shadow IT actually contributes to breach probability

The usual channels, in rough priority order. Credential reuse: shadow apps with no SSO often lead to work-email credentials reused across unmanaged apps, amplifying the impact of any credential compromise. Data in unmanaged apps: regulated or confidential data ends up in apps without DLP, with no backup, and with unclear data retention. Offboarding gaps: employees leave with access to shadow apps that IT never had on the offboarding checklist, creating lingering access. Third-party processor chains: shadow SaaS often sub-processes further vendors; each additional processor is a breach pathway.

None of these are quantified in peer-reviewed literature with attribution percentages. They are operational narratives that justify the range 10 to 30 percent as plausible rather than a narrower or wider range. The sensitivity analysis across that range is where the board conversation actually happens.

Common mistakes to avoid

Quoting $4.88 million (or similar IBM global average) as 'what shadow IT costs' without multiplying by probability and attribution. That overstates the annual expected loss by well over an order of magnitude: against the worked calculation above, the $4.88 million headline is more than 50 times the $91,200 ALE. Claiming a specific attribution percentage (for example 'shadow IT causes 35 percent of breaches') without labelling it as an assumption; that is not supported by primary research. Using a vendor-published breach premium figure as if it were a measurement of shadow IT specifically; vendor content often paraphrases IBM's findings in ways that lose the methodology.

The defensible framing

IBM's figure is the public cost benchmark for a breach. Your expected annual shadow-IT-attributable breach loss is IBM industry figure times your annual breach probability times your explicitly-disclosed shadow-IT attribution percentage. All three inputs are cited or labelled as assumptions. The output is a bounded estimate, not a forecast.


Frequently asked questions

Can I really attribute breach probability specifically to shadow IT?
Not precisely. Attributing breach probability specifically to shadow IT is not a solved problem in the security literature; any specific percentage is a judgement, not a measurement. The defensible approach is to state your attribution explicitly (typical range 10 to 30 percent), show a sensitivity analysis across that range, and identify it as an assumption rather than a finding. That is more defensible than quoting a big IBM number and calling it shadow IT cost.

How do I source breach probability if I do not have insurance?
Use Verizon DBIR incident pattern data as the anchor for your threat-model estimate. DBIR publishes annual incident volumes and pattern distributions across industries, but it has no population denominator, so it tells you which patterns dominate in your industry rather than how likely any one organization is to be breached in a year. Convert DBIR industry-level pattern data to an organization-level probability by adjusting for your organization's size, security maturity, and exposure. If you have a threat model, the output of that model is the defensible input. If you have neither insurance nor a threat model, a 5 to 25 percent annual probability range is a defensible planning assumption to cite with a 'subjective threat-model estimate' label.

Why does IBM's headline figure show up everywhere and what does it actually measure?
IBM's Cost of a Data Breach report (conducted by Ponemon Institute) publishes an annual global average total cost across approximately 600 organizations that experienced a breach in the prior year. The most-quoted figure is the global average ($4.88 million in the 2024 report). It is a primary-source measurement of those 600 organizations, using activity-based costing, with methodology disclosed in the report appendix. It is a defensible benchmark for breach cost; it is not a measure of what a breach would cost your organization specifically.

Should I use the industry-specific IBM number rather than the global average?
Yes. IBM publishes industry splits. Healthcare consistently reports the highest per-breach cost (typically $9 to 12 million in recent reports), financial services is the second highest ($5 to 7 million), public sector and retail are typically lower ($2 to 4 million). Use the industry figure closest to your organization, and document the year you drew it from because the numbers move year over year.

What about the IBM 'shadow data' premium figure I have seen quoted?
IBM has in recent years published a specific finding that breaches involving 'shadow data' cost more than average, typically cited as a double-digit percentage premium. That finding is citable from the IBM report with the same primary-source label as the global average. What is not citable is specific claims that circulate in vendor content such as 'shadow IT breaches cost X dollars' without linking to the IBM finding directly; those are typically paraphrases that lose the methodological context. Note also that 'shadow data' (data stored outside managed repositories) is not the same thing as shadow IT (unsanctioned applications), so the premium is an adjacent finding, not a direct measurement of shadow-IT breach cost.

How do I present breach exposure on a board deck without over-claiming?
Three lines: (1) IBM public benchmark: $X million per breach at our industry level [cite IBM 2024]; (2) our annualized breach probability: Y percent [cite insurance or threat model]; (3) our shadow-IT attribution assumption: Z percent [cite as an explicit assumption, not a measurement]. Multiply to get an expected value with a range. Present the three inputs visibly so any board member can challenge a specific assumption. That transparency is the point.