Free Tool
Data Breach Cost Calculator
Pick your industry, set your identity count, and give an honest read of your IAM maturity. The calculator applies the annualized loss expectancy model from the AXIS methodology and shows what one level of maturity improvement is worth in dollars. No signup, nothing leaves your browser.
Breach cost calculator
Employees, contractors, service accounts, and customers combined.
Defaults to one level above your current score and never drops below it.
Annualized loss expectancy $2,000,000 to $2,490,000 at maturity 1.5.
Annualized loss expectancy
$2.0M to $2.5M ($2,000,000 to $2,490,000)
Modeled annual identity breach exposure for 25,000 identities in Technology/SaaS at maturity 1.5.
- Cost per record (Technology/SaaS)
- $160
- Potential annual risk reduction at maturity 2.5
- $340.0K to $400.0K ($340,000 to $400,000)
- Operational drag at current maturity
- 15,393 hrs/yr (7.4 FTE, $1.2M)
These are model outputs. They apply the ALE parameters from the AXIS methodology to what you entered above, nothing more. The weakest input is the maturity slider: most teams place themselves higher than a control-by-control review supports, which understates the exposure shown here.
Get Your Assessed ScoreThe Model
How This Is Calculated
The headline figure is an annualized loss expectancy: the breach cost the model expects your identity estate to accrue in a typical year, given your maturity. Four inputs drive it. The exact parameterization is part of the licensed AXIS methodology; here is what each input does and why.
1. Identity count
Every identity your organization manages is a record that can be exposed: employees, contractors, service accounts, customers. You set this number directly. It multiplies everything else, which is why identity sprawl shows up so quickly in breach cost research.
2. Cost per record
Each industry carries its own cost per exposed record, taken from IBM and Ponemon breach cost research as adopted in the AXIS methodology. Regulated industries sit at the top of the range. The calculator shows the figure it applied for your selection, so nothing about your result is a black box.
3. Risk factor
This is where maturity enters. The risk factor is the share of your theoretical exposure the model expects to materialize in a given year, and it falls as maturity rises. The calculator runs a conservative slope and an optimistic one and reports both, which is why you see a range rather than a single number.
4. Breach scale factor
Very large breaches cost less per record than small ones, so past 100,000 identities the model applies a documented discount that grows with breach size. Below the threshold the factor changes nothing, and the calculator notes when it is in play.
About the operational drag figure
The hours estimate uses a separate model from the same methodology section: manual IAM work scales with your maturity gap and with the size of your identity estate, priced at a fully loaded labor rate. It was calibrated against a published case study of a large health system. Full derivations for both models ship with the licensed AXIS methodology.
FAQ
Common Questions
Where do the cost-per-record numbers come from?
From IBM and Ponemon breach cost research, as adopted in the AXIS methodology. Each of the 7 industries in the model carries its own research-derived figure, with regulated industries at the top of the range. The calculator shows the figure it used for your selected industry; the full parameter set ships with the licensed methodology.
Why do I get a range instead of a single number?
Because the effect of maturity on breach cost is itself uncertain. The model runs two slopes for how strongly maturity reduces realized risk: a conservative one in line with published findings on what mature security controls actually save, and an optimistic one that assumes improvements across several IAM controls compound. Your true exposure most likely sits between the two.
What is the breach scale factor?
An adjustment for very large identity counts. Past 100,000 identities, the model applies a documented discount that grows with breach size, because per-record costs fall as breaches get bigger. Below the threshold it changes nothing, and the calculator tells you when it kicks in.
How do I get my real maturity score?
Run the AXIS assessment. It scores 37 controls across 9 identity domains, applies the same weighting and domino logic consulting firms use with clients, and takes about 20 minutes. The self-rated slider on this page grades intent; the assessment grades evidence.
The Model Is Only as Good as the Maturity Score You Feed It
A slider guess gets you a ballpark. The AXIS assessment scores 37 controls across 9 identity domains and gives you a defensible maturity score to put into this model, in about 20 minutes. No signup required to start.