# data breach has occurred
1. track the damage, how much data was lost? what's the price tag?
2. find the weak spots. which systems and regions took the hardest hit?

In [1]:
#data pipeline - collect incidents
#clean missing values
#standardize: attack type, severity, impacted system

In [2]:
#analytics dashboard
#incidents per attack type
# misconfiguations vs external attacks
#average resolution time
#top impacted systems
#severity distribution

In [3]:
#rule based decision system
#since ml not feasible, implement rules

In [4]:
#prepare for ml when more data arrives

In [5]:
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns

In [6]:
df = pd.read_excel('MINI ITC 2025.xlsx')

In [7]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 100 entries, 0 to 99
Data columns (total 10 columns):
 #   Column                         Non-Null Count  Dtype  
---  ------                         --------------  -----  
 0   system_name                    100 non-null    object 
 1   region                         100 non-null    object 
 2   attack_type                    100 non-null    object 
 3   data_sensitivity_level         100 non-null    int64  
 4   records_exposed                100 non-null    int64  
 5   estimated_cost_per_record_usd  100 non-null    float64
 6   estimated_total_cost_usd       100 non-null    float64
 7   detection_delay_days           100 non-null    int64  
 8   response_time_days             100 non-null    int64  
 9   notification_required          100 non-null    object 
dtypes: float64(2), int64(4), object(4)
memory usage: 7.9+ KB


In [8]:
df.isna().sum()

system_name                      0
region                           0
attack_type                      0
data_sensitivity_level           0
records_exposed                  0
estimated_cost_per_record_usd    0
estimated_total_cost_usd         0
detection_delay_days             0
response_time_days               0
notification_required            0
dtype: int64

In [9]:
df.duplicated().sum()

0

In [10]:
df.head()
#each row represents a single security breach event

Unnamed: 0,system_name,region,attack_type,data_sensitivity_level,records_exposed,estimated_cost_per_record_usd,estimated_total_cost_usd,detection_delay_days,response_time_days,notification_required
0,CRM,latam-south2,External Hacker,4,56681,17.91,1014973.29,18,7,Yes
1,CRM,ca-central1,Misconfiguration,4,97901,18.07,1769502.68,10,9,Yes
2,Support,africa-south1,Misconfiguration,3,16274,13.34,217074.77,3,3,Yes
3,Billing,asia-south1,Insider,5,41640,21.44,892759.36,9,4,Yes
4,HR,eu-north1,Misconfiguration,5,45484,21.09,959464.03,7,7,Yes


In [11]:
df['system_name'].value_counts()

system_name
Billing      22
Support      21
Analytics    20
CRM          19
HR           18
Name: count, dtype: int64

In [12]:
df['region'].value_counts()

region
ca-central1      5
eu-north1        5
ap-south1        5
ap-northeast2    5
ap-northeast1    5
us-east1         5
asia-east1       5
latam-south2     4
latam-south1     4
ap-south2        4
eu-central2      4
eu-west2         4
ap-southeast1    4
us-west2         4
us-central2      4
me-central1      4
latam-north1     4
us-east3         3
us-west1         3
us-east2         3
africa-south1    3
ap-southeast2    3
us-central1      3
eu-central1      3
eu-west1         2
asia-south1      2
Name: count, dtype: int64

In [13]:
df['attack_type'].value_counts()
#misconfiguration - internal mistake where a system is set up incorrectly, leaving it exposed
#external hacker - someone outside the organization who breaks in intentionally
#insider - someone inside the organization misusing their access (can be malicious or negligent)

attack_type
Misconfiguration    68
External Hacker     16
Insider             16
Name: count, dtype: int64

In [14]:
df['data_sensitivity_level'].value_counts()

data_sensitivity_level
5    32
4    24
3    24
2    14
1     6
Name: count, dtype: int64

In [15]:
df.sort_values(by='estimated_total_cost_usd', ascending=False)

Unnamed: 0,system_name,region,attack_type,data_sensitivity_level,records_exposed,estimated_cost_per_record_usd,estimated_total_cost_usd,detection_delay_days,response_time_days,notification_required
6,Billing,latam-north1,Misconfiguration,5,121863,20.98,2556820.26,8,10,Yes
70,Billing,ap-northeast1,Misconfiguration,5,111309,22.20,2471140.33,12,8,Yes
84,Billing,ap-south1,Misconfiguration,5,119149,20.65,2460599.64,16,10,Yes
18,Billing,us-west2,Misconfiguration,5,97122,20.02,1944103.28,11,7,Yes
50,Billing,me-central1,Misconfiguration,4,95700,19.97,1911226.49,16,4,Yes
...,...,...,...,...,...,...,...,...,...,...
94,CRM,ap-northeast1,Misconfiguration,4,4753,14.88,70718.62,17,12,Yes
47,Support,latam-south2,Misconfiguration,4,3798,17.26,65557.41,9,10,Yes
80,Analytics,us-west2,External Hacker,1,11403,5.01,57098.71,9,5,No
97,Analytics,eu-central2,Misconfiguration,1,11120,3.49,38762.46,15,8,Yes


In [16]:
df.sort_values(by='estimated_cost_per_record_usd', ascending=False)

Unnamed: 0,system_name,region,attack_type,data_sensitivity_level,records_exposed,estimated_cost_per_record_usd,estimated_total_cost_usd,detection_delay_days,response_time_days,notification_required
77,HR,us-central2,Misconfiguration,5,56835,23.63,1342820.04,16,7,Yes
24,CRM,us-east3,Misconfiguration,5,38174,22.96,876624.38,7,9,Yes
79,Billing,ca-central1,Misconfiguration,5,22032,22.90,504431.92,12,11,Yes
13,Billing,us-central2,External Hacker,5,67983,22.40,1523155.45,14,6,Yes
70,Billing,ap-northeast1,Misconfiguration,5,111309,22.20,2471140.33,12,8,Yes
...,...,...,...,...,...,...,...,...,...,...
65,Analytics,us-east3,Insider,1,21948,6.11,134065.58,11,8,No
59,Analytics,ap-northeast1,Misconfiguration,1,20397,5.43,110760.18,12,8,No
80,Analytics,us-west2,External Hacker,1,11403,5.01,57098.71,9,5,No
86,Analytics,ap-southeast1,External Hacker,1,2764,4.62,12777.50,11,10,No


In [17]:
#calculate total and average cost by system, region, and attack_type

In [20]:
avg_cost_by_system = df.groupby(['system_name'])['estimated_total_cost_usd'].mean().reset_index()
avg_cost_by_system

Unnamed: 0,system_name,estimated_total_cost_usd
0,Analytics,135841.8
1,Billing,1305647.0
2,CRM,866119.3
3,HR,1092697.0
4,Support,288095.7


In [21]:
total_cost_by_system = df.groupby(['system_name'])['estimated_total_cost_usd'].sum().reset_index()
total_cost_by_system

Unnamed: 0,system_name,estimated_total_cost_usd
0,Analytics,2716835.05
1,Billing,28724234.86
2,CRM,16456266.25
3,HR,19668537.43
4,Support,6050008.76


In [24]:
avg_cost_by_region = df.groupby(['region'])['estimated_total_cost_usd'].mean().reset_index()
avg_cost_by_region

Unnamed: 0,region,estimated_total_cost_usd
0,africa-south1,480011.0
1,ap-northeast1,885040.8
2,ap-northeast2,735044.0
3,ap-south1,823180.4
4,ap-south2,578442.1
5,ap-southeast1,426867.4
6,ap-southeast2,811892.2
7,asia-east1,496993.7
8,asia-south1,523565.9
9,ca-central1,677959.6


In [25]:
total_cost_by_region = df.groupby(['region'])['estimated_total_cost_usd'].sum().reset_index()
total_cost_by_region

Unnamed: 0,region,estimated_total_cost_usd
0,africa-south1,1440033.04
1,ap-northeast1,4425203.97
2,ap-northeast2,3675220.11
3,ap-south1,4115902.05
4,ap-south2,2313768.59
5,ap-southeast1,1707469.7
6,ap-southeast2,2435676.61
7,asia-east1,2484968.72
8,asia-south1,1047131.86
9,ca-central1,3389798.08


In [26]:
avg_cost_by_attack = df.groupby(['attack_type'])['estimated_total_cost_usd'].mean().reset_index()
avg_cost_by_attack

Unnamed: 0,attack_type,estimated_total_cost_usd
0,External Hacker,723930.538125
1,Insider,573452.64
2,Misconfiguration,777319.875


In [27]:
total_cost_by_attack = df.groupby(['attack_type'])['estimated_total_cost_usd'].sum().reset_index()
total_cost_by_attack

Unnamed: 0,attack_type,estimated_total_cost_usd
0,External Hacker,11582888.61
1,Insider,9175242.24
2,Misconfiguration,52857751.5


In [28]:
#top 3 costliest incidents + characteristics
top_3_costliest = df.sort_values(by='estimated_total_cost_usd', ascending=False).head(3)
top_3_costliest

#all happened in billing, all misconfigurations, all high data sensitivity levels
# 100k+ records exposed each event
#took 8-16 days for company to notice
#took 8-10 days for company to fix

Unnamed: 0,system_name,region,attack_type,data_sensitivity_level,records_exposed,estimated_cost_per_record_usd,estimated_total_cost_usd,detection_delay_days,response_time_days,notification_required
6,Billing,latam-north1,Misconfiguration,5,121863,20.98,2556820.26,8,10,Yes
70,Billing,ap-northeast1,Misconfiguration,5,111309,22.2,2471140.33,12,8,Yes
84,Billing,ap-south1,Misconfiguration,5,119149,20.65,2460599.64,16,10,Yes
