Costs in hacking cases are mostly measured by time spent investigating & repairing * fully loaded employee costs. If you have to dump a bunch of servers and reload everything and audit your backups the costs rise very quickly.



True, but companies on the receiving end often end up also including the cost of things that they would need to do even in a responsible-disclosure scenario. For example, if you discover a major flaw in a company's system that allows high levels of access, and disclose it to them, they'll typically incur considerable costs patching it, rolling out the updates, doing a security audit to make sure it wasn't already quietly discovered earlier by a blackhat who might've backdoored something, etc.

When they do all those same things upon an actual intrusion, they often attribute the expenses to the hacker, but imo they're really attributable to the security flaw, since they'd be incurred even in the whitehat case. I'd only attribute to the hacker the delta between what blackhat disclosure and whitehat disclosure would cost.


You're absolutely correct - there are a lot of things that get rolled into damage cost estimates that aren't legitimate. I was just trying to explain how it's pretty easy for the actual & legitimate costs to be quite high as well.


Plus, takeout for the guys working the case.


The cost in donuts alone would be staggering.

