The organizations and companies that have the leakage of personal identifiable information (sometimesabbreviated as PII) should take a lot of necessary actions such as investigation, public relations,and compensation for customers. Especially, in Japan, mass media tend to broadcast security newsand these information leakage incidents as daily news. Therefore, the organizations or companies arealso interested in incident prevention and incident handling planning. On the other hand, it is pointedout that there is the difficulty of understanding cost-benefit of security investments. On top of that,the compensation for the victims in personal identifiable information leakage is not prescribed in regulationor guidelines, and there are only few cases of the civil trials for the compensation. Therefore,compensations are determined by past examples. In this paper, firstly, the authors briefly exploresthe model for security incidents cost-benefit analysis. Secondly, by the evaluation of real examplesand JO model, which is a current famous estimation model of compensation for personal identifiableinformation leakage, the authors show that the actual compensation in Japan, and then the gap betweenthe model and real examples. Finally, the authors points out the considerable points for modelin future sophistication.