BreachExchange mailing list archives

Study Shows Finance, Education, Healthcare, and Government Lose Sensitive Personal Data Differently


From: security curmudgeon <jericho () attrition org>
Date: Sun, 26 Apr 2009 19:11:14 +0000 (UTC)


http://web.interhack.com/news/n2009/taxonomy

Study Shows Finance, Education, Healthcare, and Government Lose Sensitive 
Personal Data Differently

APRIL 23, 2009

Proposing a taxonomy for classifying data loss incidents 
with public information, Interhack has examined publicized data breaches 
by type and industry and found significant results for Finance, Education, 
Public Administration, and Health Care.

"We believe we can make a science of finding likelihood and helping 
defenses to be properly focused."
Matthew Curtin, Founder, Interhack

"We discovered a statistically significant distinction between the types of 
breaches that occur in several of the industry sectors," Matthew Curtin, 
founder of Interhack and co-author of the study, said. Curtin and Interhack 
Senior Analyst Lee Ayres created the taxonomy for the hierarchical 
classification of data losses and then applied it to a set of data 
breaches accumulated by the Identity Theft Resource Center. Curtin and 
Ayres classified breach events according to industry sector using the 2002 
North American Industry Classification System (NAICS).

The Health Care and Social Assistance sector reported a larger than 
average proportion of lost and stolen computing hardware, but reported an 
unusually low proportion of compromised hosts.  Educational Services 
reported a disproportionally large number of compromised hosts, while 
insider conduct and lost and stolen hardware were well below the 
proportion common to the set as a whole. Public Administration's 
proportion of compromised host reports was below average, but their 
proportion of processing errors was well above the norm. The Finance and 
Insurance sector experienced the smallest overall proportion of processing 
errors, but the highest proportion of insider misconduct. Other sectors 
showed no statistically significant difference from the average, either 
due to a true lack of variance, or due to an insignificant number of 
samples for the statistical tests being used.

The taxonomy and data breach study have many applications.  For one, 
finding likelihood of security incidents has been a sort of guessing game 
for information security practitioners.  "We believe we can make a science 
of finding likelihood and helping defenses to be properly focused," Curtin 
said.  "We have the analytical tools, and we see promise in the approach."

Curtin unveils the taxonomy and data breach study at RSA Conference 2009 
in San Francisco, California on April 23 in the presentation "Using Science 
to Battle Data Loss: Analyzing Breaches by Type and Industry."

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
