Educause Security Discussion mailing list archives

Re: Educational Security Incidents Year in Review - 2007 is now available


From: John Kristoff <jtk () DEPAUL EDU>
Date: Mon, 11 Feb 2008 08:50:01 -0600

On Mon, 11 Feb 2008 06:57:00 -0600
Adam Dodge <adam () ADAMDODGE COM> wrote:

2007 marked a significant change for information security incidents reported

This could be an interesting resource.  It might be useful to examine
things such as time between disclosure and when the incident actually
happened.  Perhaps there are trends year-by-year.  You may also want
to research various legal requirements on a state-by-state basis and
provide that as a resource, at least for the US institutions. You might
also consider taking into account the type of institution and its
responsibilities for disclosure since they are not all the same (e.g.
public versus private institution reporting requirements).  Correlation
between statutes, disclosure and incidents could prove enlightening.

Your comment:

  What I (Adam Dodge) discovered was shocking. As far back as the late
  1990's, educational institutions have been one of the most compromised
  industry sectors. Unfortunately, this trend continues today.  I (Adam
  Dodge) hope that by sharing my collected research through ESI this
  trend will change.

"Most compromised" is an interesting comment.  A number of others have
made similar claims in the past.  They often fail to take into account
disclosure policies of educational institutions versus private companies.
In my experience they also fail miserably at providing an apples to
apples comparison.  My advice would be to report what you find and try
to avoid biasing your results and editorializing your findings.  I can
give you numbers of security-related issues from a single corporate
entity that will blow all educational institutions out of the water, but
it's a pointless comparison in my view.  There is too much else to factor
in.

John
