Security Basics mailing list archives
Fwd: Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 10 Jun 2009 15:41:54 -0400
From the folks at Attrition and the DataLossDB.
---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 10, 2009 2:40 PM
Subject: Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

http://web.interhack.com/publications/interhack-breach-taxonomy.pdf

Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
C. Matthew Curtin, CISSP and Lee T. Ayres, CISSP

Abstract

Where should defenses be deployed? Security managers can answer the question by knowing what types of breaches there are, and the rates that they occur relative to one another. A number of methods for determining such rates have been proposed with a view to helping with this decision making. Unfortunately, such methods sometimes tend towards anecdote, might be part of a marketing campaign, or lack the context needed to drive informed decisions. We propose a taxonomy to classify incidents of the loss of control over sensitive information. The taxonomy is hierarchical in nature, allowing classification of incidents to a level of precision appropriate to the amount of information available. Analysis of incidents using the taxonomy may also work with the precision appropriate given the question at hand and data available. We then explore the proportion of breach types in a subset of data losses accumulated by the Identity Theft Resource Center (ITRC). Using the 2002 North American Industry Classification System (NAICS), we classify breach events according to the industry sector in which they occurred. We conclude that the taxonomy is useful and that analysis of incidents by type and industry yields results that can be instructive to practitioners who need to understand how and where breaches are actually occurring.
For example, the Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionately large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but their share of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
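The sector-versus-set comparison the abstract describes, written out as an added example that is not from the paper or the list. The incident counts are constructed, and the pooled two-proportion z-test (sector against the rest of the set, flagged at |z| >= 1.96) is an assumed choice, since the abstract does not name its test; the breach-type names follow the abstract and the sector names follow NAICS 2002.

```python
"""Proportion-by-sector analysis of breach types, in the spirit of the abstract."""
from math import sqrt

# Breach-type categories named in the abstract.
TYPES = ("lost_stolen_hardware", "compromised_host",
         "insider_misconduct", "processing_error")

# Constructed incident counts per sector, in TYPES order (illustrative only,
# not the ITRC data analysed in the paper).
COUNTS = {
    "Health Care and Social Assistance": (60, 10, 12, 18),
    "Educational Services":              (15, 55, 5, 15),
    "Public Administration":             (30, 12, 10, 48),
    "Finance and Insurance":             (25, 20, 40, 5),
    "Retail Trade":                      (28, 24, 22, 26),
}

def proportions(counts):
    """Share of each breach type within one sector's incidents."""
    total = sum(counts)
    return {t: n / total for t, n in zip(TYPES, counts)}

def z_test(k1, n1, k2, n2):
    """Pooled two-proportion z statistic: k1/n1 (sector) vs k2/n2 (rest of set).
    Assumed test; the abstract does not say which test the authors used."""
    p = (k1 + k2) / (n1 + n2)
    se = sqrt(p * (1 - p) * (1 / n1 + 1 / n2))
    return (k1 / n1 - k2 / n2) / se

def deviations(counts=COUNTS, z_crit=1.96):
    """Return {sector: {type: (share, z)}} for breach types whose share in a
    sector differs significantly from the share in all other sectors."""
    totals = [sum(col) for col in zip(*counts.values())]  # per-type totals
    grand = sum(totals)
    out = {}
    for sector, row in counts.items():
        n1 = sum(row)          # incidents in this sector
        n2 = grand - n1        # incidents in the rest of the set
        for i, t in enumerate(TYPES):
            k1, k2 = row[i], totals[i] - row[i]
            z = z_test(k1, n1, k2, n2)
            if abs(z) >= z_crit:
                out.setdefault(sector, {})[t] = (round(k1 / n1, 3), round(z, 2))
    return out

if __name__ == "__main__":
    for sector, flagged in deviations().items():
        for t, (share, z) in flagged.items():
            print(f"{sector}: {t} share={share:.3f} z={z:+.2f}")
```

With the constructed counts the flagged cells mirror the abstract's findings, and Retail Trade, whose shares sit near the set-wide average, is not flagged at all.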