BreachExchange mailing list archives

Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry


From: security curmudgeon <jericho () attrition org>
Date: Wed, 10 Jun 2009 18:40:09 +0000 (UTC)


http://web.interhack.com/publications/interhack-breach-taxonomy.pdf

Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
C. Matthew Curtin, CISSP and Lee T. Ayres, CISSP

Abstract

Where should defenses be deployed? Security managers can answer the 
question by knowing what types of breaches there are, and the rates that 
they occur relative to one another. A number of methods for determining 
such rates have been proposed with a view to helping with this decision 
making. Unfortunately, such methods sometimes tend towards anecdote, might 
be part of a marketing campaign, or lack the context needed to drive 
informed decisions.

We propose a taxonomy to classify incidents of the loss of control over 
sensitive information. The taxonomy is hierarchical in nature, allowing 
classification of incidents to a level of precision appropriate to the 
amount of information available. Analysis of incidents using the taxonomy 
may also work with the precision appropriate given the question at hand 
and data available. We then explore the proportion of breach types in a 
subset of data losses accumulated by the Identity Theft Resource Center 
(ITRC). Using the 2002 North American Industry Classification System 
(NAICS), we classify breach events according to the industry sector in 
which they occurred.

We conclude that the taxonomy is useful and that analysis of incidents by 
type and industry yields results that can be instructive to practitioners 
who need to understand how and where breaches are actually occurring. For 
example, the Health Care and Social Assistance sector reported a larger 
than average proportion of lost and stolen computing hardware, but 
reported an unusually low proportion of compromised hosts. Educational 
Services reported a disproportionately large number of compromised hosts, 
while insider conduct and lost and stolen hardware were well below the 
proportion common to the set as a whole. Public Administration's proportion 
of compromised host reports was below average, but their share of 
processing errors was well above the norm. The Finance and Insurance 
sector experienced the smallest overall proportion of processing errors, 
but the highest proportion of insider misconduct. Other sectors showed no 
statistically significant difference from the average, either due to a 
true lack of variance, or due to an insignificant number of samples for 
the statistical tests being used.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
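The sector-versus-whole comparison the abstract describes, as an added illustration that is not from the paper or the ITRC data: constructed per-sector incident counts for the four breach types the abstract names are compared with the rest of the set using a pooled two-proportion z-test, and any cell with too few expected samples is reported as inconclusive, the "insignificant number of samples" case the abstract mentions. Sector names follow NAICS; the type label strings and the counts are assumptions for this example.

```python
import math
from collections import Counter

# Breach-type labels taken from the abstract (the label strings are assumed).
TYPES = ("lost_stolen_hardware", "compromised_host",
         "insider_misconduct", "processing_error")

# Constructed sample, not ITRC data: NAICS sector -> {breach type: incidents}.
SAMPLE = {
    "Health Care and Social Assistance": {"lost_stolen_hardware": 14, "compromised_host": 2, "processing_error": 4},
    "Educational Services": {"compromised_host": 15, "lost_stolen_hardware": 3, "insider_misconduct": 2},
    "Finance and Insurance": {"insider_misconduct": 16, "compromised_host": 5, "lost_stolen_hardware": 4},
    "Public Administration": {"processing_error": 18, "lost_stolen_hardware": 5, "compromised_host": 4, "insider_misconduct": 3},
    "Other Services": {"compromised_host": 3, "lost_stolen_hardware": 2},
}

def overall_shares(sample):
    """Proportion of each breach type across the whole data set."""
    all_counts = Counter()
    for counts in sample.values():
        all_counts.update(counts)
    n = sum(all_counts.values())
    return {t: all_counts[t] / n for t in TYPES}

def two_proportion_z(x1, n1, x2, n2):
    """Pooled two-proportion z statistic and its two-sided p-value."""
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (x1 / n1 - x2 / n2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))

def sector_deviations(sample, sector, alpha=0.05, min_expected=5):
    """Per type: 'above', 'below', 'no significant difference' or 'insufficient data',
    comparing one sector against all other sectors combined."""
    inside = Counter(sample[sector])
    rest = Counter()
    for s, counts in sample.items():
        if s != sector:
            rest.update(counts)
    n1, n2 = sum(inside.values()), sum(rest.values())
    result = {}
    for t in TYPES:
        x1, x2 = inside[t], rest[t]
        pooled = (x1 + x2) / (n1 + n2)
        # Normal approximation is unreliable when any expected cell count is small.
        if min(n1 * pooled, n1 * (1 - pooled), n2 * pooled, n2 * (1 - pooled)) < min_expected:
            result[t] = "insufficient data"
            continue
        z, p = two_proportion_z(x1, n1, x2, n2)
        result[t] = "no significant difference" if p >= alpha else ("above" if z > 0 else "below")
    return result
```

With the constructed counts, Health Care comes out above the rest on lost and stolen hardware and below on compromised hosts, while the small "Other Services" sector yields no conclusion for any type.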
