Educause Security Discussion mailing list archives

Re: Universities riskiest place for SSN


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Mon, 8 Nov 2010 17:38:01 -0600

Before drawing the conclusion that higher-ed doesn't have a lot of data breaches based on the DBIR, note the 
methodology of data collection for the DBIR: "paid forensic investigations performed by Verizon [Business]", and (as of 
the 2010 report) US Secret Service investigations.

  http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

There's good reason to believe that higher-ed breaches might not end up in either corpus of incident information, on 
average, and thus not into the VERIS database upon which the reports are based.

The DBIR is noteworthy and very interesting for what it tells us about attacker methodologies and how they play out 
across a variety of business environments, but it shouldn't be taken for a comprehensive overall study.  The latest 
report heavily caveats (page 8) the demographic assumptions which may be drawn from the VERIS database.

  -jml

Judith House <housej () GEORGETOWN EDU> 2010-11-08 16:23 >>>
[ ... ]

Agreed, universities are open about data loss, potential loss, and breach.
I just read a report from Verizon
(http://www.verizonbusiness.com/resources/security/databreachreport.pdf)
which shows Higher Ed is a very small proportion of the actual data loss
overall -- it's a very interesting report in many ways.

