Re: Universities riskiest place for SSN

[Allison F Dolan <adolan () MIT EDU>]

I want to second John's comments about the Verizon report - some people have taken the conclusions  to apply to all 
breaches (and based on the Verizon report, laptop loss is low, because most organizations do not call in Verizon for 
cases of lost laptop).  Also, the Verizon report includes a wide variety of data breaches, including intellectual 
property, which is part of the reason 'insider threat' shows up relatively high.

......Allison  Dolan (617-252-1461)



On Nov 8, 2010, at 6:38 PM, John Ladwig wrote:

> Before drawing the conclusion that higher-ed doesn't have a lot of data breaches based on the DBIR, note the 
> methodology of data collection for the DBIR; "paid forensic investigations performed by Verizon [Business]", and (as 
> of the 2010 report) US Secret Service investigations.
>
>  http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
>
> There's good reason to believe that higher-ed breaches might not end up in either corpus of incident information, on 
> average, and thus not into the VERIS database upon which the reports are based.
>
> The DBIR is noteworthy and very interesting for what it tells us about attacker methodologies and how they play out 
> across a variety of business environments, but it shouldn't be taken for a comprehensive overall study.  The latest 
> report heavily caveats (page 8) the demographic assumptions which may be drawn from the VERIS database.
>
>  -jml
>
> > > > Judith House <housej () GEORGETOWN EDU> 2010-11-08 16:23 >>>
> [ ... ]
>
> Agreed, universities are open about data loss, potential loss, and breach.
> I just read a report from Verizon
> (http://www.verizonbusiness.com/resources/security/databreachreport.pdf)
> which shows Higher Ed is a very small proportion of the actual data loss
> over all -- it's a very interesting report in many ways.

Attachment: smime.p7s
Description: