http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2257 Adam Thu, 08 Jun 2006 11:48:33 +0000 http://emergentchaos.com/?p=1754#comment-2257 Did they announce it, or tell the SEC? Companies suffering decliing sales love to blame outside factors, rather than exec failures. Did they announce it, or tell the SEC?
Companies suffering decliing sales love to blame outside factors, rather than exec failures.

]]> http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2256 Alex Hutton Wed, 07 Jun 2006 21:28:57 +0000 http://emergentchaos.com/?p=1754#comment-2256 Speaking of the cost of a breach, yesterday DSW announced that earnings were down because of their incident. Has anyone seen how much money loss they allocate to the breach? I'm searching and I can't find anything off their investor relations site. Speaking of the cost of a breach, yesterday DSW announced that earnings were down because of their incident. Has anyone seen how much money loss they allocate to the breach?
I’m searching and I can’t find anything off their investor relations site.

]]> http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2255 Chris Walsh Tue, 06 Jun 2006 19:51:49 +0000 http://emergentchaos.com/?p=1754#comment-2255 In related news...veterans' (note apostrophe use, Adam) groups are seeking $26.5 billion from the VA in a class-action suit. <a href="http://www.internetnews.com/bus-news/article.php/3611586" rel="nofollow">http://www.internetnews.com/bus-news/article.php/3611586</a> In related news…veterans’ (note apostrophe use, Adam) groups are seeking $26.5 billion from the VA in a class-action suit.
http://www.internetnews.com/bus-news/article.php/3611586

]]> http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2254 Adam Mon, 05 Jun 2006 20:43:00 +0000 http://emergentchaos.com/?p=1754#comment-2254 Alex, I'm looking for a baseline of risk for identity theft that's not the "1.5%" number that includes account takeover and fraud by impersonation. <a href="http://spiresecurity.typepad.com/spire_security_viewpoint/2006/05/100.html" rel="nofollow">http://spiresecurity.typepad.com/spire_security_viewpoint/2006/05/100.html</a> Alex,
I’m looking for a baseline of risk for identity theft that’s not the “1.5%” number that includes account takeover and fraud by impersonation.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/05/100.html

]]> http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2253 Alex Hutton Mon, 05 Jun 2006 14:57:22 +0000 http://emergentchaos.com/?p=1754#comment-2253 Are you looking for data or "baseline risk" of a breach? Data, as you say, is problematic. The trouble I see with determining baseline risk (assuming you like your definition of risk to be "amount you will probably lose and how frequently you stand to lose that amount") is that risk calculations normally require that data. Welcome to catch-22. However, I think you can use probabilistic modeling to get a good range with which to arrive at "baseline risk". Got a link to Mr. Lindstrom? Are you looking for data or “baseline risk” of a breach?
Data, as you say, is problematic. The trouble I see with determining baseline risk (assuming you like your definition of risk to be “amount you will probably lose and how frequently you stand to lose that amount”) is that risk calculations normally require that data. Welcome to catch-22.
However, I think you can use probabilistic modeling to get a good range with which to arrive at “baseline risk”. Got a link to Mr. Lindstrom?

]]> http://emergentchaos.com/archives/2006/06/how-damaging-is-a-breach.html/comment-page-1#comment-2252 Chris Walsh Mon, 05 Jun 2006 11:45:19 +0000 http://emergentchaos.com/?p=1754#comment-2252 Since broadly speaking there is no requirement to report to anyone but the victims and the three CRAs, the information is either locked up (at the credit bureaus) or so widely dispersed that it is difficult to collect. I assert that we learn of only the "most newsworthy" breaches, since these are the ones individuals who have been notified actually pipe up about. "Newsworthy" in the preceding sentence I think means: Shocking to the conscience Affecting very large number of people Having some quirky aspect The state of the art in gathering "comprehensive" data on breaches (forget about individual-level impact for now) amounts to using Google, Lexis/Nexis, and Edgar On-Line. My assertion in the second paragraph may be semi-testable, but it requires making some potentially unwarranted assumptions about how "representative" breaches reported to the NY State government are of breaches nationally. I'll have more to say about this soon (ideally, in Vancouver, oh powerful program committee luminaries) Since broadly speaking there is no requirement to report to anyone but the victims and the three CRAs, the information is either locked up (at the credit bureaus) or so widely dispersed that it is difficult to collect.
I assert that we learn of only the “most newsworthy” breaches, since these are the ones individuals who have been notified actually pipe up about.
“Newsworthy” in the preceding sentence I think means:
Shocking to the conscience
Affecting very large number of people
Having some quirky aspect
The state of the art in gathering “comprehensive” data on breaches (forget about individual-level impact for now) amounts to using Google, Lexis/Nexis, and Edgar On-Line.
My assertion in the second paragraph may be semi-testable, but it requires making some potentially unwarranted assumptions about how “representative” breaches reported to the NY State government are of breaches nationally. I’ll have more to say about this soon (ideally, in Vancouver, oh powerful program committee luminaries)

]]>