My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are like cockroaches, they rarely travel alone and seeing one guarantees there are more that can’t be seen. The question becomes: does the bad security mean bad security, or bad management?
I refer (again) to “Is There a Cost to Privacy Breaches? An Event Study,” by Alessandro Acquisti, Allan Friedman, and Rahul Telang. Nick, why are they wrong? Why aren’t TJX and CPS outliers?
I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly.
(Thanks to the several readers who sent in links.)
[Update: Don't miss Allan's informative reply in the comments.]