As I looked at it, I had a couple of thoughts.
The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was because there were lots of independently maintained data sets like this, and correlation had become a problem. It feels like this is the same sort of data, and so getting coordination around cross-referencing would be great.
My second thought is that in posts like his “The Breach Blog Month in Review November, 2007,” he attempts to derive cost information by taking the Ponemon Institute’s $197 number and multiplying it by the number of people affected. I think it’s possible to do better in several ways:
- The numbers are broken out in the reports, and some of them are per-individual, and others are per breach. People deriving numbers should use the detailed information that the Institute offers.
- There’s also the cost of lost business. Of the 5 organizations reporting a second (or later) breach, 4 were governments or government agencies: HMRC, Montana State University, the US Department of Veterans Affairs, and the Commonwealth of Massachusetts. It’s quite difficult for someone to stop interacting with HMRC or Massachusetts. It’s not possible to lose veteran status. It may be possible to get Montana State to destroy all personal data about you, but I doubt it. The fifth, Capital Health, is likely the only one, or one of a very few, health care options available to its customers. Given that the 2007 Ponemon report states:
> The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach cost
For those organizations, the cost of a breach could justifiably be counted as no more than $69 ($197 - $128 = $69).
Anyway, it’s great for a wide spectrum of breach analysis to emerge. That chaos and competition will lead to better analysis and better security for us all.
Image: “The Breaking Dam,” by ReubenInStt