There have been several blog posts and articles that have come out lately that have to do with compiling the statistics behind the cost of a breach and the probability of data loss. There is no shortage of these types of statistics but they seem to be getting more granular and informative.

On the Data Auditing Blog there is a good two-part series authored by Prat Moghe, the founder of Tizor. In the first part of the series he compiles a report from an ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers but goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are two interesting snippets from the post:

  1. “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007.”
  2. “It turns out that the average loss per moderate loss incident is roughly constant! Yes - across all three years - it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”

While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (i.e. what an enterprise can expect in terms of the number of losses per incident, based on the average over the past three years).

In Moghe’s second post of the series he puts an actual dollar value on the potential cost of a breach by extrapolating the cost of breaches over the past three years as they apply to the Fortune 5000. He draws additional conclusions about the driver of security spending moving from compliance to breach prevention and incident response as the cost of an incident continues to rise.

I frequently have wondered what percentage of companies experience a breach. This quote by Moghe will be something I will call upon frequently:

“…the breach stats discussed in my last post are measured over the last three years, across Fortune 5000 companies. There were a total of 813 breaches. This means that the probability that a Fortune 5000 company will see a breach is roughly 813/5000 or 16%.”

If you’re interested in digging through the nitty gritty of all of the reported breaches in 2007, here is the ITRC Report in PDF format.

Not exactly statistics, but Eric Sinrod put together an impressive list of this year’s breaches and data loss reports just at universities. Our esteemed institutes of higher education appear to be bitten by the breach bug pretty badly, based on lackadaisical adherence to policy.

I will continue to post interesting places where you can find information, statistics and analysis of breaches.