Industry Differences in Types of Security Breaches
Interhack has been working on a taxonomy of security breaches, and has an interesting conclusion:
The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionately large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration’s proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.
Full study is here.
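The comparison the summary draws, a sector's share of each breach type against the share in the set as a whole, is easy to screen with adjusted residuals on a sector-by-type count table. The code below is an added illustration, not the study's data or method; the counts and sector names are constructed, and the threshold and minimum-expected-count rule are assumptions.

```python
# Added example, not the Interhack study's data or code: the counts below are
# constructed to show how one screens per-sector shares of each breach type
# against the pooled average, which is the kind of comparison the summary draws.
from math import sqrt

BREACH_TYPES = ["compromised_host", "lost_stolen_hardware", "insider", "processing_error"]

# Constructed sample counts: rows are sectors, columns follow BREACH_TYPES.
SAMPLE_COUNTS = {
    "health_care":  [10, 40, 8, 12],
    "education":    [45, 5, 3, 9],
    "public_admin": [8, 15, 6, 30],
    "finance":      [20, 12, 25, 2],
}

def _margins(counts):
    """Row totals, column totals and grand total of the contingency table."""
    row = {s: sum(c) for s, c in counts.items()}
    col = [sum(c[j] for c in counts.values()) for j in range(len(BREACH_TYPES))]
    return row, col, sum(col)

def adjusted_residuals(counts):
    """Adjusted Pearson residual z per (sector, breach type) cell. Under the null
    that every sector shares the pooled mix, z is roughly standard normal, so
    |z| > 2 marks a share that is unusually high (z > 0) or low (z < 0)."""
    row, col, n = _margins(counts)
    z = {}
    for s, obs in counts.items():
        for j, o in enumerate(obs):
            expected = row[s] * col[j] / n
            denom = sqrt(expected * (1 - row[s] / n) * (1 - col[j] / n))
            z[(s, BREACH_TYPES[j])] = (o - expected) / denom
    return z

def flag_deviations(counts, threshold=2.0):
    """Map each significant cell to 'above' or 'below' the pooled proportion."""
    return {cell: ("above" if v > 0 else "below")
            for cell, v in adjusted_residuals(counts).items() if abs(v) > threshold}

def sparse_cells(counts, minimum=5.0):
    """Cells with expected count below `minimum`, where the normal approximation
    is unreliable: the 'insignificant number of samples' caveat in the summary."""
    row, col, n = _margins(counts)
    return [(s, t) for s in counts for j, t in enumerate(BREACH_TYPES)
            if row[s] * col[j] / n < minimum]

if __name__ == "__main__":
    for (sector, kind), direction in sorted(flag_deviations(SAMPLE_COUNTS).items()):
        print(f"{sector:>13} {kind:<22} {direction}")
    print("sparse cells:", sparse_cells(SAMPLE_COUNTS))
```

With the constructed table, the flagged cells reproduce the pattern the summary describes (health care high on lost hardware and low on compromised hosts, finance high on insider misconduct), and an empty sparse-cell list means no sector is too thinly sampled for the screen to be meaningful.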
Bill • June 10, 2009 7:10 AM
I’m skeptical the raw data is complete, verbose and accurate, so it follows any conclusion will not be either. And that’s with or without disclosure laws too.
Another interpretation is it illustrates which areas different market sectors are least uncomfortable ‘fessing-up to.
They’ve devised a taxonomy fit for their purpose; but stripping ‘motive’ from the equation is like stripping ‘asset value’ from risk management.
i.e. Was the laptop stolen for the hardware, or the data? It matters!
So yes, good effort but I’m not going to drink their kool-aid... this time.