Wednesday, April 15, 2009

Cyber

After a once over, I'm curious as to the value of the Verizon Business "Data Britches Report."
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

A couple questions/comments I had on the first read:
1. The document really needs a glossary. It's hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: "data breach," "record," "incident," and "errors and omissions," the last of which didn't mean what I thought it would mean ("negligence" and "non-compliance" seem to convey more of what was intended; when I think E&O, I think "malpractice").
2. Is the skew toward "outsider" threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked-out skew. So give me some damages! Or, at least, give me a standard deviation if you are going to skew that way.
3. Where are my scatter plots? Someone get these guys some visualization skills.
4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. It reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shoveled under a skirt called "cyber" makes less sense every time I read a "cyber" this or that. How about words like fraud, impersonation, crime, non-compliance?
5. About halfway through, I got the feeling that I was reading a DEA document about the War on Crime: a focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this "cyber" or just fraud? Is it a war we can win? Have we just turned the corner?

Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.

(Just noticed that Brooke at New School wrote similar comments. I am not alone.)

2 comments:

Alex Hutton said...

Hey Dutcher!

1.) Point well taken.

2.) It's skewed towards the sort of breaches that you would call in an external IRT for, skewed towards organizations that would need an IRT.

I hope we made that apparent.

3.) You have no idea about what it took to get even those visualizations done in an inoffensive manner :)

Seriously, though, I have to ask which data sets you feel would be better represented by a scatterplot? We tried to steer the design guys as much as possible towards Stephen Few's principles of data visualization. But even trying hard to adhere to those, data representation is in the eye of the beholder and I'd love to get your perspective re: scatterplot use.

4.) That may be. We have to find a fine line between protecting the client anonymity, and releasing useful data. Sometimes "lumping" is done in a protective manner, and sometimes it's done just to represent "here's the full data set, interpret how you wish".

5.) Unfortunately, our ability for the IRT team to gather data ends at containment, when the engagement ends. I, too, would love to have impact information to correlate this with, but this is only the second year we've done this, and getting participation for that level of disclosure by the client base is even more difficult (as I'm sure you can imagine).

Hope you're well.

Dutcher Stiles said...

Alex -
Thanks for the comment. Unfortunately, I don't think I was alone in interpreting the data according to my expectations rather than what it actually is, possibly because I can't think offhand of anything just like it. My guess is that it may be used to change the focus of controls primarily to the exterior because of the Verizon data. I suspect (primarily based on occupational crime stats - http://www.acfe.com/resources/publications.asp?copy=rttn ) that companies may handle insider breaches in a way that would not include an incident response team.

W/R/T visualizations, I guess I'd like to see more than two data elements represented at a time, at least where it makes sense. Maybe even tying incidents to time - time of day or week of year. Does the data support adages about hackers attacking on holidays or in the middle of the night? (It could have been there and I missed it. Toddler wrangling does take its toll.)