<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Insider Breach Stats: Bogus, Biased, or Believable?</title>
	<atom:link href="http://securityblog.verizonbusiness.com/2008/07/07/bogus-biased-or-believable/feed/" rel="self" type="application/rss+xml" />
	<link>http://securityblog.verizonbusiness.com/2008/07/07/bogus-biased-or-believable/</link>
	<description>Risk Intelligence from Verizon Business Security Solutions powered by Cybertrust</description>
	<pubDate>Tue, 06 Jan 2009 07:10:14 +0000</pubDate>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>By: Russ Cooper</title>
		<link>http://securityblog.verizonbusiness.com/2008/07/07/bogus-biased-or-believable/#comment-23</link>
		<dc:creator>Russ Cooper</dc:creator>
		<pubDate>Mon, 21 Jul 2008 14:49:37 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=126#comment-23</guid>
		<description>@Hawke: You bring up an interesting point and, to a certain extent, we agree - managing risk is clearly the right focus. We do not, however, think the number of breaches is the “wrong” statistic. Since risk is the product of likelihood (number of incidents) and impact, statistics on both parameters are necessary. Concentrating solely on impact or damage quickly leads to a form of decision making we like to call “WIBiHI” (“Wouldn’t It Be Horrible If…”) and can often result in gross overspending. As you suggest, managing security based on likelihood, alone, isn’t a winning strategy either.

Keep in mind the original blog post is in response to public reaction to our findings regarding the percentage of breaches involving insiders. We’re not suggesting likelihood is more important than impact (or damage); it’s just that nobody seemed to argue against or misconstrue the latter parameter.</description>
		<content:encoded><![CDATA[<p>@Hawke: You bring up an interesting point and, to a certain extent, we agree - managing risk is clearly the right focus. We do not, however, think the number of breaches is the “wrong” statistic. Since risk is the product of likelihood (number of incidents) and impact, statistics on both parameters are necessary. Concentrating solely on impact or damage quickly leads to a form of decision making we like to call “WIBiHI” (“Wouldn’t It Be Horrible If…”) and can often result in gross overspending. As you suggest, managing security based on likelihood, alone, isn’t a winning strategy either.</p>
<p>Keep in mind the original blog post is in response to public reaction to our findings regarding the percentage of breaches involving insiders. We’re not suggesting likelihood is more important than impact (or damage); it’s just that nobody seemed to argue against or misconstrue the latter parameter.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Hawke</title>
		<link>http://securityblog.verizonbusiness.com/2008/07/07/bogus-biased-or-believable/#comment-19</link>
		<dc:creator>Hawke</dc:creator>
		<pubDate>Fri, 11 Jul 2008 15:45:28 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=126#comment-19</guid>
		<description>Is the number of breaches insider vs. outsider relevant, or are we looking at the wrong statistic?

If I'm managing risk instead of metrics, I want to know the amount of damage (exposure) done by one or the other. The data clearly shows that the insiders _do the most damage_ to an organization in terms of data exposure.

My experience is that it is also more costly to clean up after an insider.</description>
		<content:encoded><![CDATA[<p>Is the number of breaches insider vs. outsider relevant, or are we looking at the wrong statistic?</p>
<p>If I&#8217;m managing risk instead of metrics, I want to know the amount of damage (exposure) done by one or the other. The data clearly shows that the insiders _do the most damage_ to an organization in terms of data exposure.</p>
<p>My experience is that it is also more costly to clean up after an insider.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
