2008 Data Breach Investigations Supplemental Report

By Wade Baker

Today, we released a supplement to our 2008 Data Breach Investigations Report (DBIR) that focuses on four major industry groups. As many of you know, the original document compiled four years of data from over 500 cases worked by our Investigative Response team and was intended to be a kind of “state of the union” look at recent security breach and data compromise trends.

The DBIR presented statistics in aggregate across all organizations in our caseload and did not delve into the state of affairs within each of the industries represented. Drawing from the same data set as the original, the Supplemental Report provides this analysis for the financial, technology services, retail, and food and beverage industries.



You probably can’t read it on the miniature cover shot above (you can if you download the full report here), but part of the subtitle reads “Industry Focus. More Analysis. Greater Insight.” It might sound like unadulterated marketing mumbo-jumbo, but it’s actually a fitting description of what we feel the report accomplishes. Sure, it looks more closely at a few industries and provides more analysis, but the real value is greater clarity and insight into the original data. Why? Well, you can read the report for a complete answer to that question, but one of the major reasons involves that age-old enemy of statistics, The Flaw of Averages. Any time you average a bunch of data points, the result is a middle-of-the-road expression of the data. Variations, fluctuations, and groupings (which often provide great insight) are lost. That’s not to say we shouldn’t average whole sets of data – this certainly has value – but other methods of slicing up and analyzing data are important to understanding what’s really going on.

We hope the new Supplemental Report sheds more light on the findings presented in the DBIR in ways that are helpful to your organization. Even if your industry is not included among the four discussed throughout the report, perhaps you can identify with certain characteristics of them or experience similar challenges in your business environment. At the very least, it should reinforce the notion that an efficient and effective information security program cannot be achieved through a standardized template applied without regard to the unique risks faced by each organization.


Comments

  1. [...] Terms of Use « 2008 Data Breach Investigations Supplemental Report [...]

    Posted by: Verizon Business Security Blog » Blog Archive » Peter Tippett on the Data Breach Investigations Supplemental Report on October 8th, 2008 at 7:39 pm
  2. [...] colleague at Verizon Business wanted to inform his customers and colleagues that we had published a supplement to our Data Breach Investigations Report. He crafted an e-mail message and used a list of addresses [...]

    Posted by: Verizon Business Security Blog » Blog Archive » “Never attribute to malice that which can adequately be explained by Stupidity.” on October 15th, 2008 at 8:34 pm
