Analyzing Data Breaches: Can we Tolerate Status Quo?

An interesting paper analyzes the frequency of data breaches. It was written by Benjamin Edwards, Steven Hofmeyr, and Stephanie Forrest, who obtained their data from the breach information published at https://www.privacyrights.org.

The PRC (Privacy Rights Clearinghouse) has compiled a "Chronology of Data Breaches" dataset that, as of February 23, 2015, contains information on 4,486 publicized data breaches that have occurred in the United States since 2005.

[Figure: data breach sizes]

Our cybersecurity depends on risk analysis and management, and many businesses and government entities look to the NIST (National Institute of Standards and Technology) Cybersecurity Framework, which is built on an analysis of the risk in your organization. One of the parameters of your risk assessment should therefore be how likely a breach is to happen.


The paper models the relationship between data breach size and frequency mathematically:

[Figure: PRC data, binomial model]

[Figure: Bayesian approach]

There is always a risk in using mathematical models: the data that is fed in shapes the model and therefore its predictions.


The culmination of their models is a prediction of future data breaches, in both size and frequency.

[Figure: prediction of breaches]


The cost of a data breach depends on how much data is stolen. According to the paper's prediction, there is a 31% chance of a breach of 10 million records or more.

As discussed above, risk management analysis requires knowledge of both cost and likelihood.

The paper's conclusion:

In conclusion, data breaches pose an ongoing threat to personal and financial security, and they are costly for the organizations that hold large collections of personal data. In addition, because so much of our daily lives is now conducted online, it is becoming easier for criminals to monetize stolen information. This problem is especially acute for individual citizens, who generally have no direct control over the fate of their private information. Finding effective solutions will require understanding the scope of the problem, how it is changing over time, and identifying the underlying processes and incentives.
We have to evaluate specific risks by using cost estimates of the potential breach and the likelihood of a breach.
Only then can you answer: are we devoting enough resources to preventing cybersecurity breaches?
Suppose you are protecting a $20 million business with a 1 million record database, and the likelihood of a breach is 31%: how much should be spent on cybersecurity?
My guess is that not enough is being spent, although every entity must decide for itself.
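The two ideas above, a statistical model of breach frequency and size, and a risk estimate that multiplies likelihood by cost, can be put together in a small worked model. The following is an added example written for this page; it is not the paper's code or data. It assumes a negative-binomial count of breaches per year and a log-normal breach size (modelling assumptions made here, not stated on the page), and every parameter value (ANNUAL_MEAN, DISPERSION, MEDIAN_RECORDS, SIGMA, the cost per record) is constructed rather than fitted to the PRC data; only the 4,486-breach count, the 10-million-record threshold, the 31% likelihood and the 1-million-record database come from the page. It computes the probability of at least one "10 million records or more" breach in a year analytically, cross-checks it by simulation, and then applies the likelihood-times-cost rule to the single-organization question the post ends with.

```python
"""Heavy-tailed breach model and a likelihood-times-cost risk estimate.

Added example, not the paper's code.  Assumptions (constructed, not fitted):
  - breaches per year ~ negative binomial(mean ANNUAL_MEAN, shape DISPERSION),
    i.e. variance = mean + mean**2 / DISPERSION, sampled as a gamma-Poisson mixture
  - records per breach ~ log-normal(median MEDIAN_RECORDS, log-sd SIGMA)
"""
import math
import random

ANNUAL_MEAN = 450.0        # ~4,486 breaches over ~10 years (the PRC count on the page)
DISPERSION = 5.0           # assumed negative-binomial shape r (smaller = burstier years)
MEDIAN_RECORDS = 1_000.0   # assumed median breach size
LOG_MEDIAN = math.log(MEDIAN_RECORDS)
SIGMA = 3.0                # assumed log-normal spread; large sigma = heavy right tail
LARGE_BREACH = 10_000_000  # "10 million records or more", the page's threshold


def lognormal_tail(threshold, mu, sigma):
    """P(size >= threshold) for a log-normal with log-mean mu and log-sd sigma."""
    if threshold <= 0:
        return 1.0
    z = (math.log(threshold) - mu) / (sigma * math.sqrt(2.0))
    return 0.5 * math.erfc(z)


def prob_at_least_one(annual_mean, dispersion, tail_prob):
    """P(at least one breach of size >= threshold during one year).

    Keeping each breach with probability p (thinning) turns a negative binomial
    with mean m and shape r into one with mean m*p and the same r, so
    P(no large breach) = (r / (r + m*p)) ** r.
    """
    r, mp = dispersion, annual_mean * tail_prob
    return 1.0 - (r / (r + mp)) ** r


def _poisson(lam, rng):
    """Poisson sample by counting exponential inter-arrival times.

    Avoids the exp(-lam) underflow of the textbook method when lam is large.
    """
    total, k = 0.0, 0
    while True:
        total -= math.log(1.0 - rng.random())   # 1 - U is in (0, 1], so log is finite
        if total > lam:
            return k
        k += 1


def simulate_year(rng, annual_mean=ANNUAL_MEAN, dispersion=DISPERSION,
                  mu=LOG_MEDIAN, sigma=SIGMA):
    """One simulated year: a breach count, then a record count for each breach."""
    lam = rng.gammavariate(dispersion, annual_mean / dispersion)  # shape, scale
    count = _poisson(lam, rng)
    return [rng.lognormvariate(mu, sigma) for _ in range(count)]


def monte_carlo_prob(threshold, years=2000, seed=1):
    """Fraction of simulated years containing at least one breach >= threshold."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(years)
               if any(size >= threshold for size in simulate_year(rng)))
    return hits / years


def annual_loss_expectancy(likelihood, records, cost_per_record):
    """Single-organization ALE: likelihood of a breach times its estimated cost."""
    return likelihood * records * cost_per_record


def risk_summary():
    """Population-level large-breach probability plus the page's one-business question."""
    tail = lognormal_tail(LARGE_BREACH, LOG_MEDIAN, SIGMA)
    p_large = prob_at_least_one(ANNUAL_MEAN, DISPERSION, tail)
    return {
        "p_single_breach_is_large": tail,
        "p_large_breach": p_large,
        # 31% likelihood and 1M records are from the page; $10/record is a constructed figure
        "ale_for_1M_record_business": annual_loss_expectancy(0.31, 1_000_000, 10.0),
    }


if __name__ == "__main__":
    summary = risk_summary()
    print(f"P(one breach is >= 10M records) = {summary['p_single_breach_is_large']:.5f}")
    print(f"P(at least one such breach in a year) = {summary['p_large_breach']:.3f}")
    print(f"Monte Carlo cross-check = {monte_carlo_prob(LARGE_BREACH):.3f}")
    print(f"ALE for the page's 1M-record business (at $10/record, assumed) = "
          f"${summary['ale_for_1M_record_business']:,.0f}")
```

The analytic and simulated yearly probabilities agree, which is the check worth keeping when you swap in your own fitted parameters: if they diverge, the sampler and the formula no longer describe the same model. The ALE line is the page's rule applied literally; it gives an upper bound on what spending on prevention can justify per year, and it is only as good as the cost-per-record and likelihood figures fed into it.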
