Shostack + Friends Blog Archive


Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises”:

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

Most of the reporting is on that 85% number. I think the second number is far more interesting — 63% have experienced more than 5 breaches. That shocks me. I’m way behind on Ponemon Institute research, and I hope to say more shortly.

[Update: see the comments for some excellent analysis.]

4 comments on "Deloitte & Touche, Ponemon Study on Breaches"

  • Chris says:

    10% response rate.
    I’d be interested in whether the size of the firms whose people participated is biased toward the high side. Only had 10 mins to read the paper.

  • Al says:

    In which way is the 63% shocking you? Too much? Too little?

  • Adam says:

    That’s very high. It means that (roughly) 3/4 of those who reported detecting a breach detected more than 5. Why did only 1/4 report one breach?

  • Al says:

    High? I suppose it really depends on the definition of a breach.
    If it involves IP leaks and financial issues, yes, more than 5 seems high to me.
    However, I have seen audit reports from DLP applications that just scream false positives… based on those, yes, 5 breaches is very likely.
    Also, all ILP/DLP solutions are going mainstream, and those reports, just like the way InfoSec surveys do in a way, create FUD.
    I am not blaming the results themselves, rather questioning the methodologies, definitions, and conclusions drawn from the results… Would the results be biased towards higher figures to push products that would “control” those leaks?
