Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused by hackers, and most breaches are small.)

But there are some really interesting tidbits, including the claim that the log(10) of the size of the breach is a normal curve with a mean of 3.5 and a standard deviation of 1.2, which means the mean breach is about 3,200 people. I’ve been saying for a while that all the breaches we remember are outliers, and Voltage’s analysis would indicate that two standard deviations, or about 97%, of breaches are smaller than 10^5.9, or about 790,000 people. (It’s unclear why, having done analysis of the size of breaches, they use an order of magnitude system for rating breaches, rather than something based on deviations.)

What’s more interesting is that they’re making testable predictions about the future:

At that rate, we should expect roughly 528 data breaches in the next 12 months [from May 2009]. If that is the case, the probability of having one or more data breaches in the next year that exposes 1 million or more records is roughly 99.9951 percent, or a virtual certainty, and we should expect to see about 14 data breaches of that size in the next year – this represents 1 in 200 adults in the US being affected.

This model also tells us that the probability of any given breach exposing 10 million or more records is 0.001769, or about 0.18 percent. This means that we can expect about 0.18 percent, or about 1 in 565, of data breaches to be that big. If that is the case, then the probability of having one or more data breaches in the next year that exposes 10 million or more records is over 60 percent – this is the equivalent of 5% of the US adult population being affected.
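The figures above can be recomputed from the stated lognormal parameters (mean 3.5, standard deviation 1.2 on the log10 scale). The following is an added example, not code from the post or from the Voltage report; it assumes 528 breaches in the year and that breach sizes are independent of one another.

```python
import math

# Parameters quoted in the post and the Voltage report
LOG10_MEAN = 3.5          # mean of log10(records exposed per breach)
LOG10_SD = 1.2            # standard deviation of log10(records exposed)
BREACHES_PER_YEAR = 528   # Voltage's projected breach count for the year


def normal_cdf(z):
    """Standard normal CDF, computed via the complementary error function."""
    return 0.5 * math.erfc(-z / math.sqrt(2.0))


def prob_breach_at_least(records, mu=LOG10_MEAN, sigma=LOG10_SD):
    """P(a single breach exposes >= `records` records) under the lognormal model."""
    z = (math.log10(records) - mu) / sigma
    return 1.0 - normal_cdf(z)


def expected_count(records, n=BREACHES_PER_YEAR, **kw):
    """Expected number of breaches of at least `records` among n breaches."""
    return n * prob_breach_at_least(records, **kw)


def prob_at_least_one(records, n=BREACHES_PER_YEAR, **kw):
    """P(at least one of n independent breaches exposes >= `records` records)."""
    p = prob_breach_at_least(records, **kw)
    return 1.0 - (1.0 - p) ** n


def size_at_sd(k, mu=LOG10_MEAN, sigma=LOG10_SD):
    """Breach size k standard deviations above the mean on the log10 scale."""
    return 10 ** (mu + k * sigma)


if __name__ == "__main__":
    print(f"typical breach (10^mean): {size_at_sd(0):,.0f} records")
    print(f"mean + 2 sd: {size_at_sd(2):,.0f} records, "
          f"larger than {normal_cdf(2.0):.1%} of breaches")
    for threshold in (10**6, 10**7):
        p = prob_breach_at_least(threshold)
        print(f">= {threshold:,} records: p = {p:.4%} (1 in {1 / p:,.0f}), "
              f"expect {expected_count(threshold):.1f} per year, "
              f"P(at least one) = {prob_at_least_one(threshold):.4%}")
```

Compare the returned values with the report's figures quoted above; the 0.18 percent and the 60 percent figures follow directly from the model, and the 1-million-record figures can be checked the same way.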

The interesting thing about these predictions is that they can be tested in May 2010. (It would be helpful for Voltage to say exactly what period they mean by “the next 12 months.”) While Dissent says:

I am not sure that a logarithm model will be appropriate for predicting future breaches. If organizations were to actually learn lessons from known breaches … then we might expect to see fewer large breaches rather than more.

I tend to agree, but the great thing is our agreement doesn’t matter. If the prediction holds, then we know something about the model. If the prediction fails, then we know something about the model. That’s the great thing about presenting predictions which are specific and measurable. So thank you, Voltage, for putting forward predictions. I look forward to seeing how they play out.

(Mortman commented on this previously in “Voltage Security’s Breach Map.”)

On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble finding a way to be effective in Microsoft’s culture.

So I wanted to pipe up and say I’m having a heck of a lot of fun, and have found places and ways to be effective. I’m getting to develop and share things like our SDL Threat Modeling Tool, and I get to be very transparent about the drivers and decisions that shape it. I’ve got some even cooler stuff in the pipeline, which I’m hoping will be public in the next year or so. My management (which has shifted a little) is supportive of me having two external blogs.

It’s been a heck of a ride so far. Dennis Fisher asked a great question to close this Hearsay Podcast: what surprised me the most? I was a little surprised by the question, but I’m going to stand by my answer, which is the intensity and openness of internal debate, and how it helps shape the perception that we’re all reading from the same script. It’s because we’ve seen the debate play out, with really well-informed participants, and remember which points were effective.

I can’t wait to see what happens in the next three years.

Emergent Traffic Chaos

Paul Kedrosky has an amazing video:

As described in the New Scientist:

Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video).

They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in distances between cars, breaking down the free flow, until finally a cluster of several vehicles was forced to stop completely for a moment.

Death-related items

I’m cleaning out my pending link list with a couple of morbidly themed links.

Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack.  For example…

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack

You are nine times more likely to choke to death on your own vomit than die in a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist

I know that Jimi Hendrix might argue that the risk of death-by-choking-on-vomit cannot be overstated enough, but everybody gets disproportionately worked up about something.

Of course, given that death is inevitable (in the long run, anyway), Cory Doctorow challenges us with the question of what will happen to our crypto keys when we die?

What do you-all do with your cryptokeys? Keep ’em with a lawyer and hope that attorney-client privilege will protect them? Safe-deposit box? Friends? Under the mattress? Do you worry that if your friends have your keys, they can be subpoenaed or suborned?

I seriously don’t have a good answer to this question for my personal keys.  How about the rest of you?

(corrected spelling as noted in comments)

Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing:

At Last, a Scientific Approach to Infographics

A blog post by the awesome visualization expert Stephen Few that praises:

Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed

OK, I’ll also mention that I really enjoyed this data quality post: http://www.dataqualitypro.com/data-quality-home/introduction-to-guerilla-data-governance-an-interview-with-m.html

And also that Beautiful Security is out, I have my copy and will be posting a review here once my private and professional life settles down.  At this rate, I expect that to be Late August 🙂

Finally, did you know we have a delicious feed of stuff we find interesting?  Really!  It’s here:  http://delicious.com/NewSchoolSecurity

Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security”:

In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” never had any rigorous backing. That claim was a munged up “fact” based on the free headline from a severely flawed survey (the CSI/FBI report), and an informal statement from one of my former coworkers made years earlier. It seems every day I see some new numbers about how many systems are infected with malware, how many dollars are lost due to the latest cybercrime (or people browsing ESPN during lunch), and so on.

Worth pondering on a Friday.

The Cost of Anything is the Foregone Alternative

The New York Times reports:

At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the 1988 bombing of Pan Am 103 over Lockerbie.

It’s long been a truism of economics that the cost of anything is the foregone alternative. In this case, a huge amount of our air travel security spending goes into ensuring that you can’t fly if your name and ID don’t quite match (looking at you, Jim), rather than preventing convicted terrorists from getting aviation licenses.