Shostack + Friends Blog Archive


Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests are mostly his work, the context mine.

I’d love feedback before I submit this next week.


Thank you for the opportunity to suggest data which would be in the public interest to release or make more available. I applaud your mission of improving and updating your site with a wide variety of data.

Today, the public is sorely lacking in data about information security outcomes, that is, what really goes wrong, and how often. The government gathers a great deal of data on federal enterprise security under FISMA and many regulations. It gathers a good deal of information about consumer issues at the FBI and FTC. It may seem that this sort of information falls under the sensitive data exemption which you call out on your suggestion page. I believe that’s not the case, and so before summarily rejecting this request, I ask that you consider the following.

First, it is understood that enterprise security is a challenge, and security failures are widespread. These range from unsecured tax records to sensitive plans showing up on peer-to-peer filesharing networks. A great many government security failures are documented in the, a project of the Open Security Foundation. It is disgraceful that hobbyists must comb through news reports to make this data available in a better way than

Second, security failings are consistent and not improving. Failings are documented as far back as a GAO report, “Computer Related Crimes in Federal Programs” submitted to Congress in April, 1976. Stripped of jargon and brands, and updated to reflect re-organizations of government departments, the issues and recommendations could be issued today and few people would notice. could make available data about what goes wrong that would allow researchers and scientists to assess their advice. The importance of cyber-security has caused President Obama to dedicate a speech to it, order a 60 day special review, etc. The general availability of this data would support and enhance the President’s goals in securing cyber-space.

Third, some small subset of the data may represent on-going issues which are not yet remediated, rather than past issues which have been addressed. These are clearly sensitive, and drawing attention to them would have negative operational consequences. At the same time, there is a public interest in oversight and accountability, and I urge you to consider partial, redacted, or summarized data releases as you balance that sensitivity. For example, information on how many issues each department has open, how long they have been open, and how severe they are is unlikely to change the daily flood of attacks focusing on the Federal information infrastructure.

Therefore, most of the data I am requesting is not sensitive, and its rapid release serves an important public interest.

I am requesting:

Complete responses from the Departments and Agencies to the FISMA reporting requirements for FY2004-2009 based on OMB Memoranda 04-25, 05-15, 06-20, 07-19, 08-21, and 09-29.

Raw incident data for years 2005-2007 as reported to OMB and summarized in their report to Congress on FY2007 FISMA performance and published at

Raw incident data for years 2007 and later, in any type and format that would allow a researcher to compile data similar to the Verizon Data Breach Investigations Report available at

Data collected by the FTC and/or FBI on identity theft, broken down by type and duration, making clear the differences between credit card and other short term thefts and SSN, drivers license, or other longer term impersonation.

This information is necessary for researchers to study the effectiveness of information security management techniques and regulatory schemes and for industry to propose changes to national-level information security management frameworks and legislation such as FISMA. This information for the most part has been released in a summary format to Congress and the release of the complete dataset on would greatly aid the information security community.
