Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt…Read More Diginotar Quantitative Analysis ("Black Tulip")
So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection…Read More Why Do Outsiders Detect Breaches?
Hey, I know it’s late notice, but I’ll be speaking at 10:30 EST today on EBRM and the Verizon DBIR: https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1002809&K=CAA1BC&tab=agenda AlexRead More Dark Reading Virtual Event & Evidence-Based Risk Management
I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.Read More Another critique of Ponemon's method for estimating 'cost of data breach'
Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by…Read More A critique of Ponemon Institute methodology for "churn"
The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.Read More Dashboards are Dumb
PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s…Read More Lessons from HHS Breach Data
@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide…Read More Fair Warning: I haven't read this report, but…
Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security. Richard upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were…Read More Michael Healey: Pay Attention (Piling On)
As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive…Read More Petroski on Engineering