Hey, I know it’s late notice, but I’ll be speaking at 10:30 EST today on EBRM and the Verizon DBIR: https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1002809&K=CAA1BC&tab=agenda AlexRead More Dark Reading Virtual Event & Evidence-Based Risk Management
I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.Read More Another critique of Ponemon's method for estimating 'cost of data breach'
Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by…Read More A critique of Ponemon Institute methodology for "churn"
The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.Read More Dashboards are Dumb
PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s…Read More Lessons from HHS Breach Data
@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide…Read More Fair Warning: I haven't read this report, but…
Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security. Richard upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were…Read More Michael Healey: Pay Attention (Piling On)
As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive…Read More Petroski on Engineering
In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see: Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”? I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small…Read More The Visual Display of Quantitative Information
On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m…Read More Comments on the Verizon DBIR Supplemental Report