Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Net-Witness of the Persecution

Given the situations described above, it should come as no surprise that, for one reason or another, the statistics bandied about by news media and security professionals are likely gross underestimates. Another reason for this is the bias in the samples that are taken. The much-touted CSI and (formerly) FBI reports of security events have always been based on a relatively small sample. While the sample may be statistically significant, one can easily misinterpret the figures as applying to the population as a whole if one does not read the fine print. The annual VerizonBusiness Data Breaches report also receives a lot of attention. It, too, is limited, in that it is based only on those situations in which clients engage VerizonBusiness to conduct forensics and follow-up. One might argue that certain classes of incident, such as insider events, may be underrepresented, either because the victims do not know that they have been compromised (insider activity can be extremely difficult to detect) or because companies tend to keep insider hacks quiet rather than involve outsiders.

It should also be recognized that it is very difficult to extrapolate from the results of a small sample to the population as a whole, particularly when there is not even agreement that the sample is indeed small. Nevertheless, based upon my personal experience as to when and how malfeasance is detected and reported, I am reasonably confident that we, the public, are made aware of only a very small fraction of actual events. If I am correct in this, then we are basing important cyber security decisions upon numbers that do not come near to representing reality. No wonder cyber security continues to be so underfunded.
