C. Warren Axelrod

The VerizonBusiness Report – Interesting, But is It Useful?

Each year, the VerizonBusiness RISK Team issues its “Data Breach Investigations Report.” For the 2009 edition, see …

www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

I was fortunate enough to attend the September 2009 Metro New York ISSA Meeting to hear a presentation on the report and to think more about how it is developed and what it means. I have felt for some time that there is a significant bias in the report as it analyzes only those cases – admittedly a large number – for which VerizonBusiness was called in.

One Comment

  1. Alex Nov 1, 2009 at 11:06 pm

    Warren,

    When I (and I hope others) present around the report, we mention this bias explicitly. I hope nobody ever told you it was a random sample. Also, it might be worth noting that page four of the report states:

    “We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. These statistics are based solely upon our caseload and any conclusions or inferences we make are drawn from this sample. Although we believe many of these results to be appropriate for generalization, bias undoubtedly exists. Even so, there is a wealth of information here and no shortage of valid and clear takeaways. As with any study, readers will ultimately decide which findings are applicable within their organization.”

    I also work in my presentations to discuss the nature of the threat sources – giving the same reasons you do describing why the results might look like they do. Again, from the report itself:

    “It is true that these results are based upon our caseload—which is consumer data-heavy—and may not be reflective of all data breaches. Perhaps insiders are more apt to target other types of data such as intellectual property. It is also true that many insider crimes may never be detected, though one would think any breach causing material harm would eventually be noticed. It is also feasible they are more likely handled internally.”

    I hope that you found the presentation informative. If you’d like, please feel free to drop me an email with any questions you might have. I can’t comment on any specific cases, only on the aggregate data set, of course, but if there’s something you’d like clarification on, I’m happy to help.

    yours,

    Alex
