Re: seriously flawed U Washington breach study getspress making claims

["James Childers" <james () iqbio net>]

Bill,

Don't be too quick to knock "vendors fanning the flames".  We need a to
get a serious bon-fire going to get people to realize what is actually
going on and to secure the data to which they have been entrusted.
Bring on the gasoline.  

Only when the "market" truly decides people actually need to secure
their data will they do so - and this usually happens when the
Government makes an example out of someone or some company (Martha
Stewart, Enron, etc...) and people are shocked out of their complacency
- DON'T be that guy should be the motto.  

Until then the best we can do is "Educate the Consumer".  

This is Capitalism at its best - Find a need and fill it.  Just don't
make outrageous claims or promote snake oil.  Having a better mousetrap
that works as advertised is not necessarily a bad thing.  

James (Jim) Childers
President / Owner
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com 

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of B.K. DeLong
Sent: Wednesday, March 14, 2007 2:35 PM
To: Bill Yurcik
Cc: dataloss () attrition org
Subject: Re: [Dataloss] seriously flawed U Washington breach study
getspress making claims

Some good insight, Bill. The key thing with getting the word out,
(though there are a number of journalists on this list), is to set
this study to a Google Alert and email your points to any reporters
who cover said. It wouldn't hurt to get a few more sharp folks to
"sign on" to the points.

Of course, certain vendors may fan the flames by pointing out that
corporations need to buy more products and services but hopefully that
trend continues to be less useful the more educated everyone becomes.

On 3/14/07, Bill Yurcik <byurcik () ncsa uiuc edu> wrote:
> "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> University of Washington News and Information (03/12/07)
> http://uwnews.washington.edu/ni/article.asp?articleID=31264
>
> I saw this press announcement of a study (also included in summary at
end
> of this Email) getting publicity and it looks seriously flawed. The
> academics searched news articles about computer breaches going back to
> 1980 and then make claims.
>
> (1) the authors, who are not techies (communications and geography
> academics), should realize that there are significant disincentives
for
> any organization to have breaches of any type publicly reported - this
> makes any aggregate news data about breaches they assembled extremely
> suspect.
>
> for instance, the authors claim there were *zero* breaches each year
for
> the years 1988-91, 1993-94; less than 10 breaches each year from
> 1995-1999; and less than 25 breaches each year from 2000-2004.
> this does not pass the smell test!!!
>
> (2) I would also argue only since state breach disclosure laws have
> started to provide accurate data on "privacy breaches" can one begin
to
> make claims - there is not valid data before state disclosure laws
kicked
> in.  Even state breach disclosure data is relatively new to being
> analyzed and not perfect since there is still non-reporting and
> disclosures are not publicly recorded although the press does pick up
a
> significant portion of the disclosures between organizations and the
> parties affected. Also there are skewing effects due to state
> breach disclosure laws not being uniform and having different
technical
> requirements such as who must report, what they must report, etc.
>
> (3) The study in question mixes news events with
> recent reports to comply with state disclosure laws so this changes
any
> statistical analysis (multiple sources from different distributions)
>
> I am very disappointed to see this poor scholarship/analysis
> especially that it is getting press (primarily due to the University
of
> Washington's public relations).  Of course consider the source where
the
> study will evemtually be published is not at the forefront in
> this area, "Journal of Computer-Mediated Communication", however, due
> dilligence should have sent the editors of JCMC to seek out some of us
> from this dataloss list for peer-review.
>
> any feedback in agreement or disagreement?
>
> Cheers! - Bill Yurcik
>
> ---
>
> "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> University of Washington News and Information (03/12/07)
> http://uwnews.washington.edu/ni/article.asp?articleID=31264
>
> University of Washington communications professor Phil Howard
conducted a
> review of data-breach incidents reported in major U.S. news outlets
between
> 1980 and 2006 and found that organizational flaws in businesses, not
> hackers, should receive the most blame.  "The surprising part is how
much
> of those violations are organizationally prompted--they're not about
lone
> wolf hackers doing their thing with malicious intent," Howard says.
His
> study revealed that malicious intrusions represent only 31 percent of
550
> confirmed incidents, while mismanagement, such as missing or stolen
> hardware, insider abuse or theft, administrative errors, or accidental
> exposure of data online was responsible for 60 percent of the
incidents
> reported.  State laws that require companies to report breaches
enabled the
> study to be done with greater accuracy.  "We've actually been able to
get a
> much better snapshot of the spectrum of privacy violations," says
Howard.
> The study also found that while universities make up less than 1
percent of
> the total records lost, they make up 30 percent of the reported
incidents.
> Corporate America claims that market forces should be allowed to solve
the
> problem of data breaches and reporting them, but Howard believes that
this
> strategy is not sufficient, especially since identity theft is the
nation's
> fastest growing crime.  He also believes that states seem more capable
of
> passing laws on the matter than the federal government.
>
> ---
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 149 million compromised records in 598 incidents
over 7 years.
>


-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 149 million compromised records in 598 incidents over
7 years.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 149 million compromised records in 598 incidents over 7 years.