[Dataloss] seriously flawed U Washington breach study gets press making claims

B.K. DeLong bkdelong at pobox.com
Wed Mar 14 21:35:18 UTC 2007 

Some good insight, Bill. The key thing with getting the word out,
(though there are a number of journalists on this list), is to set
this study to a Google Alert and email your points to any reporters
who cover said. It wouldn't hurt to get a few more sharp folks to
"sign on" to the points.

Of course, certain vendors may fan the flames by pointing out that
corporations need to buy more products and services but hopefully that
trend continues to be less useful the more educated everyone becomes.

On 3/14/07, Bill Yurcik <byurcik at ncsa.uiuc.edu> wrote:
>
> "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> University of Washington News and Information (03/12/07)
> http://uwnews.washington.edu/ni/article.asp?articleID=31264
>
> I saw this press announcement of a study (also included in summary at end
> of this Email) getting publicity and it looks seriously flawed. The
> academics searched news articles about computer breaches going back to
> 1980 and then make claims.
>
> (1) the authors, who are not techies (communications and geography
> academics), should realize that there are significant disincentives for
> any organization to have breaches of any type publicly reported - this
> makes any aggregate news data about breaches they assembled extremely
> suspect.
>
> for instance, the authors claim there were *zero* breaches each year for
> the years 1988-91, 1993-94; less than 10 breaches each year from
> 1995-1999; and less than 25 breaches each year from 2000-2004.
> this does not pass the smell test!!!
>
> (2) I would also argue only since state breach disclosure laws have
> started to provide accurate data on "privacy breaches" can one begin to
> make claims - there is not valid data before state disclosure laws kicked
> in.  Even state breach disclosure data is relatively new to being
> analyzed and not perfect since there is still non-reporting and
> disclosures are not publicly recorded although the press does pick up a
> significant portion of the disclosures between organizations and the
> parties affected. Also there are skewing effects due to state
> breach disclosure laws not being uniform and having different technical
> requirements such as who must report, what they must report, etc.
>
> (3) The study in question mixes news events with
> recent reports to comply with state disclosure laws so this changes any
> statistical analysis (multiple sources from different distributions)
>
> I am very disappointed to see this poor scholarship/analysis
> especially that it is getting press (primarily due to the University of
> Washington's public relations).  Of course consider the source where the
> study will evemtually be published is not at the forefront in
> this area, "Journal of Computer-Mediated Communication", however, due
> dilligence should have sent the editors of JCMC to seek out some of us
> from this dataloss list for peer-review.
>
> any feedback in agreement or disagreement?
>
> Cheers! - Bill Yurcik
>
> ---
>
> "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> University of Washington News and Information (03/12/07)
> http://uwnews.washington.edu/ni/article.asp?articleID=31264
>
> University of Washington communications professor Phil Howard conducted a
> review of data-breach incidents reported in major U.S. news outlets between
> 1980 and 2006 and found that organizational flaws in businesses, not
> hackers, should receive the most blame.  "The surprising part is how much
> of those violations are organizationally prompted--they're not about lone
> wolf hackers doing their thing with malicious intent," Howard says.  His
> study revealed that malicious intrusions represent only 31 percent of 550
> confirmed incidents, while mismanagement, such as missing or stolen
> hardware, insider abuse or theft, administrative errors, or accidental
> exposure of data online was responsible for 60 percent of the incidents
> reported.  State laws that require companies to report breaches enabled the
> study to be done with greater accuracy.  "We've actually been able to get a
> much better snapshot of the spectrum of privacy violations," says Howard.
> The study also found that while universities make up less than 1 percent of
> the total records lost, they make up 30 percent of the reported incidents.
> Corporate America claims that market forces should be allowed to solve the
> problem of data breaches and reporting them, but Howard believes that this
> strategy is not sufficient, especially since identity theft is the nation's
> fastest growing crime.  He also believes that states seem more capable of
> passing laws on the matter than the federal government.
>
> ---
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 149 million compromised records in 598 incidents over 7 years.
>


-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

More information about the Dataloss mailing list