[Dataloss] seriously flawed U Washington breach study

Bill Yurcik byurcik at ncsa.uiuc.edu
Wed Mar 14 22:35:33 UTC 2007


On Wed, 14 Mar 2007, Adam Shostack wrote:
> On the other hand, they could definitely have been more clear about the
> difference between 0 breaches and 0 reported breaches.

the authors did not identify (maybe because they did not recognize) how 
incredibly bad their data is (years of data that are not even close);
they then went on to make bold claims! trash in, trash out


> On Wed, Mar 14, 2007 at 03:32:40PM -0500, Bill Yurcik wrote:
> |
> | "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> | University of Washington News and Information (03/12/07)
> | http://uwnews.washington.edu/ni/article.asp?articleID=31264
> |
> | I saw this press announcement of a study (also included in summary at end
> | of this Email) getting publicity and it looks seriously flawed. The
> | academics searched news articles about computer breaches going back to
> | 1980 and then make claims.
> |
> | (1) the authors, who are not techies (communications and geography
> | academics), should realize that there are significant disincentives for
> | any organization to have breaches of any type publicly reported - this
> | makes any aggregate news data about breaches they assembled extremely
> | suspect.
> |
> | for instance, the authors claim there were *zero* breaches each year for
> | the years 1988-91, 1993-94; less than 10 breaches each year from
> | 1995-1999; and less than 25 breaches each year from 2000-2004.
> | this does not pass the smell test!!!
> |
> | (2) I would also argue only since state breach disclosure laws have
> | started to provide accurate data on "privacy breaches" can one begin to
> | make claims - there is not valid data before state disclosure laws kicked
> | in.  Even state breach disclosure data is relatively new to being
> | analyzed and not perfect since there is still non-reporting and
> | disclosures are not publicly recorded although the press does pick up a
> | significant portion of the disclosures between organizations and the
> | parties affected. Also there are skewing effects due to state
> | breach disclosure laws not being uniform and having different technical
> | requirements such as who must report, what they must report, etc.
> |
> | (3) The study in question mixes news events with
> | recent reports to comply with state disclosure laws so this changes any
> | statistical analysis (multiple sources from different distributions)
> |
> | I am very disappointed to see this poor scholarship/analysis
> | especially that it is getting press (primarily due to the University of
> | Washington's public relations).  Of course consider the source where the
> | study will eventually be published is not at the forefront in
> | this area, "Journal of Computer-Mediated Communication", however, due
> | diligence should have sent the editors of JCMC to seek out some of us
> | from this dataloss list for peer-review.
> |
> | any feedback in agreement or disagreement?
> |
> | Cheers! - Bill Yurcik
> |
> | ---
> |
> | "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
> | University of Washington News and Information (03/12/07)
> | http://uwnews.washington.edu/ni/article.asp?articleID=31264
> |
> | University of Washington communications professor Phil Howard conducted a
> | review of data-breach incidents reported in major U.S. news outlets between
> | 1980 and 2006 and found that organizational flaws in businesses, not
> | hackers, should receive the most blame.  "The surprising part is how much
> | of those violations are organizationally prompted--they're not about lone
> | wolf hackers doing their thing with malicious intent," Howard says.  His
> | study revealed that malicious intrusions represent only 31 percent of 550
> | confirmed incidents, while mismanagement, such as missing or stolen
> | hardware, insider abuse or theft, administrative errors, or accidental
> | exposure of data online was responsible for 60 percent of the incidents
> | reported.  State laws that require companies to report breaches enabled the
> | study to be done with greater accuracy.  "We've actually been able to get a
> | much better snapshot of the spectrum of privacy violations," says Howard.
> | The study also found that while universities make up less than 1 percent of
> | the total records lost, they make up 30 percent of the reported incidents.
> | Corporate America claims that market forces should be allowed to solve the
> | problem of data breaches and reporting them, but Howard believes that this
> | strategy is not sufficient, especially since identity theft is the nation's
> | fastest growing crime.  He also believes that states seem more capable of
> | passing laws on the matter than the federal government.
> |
> | ---
> | _______________________________________________
> | Dataloss Mailing List (dataloss at attrition.org)
> | http://attrition.org/dataloss
> | Tracking more than 149 million compromised records in 598 incidents over 7 years.