[Dataloss] seriously flawed U Washington breach study

Adam Shostack adam at homeport.org
Fri Mar 16 00:16:39 UTC 2007 

What I'm saying is that the paper has more in it.  It's not
particularly snip-friendly, but it's a reasonably easy 30 page read.

"The fourth possibility, and the most plausible one, is that mandatory
reporting legislation has exposed both the severity of the problem and
the common circumstances of organizational mismanagement."

I agree that we're far from knowing the totality of circumstances, and
my read of the paper is that the authors understood that.

Adam

On Thu, Mar 15, 2007 at 11:54:39AM -0500, Bill Yurcik wrote:
| 
| Adam:
|        not much to confuse really,
|        in the clip from the paper below the authors say the breach events
|        were either lost from archives or they did not search well enough
|        or media selection of which events to report is an explanation,
|        well the simple fact is breach events were not being reported in
|        the media to be found by the authors prior to the state
|        breach disclosure laws which recently were legislated.
| 
|        thus the authors miss this primary point that breach
|        events were not being announced by organizations to then be
|        reported by the media. its a simple point but a dominant one that
|        would appear to explain the dearth of events used in their study
|        upon which they later make claims.
| 
| > *zero* breaches each year for the years 1988-91, 1993-94; less than 10 
| > breaches each year from 1995-1999; and less than 25 breaches each year 
| > from 2000-2004.
| 
|       Chris Walsh and I just had a thread on dataloss where we
|       agreed that *even with* the recent data from state breach disclosure
|       laws it is still hard to make general claims about breach disclosures
|       although the situation is better with the data not worse.
| 
| Cheers! - Bill Yurcik
| 
| On Wed, 14 Mar 2007, Adam Shostack wrote:
| >> On "page 22 of 31," starting from line 37:
| >>
| >> Several factors might explain the pattern of increasing incidents
| >> and volume of compromised data over time. First, there is the
| >> possibility that the results are skewed due to the relative growth
| >> of new, fresh news stories devoted to this issue, and the loss of
| >> older stories that disappeared from news archives as time
| >> passed. Perhaps there have always been hundreds of incidents every
| >> year, but only in recent years has the severity of the problem been
| >> reported in the news. If this were the case, we would expect to see
| >> a gradually decaying pattern with greater number of reported cases
| >> in 2006 than in 2005, 2004, and so on. However, the dramatic
| >> difference in reported incidents between later years and early years
| >> suggests that this effect does not adequately explain ...
| >>
| >> So I'm confused by your claim that they don't recognize the issue.
| 
| > On Wed, Mar 14, 2007 at 05:35:33PM -0500, Bill Yurcik wrote:
| > |
| > | the authors did not identify (maybe because they did not recognize) how
| > | incredibly bad their data is (years of data that are not even close),
| > | they then went on to make bold claims! trash-in trash-out
| 
| 
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
| Tracking more than 149 million compromised records in 598 incidents over 7 years.

More information about the Dataloss mailing list