The Truth in the Numbers: Data Breach Analysis

Posted by Mark Greisiger

A Q&A with Patrick Florer of Risk Centric Security

While it’s easy to get caught up in the splashiest current news story about a particular breach, analyzing a broader swath of cyber security data can give us a more vivid and sometimes more precise picture of the real risks facing organizations today. I spoke with Patrick Florer of Risk Centric Security about what precisely constitutes a data breach and what the statistics show us.

How did you become interested in data breaches?
I had a classics and linguistics background but have worked in IT for nearly 35 years. I got involved with information security in 2007, when I started reading about the TJX data breach and how either 45 or 90 million records of credit cards and personal information were lost. At the same time I came across a Ponemon Institute study that claimed the average cost of a record stolen in that fashion was $200. I did a back-of-the-envelope calculation and saw that, according to these figures, the breach would cost TJX either $9.5 billion or $19 billion, and I knew it just wasn’t possible. (As it turns out, the company spent perhaps $200 million.) I realized you have to approach these calculations with a measure of skepticism, and if you multiply averages times averages you end up with a vastly distorted extrapolation. That’s when I started Risk Centric Security, which offers state-of-the-art tools and training for quantitative risk and decision analysis. I now research breaches and analyze the data for companies such as Ponemon and NetDiligence, and I also work with other data sets that give me a unique point of view.

How do you define “data breach?”
As a linguist I consider definitions to be important and right now there’s no universally accepted definition of data breach. The one I use is this: A data breach is the inadvertent disclosure of data, either through accident or the work of malicious parties. Data breaches can happen as a result of equipment failure, human error, or the bad intentions of someone working inside or outside the company.

What kinds of impact do data breaches have on their victims?
Since there’s no such thing as “a” data breach, the impact can vary widely. The impact can be financial, psychological or emotional. It can be short-lived or persist for years. On a practical level, it can mean stolen M&A plans, marketing information and/or product design that’s sold to a competitor. A disgruntled employee can take a flash drive of information to their new company. Data can be accidentally leaked through a lost device. The data itself might involve Social Security numbers or credit card information.

How that impact is felt is largely dependent on your situation. Now, if you’re an individual and your credit card is stolen, you’re protected by law, but if you’re a business and someone gets your credit card you don’t have those same protections. Even a small breach can be enough to put a small company out of business. So the impact can be quite dramatic.

Can we predict or estimate the likelihood or impact of a data breach?
If you have cyber data, and most companies do, you have the potential for a breach. Frequency is hard to predict—it’s not as though we have 100-year flood or hurricane histories in the cyber security world. However, when you consider that a group of bad guys will pick a company and spend up to a year researching, investigating and probing around, it’s only a matter of time until that company is hit. With all of the automated tools people have at their disposal today, the attacks are often opportunistic, and that means it’s guaranteed to happen to practically everyone. The National Security Agency recently had a pretty major breach, and if they can’t stop something like that from happening, I’m not sure anyone can.

When estimating the impact, some aspects are much easier to get a handle on. Any costs associated with a breach—credit monitoring, counseling, forensics, crisis resolution—can be estimated and quantified. The same goes for time spent by employees internally on marketing, public relations, IT services and security after a breach. When it comes to areas such as brand damage, stock valuation, lost partners or vendors, and lost business, these things are much more difficult to predict, and they will greatly depend on the kind of business and customers involved. Even with the Target breach, many customers don’t even use credit cards, and even though the stock went down after the breach, the company attributed it only in part to the breach. But I find that when I’m talking to a company about risk analysis and we’ve already itemized the other costs, it’s sufficiently troubling. By the time we get to the less quantifiable stuff, they’re saying, “do you have to keep hitting me?”

What are some sources of information for further reading?
NetDiligence
Ponemon Institute
Verizon Data Breach Investigations Report
Mandiant
IBM X-Force
Dataloss DB
Identity Theft Resource Center

In summary…
We wanted to interview Patrick on this subject because we value his insights and because he is such a valued partner to NetDiligence, assisting us with our annual cyber claims study that we conduct with our insurance carrier partners. With Patrick (and Sharon Lyon, President of Lion’s Share Marketing Group, Inc.) we strive to improve this study each year in an effort to better educate CFOs, risk managers and our insurance industry clients about the very real loss trends as they relate to cyber risk.