A recent paper by Professor Stephanie Forrest and Ph.D. student Benjamin Edwards from the Department of Computer Science at University of New Mexico, and Steven Hofmeyr from the Lawrence Berkeley National Laboratory (Berkeley Lab), suggests that data breaches are not happening any more frequently than they did a decade ago, and are not, in general, growing in size.
“Cybersecurity has become a global problem, and to tackle it effectively will require careful analysis of complex datasets from diverse sources,” said Forrest. “This study illustrates how modern data science can shed light on one of today’s most challenging problems.”
UNM: “In their paper, titled ‘Hype and Heavy Tails: A Closer Look at Data Breaches,’ which won the Best Paper Award at the Workshop on the Economics of Information Security in June, the researchers looked at both malicious and negligent breaches. Malicious breaches occur when attackers specifically target someone’s personal information. Negligent breaches occur when someone’s private information is accidentally exposed, for example if a database of personnel records is stored on a laptop that is lost or stolen.
They used information published by the Privacy Rights Clearinghouse, a private non-profit that tracks public reports of data breaches, and they note that their results are drawn from publicly acknowledged data breaches.
The researchers constructed a statistical model based on public data about breaches collected over the last decade and used the model to analyze trends and make predictions about future breaches. The data clearly showed that information is exposed twice as often through negligence as it is from malicious attacks. Using expanded data that includes high-profile data breaches from this summer, the model also predicts that there is a 98.2 percent chance of a breach that exposes more than 5 million records during the next three years.
What is the bottom line, that is, what is the real cost in dollars of these data breaches? Turning breach counts and sizes into financial figures requires a cost model on top of the breach model. The research team applied some existing cost models to project that over the next three years, data breaches could cost individuals, companies and public entities up to $180 billion.
“With this work, our goal was to answer the questions: Are security breaches getting bigger? Are they happening more frequently? And when they do happen, are the impacts more catastrophic? When we fit the cyber security data to the statistical model, we found a ‘long tail’ distribution, which is liable to distort public perception,” says Hofmeyr. “It’s kind of like if you’ve just experienced a big earthquake, you may suddenly be scared of big earthquakes, even though the probability for big earthquakes hasn’t changed.
“It’s the same for security. And, the reason that we can say that is because we have this principled statistical model, which gives us a more comprehensive and contextual view than simply looking at averages.”
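To make the “long tail” point concrete, here is an added illustration (not code from the paper or the article) of a stationary breach process: breaches arrive at a constant yearly rate and their sizes follow a heavy-tailed log-normal distribution. The rate, the log-normal parameters and the record threshold are constructed assumptions, not the paper’s fitted values; the block shows how such a model yields the chance of at least one breach above a threshold in a window, and how unchanged parameters still produce “record” years.

```python
import math
import random

# Constructed assumptions for illustration only; not the paper's fitted model.

def lognormal_tail(threshold, mu, sigma):
    """P(size > threshold) when log(size) ~ Normal(mu, sigma)."""
    z = (math.log(threshold) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2))

def prob_at_least_one_exceeding(threshold, rate_per_year, years, mu, sigma):
    """Chance that a Poisson stream of breaches (constant rate_per_year)
    produces at least one breach above `threshold` records within `years`.
    Large breaches are themselves Poisson with rate * P(size > threshold)."""
    expected_big = rate_per_year * years * lognormal_tail(threshold, mu, sigma)
    return 1.0 - math.exp(-expected_big)

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for the modest rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_yearly_max(rate_per_year, years, mu, sigma, seed=1):
    """Draw breach sizes year by year from the SAME model and return the largest
    breach seen each year: with a heavy tail, record-setting years appear
    without any change in the underlying parameters (the earthquake effect)."""
    rng = random.Random(seed)
    maxima = []
    for _ in range(years):
        count = poisson(rng, rate_per_year)
        sizes = [rng.lognormvariate(mu, sigma) for _ in range(count)]
        maxima.append(max(sizes) if sizes else 0.0)
    return maxima

if __name__ == "__main__":
    MU, SIGMA = math.log(20_000), 2.5   # constructed: median 20k records, fat tail
    RATE = 300                          # constructed: ~300 reported breaches per year
    p = prob_at_least_one_exceeding(5_000_000, RATE, 3, MU, SIGMA)
    print(f"P(at least one breach over 5M records in 3 years) = {p:.4f}")
    for year, m in enumerate(simulate_yearly_max(RATE, 10, MU, SIGMA), 1):
        print(f"year {year:2d}: largest breach {m:,.0f} records")
```

Because the yearly maxima come from a process with fixed parameters, a run of large values in the printout is not evidence of a trend; that is the distinction the statistical model draws and a raw average cannot.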
There’s a takeaway message for public policy experts in this. Industry reports, which are widely circulated and difficult to confirm, often use inappropriate statistical techniques and should be taken with a large grain of salt. Policies that encourage uniform reporting of security problems would provide clarity in this very murky area.
Edwards summed it up. “So much of our current understanding about security problems relies on private data and opaque analysis methods. Studies like ours provide a rational counterpoint for policy makers and they show the benefit of putting data about security problems into the public domain.”
Source: Is your digital information more at risk today than 10 years ago? The University of New Mexico.
Photo Credits: Network Operating Center, by QSC AG / FlickR