An article published by Reuters a couple weeks back caught my eye: Davos executives see data theft as too costly, too hard to beat. From the article, dated 24 January 2014:

Fighting online data fraudsters is almost impossible as their ability to hack into new technology often outpaces companies' efforts to protect it, senior businessmen and bankers gathering for the World Economic Forum (WEF) said.

The mammoth data breach at U.S. No. 3 retailer Target (TGT.N) has made executives even more aware of the need to improve safety standards, but the cost is often prohibitive.

[...]

While losses on complex derivatives transactions could punch a big hole in a bank's balance sheet or even compromise its stability, the potential losses resulting from the theft of retail customers' data are often minimal.

Really? Minimal on whose balance sheet?

Follow me while I take a look below the fold......

A study sponsored by security behemoth Symantec, and conducted by the Ponemon Institute, measured costs of data breaches to business. From 2013 Cost of Data Breach Study: Global Analysis (PDF), published in May 2013 and reporting on cost per data breach victim in calendar year 2012:

As the findings reveal, the average per capita cost of data breach (compiled for nine countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face as well as the data protection regulations and laws in their respective countries. In this year’s global study, the average consolidated data breach increased from $130 to $136. However, German and US organizations on average experienced much higher costs at $199 and $188, respectively.

Contrast that with an NBC article (on Today.com) published the following month, Data breaches cost consumers billions of dollars:

A new report from Javelin Strategy and Research released on Wednesday concludes that a single massive data breach can result in “billions of dollars” in consumer fraud losses. [...]

Hackers were after Social Security numbers when they attacked the South Carolina Department of Revenue last year. They got 3.6 million of them. Javelin puts the total loss from this fraud at $5.2 billion dollars, making the breach one of the most costly ever.

The average fraud victim in this case will spend $776 out of pocket and take 20 hours to resolve their problems, the report estimated.

$188 is the cost to businesses per victim per data breach incident in the United States, from the Symantec-sponsored study. NBC reports, from an incident in South Carolina, a cash cost to consumers of $776 plus whatever 20 of your hours are worth, applied to following up some company's compromise of your data by contacting banks, writing to credit agencies, trying to get the attention of law enforcement, and other such entertainments.

What are those 20 hours worth? The Social Security Administration calculated average U.S. wage data at $42,498.21 for 2012, or a little over $20/hr for a full 52-week year of 40-hour work weeks.

So let's peg the worth of those 20 hours at $400, for a total cost to data breach victims of $1,176 per incident.

Admittedly, this is arithmetic, not methodologically sound statistics I'm batting around here. But by my rough and sketchy comparisons, a data breach costs U.S. individuals over six times what such an incident costs a U.S. business for each affected person.

And yet: Davos executives see data theft as too costly, too hard to beat.

Uh huh.

In case it's not obvious yet that what "Davos executives see" is different from what you, an individual, are at risk of experiencing, let's go back to that Symantec-sponsored study for a moment.

From the study's Executive Summary, bold emphasis added:

Factors that increase the cost. US companies realized the greatest increase in data breach costs if caused by a third party error or quick notification of data breach victims, regulators and other stakeholders. [...]

And from the Key Findings section of the report, bold emphasis added again:

In many countries, regulations dictate the notification of data breach victims. However, if organizations are too fast in contacting individuals it can actually result in higher costs. In this year’s study, in the US quick notification added as much as $37 per record, as shown in Figure 11c. It is understandable that this factor would have little impact on Brazil and India, because data breach notification regulations are non-existent.

No regulations, no need to notify data breach victims. No need to notify, lower cost to business. Hmmmm.... I believe what we're seeing here is what a certain category of spin-doctor might call, with respect to the United States, unfriendly business environments resulting from over-regulation, no?

The World Economic Forum's February 2013 report, Unlocking the Value of Personal Data: From Collection to Usage (PDF), contains an airbrushed sound bite framing the old and insidious concept that what's good for the CEOs attending WEF meetings is good for the countries from which they extract wealth. From a chapter cozily titled "The World is Changing," here's the last point in a figure summarizing "New perspectives on the use of data":

Traditional approach: Policy framework focuses on minimizing risks to the individual

New perspective: Policy focuses on balancing protection with innovation and economic growth

Balance. We like balance, right?

Full disclosure: I am over-simplifying some long and complex analyses.

For example, a couple of pages past the bit quoted just above from the WEF report, a series of figures asserts that health care outcomes for individuals are significantly improved by "personalised individual interventions based on health data" and "public disclosure of aggregated, anonymized patient outcome data."

Yes, there are not only costs, but benefits as well that accrue to individuals when vast data stores are aggregated and mined. It's complicated, and I acknowledge that.

The WEF report contains, for example, this reasonable and nuanced passage in Chapter 2:

This new approach also needs to carefully distinguish between using data for discovery to generate insight and the subsequent application of those insights to impact an individual. Often in the process of discovery, when combining data and looking for patterns and insights, possible applications are not always clear. Allowing data to be used for discovery more freely, but ensuring appropriate controls over the applications of that discovery to protect the individual, is one way of striking the balance between social and economic value creation and protection.

However, just as the discovery of new opportunities for growth is unknown, so are the possibilities for unleashing unintended consequences. Principled and flexible governance is required to assess the risk profile of actions taken in the use of data analytics.

But I would argue that this nuance is used as a self-interested prop to justify current and contemplated data collection and retention practices, on the grounds that, paraphrasing, we'll figure out how to protect people eventually.

I'm skeptical, okay? YMMV.

But here, setting aside reasonable nuance, figures and appendices, footnotes, and kumbaya use cases, let's consider this unsettling video, circa 2009, courtesy of the ACLU. What happens when you, an individual, call up a retailer to place the simplest order -- for takeout pizza -- and they know pretty much everything about your home, habits, relationships, work, and health. To wit:

It's a perspective worth balancing against the carefully groomed reports coming out of Davos.

I'll close with a report from just yesterday, 9 Feb 2014, Reuters again, titled Barclays launches investigation after customer data leak:

Barclays said it had launched an investigation after a newspaper reported that the personal details of 27,000 customers had been stolen and sold, raising the prospect of new fines for the bank. [...]

Barclays thanked the Mail on Sunday for bringing the data leak to its attention.

"Protecting our customers' data is a top priority and we take this issue extremely seriously," Barclays said in its statement.

"We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible."

Yessiree, Bob. Every practical measure.

This diary is cross-posted from the author's blog, One Finger Typing.

Originally posted to Steve Masover on Mon Feb 10, 2014 at 08:43 AM PST.

Also republished by Community Spotlight.


  •  Here's where you went wrong (1+ / 0-)
    Recommended by:
    gjohnsit

    You spent a lot of time talking about the costs of breaches, and zero time talking about the (in)effectiveness of whatever measure you feel like advocating.  

    The Reuters article at least mentioned the chip-and-PIN scheme, of which there is no evidence of effectiveness beyond a dubiously sourced number (admitted by its champions) and plenty of evidence that the scheme is nowhere near as secured as advertised.

    Sorry, but this diary just struck a nerve.  One, I'm recently in this business and two the tone and argument strikes me as the same sort that produced the failed safety culture that ran our space program into the ground.  It's time to stop pretending we can legislate wishes into existence and deal with facts.

    •  Wrong? I don't think so. Perhaps ... (2+ / 0-)
      Recommended by:
      DrLori, The Technomancer

      .... "not a comprehensive analysis and recommendation of What Is To Be Done"?

      I don't know what is to be done.

      IMO, a required step in figuring that out is to understand the fact that what CEOs of large and powerful corporations tend to think of as "solutions" to data security risks are solutions to their risks, which are not the same as risks faced by individuals. I don't believe that is obvious to everyone (not even all DK readers!) who thinks about data security issues. I do believe that MSM reports are likely to report what CEOs of large and powerful corporations tend to think as the long and short of the matter, which suggests that a critical read of those views is pretty important.

      There is so much smoke-blowing and disinformation around questions of data breaches, data security, and surveillance that clearer understanding of the players and their interests seems worthwhile to me. Sorry you didn't think so, rduran.

      •  It's not a required step at all (0+ / 0-)

        Universities, non-profits, activists, and private individuals are actively involved in the study of information security.  In fact, griping about a point of view expressed in one venue is completely tangential to the question of what can be done (if anything) to curtail security breaches moving forward.

        What you haven't done is report what actual experts think about these matters.  I'll say right here now that you're in for some disappointment.

        •  What? (2+ / 0-)
          Recommended by:
          DrLori, nathanfl

          Data security is very possible.  Companies specialize in this.  The one that I work for, in fact, does.

          It can be expensive, especially if all companies or governments try to do it themselves.  Farmed out to a company that specializes in it that can bring down cost per GB with scale, and combined with analysis of said data?

          Very possible.

          Companies and governments that design data acquisition and storage from the ground up thinking about security, or farm that task out to companies that do, have very good records on it.

          Remember, you don't have to perfectly secure data.  You have to secure it for long enough that by the time anything can be done with it, the data's worthless.  Money's always the motivation behind data theft -- make the data worthless to a non-authorized party with strong security, smart encryption, system change detection, and a staff paid well enough to give a crap about all of these things, and you have data that's as secure as it's going to get.

          Everyday Magic

          Any sufficiently advanced technology is indistinguishable from magic.
          -- Clarke's Third Law

          by The Technomancer on Mon Feb 10, 2014 at 03:10:18 PM PST

          •  "Data security is very possible" (0+ / 0-)

            That's like saying "launching humans into space is very possible" and then asking why haven't we colonized Alpha Centauri yet.  Throwing a bunch of buzzwords at the problem doesn't actually amount to a solution.  And in this case, you might want to remember that for data to be worth something to the authorized user, it can't expire into worthlessness before you have time to do something with it.

            Also, there is zero evidence that outsourcing to specialist contractors offers actual improvements in either effectiveness or cost.  That's not a slap at the quality of work being pursued, but simply a reflection on the piss poor state of industry research on matter.  That's why you have a bunch of companies whining about the race between the black hats and their security folks.  They're dumping a lot of money into doing things and they have no way of quantifying their gains (if any).

            •  It's not a matter of buzzwords. (0+ / 0-)

              And by possible, I mean right now.  We're doing it.  There's a shitload of other companies that are too.

              I am very aware of the expiry rate on data.  My living gets made by processing publisher and marketer data in real-time, keeping data secure down to the customer cookie level so that other companies can't snoop that/your data, and presenting our analysis to our customers.

              The computer part of the security equation isn't difficult with the right expertise.  The people part of the security equation is addressed with training, limited access to production environments, proper physical security, paying your employees enough to give a crap about the company and not just the bare minimum to maximize profit, and actually giving a crap about your employees as people and not as just another resource to get chewed up and spit out.

              Data's data, whether it's marketer data, census data, etc.  Same 0s and 1s with the same protection regimens.

              So since I do this stuff every day, would you like to tell me why it's not possible?

              Everyday Magic

              Any sufficiently advanced technology is indistinguishable from magic.
              -- Clarke's Third Law

              by The Technomancer on Mon Feb 10, 2014 at 03:33:59 PM PST

              •  Yes, we are launching humans into space (0+ / 0-)

                What we haven't done is actually eradicate or even severely curtail the breach incidence.  

                The point of automating security is to reduce human error; you've just listed off three moving parts dealing directly with humans (+ one more if you include the two others that basically boil down to offering an uncapped bribe not to commit fraud or be negligent).  None of which actually quantifies risk and reliability worth a damn.  I don't care how good you say you are.  I want the data showing that this much money I'm shelling out to deploy your product solves the security problem I'm faced with by that much.

                "Data's data" has to be the most irrelevant point mentioned yet.  You can organize sources, pipes and sinks for data into countless families of vulnerability, including the ones you don't know that you don't even know.

                •  Some points... (0+ / 0-)

                  1.  Good luck with the argument that paying a good salary amounts to a bribe to make people give a crap.  Redstate's over that way.  You'll find better luck there.

                  2.  The point of automation is to reduce human error, not eliminate humans.  If someone logs in that I'm not expecting or at a time I'm not expecting, my systems let me know and proactively counter the threat and send me a summary of any actions, commands, or changes made to the system.

                  3.  That info you ask for is in our sales decks.  We have had zero data theft instances.  The number of attempts at data theft is a non-zero number.  Our security gets regularly audited because our customers demand it.

                  4.  My job -is- to know about vulnerabilities, from reported security issues to 0-days to our own internal and external security.  We're trying to hack ourselves all the time, and hiring others to do it too.  How the hell else am I going to be confident my systems are secure?

                  I'm quite aware of the numerous and varied attack vectors out there.  So let me repeat my question you so artfully avoided:  

                  Would you like to tell me why what I do every day isn't possible?

                  There's a reason why you didn't answer it the first time.

                  Everyday Magic

                  Any sufficiently advanced technology is indistinguishable from magic.
                  -- Clarke's Third Law

                  by The Technomancer on Mon Feb 10, 2014 at 04:01:08 PM PST
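The alert described in point 2 above ("someone logs in that I'm not expecting or at a time I'm not expecting") is, stripped to its essentials, a baseline check over successful-login events. As an added illustration that is not the commenter's system, nor any product's code, here is a small Python detector run over constructed sshd-style log lines. The users, their expected UTC hours and source addresses, and every log line are made up for the example; only successful (`Accepted`) logins are examined, and a login is flagged when the user is unknown, the time falls outside that user's window, or the source address is not in that user's known set.

```python
import re
from datetime import datetime, time

# Constructed sample lines in sshd/syslog style; not real log data.
SAMPLE_LOG = """\
2014-02-10T09:02:11Z host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
2014-02-10T13:47:03Z host1 sshd[2390]: Accepted publickey for bob from 10.0.0.7 port 51890 ssh2
2014-02-10T23:58:40Z host1 sshd[2711]: Accepted publickey for alice from 10.0.0.5 port 52004 ssh2
2014-02-11T02:15:09Z host1 sshd[2802]: Accepted password for mallory from 203.0.113.9 port 40111 ssh2
2014-02-11T10:30:00Z host1 sshd[2950]: Accepted publickey for bob from 198.51.100.20 port 41200 ssh2
2014-02-11T10:31:12Z host1 sshd[2951]: Failed password for root from 203.0.113.9 port 40120 ssh2
"""

# Hypothetical baseline: who is expected, during which UTC hours, from which addresses.
EXPECTED = {
    "alice": {"hours": (time(8), time(18)), "sources": {"10.0.0.5"}},
    "bob":   {"hours": (time(8), time(18)), "sources": {"10.0.0.7"}},
}

# Matches only successful logins; failed attempts are left to other rules.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_accepted(line):
    """Return a dict for an 'Accepted ...' line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group("user"),
            "src": m.group("src"), "method": m.group("method")}


def check_login(event, expected=EXPECTED):
    """Return the list of reasons this login deviates from the baseline (empty if none)."""
    reasons = []
    profile = expected.get(event["user"])
    if profile is None:
        reasons.append("unexpected user")
        return reasons  # no profile to compare hours or sources against
    start, end = profile["hours"]
    if not (start <= event["ts"].time() < end):
        reasons.append("outside expected hours")
    if event["src"] not in profile["sources"]:
        reasons.append("unexpected source address")
    return reasons


def find_anomalies(log_text, expected=EXPECTED):
    """Scan log text and return (timestamp, user, source, reasons) for each flagged login."""
    findings = []
    for line in log_text.splitlines():
        event = parse_accepted(line)
        if event is None:
            continue
        reasons = check_login(event, expected)
        if reasons:
            findings.append((event["ts"].isoformat(), event["user"], event["src"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

On the sample above the detector flags alice's 23:58 login (outside her window), mallory (no profile at all) and bob's login from 198.51.100.20 (known user, unknown address); the two in-window logins from known addresses pass, and the failed root attempt is ignored by this rule. The baseline is the whole value of the check: a static allow-list like this one is only as good as its upkeep, so in practice the hour windows and source sets would be derived from observed history and reviewed when they change.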

                  •  We're paid great salaries (0+ / 0-)

                    1. Our average salaries are well above the American median; safely in the second highest quintile in fact.  All for a job that requires considerably less toil and offers more comfort than say sweating in an Amazon warehouse. As you say, Redstate's over that way.

                    2. That's good to hear, but it tells me nothing about the fault modes.  

                    3. That's an extraordinary claim, but at least it's on the track towards actual numbers.  Care to point out the sales deck, Mr. I Make The Internet Run?

                    4. I'm not saying you're not doing the Lord's work.  But, to again draw an analogy to NASA's safety obsession, it's work that we can't readily correlate to desired outcomes simply because the space of potential vulnerability is not well defined.  So you end up with a landfill of conditional measures (many of dubious quality) you have to sift through and none of them really answer the question the customer's asking.  "How much risk is there of this data getting out over 1, 5, 10, 15 years?"   And that's not simply limited to information security, either; it's a problem endemic in all regimes of control.  

                    And finally, why would I answer a question that has nothing to do with anything we're talking about?

                    •  You said it can't be done. (0+ / 0-)

                      I asked why.  You can't answer it because you have zero useful, up-to-date knowledge on the topic.  A junior sysop could bullshit their way through that question.  Someone with actual skills could actually provide interesting conversation about.  It's an easy topic to discuss if you know your shit.

                      But, you're not here for discussion, and you don't know your shit.

                      Regarding pay, it actually matters less than respect and treating one's employees and coworkers like adults so long as you're actually covering their financial needs and getting them ahead as far as savings and retirement go, but it stops the good talent from getting more elsewhere.  Making sure employees own equity in the company helps too -- we all make money when the company does well.

                      And if you're doing this particular part of computer engineering and you're only making second quartile pay, you're happy where you are and don't mind getting paid a third of what you can get on the market, you suck at pay negotiations, or you're unaware of what's actually going on in this field and I'd like to offer you an interview because I don't care what kind of dick you are, if you've got skills, I've got a job on my team for you and I can beat the crap out of a second quintile salary.

                      And that's not me bragging.  That's all the companies in this field that are serious players in it.

                      If you think companies like the one I work for and the ones that hire us aren't thinking and aren't doing long-term forecasting, you're wrong.  In fact, that's pretty much the core piece of any cost/benefit analysis when hiring a company like the one that employs me.  If you actually knew your shit and were attempting to have constructive discussion rather than trolling using 5 or more year old information.

                      0 data thefts is not an extraordinary claim.  Simple back-of-the-napkin math shows that there's a few data breaches every year, and a few orders of magnitude more companies that weren't breached.  This number is still quite small stretched out over a 75 year time span.  Again, if you're going to claim expertise on this topic, you should know this.

                      The math's there.  Companies with valuable data do the right thing and either secure it themselves or hire companies to do it for them, and ones that don't decided the cost/benefit analysis wasn't in favor of doing it right and banking on herd protection to avoid getting owned.

                      And I'm serious about the interview.

                      Everyday Magic

                      Any sufficiently advanced technology is indistinguishable from magic.
                      -- Clarke's Third Law

                      by The Technomancer on Mon Feb 10, 2014 at 05:19:30 PM PST

                      •  I never said it couldn't be done (0+ / 0-)

                        I said it hasn't been done.  And it is eradicate or substantially reduce the risk of breaches across the industry.  That's a friggin' fact, regardless of how high of an opinion you have of yourself.

                        Zero data thefts is an extraordinary claim.  I also point out it's the only claim you've made that uses an actual number.  And I also point out you still haven't backed it up.  

                        I'm pretty sure you're bright enough to tell the difference between an average salary and the salary of some guy you've never met doing things you know nothing about.  Thanks for the invite, but East ain't too shabby at kicking the shit out of the second highest quintile.  And the food's better.

                        Pretty much everything else you've said boils down to shit talking.  If that's all you got, be my guest.  I'll wait for you to eventually point us to what will likely be a brochure and at best at least one but probably no more than five white papers on very narrow topics.  Please, proceed.

                        •  Right. (0+ / 0-)

                          You're making a claim.  Burden of proof's on you, bud.  It's your handle at the bottom of the comment that started this thread, and your claims.  You've refused multiple opportunities to back it up, then have the chutzpah to make demands of someone else.

                          Eradication of these threats doesn't happen.  Claiming that that's a knock against data security is like claiming that the fact people die is a knock on the medical industry.  They claim they can save your life, but everybody dies!

                          You're also quite well aware why it's impossible to get a count of the rate of successful security breaches -- because the numbers get reported as a number of successful breaches.  Successful ones are rising.  Do you have a count of unsuccessful ones to present your numbers to show that the overall rate as a percentage of attempts isn't getting better?  You made the claim, so I assume you do.  Present at any time.

                          Shoot me a KosMail with where I should send the NDA to and I'll be happy to show you my numbers.  KosMail me if you require an NDA to show me yours.  I don't do brochures, and the white papers are marketing crap.  You're (supposedly) an engineer.  You know that.  I'm slightly hurt that you'd think I'd lean on those.

                          My problem with working back East is that the weather is ass and both Government and Financial information services are soul-draining jobs.  Did it for Citi's high-frequency trading servers...never again.  Nothing like getting bitched out in three languages by 5 different trading desks for having a perfect failover (fiber line cut) with zero transactions lost, but the extra 5ms that failing over from Wall St. to the DR site across the river supposedly cost Citi $1.6mil/minute until they patched up the cable.

                          Mind you, I had a request for a failover connection in that DC open for 6 months.  My predecessor for months before that.  You'd think Citi would have spent the money on it if a perfect failover cost 'em $1.6mil/min, but apparently it was insured and it was easier to bitch out the system engineers than prevent the need to use the insurance.  Request is probably still waiting for approval somewhere in that gawd-awful system.

                          But I digress.  If you're working financial or government IS, then let me be the first to apologize for your bad day.  Don't lie and say you aren't having one, if you work for either of those types of shops, you are.

                          I'd argue about the food, too.  SF has tasty eats and startup services to make 'em convenient.

                          We've both been talking shit this whole time.  Figured you were enjoying yourself.  If it bothers you, say the word and I'll talk like I'm around the Christian uncle I have that still cuffs me upside the head if I'm not polite and curse-free.

                          Everyday Magic

                          Any sufficiently advanced technology is indistinguishable from magic.
                          -- Clarke's Third Law

                          by The Technomancer on Mon Feb 10, 2014 at 06:26:16 PM PST

                          •  Burden of proof met (1+ / 0-)
                            Recommended by:
                            The Technomancer

                            http://datalossdb.org/...

                            http://www-935.ibm.com/...

                            https://www.riskbasedsecurity.com/...

                            Honestly, didn't think there was any dispute about it, seeing as it's a key subject of the goddamned diary.

                            Since we're running long, and since you seem to be more interested in fighting strawmen, I'll respond to each point directly:

                            Eradication of these threats doesn't happen.  Claiming that that's a knock against data security is like claiming that the fact people die is a knock on the medical industry.  They claim they can save your life, but everybody dies!

                            If I may quote myself: "That's not a slap at the quality of work being pursued, but simply a reflection on the piss poor state of industry research on matter."

                            You're also quite well aware why it's impossible to get a count of the rate of successful security breaches -- because the numbers get reported as a number of successful breaches.  Successful ones are rising.  Do you have a count of unsuccessful ones to present your numbers to show that the overall rate as a percentage of attempts isn't getting better?  You made the claim, so I assume you do.  Present at any time.

                            I applaud you for restating something I said earlier: "it's work that we can't readily correlate to desired outcomes simply *because the space of potential vulnerability is not well defined. *"

                            Shoot me a KosMail with where I should send the NDA to and I'll be happy to show you my numbers.  KosMail me if you require an NDA to show me yours.  I don't do brochures, and the white papers are marketing crap.  You're (supposedly) an engineer.  You know that.  I'm slightly hurt that you'd think I'd lean on those.

                            You brought up the sales deck, not me, so I'm not terribly impressed with how hurt you might be.  If what you have to show beyond that requires an NDA, let me save you the time and say I'll welcome any open source evidence of the closest competing system you can name: even a theoretical one.  

                            My problem with working back East is that the weather is ass and both Government and Financial information services are soul-draining jobs.   Did it for Citi's high-frequency trading servers...never again.  Nothing like getting bitched out in three languages by 5 different trading desks for having a perfect failover (fiber line cut) with zero transactions lost, but the extra 5ms that failing over from Wall St. to the DR site across the river supposedly cost Citi $1.6mil/minute until they patched up the cable. Mind you, I had a request for a failover connection in that DC open for 6 months.  My predecessor for months before that.  You'd think Citi would have spent the money on it if a perfect failover cost 'em $1.6mil/min, but apparently it was insured and it was easier to bitch out the system engineers than prevent the need to use the insurance.  Request is probably still waiting for approval somewhere in that gawd-awful system.

                            Lot more than Finance and Government jobs in New England (and I agree, they are soul draining).  We have lots companies and universities doing great work in EE, aerospace, health, and so on and so on. Personally, I prefer an office with ready access to workbench and all the boards and elements I could ever want.   And I like my weather shitty.  

                            But I digress.  If you're working financial or government IS, then let me be the first to apologize for your bad day.

                            I'm not, so don't worry about it.

                            I'd argue about the food, too.  SF has tasty eats and startup services to make 'em convenient.

                            So does Midland, TX.  I'm a New Yorker, so I'll leave it at that.

                            We've both been talking shit this whole time.  Figured you were enjoying yourself.

                            No, I don't.  Because I don't like making claims on my own authority.  However, as far as I'm concerned that's all shit-talking is.  You can be as sleeves-rolled-up abrasive as you want to be, and so long as you push a valid point and don't pack up your marbles you'll get the same in turn.

                          •  Now that's more like it. (1+ / 0-)
                            Recommended by:
                            rduran

                            Firstly, let me apologize for reading you wrong and therefore being a dick.  I'll tone the aggro.

                            Except like you said, the eradicate portion isn't in question, and, as you point out, you've said so yourself that since unsuccessful attacks aren't reported, we have no idea if the rate of successful attacks is increasing.  I'm going to be a stickler on the fact that your "it" in question is:

                            eradicate or substantially reduce the risk of breaches across the industry.
                            I'm not aware of any mathematics that allow you to calculate the rate of successful attacks when you don't have the denominator required to calculate successful attacks divided by total attempts and no data set available to make even a reasonable estimate of whether a year over year increase or decrease is happening.

                            Seriously, if you know a way or you even have a decent theory, I'm all ears, and that's not sarcasm.  The closest way I can think of to even come close to deriving that answer is to use the growth rate of total devices connected to the Internet, which is rising at a faster rate than the total number of successful break-ins.  If the number of targets is rising at a faster rate than the number of successful break-ins, and devices are passing around more data than ever, I'd say that's about as close as we can currently get to proof that you can substantially reduce the risk of suffering a breach.

                            An alternate calculation that might approximate the relative decrease or increase of data breach severity would be to calculate the change in the amount of data breached vs. the growth of the total data set.  We know that's growing at an exponential rate, while the amount of data breached doesn't appear to be.

                            I'd wager the same goes if we compared value of the data breached vs. total estimated value stored in data.

                            And again, given the weak tea that attempt at calculation represents, if you've got a better idea on how to do it, I'm all ears.  But unless you've got something better, I don't see how you can claim that incidents haven't been severely reduced, or even have a way to make a claim of reduction, increase, or non-movement either way.

                            You can't back your claim because the numbers don't exist.  I can't back mine without a signed NDA to show we've had zero successful data security breaches.  Even asked my boss before I left work because I do feel like a dick having to pull the NDA card, and I can't say I'd react any differently from you if I were in your shoes.  I was actually hoping you'd play ball, because I like showing off my work.

                            And winning arguments, but that's secondary to the pursuit of knowledge.  ;)

                            So, that seems to leave us at an impasse.  Call it good game and see you in the next thread?

                            And if you are out in SF anytime, shoot me a KosMail, and I'll buy you lunch as penance for going aggro.  Fair enough?

                            Everyday Magic

                            Any sufficiently advanced technology is indistinguishable from magic.
                            -- Clarke's Third Law

                            by The Technomancer on Mon Feb 10, 2014 at 08:28:43 PM PST


                          •  You can take "eradicate" as you would (0+ / 0-)

                            if someone said "we eradicated polio and smallpox."  It's only accurate in the sense that no one's complaining about it enough to draw the attention of the epidemiologists.  

                            On measuring vulnerability, a couple of points.  As you pointed out earlier, we really can't pin down the numerator with any certainty.  You can only aggregate what's reported, and what's reported is spread across as many news sources as there are known incidents.  Data feed problem aside, there are also powerful incentives not to air your dirty laundry in public.

                            You could rough it.  The ratio has an upper ceiling of one (obviously a successful attack has to have at least one attempt behind it).  So just fix your denominator to be the number of successful incidents in some peak year in a range of interest.  Index against some known growth trend in connected devices for a rough proxy of growth in data and vectors for attack.  You won't give a measure of absolute risk, but from period to period you'll get deltas that should at least tell you if you're going in the right direction (and how quickly).

                            That said, I don't have a decent model that tells you anything you really want to know: like what it is you can do to make the trend curve up or down.  It certainly doesn't deaggregate well; you've got thousands of data breaches and each has its own story--I wouldn't be surprised if they sorted into as many as hundreds of different families of vulnerability.  And as Dumbo pointed out, it's an arms race.  Obviously there aren't just thousands of attempts a year, not when a single man can generate a few hundred billion port scans in that same period from a single box.

                            I still don't know if we were at an impasse.  My main point is that companies have next to no idea how safe their data is or to what extent anything they're buying or developing in house will keep their data secure from an industry perspective.  That isn't a slam against the engineers, it's an acknowledgement that the problem space isn't very well defined. Unless I'm reading you wrong, you make that point yourself.  And it's a problem not unique to computer security.  It's one that's plagued security in general for millennia.  Beyond that, it's a major problem in software QA (which, in my view, has become more of a religion than a discipline--but that's another discussion).

                            If I'm out SF way, I'll take you up on that offer.
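The two comments above (the "devices vs. successful break-ins" argument and the "fix the denominator to the peak year, index against device growth, read the deltas" reply) describe a calculation without carrying it out. The block below is an added example, not code or data from either commenter: it implements that rough index on a constructed incident and device series (the numbers are invented for illustration and are not real statistics), caps the ratio at one as the reply requires, and reports only period-to-period deltas and a direction, never absolute risk.

```python
"""Added example: a back-of-the-envelope breach-rate index.

raw_ratio = incidents[y] / peak-year incidents        (<= 1 by construction)
adjusted  = raw_ratio / (devices[y] / devices[base])  (device growth as a
                                                       proxy for target growth)
Only the deltas between years mean anything; the level does not.
All series below are constructed for illustration, not real figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample series (arbitrary units).  Not real data.
REPORTED_INCIDENTS: Dict[int, int] = {2009: 620, 2010: 700, 2011: 850, 2012: 780, 2013: 900}
CONNECTED_DEVICES: Dict[int, float] = {2009: 1.0, 2010: 1.3, 2011: 1.7, 2012: 2.2, 2013: 2.8}


@dataclass(frozen=True)
class IndexPoint:
    year: int
    raw_ratio: float          # incidents / peak-year incidents, capped at 1.0
    adjusted: float           # raw_ratio scaled by relative target growth
    delta: Optional[float]    # change in 'adjusted' versus the previous year


def breach_index(incidents: Dict[int, int], devices: Dict[int, float]) -> List[IndexPoint]:
    """Return one IndexPoint per year, in year order.

    A falling 'adjusted' series means reported breaches are growing more
    slowly than the target population.  It says nothing about absolute risk,
    and it inherits every bias of the reporting feed it is built from.
    """
    years = sorted(incidents)
    if not years or set(years) != set(devices):
        raise ValueError("incident and device series must cover the same years")
    peak = max(incidents.values())
    base_devices = devices[years[0]]
    points: List[IndexPoint] = []
    prev: Optional[float] = None
    for y in years:
        raw = min(incidents[y] / peak, 1.0)        # ceiling of one, as the comment notes
        growth = devices[y] / base_devices         # relative growth in targets
        adj = raw / growth
        delta = None if prev is None else adj - prev
        points.append(IndexPoint(y, round(raw, 4), round(adj, 4),
                                 None if delta is None else round(delta, 4)))
        prev = adj
    return points


def trend(points: List[IndexPoint]) -> str:
    """'falling', 'rising' or 'flat', comparing the last adjusted value to the first."""
    if len(points) < 2:
        return "flat"
    change = points[-1].adjusted - points[0].adjusted
    if abs(change) < 1e-9:
        return "flat"
    return "falling" if change < 0 else "rising"


if __name__ == "__main__":
    series = breach_index(REPORTED_INCIDENTS, CONNECTED_DEVICES)
    for p in series:
        print(p)
    print("trend:", trend(series))
```

On the constructed series the raw ratio rises every year except 2012 while the device-adjusted index falls, which is exactly the ambiguity the thread is arguing about: the same reported counts read as "getting worse" or "getting better" depending on which denominator you are willing to assume.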

    •  If consumers say fuck all this (2+ / 0-)
      Recommended by:
      The Technomancer, rduran

      and stop using credit cards in online transactions, I think you'll see something done very quickly, no matter how difficult or seemingly impossible.

      This isn't a quest for the impossible, really.  It's an arms race.  A new security technology comes out.  Hackers try to defeat it.  Another new security technology comes out to defeat the hackers... etc., etc., etc.  So it has always been, and not just in the IT realm.  

      •  Except that's not going to happen (1+ / 0-)
        Recommended by:
        stevemb

        For the same reason financial instability hasn't forced us back onto the barter system.

      •  Exactly. (2+ / 0-)
        Recommended by:
        BYw, jubal8

        My job's not to permanently stop systems breaches.  It's to do the following:

        1)  Secure the systems in a manner that makes it time consuming to break in, and using access and access control methods that aren't brute-forceable in someone's lifetime.

        2)  If they do get in, have automated processes in place that stop them from getting any further as well as track every command they run.

        3)  Encrypt everything, even server to server communication, because we design around the possibility of a breach.  Then charge enough to make up for the overhead that comes with securing everything.

        4)  Continually test security with internal and external penetration testing, or as the media calls it, "white hat hacking".

        5)  Get audited on a regular basis to ensure we didn't miss anything.

        It's expensive, yes.  And since no multi-million/billion dollar company wants to be the next Target, Sony, Barclay's, or any other company that's had their name in the news over data theft, they'll pay it because it's a drop in their bucket, especially compared to the possible loss (estimated cost of data theft * likelihood over X time) they're accounting for.

        Frankly, I'm more worried about the data trade between companies, and who companies I deal with as a consumer let on their site.  Do you trust all thirteen different entities that provide assets or run scripts on DKos, and all the companies they partner with to process all the data they're gathering?

        Always remember -- if the product or service is free, you're actually the product, not the customer.

        Everyday Magic

        Any sufficiently advanced technology is indistinguishable from magic.
        -- Clarke's Third Law

        by The Technomancer on Mon Feb 10, 2014 at 04:46:21 PM PST

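Item 2 of the list above (record every command an intruder runs and automatically stop them from going further) is the kind of control that is easy to state and worth seeing in concrete form. The block below is an added example, not the commenter's system or any product's real rule set: it parses a constructed, single-line audit format, scores each command against a small hypothetical rule list, keeps the full command trail for every session regardless of outcome, and marks a session as terminated once its cumulative score crosses an illustrative threshold. The log format, rule regexes, weights, threshold and sample lines are all assumptions made for this example.

```python
"""Added example: automated containment driven by a command audit trail.

Every command is recorded (the forensic trail survives even after the
session is cut).  Scoring is cumulative per session so a single benign
'ls' does not fire, but credential access followed by reconnaissance does.
Format, rules, weights and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed audit format: "<ts> host=<h> user=<u> sid=<session> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) cmd=(?P<cmd>.*)$"
)

# Hypothetical rules: (name, pattern, points).  Weights are illustrative only.
RULES = [
    ("credential_file_read", re.compile(r"\b(cat|less|cp|scp)\b.*(/etc/shadow|\.ssh/id_)"), 6),
    ("recon_tool",           re.compile(r"\b(nmap|masscan|arp-scan)\b"), 4),
    ("lateral_ssh",          re.compile(r"\bssh\b\s+(?!.*\blocalhost\b)\S+@\S+"), 4),
    ("download_and_exec",    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"), 8),
    ("history_tamper",       re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b"), 5),
]
THRESHOLD = 8  # cumulative points at which the session is terminated

# Constructed sample trail: one ordinary deploy session and one that goes bad.
SAMPLE_LOG = [
    "2014-02-10T20:01:02Z host=web01 user=deploy sid=a1 cmd=ls -la /var/www",
    "2014-02-10T20:01:09Z host=web01 user=deploy sid=a1 cmd=tail -n 50 /var/log/app.log",
    "2014-02-10T20:03:14Z host=web01 user=www-data sid=b2 cmd=cat /etc/shadow",
    "2014-02-10T20:03:20Z host=web01 user=www-data sid=b2 cmd=nmap -sP 10.0.0.0/24",
    "2014-02-10T20:03:31Z host=web01 user=www-data sid=b2 cmd=ssh backup@10.0.0.7",
    "this line is not in the expected format",
    "2014-02-10T20:05:00Z host=web01 user=deploy sid=a1 cmd=ssh deploy@localhost -p 2222",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_command(cmd: str) -> Tuple[int, List[str]]:
    """Return (points, [matched rule names]) for a single command line."""
    hits = [(name, pts) for name, rx, pts in RULES if rx.search(cmd)]
    return sum(p for _, p in hits), [n for n, _ in hits]


def evaluate(lines: List[str]) -> Tuple[Dict[str, dict], int]:
    """Walk the trail in order.

    Returns ({sid: {trail, score, rules, terminated_at}}, unparsed_line_count).
    Commands after termination are still appended to the trail but not
    scored: the session is already cut, the record must stay complete.
    Unparsed lines are counted rather than silently dropped, so a gap in
    the feed is visible to whoever reads the result.
    """
    sessions = defaultdict(lambda: {"trail": [], "score": 0, "rules": [], "terminated_at": None})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = sessions[rec["sid"]]
        s["trail"].append(rec["cmd"])
        if s["terminated_at"] is not None:
            continue
        pts, names = score_command(rec["cmd"])
        s["score"] += pts
        s["rules"].extend(names)
        if s["score"] >= THRESHOLD:
            s["terminated_at"] = rec["cmd"]   # the command that tripped the cut-off
    return dict(sessions), unparsed


if __name__ == "__main__":
    result, bad = evaluate(SAMPLE_LOG)
    for sid, s in result.items():
        print(sid, "score", s["score"], "terminated at", s["terminated_at"])
    print("unparsed lines:", bad)
```

Two design points worth noting: the trail is appended before the score check, so a terminated session still has its later commands on record, and the unparsed-line count is returned rather than discarded, because an attacker who can make the audit feed stop parsing has effectively switched the control off.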

        •  Awesome (1+ / 0-)
          Recommended by:
          Steve Masover

          What a great description of the continuing process of putting up protective walls around your data and then manning the walls.

          Organizations that create massive stores of personal data and then fail to properly protect that data -- I think they are akin to companies that, for example, make their profits from extraction and consumption of raw materials for energy production, and then leave the ash behind in barely protected waste ponds that put people and ecologies at peril for decades afterward. Meanwhile the profiteers put protective walls between those profits and the associated risks.

          My δόγμα ate my Σ

          by jubal8 on Mon Feb 10, 2014 at 11:48:09 PM PST


          •  Spot on analogy: data breach as externality (0+ / 0-)

            In these cases, what companies are doing is making profits that aren't profits, because they're not paying the costs of their manufacturing (or information-as-value creation) process.

            The losses incurred by consumers who have to suffer for their indifference are what economists call an externality. Not a compliment, except among thieves.

      •  And no one said it's a quest for the impossible (0+ / 0-)

        least of all the companies that earned this diary's ire.  In fact, they pretty much made the same point you just did.

      •  A big if, I'm afraid (1+ / 0-)
        Recommended by:
        stevemb

        Here, from the NBC piece linked in this post:

        A surprising finding: Many people who are offered free identity protection services following a breach don’t sign up for it.

        Of the nearly 29 million people who received a notice in 2012 that their information was stolen, only 5.8 million took advantage of a service to reduce the risk of fraud, Javelin estimated. Why?

        Brian McGinley who runs such a service at ID Theft 911 thinks “breach fatigue” could be to blame.

        “People receive so many of these letters and if nothing’s happened so far, they may assume nothing’s going to happen this time,” he explained.

        That’s a big mistake. Someone who’s had their data breached is 14 times more likely to become a fraud victim, McGinley told me.

        There may be a tipping point that hasn't emerged yet, but it's mighty hard to discern from here what "catastrophe" will cause the average person to stop using credit cards online.
        •  Javelin's another marketeering boiler room (1+ / 0-)
          Recommended by:
          stevemb

          So it's an open question as to what the terms "free"  and "identity protection" actually mean.  

          Really, who can claim the gold standard of trust in consumer information security?  Who is worth handing off the hassle of following a few best practices (dubious as they may be)?

          •  I'm somewhat in shock... (1+ / 0-)
            Recommended by:
            stevemb

            ...to think that you linked 12 "best practices" for the user side of things and think that that's in any way relevant to a conversation about data protection from the business side of the house or that calling anything dubious without providing your "expert" advice/analysis why is in any way a responsible action or useful discussion.

            This is a masterful troll.  Well played, sir.  Well played.

            Everyday Magic

            Any sufficiently advanced technology is indistinguishable from magic.
            -- Clarke's Third Law

            by The Technomancer on Mon Feb 10, 2014 at 05:24:00 PM PST


            •  Put up or shut up (1+ / 0-)
              Recommended by:
              stevemb

              You're the one hocking a product here.

              •  No, I'm not. (0+ / 0-)

                I don't work for a company that sells a consumer product.  I hang out here for fun, for the news and topics this site provides, and to inform people because I enjoy teaching and outside of training the occasional FNG, I don't get to teach often.  

                If I were hawking (hocking is pawning) a product here, I would have:

                A)  Bought legit advertising here, because fuck comment spam and comment spammers.
                B)  Mentioned my company's name at least once.

                I asked you to put up or shut up a while ago.  You didn't, you can't, and you won't.

                Everyday Magic

                Any sufficiently advanced technology is indistinguishable from magic.
                -- Clarke's Third Law

                by The Technomancer on Mon Feb 10, 2014 at 05:54:35 PM PST


        •  That Finding Doesn't Surprise Me At All (0+ / 0-)

          If I get a notice out of nowhere offering some "free" service, my default assumption is that it's bait to get me to sign up for something that turns out not to be as "free" as advertised and is difficult to cancel once the catch becomes evident.

          On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

          by stevemb on Tue Feb 11, 2014 at 09:52:56 AM PST


  •  You've written a good and thought-provoking diary (2+ / 0-)
    Recommended by:
    The Technomancer, Steve Masover

    that addresses larger issues than the narrow focus the comments have so far addressed.  Thank you for doing that.  The risk inherent in datamining is the reason that one grocery store thinks I'm a Jamaican housekeeper while another thinks I'm an East-Asian male courier while a third believes I'm Bolivian.  I don't remember what my profession is, but I'm sure I made it something interesting.

    Garbage in, garbage out.  And I use cash for most purchases, at least for as many as I can.

    I'm sorry that one person decided to plant a flag on your diary and make it a hill to die on.  My advice to that commenter, respectfully, is this:  Write your own diary.  Control your own discourse.  And when you do, pray that your readers treat you with more respect than you have done here.

    "I speak the truth, not as much as I would, but as much as I dare, and I dare a little the more, as I grow older." --Montaigne

    by DrLori on Mon Feb 10, 2014 at 07:11:12 PM PST

    •  Thank you for commenting on *this* diary (2+ / 0-)
      Recommended by:
      The Technomancer, DrLori

      ... what can one do, sometimes the open door brings what it brings. I had noticed that the commenter in question has posted loads of comments since he joined Kos but never a diary. It's a social media strategy, I suppose, but not one I admire particularly.
