C. Matthew Curtin, CISSP and Lee T. Ayres, CISSP
INTERHACK PROPRIETARY: PUBLIC/1/3

Where should defenses be deployed? Security managers can answer the question by knowing what types of breaches there are and the rates at which they occur relative to one another. A number of methods for determining such rates have been proposed with a view to helping with this decision making. Unfortunately, such methods sometimes tend towards anecdote, might be part of a marketing campaign, or lack the context needed to drive informed decisions. We propose a taxonomy to classify incidents of the loss of control over sensitive information. The taxonomy is hierarchical, so an incident can be classified to the level of precision that the available information supports, and analysis of incidents can likewise be carried out at the precision appropriate to the question at hand and the data available. We then explore the proportion of breach types in a subset of data losses accumulated by the Identity Theft Resource Center (ITRC). Using the 2002 North American Industry Classification System (NAICS), we classify breach events according to the industry sector in which they occurred. We conclude that the taxonomy is useful and that analysis of incidents by type and industry yields results that can be instructive to practitioners who need to understand how and where breaches are actually occurring. For example, the Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionately large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but its share of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance or due to an insufficient number of samples for the statistical tests being used.
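The two ideas in the abstract that a practitioner would want to reproduce are the hierarchical classification (a report filed at the top level and a report naming the specific device count toward the same category) and the per-sector comparison against the baseline share of the whole data set, with a significance test that behaves sensibly when a sector has only a handful of reports. The following is an added illustration, not code from the paper. The four top-level categories are the ones the abstract names; the leaf labels beneath them, the incident records, and the choice of an exact binomial test are assumptions made for this example. The two-digit NAICS codes are the 2002 NAICS sectors the abstract refers to.

```python
"""Hierarchical breach taxonomy with per-sector proportion analysis.

Added example, not code from the paper. Top-level categories follow the
abstract; the leaves, the incident records and the test are constructed.
"""
from collections import Counter
from math import comb

# Top-level categories from the abstract; the leaf labels are an assumption.
TAXONOMY = {
    "lost_stolen_hardware": ("laptop", "desktop", "backup_media"),
    "compromised_host": ("malware", "unauthorized_access", "web_application"),
    "insider_misconduct": ("data_theft", "misuse_of_access"),
    "processing_error": ("misdirected_mail", "improper_disposal", "web_exposure"),
}
PARENT = {leaf: top for top, leaves in TAXONOMY.items() for leaf in leaves}

# 2002 NAICS two-digit sectors named in the abstract.
NAICS = {
    "52": "Finance and Insurance",
    "61": "Educational Services",
    "62": "Health Care and Social Assistance",
    "92": "Public Administration",
}


def classify(label):
    """Resolve a label recorded at either precision to (top_level, leaf).

    A report that only says hardware went missing is filed at the top level
    (leaf None); a report naming the device is filed at the leaf and rolls
    up to the same top-level category, so both are counted together.
    """
    if label in TAXONOMY:
        return label, None
    if label in PARENT:
        return PARENT[label], label
    raise ValueError(f"label not in taxonomy: {label!r}")


# Constructed records: (NAICS sector, label at whatever precision was reported).
INCIDENTS = (
    [("62", "laptop")] * 3 + [("62", "backup_media")] * 2 + [("62", "lost_stolen_hardware")]
    + [("62", "malware"), ("62", "data_theft")] + [("62", "misdirected_mail")] * 2
    + [("61", "laptop")] + [("61", "web_application")] * 4 + [("61", "unauthorized_access")] * 2
    + [("61", "compromised_host")] + [("61", "web_exposure")] * 2
    + [("92", "laptop")] * 2 + [("92", "malware"), ("92", "misuse_of_access")]
    + [("92", "improper_disposal")] * 3 + [("92", "misdirected_mail")] * 3
    + [("52", "laptop")] * 2 + [("52", "unauthorized_access")] * 2
    + [("52", "data_theft")] * 3 + [("52", "misuse_of_access")] * 2 + [("52", "misdirected_mail")]
)


def counts_by_sector(incidents):
    """Top-level category counts per sector, rolling leaf labels up."""
    table = {}
    for sector, label in incidents:
        top, _ = classify(label)
        table.setdefault(sector, Counter())[top] += 1
    return table


def binomial_test(k, n, p0):
    """Exact two-sided binomial p-value: total probability of every outcome
    no more likely than the observed k under the baseline rate p0.
    Used instead of a normal approximation because sectors may be small."""
    pmf = [comb(n, i) * p0 ** i * (1 - p0) ** (n - i) for i in range(n + 1)]
    return sum(p for p in pmf if p <= pmf[k] * (1 + 1e-9))


def compare_to_baseline(incidents, alpha=0.05):
    """For each (sector, category): the sector's share of that category
    versus the share in the data set as a whole, with an exact p-value."""
    by_sector = counts_by_sector(incidents)
    overall = Counter()
    for c in by_sector.values():
        overall.update(c)
    total = sum(overall.values())
    results = {}
    for sector, counts in by_sector.items():
        n = sum(counts.values())
        for category in TAXONOMY:
            k = counts.get(category, 0)
            p0 = overall[category] / total
            p = binomial_test(k, n, p0)
            results[(sector, category)] = {
                "share": k / n, "baseline": p0, "n": n,
                "p_value": p, "significant": p < alpha,
            }
    return results


if __name__ == "__main__":
    for (sector, category), r in sorted(compare_to_baseline(INCIDENTS).items()):
        flag = "*" if r["significant"] else " "
        print(f"{flag} {NAICS[sector]:<34} {category:<21} "
              f"{r['share']:.2f} vs {r['baseline']:.3f}  p={r['p_value']:.3f}  n={r['n']}")
```

On the constructed data, Educational Services' seven compromised hosts out of ten and Finance and Insurance's five insider cases out of ten both stand out from the baseline at the 5% level, while Health Care's single compromised host, although well below the baseline share, does not: with ten reports a sector simply cannot show a significant deficit. That is the second of the two explanations the abstract offers for sectors showing no significant difference, and it is why the exact test, rather than a normal approximation, is the right tool when a sector has few reports.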