[Note: Rich, Adrian, and Mike are all traveling today, so we asked Jamie Arlen to provide at least a little perspective on an aspect of the DBIR he found interesting. So thanks Jamie for this. We will also throw Gunnar under the bus a little because he has been very active on our email list, with all sorts of thoughts on the DBIR, but he doesn’t want to share them publicly. Maybe external shaming will work, but more likely he’ll retain his midwestern sensibilities and be too damn nice.]
As usual, the gang over at Verizon have put a lot of information and effort into the 2014 edition of their DBIR (registration required). This is both a good thing and a bad thing. The awesome part is that there are historically very few places where incident information is available – leaving all too many professionals in the position of doing risk mitigation planning, based on anecdotes, prayer, and imagination. The DBIR offers some much-needed information to fill in the blanks.
This year you will note the DBIR is different. Wade, Jay, and the gang have gone back to the data to provide a new set of viewpoints. They have also done a great job of putting together great graphics. Visualization for the win! Except that all the graphics are secondary to the high quality data tables. Of course graphics are sexy and tables are boring. Unless you have to make sense of the data, that is. So I will focus on one table in particular to illustrate my point.
This is Figure 19 (page 15 printed, 17 of 62 in the PDF). You may need to stare at it for a while before it even begins to make sense. I have been staring at it since Friday and I’m still seeing new things.
Obvious things
- Accommodation and Point of Sale Intrusion: No real surprise here. The problem of “the waiter taking the carbons” from the 1970s seems to be maintaining its strength into the future. Despite the efforts of the PCI Council, we have a whole lot of compliance but not enough security. And honestly, isn’t it time for the accommodation industry to make that number go down?
- Healthcare Theft/Loss: Based on the news it is no great surprise that about half the problems in healthcare are related to the loss or theft of information. We have pretty stringent regulation in place (and for years now). Is this a case of too much compliance and not enough security? It is time to take stock of what is really important (protecting the information of recipients of health care services) and build systems and staff capabilities to meet patient expectations!
Interesting things
- Industry = Public: Biggest issue is “Misc. Error”. I didn’t know what a Misc Error was either. It turns out that it is due to the reporting requirements most of the public sector is under – they need to (and do) report everything. Things that would go completely unremarked in most organizations are reported. Things like, “I sent this email to the wrong person,” “I lost my personal phone (which had access to company data),” etc. I vaguely remember something from stats class about this.
- Incident = Denial of Service: The two industries reporting the largest impact are ‘Management’ and ‘Professional’. If you look at the NAICS listings for those two industry categories, you will see they are largely ‘offices’. I would love a deeper dive into those incidents to see what’s going on exactly and what industries they really represent. The text of the report talks primarily about the impact of DoS on the financial industry, but doesn’t go into any detail on the effects on Management and Professional. Reading between the lines of the report, the issue may have been the takeover of content management systems by the QCF / Brobot DoS attacks.
- Incident = Cyber Espionage: Just sounds cool. And something we have all spent lots of time talking about. It seems to affect Mining, Manufacturing, Professional and Transportation in greater proportion than others. Again, I’d love a look at the actual incidents – they are probably about 10% Sneakers and 90% Tommy Boy. If you are working in those industries you have something interesting to talk to your HR department about.
There shouldn’t be any big surprises in this data, but there are plenty of obvious and interesting things. I am still staring at the table and waiting for the magic pattern moment to jump out at me.
Though if I stare at the chart long enough, I think it’s a sailboat.
5 Replies to “Verizon DBIR 2014: Incident Classification Patterns”
“Maybe external shaming will work, but more likely he’ll retain his midwestern sensibilities and be too damn nice”
Wait, I work with James (and I am a fellow Canadian) and I have never seen him be too nice let alone nice at all. 😉
Interesting points. Couple of comments from my side:
– of course we’ll see POS incidents mostly in Retail and Accommodation, probably not much in use in the other industries. I’m actually surprised that ‘Payment card skimmer’ isn’t higher for accommodation, but that Finance is the highest rank in that category. But that might simply be the reporting.
– let’s not forget the total numbers. The values are percentages of that specific category, not absolute numbers. E.g. the 75% Accommodation/POS represent 159 incidents, while the 27% Finance/webAppAttack actually represent 231 incidents.
We can’t compare the percentages across the chart, only use them within a column.
Still working through the whole report as well and trying not to get too confused …
Definitely agree with the compliance vs security angle. This data should help drive that conversation.
Thanks for taking the time to write this up. We did put quite a bit of information and effort into this, and you mentioned that was both good and bad, but only mentioned the good. What was the bad? Also, I’m curious where you were heading with the “Except that all the graphics are secondary to the high quality data tables.” thought. While I’m not against tables (we used a few this year), visualizations and tables serve different purposes and each has its place. Let me know which visuals you think would be better served by a table and I’ll follow up.
Also, please encourage Gunnar to comment. I’ve never known him to be “too damn nice” when it comes to sharing his opinion, at least privately. Either way, any and all feedback is welcome.
Thanks,
Jay