Wade Baker, Ph.D.

Washington DC-Baltimore Area
About

I'm a founding partner at the Cyentia Institute, a professor in Virginia Tech's College…


Experience & Education

  • Cyentia Institute


Volunteer Experience

  • Baseball Coach

    Central Loudoun Little League

    - Present 3 years 6 months

    Children

  • Teacher

    Arise Homeschool Co-op

    - Present 1 year

    Education

    Teach statistics for a high school co-op group.

Publications

  • Cybersecurity in Supply Chains: Quantifying Risk

    Journal of Computer Information Systems

    Sharing information in a supply chain can bring benefits to many, if not all, members of the chain; however, the impact of information sharing and information technology (IT) implementation on supply chain risk is not well understood. Reports from corporate board meetings indicate that while concern is expressed over such risk, there are no accepted principles or best practices for quantification of supply chain risk. To increase understanding of cybersecurity risk in supply chains from a more grounded quantitative perspective, we identify four different ways an organization in a chain can be attacked as well as the principal factors putting that firm at risk to each of the four types of attack. Using data from detailed forensic analyses of approximately 2000 companies and/or organizations that experienced attacks, we answer fundamental, data-driven questions both external and internal to a firm belonging to a supply chain.

  • Improving vulnerability remediation through better exploit prediction

    Journal of Cybersecurity

    Despite significant innovations in IT security products and research over the past 20 years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, a firm could attempt to patch all vulnerabilities on its network. While this would provide the greatest ‘coverage’ of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly ‘efficient’, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each performs in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of ‘published exploits’, by instead using ‘exploits in the wild’ as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.

  • Is the Cloud Less Secure Than On-Prem?

    ;Login: Usenix Magazine

    According to Deloitte’s Chief Cloud Strategy Officer, “[2019] is the year when workloads on cloud-based systems surpass 25 percent, and when most enterprises are likely to hit the tipping point in terms of dealing with the resulting complexity” [1]. Given the nature of For Good Measure (this column), it may surprise you that it wasn’t the 25 percent statistic that caught our attention in Deloitte’s quote; it was the reference to a “tipping point” where “dealing with the resulting complexity” in the cloud begins to negatively affect security. So we ask, do we see evidence that this is occurring? Is the rate of security exposures in the cloud higher than on-prem?

    Other authors: Dan Geer
  • The Cyber Balance Sheet

    Cyentia Institute and Focal Point Data Risk

    This innovative study prepared by the Cyentia Institute breaks down walls between cybersecurity leaders and Boards of Directors. Data is often said to be the lifeblood of the company; yet, there is immense frustration at how risks to that information are measured, mitigated, and communicated across the enterprise. As the financial, regulatory, and legal stakes of data breaches and disruptions rise, leaders at all levels must come together to protect and further the business.

    Scores of in-depth interviews reveal six Balance Points where Chief Information Security Officers (CISOs) and Board member viewpoints are prone to diverge. We conclude the report by introducing the concept of a Cyber Balance Sheet, which borrows familiar terminology of assets and liabilities to improve communication and consensus around cyber risk.

  • Project CAMERASHY

    ThreatConnect

    ThreatConnect®, in partnership with Defense Group Inc., has attributed targeted cyber espionage infrastructure activity associated with the “Naikon” Advanced Persistent Threat (APT) group to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). This assessment is based on technical analysis of Naikon threat activity and native language research on a PLA officer within Unit 78020.

    For nearly five years, Unit 78020 has used an array of global midpoint infrastructure to proxy the command and control of customized malware variants embedded within malicious attachments or document exploits. These malicious attachments are operationalized within spear phishing campaigns that establish beachheads into target organizations, facilitating follow on exploitation activities.

    This report applies the Department of Defense-derived Diamond Model for Intrusion Analysis to a body of technical and non-technical evidence to understand relationships across complex data points spanning nearly five years of exploitation activity. The Diamond Model is an approach to analyzing network intrusion events. The model gets its name and shape from the four core interconnected elements that comprise any event – adversary, infrastructure, capability, and victim. Thus, analyzing security incidents – from a single intrusion up to a full campaign – essentially involves piecing together the diamond using elements of information collected about these four facets to understand the threat in its full and proper context over time.

  • 2015 Data Breach Investigations Report

    Verizon

    The year 2014 saw the term “data breach” become part of the broader public vernacular with The New York Times devoting more than 700 articles related to data breaches, versus fewer than 125 the previous year. It was the year major vulnerabilities received logos (collect them all!) and needed PR IR firms to manage their legions of “fans.” And it was the year when so many high-profile organizations met with the nigh inevitability of “the breach” that “cyber” was front and center at the boardroom level. The real sign of the times, however, was that our moms started asking, “Is that what you do, dear?” and seemed to finally get what we do for a living.

    The 2015 Data Breach Investigations Report (DBIR) continues the tradition of change with additions that we hope will help paint the clearest picture yet of the threats, vulnerabilities, and actions that lead to security incidents, as well as how they impact organizations suffering them. In the new “Before and Beyond the Breach” section, our security data scientists analyzed (literally) dozens of terabytes of data from partners new and old, making this one of the most collaborative, data-driven information security (InfoSec) reports in existence. If you’re accustomed to reading the DBIR mainly for the headliners and one-liners, you might need to coffee up and put your thinking cap on for this one. But it’ll be worth it; we promise. Fret not, “incident pattern” aficionados—the nefarious nine are back, but they have slimmed down a bit, as you’ll see when you get to that section.

    Speaking of partners, the DBIR would not be possible without our 70 contributing organizations. We continue to have a healthy mix of service providers, IR/forensic firms, international Computer Security Information Response Teams (CSIRTs), and government agencies, but have added multiple partners from security industry verticals to take a look at a broad spectrum of real-world data.

  • 2014 Data Breach Investigations Report

    Verizon

    For DBIR veterans, a cursory look at the table of contents will reveal some significant changes to the report structure you’ve gotten used to in years past. Rather than our signature approach organized around actors, actions, assets, timelines, etc., we’ve created sections around 9 incident patterns that collectively describe 92% of all incidents we've studied over the last 10 years. Within each of those patterns, we cover the actors who cause them, the actions they use, assets they target, timelines in which all this took place, and give specific recommendations to thwart them. The dataset that underpins the DBIR is comprised of over 63,000 confirmed security incidents contributed by 50 organizations around the world. The ultimate goal is to provide actionable information presented in a way that enables you to hash out the findings and recommendations most relevant to your organization.

  • 2013 Data Breach Investigations Report

    Verizon

    Perhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage in 2012. But rather than a synchronized chorus making its debut on New Year’s Eve, we witnessed separate, ongoing movements that seemed to come together in full crescendo throughout the year. And from pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune. As a result—perhaps agitated by ancient Mayan doomsday predictions—a growing segment of the security community adopted an “assume you’re breached” mentality.

    All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world. The list of partners is not only lengthy, but also quite diverse, crossing international and public/private lines. It’s an interesting mix of law enforcement agencies, incident reporting/handling entities, a research institution, and other incident response (IR)/forensic service firms.

    What’s more, these organizations contributed a huge amount of data to the report. All told, we have the privilege of setting before you our analysis of more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records.

  • The Impact of Strategic IT Partnerships on IT Security

    MIS Review Vol. 18, No. 2

    Partnering is a common business practice which takes advantage of outside expertise and allows companies to focus efforts on their core competencies. A key component of partner coordination is information sharing. Whether a partner is a traditional partner such as a supply vendor, where the firms use information technology (IT) as a facilitator for information sharing, or an IT partner to which an organization outsources certain IT functions, IT allows partners to open information borders to each other. While beneficial in many ways, this sharing also creates security vulnerabilities which should not be ignored. In this study, we examine forensic accounts of numerous past security incidents in an effort to learn more about the impact of partner relationships on security risk, and to suggest factors which may be indicators of increased risk.

  • 2012 Data Breach Investigations Report

    Verizon

    This year our DBIR includes more incidents, derived from more contributors, and represents a broader and more diverse geographical scope. The number of compromised records across these incidents skyrocketed back up to 174 million after reaching an all-time low (or high, depending on your point of view) in last year’s report of four million. In fact, 2011 boasts the second-highest data loss total since we started keeping track in 2004.

    Once again, we are proud to announce that the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU) have joined us for this year’s report. We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISSCERT), and the Police Central e-Crime Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe. We heartily thank them all for their spirit of cooperation, and sincerely hope this report serves to increase awareness of cybercrime, as well as our collective ability to fight it.

    With the addition of Verizon’s 2011 caseload and data contributed from the organizations listed above, the DBIR series now spans eight years, well over 2000 breaches, and greater than one billion compromised records. It’s been a fascinating and informative journey, and we are grateful that many of you have chosen to come along for the ride. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers.

  • 2012 Data Breach Investigations Report Industry Snapshots

    Verizon

    We took another look at the data from our 2012 Data Breach Investigations Report (DBIR) and analyzed it across a number of industries: Financial and Insurance, Healthcare, Accommodations and Food Service as well as Retail. We also reviewed cases where Intellectual Property was stolen, regardless of the industry, to analyze the attack methods and data stolen. This is relevant to a variety of organizations, but may be of particular interest for the public sector, manufacturing, or high tech industries.

  • 2011 Data Breach Investigations Report

    Verizon

    We are very glad to have the United States Secret Service (USSS) back with us for the 2011 DBIR. Additionally, we have the pleasure of welcoming the Dutch National High Tech Crime Unit (NHTCU) to the team. Through this cooperative effort, we had the privilege—and challenge—of examining about 800 new data compromise incidents since our last report (with 761 of those for 2010). To put that in perspective, the entire Verizon-USSS dataset from 2004 to 2009 numbered just over 900 breaches. We very nearly doubled the size of our dataset in 2010 alone!

    In addition to being the largest caseload ever, it was also extremely diverse in the threat agents, threat actions, affected assets, and security attributes involved. We witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, country-wide device tampering schemes, cunning social engineering plots, and much more. Some of the raw statistics may seem to contradict this claim of diversity (e.g., the percent of breaches attributed to external agents is more lopsided than ever), but one must consider the change in scale. Whereas “10%” used to mean approximately 10-15 breaches across an annual caseload averaging 100-150, it now means 75 breaches in the context of the 2010 caseload. Consider that fact as you digest and ponder results from this year’s report.

    With the addition of Verizon’s 2010 caseload and data contributed from the USSS and NHTCU, the DBIR series now spans 7 years, 1700+ breaches, and over 900 million compromised records. We continue to learn a great deal from this ongoing study and we’re glad to have the opportunity once again to share these findings with you. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers.

  • 2011 Payment Card Industry Compliance Report

    Verizon

    This report analyzes findings from actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments conducted by Verizon’s team of Qualified Security Assessors (QSAs). The report describes where these organizations stand in terms of overall compliance with the DSS and presents analysis around which specific requirements are most and least often in place during the assessment process. Furthermore, we overlay this assessment-centric data with findings from Verizon’s Investigative Response services to provide a unique risk-centric perspective on the compliance process. In a section new to this year’s edition, significance tests are conducted to examine the relationship (or lack thereof) between various organizational practices and initial compliance scores.

  • Decision support for Cybersecurity risk planning

    Decision Support Systems 51 (2011) 493-505

    Security countermeasures help ensure the confidentiality, availability, and integrity of information systems by preventing or mitigating asset losses from Cybersecurity attacks. Due to uncertainty, the financial impact of threats attacking assets is often difficult to measure quantitatively, and thus it is difficult to prescribe which countermeasures to employ. In this research, we describe a decision support system for calculating the uncertain risk faced by an organization under cyber attack as a function of uncertain threat rates, countermeasure costs, and impacts on its assets. The system uses a genetic algorithm to search for the best combination of countermeasures, allowing the user to determine the preferred tradeoff between the cost of the portfolio and resulting risk. Data collected from manufacturing firms provide an example of results under realistic input conditions.

  • 2010 Payment Card Industry Compliance Report

    Verizon

    This report analyzes findings from actual Payment Card Industry Data Security Standard (PCI DSS) assessments conducted by Verizon’s team of Qualified Security Assessors (QSAs). The report examines the progress of organizations toward the goal of compliance and includes topics such as how and why some seem to struggle more than others. Also presented are statistics around which PCI DSS requirements and sub-requirements are most and least often in place (or compensated for) during the assessment process. Finally, the report overlays PCI assessment data with findings from Verizon’s Investigative Response services to provide a unique risk-centric slant on the compliance process.

  • 2010 Data Breach Investigations Report

    Verizon

    In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them.

    Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases to the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses on prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts.

    With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records. We’ve learned a great deal from this journey and we’re glad to have the opportunity to share these findings with you. As always, our goal is that the data and analysis presented in this report proves helpful to the planning and security efforts of our readers.

  • Assessing the information technology security risk in medical supply chains

    International Journal of Electronic Marketing and Retailing, 3(2)

    Recent United States laws allocate billions of dollars for the establishment of electronic health records and for their nationwide electronic exchange in order to improve the quality and coordination of care. Additionally, many medical organizations around the world have connected themselves in supply chains, and are exploring the strategic utilization of information technology (IT) throughout their chains to improve their overall efficiency and effectiveness. Although these efforts may reduce health costs, both the current status of IT security risk and the potential consequences of interconnectedness are largely unknown.

    This research examines medical supply chain risk exposure. In particular, data from six pharmaceutical companies and eight healthcare organizations is combined with input from security experts to determine the current degree of IT security risk. In addition, we examine an optimal strategy to reduce overall risk and the amount of supply chain risk due to partnering. We find, for the surveyed organizations, a dramatic under-deployment of controls, resulting in huge risk exposure. The analysis shows that a 25-fold decrease in risk can be achieved with only a 138% increase in the current countermeasure budget. Attacks from supply-chain partners are a relatively small, but yet very important, part of the current risk profile for these medical organizations.

  • 2009 Supplemental Data Breach Investigations Report

    Verizon

    Overall, this supplemental report is a break from the norm for the DBIR series. Rather than heavily centered around statistics, it is much more descriptive and narrative. We provide a detailed description of the 15 most common threats, including common victims, variations, recommended controls and a case example from our investigations.

    This change in direction represents what we felt to be the most suitable form for the intended function. We hope the detour proves worth your time and that it leads to a better understanding of what possible problems your organization might face, and how to be better prepared to meet them.

    Other authors
    • David Hylender
  • ICSA Labs Product Assurance Report

    ICSA Labs

    Are the security products your organization depends upon every day reliable? Do they consistently meet expectations and live up to their billing? Chances are they do not, and this experience has resulted in the not-so-tongue-in-cheek postulation that new security products are created to compensate for the shortcomings and side effects of the existing ones. That’s not to say there is never a legitimate need for new security solutions; new business models, new technologies, new threats, and new levels of global interconnectedness require us to continually adapt the products and practices we employ to protect information assets.

    Two decades of certification testing has afforded ICSA Labs a great deal of experience and knowledge about common weaknesses in security products. Testing products before they hit the shelves provides insight into what is prone to happen once they leave them. We’ve learned what improves reliability and what tends to detract from it. We’ve seen first hand how often problems occur, what types occur most often, and why they occur. We’ve also seen how vendors respond to these issues and how their actions can affect consumers for better or for worse.

    This report is an effort to distill observations from the ICSA testing labs along with others from the security product industry over the last 20 years. It is the first step in a larger agenda at ICSA Labs to expand information sharing and collaboration with the security community. Future work will provide additional product-specific findings as well as more detailed analysis. We hope readers find these efforts helpful in their mission to protect information and useful to the decisions and deployments made in support of that mission.

    Other authors
    • David Hylender
    • George Japak
  • 2009 Data Breach Investigations Report

    Verizon

    2008 will likely be remembered as a tumultuous year for corporations and consumers alike. Fear, uncertainty, and doubt seized global financial markets; corporate giants toppled with alarming regularity; and many who previously lived in abundance found providing for just the essentials to be difficult. Among the headlines of economic woes came reports of some of the largest data breaches in history. These events served as a reminder that, in addition to our markets, the safety and security of our information could not be assumed either.

    The 2009 Data Breach Investigations Report (DBIR) covers this chaotic period in history from the viewpoint of our forensic investigators. The 90 confirmed breaches within our 2008 caseload encompass an astounding 285 million compromised records. These records have a compelling story to tell, and the pages of this report are dedicated to relaying it. As with last year, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers.

  • 2008 Supplemental Data Breach Investigations Report

    Verizon

    Verizon Business published the 2008 Data Breach Investigations Report (DBIR) in June of this year. Compiling four years of data from over 500 cases worked by the Verizon Business Investigative Response team, it was intended to be a kind of “state-of-the-union” look at recent security breach and data compromise trends. As those who read the report already know, the picture it painted was not altogether rosy.

    The DBIR presented statistics in aggregate across all the organizations in our caseload and did not delve into the state of affairs within each of the industries represented (see Figure 1 for distribution). However, since the original publication, we continue to receive many requests for industry-specific data and comparisons. It is the goal of this 2008 Data Breach Investigations Supplemental Report to meet these requests.

    Other authors
    • David Hylender
    • Peter Tippett
    • Bryan Sartin
  • 2008 Data Breach Investigations Report

    Verizon

    The 2008 Verizon Business Data Breach Investigations Report integrates a vast amount of factual evidence from forensic investigations over the last four years. The study is unique in that it offers an objective, first-hand view of data breaches directly from the casebooks of our Investigative Response team. Tens of thousands of data points weave together the stories and statistics from compromise victims around the world. We have attempted to interpret their tales and it is our hope that your organization will learn from these findings and thereby avoid their end.

    Other authors
    • David Hylender
  • Perception and Reality: An Introspective Study on Supply Chain Information Security Risk

    Issues in Information Systems, Vol. 9, No. 2

    The collaborative nature of supply chains has exposed firms to a variety of security risks. With information technology (IT) as the cornerstone to integration, this exposure can be passed throughout all levels of business. Unfortunately, the role one plays in the supply chain may affect an internalized view of their firm’s current security position, both in terms of what is being done and what should be done to limit risk exposure. This paper provides an initial investigation of the nature and perception of information security risk in supply chains and the managerial implications and limitations of current IT security practices.

  • A Critical Balance: Collaboration and Security in the IT-Enabled Supply Chain

    International Journal of Production Research, Vol. 45, No. 11

    Integration of information flows facilitated by advances in information technology (IT) has increased collaboration across supply chains. However, benefits of interconnectivity are not gained without risk, as IT has removed protective barriers around assets and processes. Thus, supply chains are better able to satisfy customer needs yet are potentially more vulnerable to disruption due to an array of IT-specific threats. Highly interconnected supply chains would appear to be especially prone to these hazards. Although supply chain risk and information technology risk have been studied in isolation, little has been done to define the impact of information security on supply chain management. This exploratory investigation addresses this deficiency in the literature by defining information security risk in the context of supply chain management. It identifies, categorizes, and validates information technology threats as sources of risk in the supply chain. It then establishes a conceptual framework for further study into supply chain information security risk. Finally, it discusses the implications of information security risk in the supply chain. It is suggested that supply chain risk is affected by IT threats and therefore the benefits of collaboration facilitated by IT integration must exceed the increase in risk due to IT security threats.

  • Information Security Risk in the E-Supply Chain

    E-Supply Chain Technologies and Management, Idea Group Publishing

    Collaboration between supply chain partners, facilitated by integration of information flows, has created more efficient and effective networks. However, the benefits of interconnectivity are not gained without risk. Though essential to support collaboration, increased use of information technology has removed internal and external protective barriers around an organization’s assets and processes. Thus, supply chains are better able to satisfy the needs of customers while more vulnerable to an array of IT-specific risks. This chapter identifies the sources of IT threats in the supply chain, categorizes those threats, and validates them by means of a survey of 188 companies representing a range of supply chain functions. Analysis suggests that supply chain risk is affected by IT threats and therefore the benefits of collaboration facilitated by IT integration must exceed the increase in risk due to IT security threats.

  • Is Information Security Under Control? Investigating Quality in Information Security Management.

    IEEE Security and Privacy, Vol. 5, No. 1

    Previous studies of organizations’ use of information security controls have focused on the presence or absence of controls, not their quality. According to a recent survey focusing on control quality, implementation quality varies significantly by organization size as well as industry. We designed and conducted a survey as an initial step toward meeting this challenge. To do this, we benchmarked how organizations manage information security through the implementation of various controls. Although security surveys are nothing new, our method aims to uncover specific details of control implementation and focus on the implementation’s quality. With a more precise understanding of current practices, information security management properly can begin to pursue effective strategies to improve quality and lower risk.

    Other authors
    • Linda Wallace
  • Necessary Measures: Metric-Driven Information Security Risk Assessment and Decision-Making

    Communications of the ACM, Vol. 50, Iss. 10

    Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure – an issue of equivocality. Therefore, in order to generate data, and thereby lower uncertainty for improved security-related decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the “necessary measures,” can be unambiguously applied. This paper formulates a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures.

  • Organizations Respond To Phishing: Exploring The Public Relations Tackle Box

    Communication Research Reports 24 (4)

    Relationship management theory focuses on processes of shared goals and favorable outcomes for organizations and their publics. Relationship management theory also provides theoretical justification for research exploring the threat phishing poses to upend the shared goal between organizations and their publics to secure online financial and personal information. Phishing refers to the fraudulent and increasingly authentic-looking e-mail attempts aimed to lure unsuspecting recipients into sharing information such as credit card, checking account, and social security numbers. Internet security recommendations were used to develop and to assess compliance with 24 strategies aimed to help organizations and publics protect online information. Results show surprisingly low adherence to many recommended anti-phishing strategies. Efforts to protect organization-public relationships are discussed, as are future research projects to explore phishing effects and anti-phishing advocacy.

    Other authors
    • John Tedesco
    • Emiley Baker
  • Consumer Privacy and Trust Online: An Experimental Analysis of Anti-Phishing Promotional Effects

    Journal of Website Promotion, Vol. 2, Iss. 1-2

    Phishing is the use of fraudulent e-mail to lure consumers into relinquishing sensitive information. A pre-test/post-test experiment controlling for three levels of online anti-phishing promotional information was used to measure post-test evaluations of participant trust. Trust, a central theoretical construct for relational theories of public relations and relationship marketing, was assessed on 101 participants randomly assigned to one of three controlled anti-phishing conditions. Results show that higher amounts of anti-phishing information promote higher levels of trust. Despite initial concern that a threshold effect may result from anti-phishing information, results show consumers find promotional security information helpful rather than worrisome.

    Other authors
    • Emiley Baker
    • John Tedesco

Patents

  • Methods and Apparatus for Identifying and Characterizing the Role of Malicious Infrastructure Involved in a Malicious Software Campaign

    Filed US 62/221,465

  • Mobile Application Security Score Calculation

    Filed US 8,763,131 B2

    The security or other attributes of mobile applications may be assessed and assigned a security score. In one implementation, a device may obtain information relating to the mobile applications, and may determine, for each of the mobile applications, a number of security scores. Each of the security scores may define a level of risk for a security category relating to a mobile application. The device may further combine the security scores, for each of the mobile applications, to obtain, for each of the mobile applications, a final security score.

