Another critique of Ponemon’s method for estimating ‘cost of data breach’

by Russell on January 26, 2011

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

A critique of Ponemon Institute methodology for “churn”

by adam on January 25, 2011

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last (…)

Requests for a proof of non-existence

by adam on January 24, 2011

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that (…)

Gunnar on Heartland

by alex on January 22, 2011

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.

A Day of Reckoning is Coming

by adam on January 20, 2011

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of (…)

Gunnar’s Flat Tax: An Alternative to Prescriptive Compliance?

by alex on January 14, 2011

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget). This got me to (…)

Dashboards are Dumb

by Russell on January 12, 2011

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

Referencing Insiders is a Best Practice

by adam on January 7, 2011

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security (…)

CRISC – The Bottom Line (oh yeah, Happy New Year!)

by alex on January 2, 2011

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just (…)