Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking [...]
In the past, we have has some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d [...]
My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over [...]
Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report [...]
Wade Baker has a quick response to my “Thoughts on the 2011 DBIR and APT,” including the data that I was unable to extract. Thanks!
At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones [...]
So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I [...]
Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000″. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt [...]
So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection [...]
Hey, I know it’s late notice, but I’ll be speaking at 10:30 EST today on EBRM and the Verizon DBIR: https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1002809&K=CAA1BC&tab=agenda Alex