A quick check on breach size distribution

Mike Roytman of RiskI/O argued in a recent BSides Las Vegas presentation that power law distributions are often far more useful when modeling incident impact than the more commonly used normal distribution (and certainly more useful than point estimates of central tendency, like median or mean).

He presented some empirical evidence of his own for this claim, and – as a good presenter does – got me thinking. Grabbing some nearby data from 110 breaches of known size involving NY firms in 2006 (which I gathered via FOIA and used in a FIRST presentation) I was able to pretty quickly crank out a pretty graphic.

Lo and behold, I do believe the gentleman is on to something. And it was fun to put the old data to new use.

[Figure: Rplot-pow.png]
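As an added illustration (not the author's R plot or the NY FOIA data), here is a pure-Python version of the quick check on a constructed sample of 110 breach sizes: the Hill (maximum-likelihood) estimate of the tail exponent, the slope of the log-log CCDF that a straight line on such a plot corresponds to, and a log-likelihood comparison against a normal fit. The sample, xmin and exponent are assumptions chosen for the demonstration.

```python
import math
import random

# Constructed sample: 110 breach sizes (records exposed) drawn from a Pareto
# (power-law) distribution with tail exponent 1.2 above xmin = 100 records.
# Synthetic data, not the breach reports used in the original post.
N, XMIN, TRUE_ALPHA = 110, 100.0, 1.2
random.seed(7)
BREACH_SIZES = [XMIN / (1.0 - random.random()) ** (1.0 / TRUE_ALPHA) for _ in range(N)]


def hill_alpha(sizes, xmin):
    """Maximum-likelihood (Hill) estimate of the power-law tail exponent."""
    tail = [x for x in sizes if x >= xmin]
    return len(tail) / sum(math.log(x / xmin) for x in tail)


def loglog_ccdf(sizes):
    """(log x, log P[X >= x]) points; a straight line indicates a power law."""
    xs = sorted(sizes)
    n = len(xs)
    return [(math.log(x), math.log((n - i) / n)) for i, x in enumerate(xs)]


def slope(points):
    """Least-squares slope of the log-log CCDF; for a power law it is about -alpha."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    num = sum((x - mx) * (y - my) for x, y in points)
    den = sum((x - mx) ** 2 for x, _ in points)
    return num / den


def loglik_pareto(sizes, xmin):
    """Log-likelihood of the sample under the fitted Pareto (power-law) model."""
    alpha = hill_alpha(sizes, xmin)
    n = len(sizes)
    return n * math.log(alpha / xmin) - (alpha + 1) * sum(math.log(x / xmin) for x in sizes)


def loglik_normal(sizes):
    """Log-likelihood of the sample under the maximum-likelihood normal fit."""
    n = len(sizes)
    mu = sum(sizes) / n
    var = sum((x - mu) ** 2 for x in sizes) / n
    return -0.5 * n * (math.log(2 * math.pi * var) + 1)


if __name__ == "__main__":
    print("Hill alpha      :", round(hill_alpha(BREACH_SIZES, XMIN), 3))
    print("log-log slope   :", round(slope(loglog_ccdf(BREACH_SIZES)), 3))
    print("LL power law    :", round(loglik_pareto(BREACH_SIZES, XMIN), 1))
    print("LL normal       :", round(loglik_normal(BREACH_SIZES), 1))
```

On real breach data the same three numbers tell you whether the impact tail is heavy enough that a mean or a normal-based confidence band would understate the large incidents.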

Posted in Security

Additional SEC docs

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

12/19/2013 http://www.sec.gov/Archives/edgar/data/71691/000119312513479202/filename1.htm NEW YORK TIMES CO (CORRESP for NEW YORK TIMES CO)
10/22/2013 http://www.sec.gov/Archives/edgar/data/1111665/000119312513406326/filename1.htm TELECOMMUNICATION SYSTEMS INC FA (CORRESP for TELECOMMUNICATION SYSTEMS INC FA)
10/10/2013 http://www.sec.gov/Archives/edgar/data/930309/000119312513396074/filename1.htm DELHAIZE GROUP (CORRESP for DELHAIZE GROUP)
09/24/2013 http://www.sec.gov/Archives/edgar/data/202058/000119312513376280/filename1.htm HARRIS CORP DE (CORRESP for HARRIS CORP DE)
09/10/2013 http://www.sec.gov/Archives/edgar/data/1167886/000093980213000148/filename1.htm GOLDFIELDS INTERNATIONAL INC (CORRESP for GOLDFIELDS INTERNATIONAL INC)
08/08/2013 http://www.sec.gov/Archives/edgar/data/1111665/000119312513327035/filename1.htm TELECOMMUNICATION SYSTEMS INC FA (CORRESP for TELECOMMUNICATION SYSTEMS INC FA)
06/14/2013 http://www.sec.gov/Archives/edgar/data/1574815/000119312513259926/filename1.htm STOCK BUILDING SUPPLY HOLDINGS INC (CORRESP for STOCK BUILDING SUPPLY HOLDINGS INC)
05/23/2013 http://www.sec.gov/Archives/edgar/data/1047122/000104712213000069/filename1.htm RAYTHEON CO (CORRESP for RAYTHEON CO)
04/25/2013 http://www.sec.gov/Archives/edgar/data/1564708/000119312513175006/filename1.htm New Newscorp LLC (CORRESP for New Newscorp LLC)
04/16/2013 http://www.sec.gov/Archives/edgar/data/1157408/000110465913029858/filename1.htm K12 INC (CORRESP for K12 INC)

You can read more about correspondence like this at https://vaguelythreatening.wordpress.com/2012/08/30/sec-comment-letters-as-infosec-situational-awareness/ and about the automated mechanism used to identify these files at https://vaguelythreatening.wordpress.com/2012/11/14/a-note-on-automated-postings-of-sec-cyber-correspondence/

Posted in Uncategorized

New batch of SEC correspondence

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

12/05/2013 http://www.sec.gov/Archives/edgar/data/71691/000000000013066300/filename1.pdf NEW YORK TIMES CO (UPLOAD for NEW YORK TIMES CO)
10/21/2013 http://www.sec.gov/Archives/edgar/data/1571384/000000000013057717/filename1.pdf SIGMABROADBAND CO (UPLOAD for SIGMABROADBAND CO)
10/10/2013 http://www.sec.gov/Archives/edgar/data/1585689/000000000013056179/filename1.pdf Hilton Worldwide Holdings Inc (UPLOAD for Hilton Worldwide Holdings Inc)
09/26/2013 http://www.sec.gov/Archives/edgar/data/930309/000000000013053279/filename1.pdf DELHAIZE GROUP (UPLOAD for DELHAIZE GROUP)
09/26/2013 http://www.sec.gov/Archives/edgar/data/937834/000000000013053183/filename1.pdf METROPOLITAN LIFE INSURANCE CO (UPLOAD for METROPOLITAN LIFE INSURANCE CO)
09/09/2013 http://www.sec.gov/Archives/edgar/data/1111665/000000000013049343/filename1.pdf TELECOMMUNICATION SYSTEMS INC FA (UPLOAD for TELECOMMUNICATION SYSTEMS INC FA)
06/11/2013 http://www.sec.gov/Archives/edgar/data/1370880/000000000013031641/filename1.pdf FireEye Inc (UPLOAD for FireEye Inc)
06/04/2013 http://www.sec.gov/Archives/edgar/data/1574815/000000000013030509/filename1.pdf STOCK BUILDING SUPPLY HOLDINGS INC (UPLOAD for STOCK BUILDING SUPPLY HOLDINGS INC)
04/25/2013 http://www.sec.gov/Archives/edgar/data/1478242/000000000013022343/filename1.pdf Quintiles Transnational Holdings Inc (UPLOAD for Quintiles Transnational Holdings Inc)
04/18/2013 http://www.sec.gov/Archives/edgar/data/1478242/000000000013020915/filename1.pdf Quintiles Transnational Holdings Inc (UPLOAD for Quintiles Transnational Holdings Inc)
04/02/2013 http://www.sec.gov/Archives/edgar/data/1157408/000000000013017648/filename1.pdf K12 INC (UPLOAD for K12 INC)
03/29/2013 http://www.sec.gov/Archives/edgar/data/1569340/000000000013017075/filename1.pdf TICKET TO SEE INC (UPLOAD for TICKET TO SEE INC)
01/22/2013 http://www.sec.gov/Archives/edgar/data/895421/000000000013003533/filename1.pdf MORGAN STANLEY (UPLOAD for MORGAN STANLEY)
12/31/2012 http://www.sec.gov/Archives/edgar/data/1563411/000000000012070011/filename1.pdf Constellium N V (UPLOAD for Constellium N V)
10/26/2012 http://www.sec.gov/Archives/edgar/data/732717/000000000012059293/filename1.pdf AT T INC (UPLOAD for AT T INC)
10/09/2012 http://www.sec.gov/Archives/edgar/data/6769/000000000012055743/filename1.pdf APACHE CORP (UPLOAD for APACHE CORP)
10/05/2012 http://www.sec.gov/Archives/edgar/data/1427352/000000000012055348/filename1.pdf Onteco Corp ( Onteco Corp)
10/02/2012 http://www.sec.gov/Archives/edgar/data/797468/000000000012054287/filename1.pdf OCCIDENTAL PETROLEUM CORP DE (UPLOAD for OCCIDENTAL PETROLEUM CORP DE)

You can read more about correspondence like this at https://vaguelythreatening.wordpress.com/2012/08/30/sec-comment-letters-as-infosec-situational-awareness/ and about the automated mechanism used to identify these files at https://vaguelythreatening.wordpress.com/2012/11/14/a-note-on-automated-postings-of-sec-cyber-correspondence/

Posted in Uncategorized

New SEC 10K for QLOGIC CORP, ELECTRONIC ARTS INC

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

05/23/2013 QLOGIC CORP http://www.sec.gov/Archives/edgar/data/918386/000119312513233611/d488985d10k.htm (10-K for QLOGIC CORP)
05/22/2013 ELECTRONIC ARTS INC http://www.sec.gov/Archives/edgar/data/712515/000071251513000022/ea20130331-10kdoc.htm (10-K for ELECTRONIC ARTS INC)

Links shown in red contain references to actual “cyber” events/incidents, and the like.

Posted in Uncategorized

New SEC 10K for SYMANTEC CORP, GBS Enterprises Inc, BMC SOFTWARE INC

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

05/17/2013 SYMANTEC CORP http://www.sec.gov/Archives/edgar/data/849399/000119312513226119/d516182d10k.htm (10-K for SYMANTEC CORP)
05/17/2013 GBS Enterprises Inc http://www.sec.gov/Archives/edgar/data/1413754/000114420413030265/v344975_10k.htm (10-K for GBS Enterprises Inc)
05/09/2013 BMC SOFTWARE INC http://www.sec.gov/Archives/edgar/data/835729/000119312513210706/d508475d10k.htm (10-K for BMC SOFTWARE INC)

Links shown in red contain references to actual “cyber” events/incidents, and the like.

Posted in autopost, SEC Project

New SEC correspondence for PROSPER MARKETPLACE INC, Prosper Funding LLC

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

10/01/2012 PROSPER MARKETPLACE INC, Prosper Funding LLC http://www.sec.gov/Archives/edgar/data/1416265/000114036112042187/filename1.htm (CORRESP for PROSPER MARKETPLACE INC)

06/22/2012 Prosper Funding LLC http://www.sec.gov/Archives/edgar/data/1542574/000000000012032914/filename1.pdf (UPLOAD for Prosper Funding LLC)

You can read more about correspondence like this at https://vaguelythreatening.wordpress.com/2012/08/30/sec-comment-letters-as-infosec-situational-awareness/ and about the automated mechanism used to identify these files at https://vaguelythreatening.wordpress.com/2012/11/14/a-note-on-automated-postings-of-sec-cyber-correspondence/

Posted in Uncategorized

New SEC 10K for DEBT RESOLVE INC, ORCHARD SUPPLY HARDWARE STORES CORP

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

05/03/2013 DEBT RESOLVE INC http://www.sec.gov/Archives/edgar/data/1106645/000147793213002123/drsv_10k.htm (10-K for DEBT RESOLVE INC)
05/03/2013 ORCHARD SUPPLY HARDWARE STORES CORP http://www.sec.gov/Archives/edgar/data/896842/000119312513199400/d475976d10k.htm (10-K for ORCHARD SUPPLY HARDWARE STORES CORP)

Links shown in red contain references to actual “cyber” events/incidents, and the like.

Posted in Uncategorized

New SEC 10K for HARVEST NATURAL RESOURCES INC

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

05/02/2013 HARVEST NATURAL RESOURCES INC http://www.sec.gov/Archives/edgar/data/845289/000119312513196239/d444289d10k.htm (10-K for HARVEST NATURAL RESOURCES INC)

Links shown in red contain references to actual “cyber” events/incidents, and the like.

Posted in Uncategorized

Of historical interest (only?)

A tweet by @jack_daniel reminded me of a graphic used (on slide 6, I am now reminded) in a presentation I delivered at the 2007 FIRST conference. Turns out that while I had blogged about the presentation and made it available for download, the link is dead because I decommissioned the server. As I wrote at the time, the main takeaways were intended to be:

That with the availability of breach reports direct from states with central reporting, such as New York, it is possible to measure part of our ignorance when we rely solely on published breach reports — even the best available sources (such as Attrition’s DLDOS DataLossDB) undercount breaches dramatically, and are biased toward larger incidents.

That we are still at the leading edge of an explosion of information, and that we should not draw hasty conclusions until more facts are in.

That, as Emil Faber might put it, “Knowledge is Good” and is not that painful to provide.

And finally, primary materials such as breach reports are useful artifacts not only because they tell us dry facts in a standardized format (but that IS nice), but also because the notices themselves are interesting evidence of how firms talk to their customers about a difficult topic.

Here’s a PDF of the presentation (along with my speaker notes).

Posted in Presentations

New SEC correspondence for Bank of New York Mellon CORP

The following new documents were recently made available by the SEC, and have been identified by an automated process as potentially relating to disclosures of “cyber” risk or incidents.

08/23/2012 Bank of New York Mellon CORP http://www.sec.gov/Archives/edgar/data/1390777/000119312512366599/filename1.htm (CORRESP for Bank of New York Mellon CORP)
05/10/2012 Bank of New York Mellon CORP http://www.sec.gov/Archives/edgar/data/1390777/000119312512225900/filename1.htm (CORRESP for Bank of New York Mellon CORP)
07/26/2012 Bank of New York Mellon CORP http://www.sec.gov/Archives/edgar/data/1390777/000000000012040066/filename1.pdf (UPLOAD for Bank of New York Mellon CORP)

You can read more about correspondence like this at https://vaguelythreatening.wordpress.com/2012/08/30/sec-comment-letters-as-infosec-situational-awareness/ and about the automated mechanism used to identify these files at https://vaguelythreatening.wordpress.com/2012/11/14/a-note-on-automated-postings-of-sec-cyber-correspondence/

Posted in Uncategorized