Mike Roytman of RiskI/O argued in a recent BSides Las Vegas presentation that power law distributions are often far more useful when modeling incident impact than the more commonly used normal distribution (and certainly more useful than point estimates of central tendency, like median or mean).
He presented some empirical evidence of his own for this claim, and – as a good presenter does – got me thinking. Grabbing some nearby data from 110 breaches of known size involving NY firms in 2006 (which I gathered via FOIA and used in a FIRST presentation) I was able to pretty quickly crank out a pretty graphic.
Lo and behold, I do believe the gentleman is on to something. And it was fun to put the old data to new use.