The Breach Research We Need

I’m not afraid to point out misleading or bad research that is funded by marketing groups strictly to gain headlines. Studies from firms like the Ponemon Institute come to mind: they give us excellent, shareable headlines supported by a house of cards. The information presented is unusable for risk management, and quoting these studies is a quick way to get laughed out of a room.


What risk managers need is data that is comparable to their own companies when they think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions: there is no way for Firm A to look at those results and understand how they relate back to Firm A.

Current limitations of security research:

  • We simply don’t have enough breach data from which to draw statistically valid conclusions.
  • Data about breaches is communicated inconsistently, which further confounds normalization efforts.
  • Privately held companies are not required to disclose breach cleanup efforts, which dramatically limits the population of available companies.
  • With so little data, there is a temptation to overfit models.

All of these make it hard to create that headline and sell security products and services. It makes you wonder how much funded research goes unpublished because the marketing team doesn’t like the narrative.

So what is it we need? We need research that is transparent enough to help firms draw those connections between themselves and the data on the screen. We need real dollars and sound research methods.

Some ideas:

  • Break the data into clusters based on industry, company size, and other demographic details that help firms relate to the data.
  • Only use concrete costs (look backward, not forward) and avoid trying to capture opportunity costs or other indirect costs that you didn’t concretely measure. If you did estimate them, show them as separate line items rather than folding them into the direct figures.
  • Don’t overfit your models. If you use factor analysis, don’t turn around and say there are 22 factors that influence the cost of a breach. Instead, find the break (the elbow) on the scree plot where the leading factors already explain a high percentage of the variance and focus on those (hint: it is probably fewer than five).
  • Never rely on affective forecasting, because the data you get from it will lead you down a path of the human psyche that will confound your results (see JPMorgan Chase’s odds-defying ability to stay in business after their breach). Insert eyeroll emoji here.
  • Commit to releasing the research even if it doesn’t help you sell more security widgets. If the research methods are sound, the data and results are useful.
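To make the clustering, direct-versus-indirect, and factor-retention recommendations above concrete, here is an added example. It is my own illustration, not the author’s code or any published study’s method. It takes a constructed set of hypothetical breach records, clusters them by industry and headcount band, reports the median direct cost per cluster with the indirect estimate kept as a separate line item, and suppresses any cluster with too few breaches to summarize honestly. It then computes the eigenvalues of a constructed correlation matrix of cost drivers (the quantities a scree plot graphs, in the PCA-style form that is the simplest version of the factor analysis the post mentions) and keeps only the leading factors needed to explain 80% of the variance. Every name, headcount band, dollar figure, correlation, and the 80% threshold is an assumption chosen for the illustration.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample (hypothetical figures, not real breach data). "direct_costs" holds only
# backward-looking, invoiced spend; the forward-looking guess at lost business is kept apart
# so it can be shown as its own line item and is never blended into the direct averages.
SAMPLE_BREACHES = [
    {"industry": "retail", "employees": 300, "records_exposed": 50_000, "indirect_estimate": 500_000,
     "direct_costs": {"forensics": 120_000, "notification": 40_000, "credit_monitoring": 75_000, "legal": 65_000}},
    {"industry": "retail", "employees": 450, "records_exposed": 20_000, "indirect_estimate": 200_000,
     "direct_costs": {"forensics": 80_000, "notification": 15_000, "credit_monitoring": 30_000, "legal": 25_000}},
    {"industry": "retail", "employees": 120, "records_exposed": 10_000, "indirect_estimate": 900_000,
     "direct_costs": {"forensics": 40_000, "notification": 10_000, "credit_monitoring": 15_000, "legal": 15_000}},
    {"industry": "healthcare", "employees": 8_000, "records_exposed": 400_000, "indirect_estimate": 3_000_000,
     "direct_costs": {"forensics": 600_000, "notification": 300_000, "credit_monitoring": 800_000, "legal": 700_000}},
    {"industry": "healthcare", "employees": 12_000, "records_exposed": 1_000_000, "indirect_estimate": 8_000_000,
     "direct_costs": {"forensics": 900_000, "notification": 600_000, "credit_monitoring": 1_500_000, "legal": 1_200_000}},
    {"industry": "healthcare", "employees": 20_000, "records_exposed": 250_000, "indirect_estimate": 1_000_000,
     "direct_costs": {"forensics": 500_000, "notification": 200_000, "credit_monitoring": 400_000, "legal": 300_000}},
    {"industry": "finance", "employees": 60_000, "records_exposed": 5_000_000, "indirect_estimate": 20_000_000,
     "direct_costs": {"forensics": 2_000_000, "notification": 1_000_000, "credit_monitoring": 3_000_000, "legal": 4_000_000}},
]

# Constructed correlation matrix of six cost drivers: three move together (0.8), two move
# together (0.6), one is independent. Its eigenvalues are the bars on a scree plot.
SAMPLE_CORRELATION = [
    [1.0, 0.8, 0.8, 0.0, 0.0, 0.0],
    [0.8, 1.0, 0.8, 0.0, 0.0, 0.0],
    [0.8, 0.8, 1.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 1.0, 0.6, 0.0],
    [0.0, 0.0, 0.0, 0.6, 1.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 1.0],
]

def size_bucket(employees):
    """Hypothetical headcount bands; choose bands your readers can place themselves in."""
    if employees < 500:
        return "small"
    if employees < 5_000:
        return "mid"
    return "large"

def summarize_by_cluster(records, min_n=3):
    """Median direct cost per (industry, size band) cluster, with the indirect estimate reported
    separately. Clusters smaller than min_n are marked suppressed instead of averaged: one or
    two firms are an anecdote, not a statistic."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["industry"], size_bucket(r["employees"]))].append(r)
    summary = {}
    for key, rows in groups.items():
        if len(rows) < min_n:
            summary[key] = {"n": len(rows), "suppressed": True}
            continue
        direct = [sum(r["direct_costs"].values()) for r in rows]
        per_record = [d / r["records_exposed"] for d, r in zip(direct, rows)]
        summary[key] = {
            "n": len(rows),
            "suppressed": False,
            "direct_median": statistics.median(direct),
            "direct_per_record_median": statistics.median(per_record),
            # its own line item, never folded into the direct figures
            "indirect_estimate_median": statistics.median([r["indirect_estimate"] for r in rows]),
        }
    return summary

def eigenvalues_symmetric(matrix, sweeps=50, tol=1e-12):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations (pure Python, no numpy)."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break  # off-diagonal mass is gone; the diagonal now holds the eigenvalues
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted((a[i][i] for i in range(n)), reverse=True)

def retained_factors(eigenvalues, target=0.80):
    """Smallest number of leading factors whose cumulative explained variance reaches target."""
    total = sum(eigenvalues)
    cumulative = 0.0
    for k, ev in enumerate(eigenvalues, start=1):
        cumulative += ev
        if cumulative / total >= target:
            return k
    return len(eigenvalues)

if __name__ == "__main__":
    for cluster, stats in sorted(summarize_by_cluster(SAMPLE_BREACHES).items()):
        print(cluster, stats)
    evs = eigenvalues_symmetric(SAMPLE_CORRELATION)
    print("eigenvalues:", [round(v, 3) for v in evs])
    print("factors kept at 80% explained variance:", retained_factors(evs))
```

Two design choices matter more than the arithmetic. Medians rather than means keep one outsized breach from dragging a whole cluster, and the suppression rule makes the data gap visible instead of papering over it with an average of one. On the factor side, the constructed matrix has six drivers but three of its eigenvalues carry 80% of the variance; reporting all six as "factors that influence cost" would be exactly the overfitting the post warns about.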


This is a Security Bloggers Network syndicated blog from Branden R. Williams, Business Security Specialist, authored by Branden Williams.


Branden Williams

Dr. Branden R. Williams has more than twenty-five years of experience in business, technology, and cybersecurity as a consultant, strategist, and executive. Dr. Williams has experience working for the largest and smallest institutions as an entrepreneur, practitioner, and advisor. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that promote growth while reducing risk. He is a practitioner and advisor for the operation, engineering, and management of IT and IS tools. He’s held several executive roles in the industry and served on both the PCICo and EMVCo boards.
