Then I did a search on security breaches and found a website from a non-profit organization called Privacy Rights Clearinghouse listing every U.S. security breach brought to litigation from 2005 until its update date as of today's writing (January 29th, 2011). Up to this date, of all cases that were litigated, the total amount was 512,334,164 (Clearinghouse, 2011). It included items ranging from security breaches by doctors signing off on patient files that they never saw, billing for them and leaving their files unsecured, to a simple laptop stolen from a university that contained students' information, including addresses and social security numbers.
My idea of security breaches was mostly that they happen in large corporations that were hacked and 40 million credit card numbers were stolen, or maybe a government server was attacked that contained vital U.S. security information. Ironically, from the local news, Wikileaks is what immediately came to mind. It actually was in fact started as a wiki but no longer accepts edits to its site (Editorial, 2011). This site has been blacklisted by most web hosting companies and banks and is viewed as a national threat by many countries. Those are the major items that I believe most people think of, on this type of grand scale. It is staggering to think about the amount of money that is lost, or should I say not realized lost, due to security breaches.
Chapter 12 of Beautiful Security lists a case that went before a judge in 1944 where an unmanned barge broke loose in NY Harbor and caused damage. The judge came up with a formula to determine liability in the case: B < P × L, where B is the burden, P is the probability and L is the injury. Liability therefore turns on whether the burden (B) is lower than P times L. The author translates this case to state that "the burden on an organization to prevent an information security breach or lapse is less than the probability of that breach multiplied by the damages that could result, that organization should seriously consider taking on that burden." (Oram & Viega, 2009) They then go on to discuss how an organization should determine its return on security investment (ROSI). Do the organization's security dollars match its potential liability? Without going into detail of the ensuing formula, my initial thought was: how do you determine the ROSI in 2009, when a new security breach possibility arises in 2010, then re-determine the ROSI in 2010 for a new breach to rear its ugly head in 2011, and so forth? I would expect that, based upon the solution cost or the cost of mitigation, the ROSI will have to be revisited on a regular basis.
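As an added illustration (not from the essay or from Beautiful Security), the script below applies the B < P × L test to a small set of breach scenarios and then re-runs it a year later when a new scenario is added, which is the yearly revisiting described above. The scenario figures are constructed, and the ROSI formula used is the common "(expected loss avoided minus cost) over cost" form, assumed here rather than taken from the book.

```python
# Added example: Judge Hand's B < P x L test applied to breach scenarios,
# re-evaluated when a new scenario appears the following year.
# All figures are constructed for illustration; the ROSI form is assumed.

def expected_loss(probability: float, loss: float) -> float:
    """P x L: the expected injury from one breach scenario."""
    return probability * loss


def hand_rule_justified(burden: float, probability: float, loss: float) -> bool:
    """Hand's rule: the burden is worth carrying when B < P x L."""
    return burden < expected_loss(probability, loss)


def rosi(burden: float, probability: float, loss: float, risk_reduction: float) -> float:
    """Assumed ROSI form: (expected loss the control avoids - its cost) / its cost."""
    avoided = expected_loss(probability, loss) * risk_reduction
    return (avoided - burden) / burden


def review_portfolio(scenarios: dict) -> dict:
    """Re-run the Hand test over every scenario known in a given year.
    scenarios maps a name to (burden, probability, loss, risk_reduction)."""
    return {
        name: {"justified": hand_rule_justified(b, p, l),
               "rosi": round(rosi(b, p, l, r), 2)}
        for name, (b, p, l, r) in scenarios.items()
    }


# Year 1: the two scenarios known when the budget was set (constructed figures).
YEAR1 = {
    "stolen laptop (encrypt disks)": (20_000, 0.10, 500_000, 0.9),
    "unsecured patient files (access logging)": (15_000, 0.02, 400_000, 0.5),
}
# Year 2: same controls plus a newly identified scenario, so ROSI is revisited.
YEAR2 = dict(YEAR1)
YEAR2["card database theft (tokenization)"] = (120_000, 0.05, 5_000_000, 0.8)

if __name__ == "__main__":
    for year, portfolio in (("2009", YEAR1), ("2010", YEAR2)):
        print(year, review_portfolio(portfolio))
```

Running it shows that the laptop control clears the Hand test in both years, the patient-file control does not, and the new 2010 scenario is justified on its own figures.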
Does an organization take a pragmatic approach to its potential security breach exposure, or wait until there is an actual problem and attempt to mitigate the problem then? I believe that the latter was the norm in the early technology years and the former is now the driving force of both IT and compliance departments. An organization can follow all of the rules and guidelines so as to comply with its state and federal regulations and still be breached, just as a company that does not comply with the laws can remain unscathed. It is apparent to me that if an organization is going to flourish in today's changing world, IT and compliance have to be best friends, even if they are a necessary evil.
Clearinghouse, P. R. (2011). Chronology of Data Breaches: Security Breaches 2005-Present. Retrieved from Privacy Rights Clearinghouse: http://www.privacyrights.org/data-breach#CP
Editorial. (2011). Wikileaks. New York Daily News. Retrieved from http://www.nydailynews.com/topics/WikiLeaks.org
Oram, A., & Viega, J. (Eds.). (2009). Beautiful Security. O'Reilly Media, Inc.