Is encryption worth it?
Gartner’s Avivah Levitan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report [link to http://www.itnews.com.au/newsstory.aspx?CIaNID=33396&src=site-marq no longer works] on her recent testimony before the US Senate.
The problem?
Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if they are representative of the actual breach population (about which we, and Gartner, know next to nothing) then encryption is cheaper than being hit with a breach. But, in deliberations over national policy the plural of “anecdote” is not “data”.
But wait — we also don’t know the likelihood that you’ll get hit with a breach. Gartner’s report doesn’t discuss this, but it does say a breach costs 15X more than encryption.
Cool. So, if you’re risk-neutral and you believe you have a one in fifteen chance of losing large amounts of personal information, you should encrypt. But how to tell what your chance of being hit are?
I’d guesstimate that over the last two years or so, we have heard about maybe 300 breaches. I dare say there are vastly more than 4500 organizations handling personal information. We have more colleges and universities than that, for example.
So, either breaches are grossly under-reported, or Gartner’s case for encryption is not a case at all — this is a mountain being made out of a molehill, or Gartner’s estimate of cost is too low (for example, by not including loss in stock price).
My personal opinion:
Breaches are vastly underreported. Those about which we do not hear are “dog bites man” stuff, or are really big and bad, but thanks to loopholes, no reports need be made. The impact of a breach outside the “dog bites man” category, not counting the externality imposed on those whose info is revealed, is primarily reputational, and for publicly-traded firms manifests itself via abnormally low returns.
Real research concerning these matters is being done. It’d be highly desirable for our legislators to hear about some of it.
[Additional observations on this topic were posted over at Security Curve [link to http://www.securitycurve.com/blog/archives/000406.html no longer works], which prompted me to move this out of the Drafts folder and into the light of day.]
Depends on where you use encyrption, doesn’t it? For example, I think “secure email” reduces risk as much as most people think.
However, it’s pretty obvious from the press play that encryption of data on laptops might be worth the effort in order to reduce reputation and increased response losses.
I am referring above to encryption of data at rest. Sorry if that wasn’t sufficiently obvious.
Chris, my thoughts exactly, you’ve saved me from posting – the Gartner figures were ridiculous on the face of it, and I wonder why they bothered to publish?
>> The impact of a breach outside the “dog bites man” category, not counting the externality imposed on those whose info is revealed, is primarily reputational, and for publicly-traded firms manifests itself via abnormally low returns.
This is an assumption that I make in a working draft. If integrated into the informational literature (Spence’s market for education *not* Akerlof’s market for lemons) then the result is that security is a market for silver bullets. This pretty much means that any technique like encryption is futile, the issue has to be dealt with by changing the payoffs.
Markup issues,
That should read I -don’t- think secure email…
At rest? makes sense in a few places, but certainly not to the extent Gartner wants us to believe.
>>the Gartner figures were ridiculous on the face of it, and I wonder why they bothered to publish?
Good question.
Sorry Alex–what markup did you expect to have work that did not?
Worse than “breaches are vastly underreported” is the probably even more true “breaches are vastly underdiscovered”.