Is encryption worth it?
Gartner’s Avivah Litan says it is better to spend money on encryption than on cleaning up after a data breach, according to a news report [link to http://www.itnews.com.au/newsstory.aspx?CIaNID=33396&src=site-marq no longer works] on her recent testimony before the US Senate.
Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. If those cases are representative of the actual breach population (about which we, and Gartner, know next to nothing), then encryption is indeed cheaper than being hit with a breach. But in deliberations over national policy, the plural of “anecdote” is not “data”.
There is a second gap: we also don’t know the likelihood that a given organization will suffer a breach. Gartner’s report doesn’t discuss this, though it does say a breach costs 15X more than encryption.
Fine. A risk-neutral organization should encrypt when the expected cost of a breach (probability of a breach times its cost) exceeds the cost of encryption; with a 15X cost ratio, that means encrypting when your chance of losing large amounts of personal information is better than one in fifteen. But how do you tell what your chances of being hit are?
I’d guesstimate that over the last two years or so, we have heard about maybe 300 breaches. For a one-in-fifteen chance over that period, the population at risk would have to be only about 4500 organizations (300 times 15). I dare say there are vastly more than 4500 organizations handling personal information; we have more colleges and universities than that, for example.
So one of three things is true: breaches are grossly under-reported; or Gartner’s case for encryption is not a case at all, and a mountain is being made out of a molehill; or Gartner’s estimate of the cost of a breach is too low (for example, by not including the loss in stock price).
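To make the break-even reasoning above concrete, here is a small added example (my own illustration, not part of the original post or anything Gartner published). It uses the post’s own figures, a 15X cost ratio and roughly 300 breaches heard of in about two years, and treats the size of the population at risk and any under-reporting multiplier as explicit assumptions, so you can see how far each of the three explanations has to stretch before encryption pays for a typical organization.

```python
"""Break-even arithmetic for the encrypt-vs-breach argument.

Added example, not code from the original post. The 15X cost ratio and
the ~300 reported breaches are the post's figures; every population size
and under-reporting factor below is an illustrative assumption.
"""


def breakeven_probability(cost_ratio: float) -> float:
    """Breach probability (over the period the costs cover) at which a
    risk-neutral organization is indifferent between paying for encryption
    and carrying the expected breach cost.

    With encryption cost E and breach cost R*E:
        encrypt iff p * R * E > E  <=>  p > 1 / R
    """
    if cost_ratio <= 0:
        raise ValueError("cost ratio must be positive")
    return 1.0 / cost_ratio


def observed_breach_rate(reported_breaches: int, population: int,
                         underreporting_factor: float = 1.0) -> float:
    """Fraction of the population hit in the window, scaling the reported
    count by an assumed under-reporting factor (1.0 means everything we
    heard about is everything that happened). Capped at 1.0."""
    if population <= 0 or reported_breaches < 0 or underreporting_factor < 1.0:
        raise ValueError("bad inputs")
    return min(1.0, reported_breaches * underreporting_factor / population)


def population_for_breakeven(reported_breaches: int, cost_ratio: float,
                             underreporting_factor: float = 1.0) -> float:
    """Population size at which the observed rate equals the break-even
    probability. With 300 breaches and a 15X ratio this is 4500."""
    return reported_breaches * underreporting_factor * cost_ratio


def should_encrypt(reported_breaches: int, population: int, cost_ratio: float,
                   underreporting_factor: float = 1.0) -> bool:
    """Risk-neutral decision: encrypt when the (adjusted) breach rate
    exceeds the break-even probability."""
    rate = observed_breach_rate(reported_breaches, population, underreporting_factor)
    return rate > breakeven_probability(cost_ratio)


def underreporting_needed(reported_breaches: int, population: int,
                          cost_ratio: float) -> float:
    """Explanation 1 from the post: how many real breaches per reported one
    would there have to be for encryption to break even at this population?
    Solve reported * f / population = 1 / ratio for f."""
    return population / (reported_breaches * cost_ratio)


def cost_ratio_needed(reported_breaches: int, population: int) -> float:
    """Explanation 3 from the post: if reporting is complete, how large would
    the breach-to-encryption cost ratio have to be? Solve
    reported / population = 1 / ratio for ratio."""
    return population / reported_breaches


if __name__ == "__main__":
    R = 15            # post's figure: a breach costs 15X encryption
    REPORTED = 300    # post's guesstimate: breaches heard of in ~2 years
    POP = 50_000      # assumption: organizations holding personal data
    print(f"break-even p = {breakeven_probability(R):.4f}")
    print(f"population where 300 reported breaches break even: "
          f"{population_for_breakeven(REPORTED, R):.0f}")
    print(f"encrypt at population {POP}, reports complete? "
          f"{should_encrypt(REPORTED, POP, R)}")
    print(f"under-reporting factor needed at {POP}: "
          f"{underreporting_needed(REPORTED, POP, R):.1f}x")
    print(f"cost ratio needed at {POP} with complete reporting: "
          f"{cost_ratio_needed(REPORTED, POP):.0f}X")
```

Running it with the assumed population of 50,000 organizations shows the shape of the argument: either roughly eleven breaches go unreported for every one we hear about, or a breach really costs on the order of 170X what encryption does, or the case for encryption as a general policy does not hold for the typical organization. Change the population assumption and the required factors move in proportion, which is exactly why the base rate matters more than the handful of high-profile cases.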
My personal opinion:
Breaches are vastly underreported. Those about which we do not hear are either “dog bites man” stuff, or are really big and bad but, thanks to loopholes, no reports need be made. The impact of a breach outside the “dog bites man” category, not counting the externality imposed on those whose information is revealed, is primarily reputational, and for publicly-traded firms it manifests itself as abnormally low stock returns.
Real research concerning these matters is being done. It would be highly desirable for our legislators to hear about some of it.
[Additional observations on this topic were posted over at Security Curve [link to http://www.securitycurve.com/blog/archives/000406.html no longer works], which prompted me to move this out of the Drafts folder and into the light of day.]