Shostack + Friends Blog Archive


Does Lost Data Matter?

At WEIS last week, Allan Friedman presented “Is There a Cost to Privacy Breaches? An Event Study.” The study looked at the effect of a privacy breach on stock value, and roughly concluded that it does no lasting harm to shareholders: any effect disappears after a few days. Tom Espiner of ZDNet has an article that explains the research in more depth [link to http://news.zdnet.co.uk/0,39020330,39277965,00.htm no longer works]. Previous work is mostly by the (commercial) Ponemon Institute, and has focused on helping their customers understand that how the news is broken matters a great deal for the effects of the breach. (“Small Bits on Privacy,” “How To Notify Customers After a Breach,” “Costs of Breaches” and “Attackers, Disclosure and Expectations.”)

So we have two bits of apparently discordant data: Ponemon says that breaches can have a serious effect on customer retention, and Friedman, Acquisti and Telang say the markets don’t care. I suspect both are correct.

How can that be? Are markets not efficient? I think a few things are happening. The new paper looked at 78 breaches from a larger set that was reduced by various filters. That’s a small data set. Fortunately, we have more data now, and perhaps it will be possible to see more in future studies.

Even so, breaches are one-time events, and the market probably discounts them because they appear to be random. Why do they appear to be random? Because it’s hard to evaluate whether a security program is effective, even internally. It is even harder, as a customer, to decide whether a company is secure. In fact, companies that have recently suffered a breach may be investing more heavily in security, and are thus a better place to do business if you care about the security of your data.

There’s another important lesson here: SB 1386 and its descendants are not bad for business. The huge lobbying effort to curtail them is wasted effort, and companies should stop investing in it. Since the pain of a breach is temporary, it’s not all that worth worrying about. The current crop of stories will fall away, and consumers’ concerns will be addressed by the rise of new firms like Debix [http://debix.com/]. (I have consulted for Debix, and have some options as well.)

As the worries fall away, we’ll start to be able to evaluate security programs. The newfound availability of data is a marvelous thing. It allows Acquisti, Friedman and Telang to evaluate the effect of privacy breaches on shares. It will give us more data, and that data will be invaluable to a broad swath of research efforts.

So yes, lost data does matter, if not to the shareholders.

3 comments on "Does Lost Data Matter?"

  • Because its hard to evaluate if a security program is effective, even internally. It is even harder, as a customer, to decide if a company is secure.

    If it is hard as a customer, and as an outside observer, maybe it is also hard as a supplier. Indeed, who knows? I explore this in “The market for silver bullets” which would have been excellent to present in Cambridge, but the vampires got me.

    The newfound availability of data is a marvelous thing.

    Does the attacker know? I’m not sure, but Schechter and Smith make this remark:

    Sharing of information is also key to keeping marginal risk high. If the body of knowledge of each member of the defense grows with the number of targets attacked, so will the marginal risk of attack. If organizations do not share information, the body of knowledge of each one will be constant and will not affect marginal risk.

    Stuart E. Schechter and Michael D. Smith “How Much Security is Enough to Stop a Thief?”, Financial Cryptography 2003 [http://www.eecs.harvard.edu/~stuart/papers/fc03.pdf]

  • adam says:

    Ian, I’m not sure who the attacker is here. Could you elaborate?

  • Mr. X says:

    “As the worries fall away, we’ll start to be able to evaluate security programs.”
    Does this not assume that security programs (or programmes in British parlance) are sufficiently dissimilar such that they can be evaluated in comparison to each other?
    To my mind, there is a bland uniformity to almost every major corporate security program. The monoculture argument, in essence.
    If breaches seem to occur essentially at random (i.e. the quality of the security program has no bearing on the probability that a breach will occur) then perhaps that will be the catalyst for the renaissance in thinking that we need.

Comments are closed.