Lee Ayres Presents Breach Taxonomy Paper

Interhack Senior Analyst Lee Ayres is presenting the research paper A Comparative Analysis of Three Years of Breach Reports by Breach Type and Industry at The Ohio State University's October Security Day event, in Columbus, Ohio, on October 9, 2008. The paper will be published in the spring edition of the I/S Journal.


A firm understanding of the rates at which types of breaches occur, in proportion to one another, helps with the distribution of limited security budgets, by helping guide the expenditure of capital to where it will have the greatest impact. A number of sources have been proposed with a view to helping with this decision making. Unfortunately, such sources sometimes tend towards anecdote, might be part of a marketing campaign, or lack the context needed to make truly informed decisions.

Following up on the creation of a taxonomy for the hierarchical classification of data losses, we explored the proportion of breach types in a subset of data losses accumulated by the Identity Theft Resource Center. Using the 2002 North American Industry Classification System (NAICS), we classified breach events according to the industry sector in which they occurred.

We discovered a statistically significant distinction between the types of breaches that occur in several of the industry sectors. The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.

About the I/S Journal

I/S: A Journal of Law and Policy for the Information Society is an interdisciplinary journal of research and commentary, concentrating on the intersection of law, policy, and information technology. I/S represents a one-of-a-kind partnership between one of America's leading law schools, the Moritz College of Law at The Ohio State University, and the nation's foremost public policy school focused on information technology, Carnegie Mellon University's H.J. Heinz III School of Public Policy and Management.

Subscribe to the I/S Journal or contact Interhack to receive a copy of the paper.

About Interhack

Based in Columbus, Ohio, Interhack Corporation is a professional services firm with clients all over North America. Founded in 1997 by a team of information security researchers, Interhack accepted the mission to make global computing and communications infrastructures worthy of trust. Interhack's two practice areas, Information Assurance and Forensic Computing, support that mission. The company is a supporting member of The Usenix Association. Additional information about Interhack is available at web.interhack.com.