Data Breaches Vary by Industry

(April 23, 2009) Proposing a taxonomy for classifying data loss incidents, Interhack examined incidents by type and industry and found significant results for Finance, Education, Public Administration, and Healthcare.

Study Shows Finance, Education, Healthcare, and Government Lose Sensitive Personal Data Differently

APRIL 23, 2009—Proposing a taxonomy for classifying data loss incidents with public information, Interhack has examined publicized data breaches by type and industry and found significant results for Finance, Education, Public Administration, and Health Care. 

“We believe we can make a science of finding likelihood and helping defenses to be properly focused.”—Matthew Curtin, Founder Interhack

“We discovered a statistically significant distinction between the types of breaches that occur in several of the industry sectors.” Matthew Curtin, founder of Interhack and co-author of the study said. Curtin and Interhack Senior Analyst Lee Ayres created the taxonomy for the hierarchical classification of data losses and then applied it to a set of data breaches accumulated by the Identity Theft Resource Center. Curtin and Ayres classified breach events according to industry sector using the 2002 North American Industry Classification System (NAICS).

The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts.  Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.

The taxonomy and data breach study have many applications.  For one, finding likelihood of security incidents has been a sort of guessing game for information security practitioners.  “We believe we can make a science of finding likelihood and helping defenses to be properly focused,” Curtin said.  “We have the analytical tools, and we see promise in the approach.”

Curtin unveils the taxonomy and data breach study at RSA Conference 2009 in San Fransisco, California on April 23 in the presentation Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry.

Where to Get the Study

The research paper Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry is being published in Volume 4, Issue 3 (Winter 2008–09) of I/S: A Journal of Law and Policy for the Information Society. The I/S Journal is an interdisciplinary journal of research and commentary, concentrating on the intersection of law, policy, and information technology. It represents a one-of-a-kind partnership between one of America's leading law schools, the Moritz College of Law at The Ohio State University, and the nation's foremost public policy school focused on information technology, Carnegie Mellon University's H.J. Heinz III School of Public Policy and Management.

Subscribe to the I/S Journal or download a copy of the paper from Interhack's Web site.

About Interhack

Based in Columbus, Ohio, Interhack Corporation is a computer expert firm with practices in Information Assurance and Forensic Computing.  Founded in 1997 by a team of information security researchers, Interhack works to make global computing and communications infrastructures worthy of trust.  Today the firm has clients all over North America.  Additional information about Interhack is available at web.interhack.com.

For media inquiries, please contact Abby Park at +1 614-545-4225 or abbyp@interhack.com.