Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my two most recent columns (Part 1 and Part 2), I've been looking at the "2008 Data Breach Investigations Report," the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients. Today I'll look at the research findings concerning breach size and source.
The most interesting aspect of the data is that “The median size (as measured in the number of compromised records) for an insider breach exceeded that of an outsider by more than 10 to one. Likewise, incidents involving partners tend to be substantially larger than those caused by external sources.”
I was pleased to see the authors using the median, not the mean, of the number of records compromised; most of the reports published in our field erroneously use means (arithmetic averages) even though the variables have drastically skewed (asymmetric) frequency distributions that make those averages much less useful than for symmetric distributions.
When the authors corrected for the number of cases involving external sources, internal sources, and partners, the numbers of records likely to be involved in a breach showed that “partners represent the greatest risk for data compromise, followed closely by insiders.” These observations support “the principle that privileged parties are able to do more damage to the organization than outsiders.”
Using as much information as they could bring together on the IP addresses of external attacks, the Verizon team found that the geographic distribution of attack origins looked like this (some of these numbers are not shown in the report but were supplied by author Wade Baker for this article):
• Europe-East: 24%
• Americas-North: 23%
• Asia-South/Southeast: 14%
• Asia-East: 12%
• Asia-North/Central (incl. Russia): 9%
• Europe-West/South: 9%
• Middle East: 5%
• Americas-South: 3%
• Africa: 1%
• Europe-North (Scandinavia): 0%
• Oceania (Australia/NZ): 0%
• Americas-Central: 0%
So, more than 80% of the estimated attack-sources are from Eastern Europe, North America, and Asia. These results surprised me, since I have fallen into the habit of thinking of China as the No. 1 source of threats to information security today; I have to correct my impressions and be more careful in my teaching, lecturing and writing.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (1)
Data Breaches
By davidscott on July 9, 2008, 11:15 am
I just read your excellent and timely Data Breach Report. Senior management does not always appreciate the wide avenues for breach in their very organizations....