In April 2015, the U.S. Department of Energy responded to Freedom of Information Act (FOIA) request from USA Today by releasing information on more than 1,100 cyber-security incidents that occurred over four years.
While the data was not detailed—only consisting of seven variables, two of which had been redacted—there was enough information for researchers from Stanford University to come to a surprising conclusion: The rate of security incidents decreased over time. In other words, while breaches have regularly made headlines, the DOE as a whole was seeing fewer attacks.
"People have the perception that cyber-attacks have increased in frequency and magnitude dramatically," Marshall Kuypers, a Ph.D. candidate in the School of Management Science and Engineering at Stanford University, told eWEEK. "But when we run the numbers, we see this seems to be the result of media attention, not an actual trend."
Kuypers revealed the analysis in a working paper focused on the Department of Energy data. The rate of incidents due to a various attack types neither increased nor decreased over time in the government agency's data set.
However, malware incidents dominated the data, accounting for much of the observed trend. Because malware incidents fell, so did the overall trend.
The DOE is not the first organization studied by Kuypers to see a decline in incidents. An ongoing study of a large organization—which Kuypers cannot name but which has between 5,000 and 50,000 workers, he said—has experienced more than 60,000 incidents over a six-year period. Most types of attacks held relatively constant over the six-year period, according to the data. Once again, however, malware incidents slowed over time.
Another study by the University of New Mexico released at the Workshop on the Economics of Information Security analyzed 10 years of breach data from the Privacy Rights Clearinghouse and found that "neither size nor frequency of data breaches has increased over the past decade."
If it sounds like companies have less to worry about, data from the security industry tells a different story. The company that collects the most breach data, Verizon, saw a significant spike in 2014. While the company has not yet released its annual Data Breach Investigations Report this year, the report will show another marked increase, according to Bryan Sartin, executive director of the Verizon RISK Team.
"If you filter the data on computer-based intrusions, hackers, Internet attacks and data theft … that has climbed like a rocket," he said.
But even Verizon noted in its 2015 report that the media had latched on to breach reports as well, with the New York Times, for example, covering data breaches 700 times in the previous year, compared with less than 125 in 2013.