In April 2015, the U.S. Department of Energy responded to Freedom of Information Act (FOIA) request from USA Today by releasing information on more than 1,100 cyber-security incidents that occurred over four years.
While the data was not detailed—only consisting of seven variables, two of which had been redacted—there was enough information for researchers from Stanford University to come to a surprising conclusion: The rate of security incidents decreased over time. In other words, while breaches have regularly made headlines, the DOE as a whole was seeing fewer attacks.
“People have the perception that cyber-attacks have increased in frequency and magnitude dramatically,” Marshall Kuypers, a Ph.D. candidate in the School of Management Science and Engineering at Stanford University, told eWEEK. “But when we run the numbers, we see this seems to be the result of media attention, not an actual trend.”
Kuypers revealed the analysis in a working paper focused on the Department of Energy data. The rate of incidents due to a various attack types neither increased nor decreased over time in the government agency’s data set.
However, malware incidents dominated the data, accounting for much of the observed trend. Because malware incidents fell, so did the overall trend.
The DOE is not the first organization studied by Kuypers to see a decline in incidents. An ongoing study of a large organization—which Kuypers cannot name but which has between 5,000 and 50,000 workers, he said—has experienced more than 60,000 incidents over a six-year period. Most types of attacks held relatively constant over the six-year period, according to the data. Once again, however, malware incidents slowed over time.
Another study by the University of New Mexico released at the Workshop on the Economics of Information Security analyzed 10 years of breach data from the Privacy Rights Clearinghouse and found that “neither size nor frequency of data breaches has increased over the past decade.”
If it sounds like companies have less to worry about, data from the security industry tells a different story. The company that collects the most breach data, Verizon, saw a significant spike in 2014. While the company has not yet released its annual Data Breach Investigations Report this year, the report will show another marked increase, according to Bryan Sartin, executive director of the Verizon RISK Team.
“If you filter the data on computer-based intrusions, hackers, Internet attacks and data theft … that has climbed like a rocket,” he said.
But even Verizon noted in its 2015 report that the media had latched on to breach reports as well, with the New York Times, for example, covering data breaches 700 times in the previous year, compared with less than 125 in 2013.
Security Researchers Challenge Claims Data Breaches Increasing
Verizon is not the only industry participant to note a dangerous change in attack trends. In its annual M-Trends report, incident response firm Mandiant Consulting, now a part of security company FireEye, interestingly did not note an overall increase in breaches in 2015, but did note “an increase in the number of disruptive attacks that we responded to” and that “more breaches than ever before became public knowledge.”
The other major attack trends included reports that Chinese-linked attackers are stealing large amounts of personally identifiable information and that attacks are targeting networking gear, the M-Trends report stated.
“I think there is a higher frequency of more serious, more impactful breaches that are happening now,” Charles Carmakal, vice president of incident response for FireEye, told eWEEK.
While the report gave relatively little data on actual incidents, the company did note that the time to detect a breach had decreased on average to 146 days in 2015, from 416 days in 2011. While that’s positive, Mandiant added, “In our experience, 146 days is 143 days too long.”
While the data from academic researchers and industry experts appears to contradict each other, both could be true. Breach data typically includes incidents where a device is lost or stolen, while the upwards trend noted by Verizon excludes such incidents.
In addition, Verizon’s Sartin and Mandiant’s M-Trends report both stressed an increase in attacks targeting intellectual property. Those types of attacks are typically hard to detect and hard to quantify in terms of cost, said Benjamin Edwards, a Ph.D. student in the Adaptive Systems Lab at the University of New Mexico and the co-author of the report showing that, over a decade, publicly disclosed breaches have not increased in impact.
“It is difficult to obtain reliable data on how much data breaches cost—or any other obvious measure of impact—so assessing impact quantitatively is still a challenge,” he said. “Thus, our results do not necessarily contradict [Mandiant’s].”
Finally, the differences in the subjects of each study could also explain the different conclusions. Mandiant and Verizon see an increase in total reported breaches, but as more companies take security seriously, the number of companies reporting breaches—and thus the total number of breaches—rises.
That can still happen even if academic researchers are seeing a constant number of incidents per year at any one particular firm.
The next step is to give companies a better understanding of how to best allocate their security budgets based on data analysis, Stanford’s Kuypers said. The researcher aims to develop a better way for companies to gauge the impact of their security budgets. Full disk encryption, for example, has dramatically reduced the costs of dealing with lost devices, while two-factor authentication has reduced the damage from lost credentials, he said.
Unfortunately, because of a lack of breach data, finding better models to measure risk and predict costs is difficult.
“For an organization with a million dollars to spend on security, it’s really hard to tell them where to put the money for the greatest risk reduction,” he said.