Message-ID: <63633.66.9.238.10.1127917325.squirrel@www.warped.com>
Date: Wed, 28 Sep 2005 10:22:05 -0400 (EDT)
From: "Kenneth F. Belva" <ken@...security.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Cc: dbender@...tecase.com, research@...emon.org
Subject: Is the Bottom Line Impacted by Security Breaches?


White and Case, a top NYC law firm, posted a survey on Data Security
Breach Notifications on September 26, 2005.

From the press release: "Victims of personal data security breaches are
showing their displeasure by terminating relationships with the companies
that maintained their data, according to a new national survey sponsored
by global law firm White & Case. The independent survey of nearly 10,000
adults, conducted by the respected privacy research organization Ponemon
Institute, reveals that nearly 20 percent of respondents say they have
terminated a relationship with a company after being notified of a
security breach."

White and Case Press release:
http://www.whitecase.com/news/news_detail.aspx?newsid=11731&type=News%20Releases

White and Case Paper:
http://www.whitecase.com/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf


My research takes a macro approach: "The keynote address will cover
reputational risk in light of recent disclosures of high profile security
incidents at such institutions as CitiFinancial (Citigroup), Bank of
America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph
Lauren. The presentation will create a framework for understanding
reputational risk in light of these recent events that may be applicable
to responding to future incidents."

In the paper I ask: "If 40 million customer credit card numbers are
exposed in a security breach at the credit card processor CardSystems, why
do a significant number of people not cancel their Visa and/or
Mastercard?"

Reputational Risk Keynote Presentation:
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

I am concerned that the survey is self-selecting. In other words, the
people responding to the survey already have a disposition one way or the
other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2%
(42,279) did not reply!

I'm not a statistician; is 17.8% statistically significant to determine a
general consensus?

The papers may not be directly contradictory to one another. Please keep
that in mind.

I would be interested to know others' opinions on the matter.

Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com


