Explaining the value of good security is hard.  Nobody agrees on how scary it actually is, let alone what ideas are best.  It’s full of complications, uncertainty, competing opinions, and blowhard idiots.  Hardly anyone takes the time to offer deep, nuanced analyses of the problem - you’re more likely to get FUD and sales fluff.  

There are a couple of groups that offer consistently high-quality insights.  One of those is Cyentia, which recently did a statistical analysis of major incidents in the last 10 years.  I recommend it.  Some highlights:

  • Incident frequency/likelihood scales exponentially with the size of the organization getting hit (pp. 8-13). 
  • They make a great case against using a flat cost/record on page 18. 
  • It has great examples of creative ways of presenting data visually.

It’s got a lot of style similarities to the annual Verizon DBIR, a similar report with a lot of credibility that covers every year individually. 

My thoughts/critique

Their starting data has some systematic gaps that they don’t address.  This dataset contains news-reported incidents at large companies, and potentially those that resulted in a cybersecurity insurance claim (the data was assembled by an insurance provider).  They may be missing a huge number of incidents from small businesses because those were not reported through either channel.  If that data were somehow found and included, it might eliminate their main conclusion that small businesses don’t get hit.  Banks and the IRS would have a lot more data about fraud-related security incidents that could partially fill this gap.  The best information would be business records from cybercrime outfits.  If you’ve recently found the Accounts Receivable ledger for Gandcrab, samsam, 16Shop, or APT33, I’d love to talk to you.