Can Digital Security Problems Be Solved Using Representative Industry Trend Data?
I recently received a new credit card in the mail with a letter stating: "we believe the security of your old card may have been compromised". My new card contains a computer chip for added security, so when it is used at a new "security chip enabled" checkout terminal the card is apparently more secure. In fact, when the computer chip is digitally verified by the checkout computer I don't even have to sign the credit card slip anymore. For online purchases I need to use a new PIN number to verify my card at the time of purchase. So this got me thinking: are the new security features effective solutions? Well... I don't know. What caused my personal information to be compromised in the first place? I don't know. Am I any better protected than before?
According to the Privacy Rights Clearinghouse, there have been 255 million security record breaches involving sensitive personal information in the U.S. since 2005. 26 million personal medical records were breached from the U.S. Department of Veterans Affairs in 2006. In 2005, CardSystems suffered the breach of 40 million credit card holders' personal account information, and in January 2007 TJ Stores (TJX) suffered the breach of over 46 million credit and debit card holders' account information. The TJX incident alone impacted 100 million accounts to the tune of $94 million. It has been estimated that the exposure of 46,000 records of sensitive personal information costs an organization, on average, $76 million.
So what is being done to protect the public? There is a dizzying array of reports on the topic, each offering various solutions to safeguard sensitive data. There seems to be a reliance on the statistical analysis of industry trends to drive solutions, much like a Pareto analysis. Information from actual data security breaches has been categorized by business sector, type of data breached, proportion attributed to malicious acts, theft, hacking, careless or untrained employees, and so on. Solutions are then recommended based on the trend data exhibiting the highest percentages or greatest threats.
Is implementing solutions based on industry trends a proactive way to solve the problem of data security breaches, or for that matter any problem? Well... maybe. It depends on how you use the knowledge. If you simply adopt recommended solutions without understanding the actual causes of your own internal problems, you are certainly taking a chance that the borrowed solutions do not address the causes of your own problems. In other words, if the solutions are ineffective you remain vulnerable to the consequences of another breach. When you blindly accept solutions from external sources, the risk to you comes from assuming that 1) the borrowed solution ideas are controlling known causes of other organizations' problems, and 2) your problems are caused by the same things experienced by others. Solutions generated from the data categories used in trending are less likely to be effective than solutions that control specifically defined individual causes.
However, industry trend data can be useful if you use it in conjunction with your own RCAs (root cause analyses) to direct the search for causes within your own system boundaries. Industry trend data can also help an RCA team decide whether it has been diligent enough in the depth of its analysis. When conducting a multiple event analysis (i.e., an analysis of multiple RCAs used to identify common causes among multiple mutually exclusive problems), industry trends can help bring focus to the areas in which common causes might be found.
What are your thoughts? Is implementing solutions based on industry trends a proactive way to solve existing problems?
Sincerely,
Mark Hall, Account Manager
Apollo Associated Services
Note: The organizations referred to in this article are not clients of Apollo Associated Services, LLC.
