Monday, April 25, 2011

How to misinterpret the Verizon DBIR

Actually, a post on the topic described in the title would be pretty much redundant, because a lot of people seem to have a natural talent for misinterpreting information.  And the Verizon Data Breach Investigations Report is one that really gets some bizarre spins put on it (and that’s before the sales weasels get their paws on it and start trying to scare prospects into buying stuff).

In case you’ve been under a rock, Verizon released their 2011 DBIR last week.  Get your own copy from the Verizon Security Blog.  Read it, there’s good stuff in there.  Keep your filters up as you read it; this is good, and it is data few others share- but not perfect, and the experiences are not universal (and Verizon is candid about this).

For practical advice on reading the report (and many others), I will offer the following:

  • The sample sets are not the universal experience.  Informative, but not universal.
  • Correlation is not causation.  Never was, still isn’t.
  • The report provides data on both the number of breaches and the number of records lost.  They are very different, and should not be confused.
  • The report also lists both raw numbers and percentages.  These sometimes appear to generate conflicting information.
    • And really provide for some apparently conflicting trends.
  • Combine misunderstanding of the difference between number of breaches and number of records lost with a misunderstanding of percentages versus raw numbers… and you are ready to be interviewed on the DBIR.

Really, go read it for yourself.  It is good- just be wary of what others tell you it says.



Friday, April 1, 2011

Quasi-annual semi-disclaimer

I need to head off a little confusion, most folks know this, but here goes:

I am the Community Development Manager for Astaro.  It is a great job, with a great company, and I’m eager to assist people with the products and the company any way I can.  BUT, I am not in the sales, support, or development teams- nor can I snap my fingers and make things happen (believe me, I’ve tried).  Unless I state otherwise in a conversation, presentation, whatever- I do not speak for Astaro, its founders, employees, etc.  If you want to contact me about Astaro, I want to hear from you and will do whatever I can to answer questions or assist you; please drop me a line at jdaniel [at], or hit me up on Twitter @Astaro_JD.

I am one of the co-founders of Security B-Sides, and am one of the core group of people who help keep it rolling and growing.  I also help run some of the events.  As I have said many times, the B-Sides phenomenon is amazing, the community is beyond amazing, and I am both proud and humbled to be a part of it.  BUT, I am not B-Sides, I’m just one of the team.  Unless I state otherwise, I do not speak for B-Sides, and any opinions expressed are my own.  I specifically maintain some distance from some things in the B-Sides world, generally involving specific sponsorship and financial matters.  This is because I work for a sponsor and do not want any appearance of conflict.  I am eager to answer questions about B-Sides, help organizers where I can, connect people- whatever I can to to help sustain Security B-Sides.  To contact me about B-Sides, please send a note to jack [at]  For general information (or to reach the core team) please send messages to info [at]

Note: I have considered a separate blog for B-Sides commentary and updates, but instead will continue to post B-Sides content here- but out of deference for those who may not be interested, I will make sure the title of all B-Sides posts begins with “B-Sides” so that you can skip them if you are so inclined.

If you want to contact me about anything other than B-Sides or Astaro, and don’t know where to turn, I’m on Twitter @jack_daniel or you can email me at jdaniel [at]

Now, back to not blogging enough.  Except I really need to do that blog on Frankie’s Tiki Room over on the other blog.