Monday, April 25, 2011

How to misinterpret the Verizon DBIR

Actually, a post on the topic described in the title would be pretty much redundant, because a lot of people seem to have a natural talent for misinterpreting information.  And the Verizon Data Breach Investigations Report is one that really gets some bizarre spins put on it (and that’s before the sales weasels get their paws on it and start trying to scare prospects into buying stuff).

In case you’ve been under a rock, Verizon released their 2011 DBIR last week.  Get your own copy from the Verizon Security Blog.  Read it, there’s good stuff in there.  Keep your filters up as you read it; this is good, and it is data few others share, but it is not perfect, and the experiences are not universal (and Verizon is candid about this).

For practical advice on reading the report (and many others), I will offer the following:

  • The sample sets are not the universal experience.  Informative, but not universal.
  • Correlation is not causation.  Never was, still isn’t.
  • The report provides data on both the number of breaches and the number of records lost.  They are very different, and should not be confused.
  • The report also lists both raw numbers and percentages.  These sometimes appear to generate conflicting information.
    • And really provide for some apparently conflicting trends.
  • Combine misunderstanding of the difference between number of breaches and number of records lost with a misunderstanding of percentages versus raw numbers… and you are ready to be interviewed on the DBIR.

Really, go read it for yourself.  It is good; just be wary of what others tell you it says.