Buried deep within 10 years of data, they found that large breaches are not necessarily increasing as the headlines and nightly news reports might assert. In fact, the number of large-scale breaches has actually decreased slightly since 2005, according to the research team.
Of course, that doesn’t mean there's nothing to worry about, but it does pull the focus away from the hype that typically accompanies a massive cybersecurity incident, like the breach of the Office of Personnel Management earlier this year.
In their report, Hype and Heavy Tails: A Closer Look at Data Breaches (PDF), researchers with the University of New Mexico and the Lawrence Berkeley National Laboratory outline the recent history of data breach trends.
Ben Edwards and Stephanie Forrest, with the University of New Mexico, said the study pointed to a “heavy-tailed distribution” and that the vast majority of breaches are small, with large breaches skewing the average results.
“The heavy-tailed distribution requires careful statistical methods to identify trends. With these methods we found that, despite anecdotal reports of an increase in large breaches, there was no statistical evidence of an increase,” they said. “In fact, the frequency of malicious breaches, as opposed to those which were the result of accident or negligence, actually decreased slightly over the last 10 years, according to our analysis.”
That being said, the researchers did note that the occurrence of accidental and negligent data breaches were holding steady during the same period of time.
To attempt to detect patterns, the team used data sets from the Privacy Rights Clearinghouse, a nonprofit that collects and disseminates data breach reports and statistical modeling.
“We used Bayesian modeling to identify trends. Bayesian modeling allows us to define statistical models that account for the heavy-tailed nature of the data and to rigorously compare models, selecting the one that mathematically fits the data best,” Edwards and Forrest wrote in an email. “We tested models in which there was no trend in the size or frequency of breaches, ones that had a linear trend, and models in which the size fluctuated several times over the course of the last decade. Comparing these models, we found that neither data breach frequency nor size have increased over time.”
But what does this information mean for the security professional? Is it time to throw caution to the wind and start putting money into endeavors other than cybersecurity? Hardly.
Despite what equates to a less than knee-jerk look at the statistics surrounding cybersecurity, Edwards and Forrest are far from telling anyone to divest in network security. They just advocate for doing it rationally.
“Money and effort spent to secure personal information is always well spent. However, it is important to focus our efforts on problems that are real, and more analysis like that in our paper would help clarify the security landscape," they said. "The purpose of the paper was not to stifle work preventing data breaches, but rather to advocate for a principled, rational view of recent events."
Because of the evolving nature of the cybersecurity arms race, the researchers speculate, both hackers and companies are improving their methods and maintaining a sort of balance. This concept is known as the “Red Queen” hypothesis, and essentially boils down to the need for organisms to evolve not only to gain a reproductive advantage, but also to maintain the status quo.
“In the case of data breaches, companies may be getting better at securing data at the same rate attackers are improving their methods and volume of attacks. If true, rather than an increase or decrease in breaches, we may have stasis, with neither attackers nor defenders gaining an advantage, even though both are ‘running’ very hard,” Edwards and Forrest said. “This is speculation on our part, and would require data that is not available to us and other types of analysis.”
When it comes to what exactly is responsible for the perception that large-scale data intrusions are an increasing occurrence, the two could not say whether growing media attention or expanded national reporting requirements were to blame.
According to Edwards and Forrest, 48 states now have mandatory data breach reporting laws, many of which were implemented within the last 10 years.
They did say, however, that the amount of personal information at risk with each breach could have something to do with it.
“One possibility is that the amount of personal information associated with each breached record is increasing. This might affect the apparent impact felt by breaches,” the team said.
As for exactly who their study is aimed toward, the researchers said they hope policymakers will take heed and consider the information available to them more carefully.
“Our results aren’t necessarily aimed at individual organizations, and may be more relevant to policymakers who make decisions based on media and industry reports," they said. "Most importantly, everyone working in this space needs to understand a little bit more about modern statistics so they can avoid erroneous conclusions based on the naive use of statistics. For organizations, the possibility that there is a Red Queen dynamic suggests that they should remain vigilant and continue to improve their defenses."