Why security metrics aren’t helping prevent data loss

Reported data loss due to security breaches is not slowing down in the least bit, as the graph below (courtesy of DataLossDB.org) vividly points out.  What’s more, these statistics only include publicly reported breaches. One can only imagine how many security breaches are unreported by organizations wanting to avoid public scrutiny.

And did you notice what happened during 2009 — interesting isn’t it? I’m told there were several reasons for the drop in reported data-loss events. The one being championed by most was the introduction of security metrics. It seems security metrics as a tool started gaining real credibility around that time. The SANS Institute paper, Gathering Security Metrics and Reaping the Rewards, released during 2009 mentions:

“Many substantial benefits can be derived from initiating a security metrics program, and there is little reason for delay. At the onset it requires only a meager investment comprised mostly of the time spent planning, gathering data, and producing each report. This makes a security metrics program an intriguing project, especially in economically challenging times when funding can be tricky to secure.”

SOURCE: techrepublic.com

Information Security Buzz