Monday, November 26, 2007

The Semantics of Security

Adam Shostack (Is 2,100 breaches of security a lot?) raises some good questions about the latest security breach.

When I hear that HMRC has had 2,100 breaches reported, I'm forced to ask, "is that a lot?" To put the number in context, we need three things:

  • What is a breach? Does it include, for example, leaving your screen unlocked when you go to the restroom? We can't understand what 2,100 breaches mean without knowing what is being counted.
  • How big is the department? If it's 10 people, then that's a breach a day. If it's 2,100 people, then it's a breach a year. ...
  • How does this compare to other organizations? ... That seems lower than the US Government reported rate of one per hour, but actually, 2,100 breaches is about one per hour per business day for HMRC. So does HMRC leak at the same rate as all of the US government, or are we seeing different definitions of breaches?

Our ability to count things is a good indicator of whether we know what we are talking about. Counting needs two things, and this is an important element of semantics: a membership rule (is this a breach or not?) and an identity rule (is this the same breach as the one we have already counted, or a new one?). Change either rule and the number changes, which is why 2,100 on its own tells us so little. So we need a semantics of security.
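As an added illustration (not part of the original post, and the incident records below are constructed, not HMRC's), here is how the two rules turn a pile of reports into a count, and how much the count moves when the definitions change. The membership rules, the identity rule and the 24-hour window are all assumptions chosen for the example:

```python
"""Counting 'breaches' under explicit membership and identity rules.

Constructed example: the reports below are invented; nothing here is HMRC data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    reported_at: datetime
    asset: str                 # what was affected (hypothetical identifiers)
    kind: str                  # category of event
    data_left_custody: bool    # did data actually leave the organisation's control?


# Constructed sample reports: seven filings, several describing the same event.
REPORTS = [
    Report(datetime(2007, 11, 1, 9, 0), "ws-0412", "screen_unlocked", False),
    Report(datetime(2007, 11, 1, 9, 5), "ws-0412", "screen_unlocked", False),   # same event, second reporter
    Report(datetime(2007, 11, 3, 14, 0), "disc-cb-2007", "media_lost", True),
    Report(datetime(2007, 11, 3, 16, 30), "disc-cb-2007", "media_lost", True),  # duplicate filing by another team
    Report(datetime(2007, 11, 5, 8, 0), "laptop-77", "device_stolen", True),
    Report(datetime(2007, 11, 10, 11, 0), "disc-cb-2007", "media_lost", True),  # a week later: a new loss, not a dup
    Report(datetime(2007, 11, 20, 10, 0), "mail-relay", "misdirected_email", True),
]


# Membership rules (assumed): which reports count as a "breach" at all?
def strict_member(r: Report) -> bool:
    """Only events where data actually left custody are breaches."""
    return r.data_left_custody


def loose_member(r: Report) -> bool:
    """Every reported policy violation, unlocked screens included, is a breach."""
    return True


# Identity rule (assumed): two reports describe the same breach if they name the
# same asset and kind of event and were filed within `window` of each other.
def same_breach(a: Report, b: Report, window: timedelta) -> bool:
    return (a.asset == b.asset
            and a.kind == b.kind
            and abs(a.reported_at - b.reported_at) <= window)


def count_breaches(reports, is_member, window_hours: float = 24) -> int:
    """Apply the membership rule, then dedupe with the identity rule.

    Each cluster is represented by its earliest report; a later report joins the
    cluster only if it matches that representative, so the window does not creep.
    """
    window = timedelta(hours=window_hours)
    distinct = []
    for r in sorted(reports, key=lambda x: x.reported_at):
        if not is_member(r):
            continue
        if any(same_breach(r, d, window) for d in distinct):
            continue
        distinct.append(r)
    return len(distinct)


def per_person_per_year(count: int, headcount: int, period_days: float) -> float:
    """Normalise a raw count so it can be compared across organisations."""
    return count / headcount * 365 / period_days


if __name__ == "__main__":
    for name, rule in (("strict", strict_member), ("loose", loose_member)):
        for hours in (24, 0):
            n = count_breaches(REPORTS, rule, window_hours=hours)
            print(f"{name:6} membership, {hours:2}h identity window: {n} breaches")
    # Shostack's second question: 2,100 breaches in a year across 2,100 staff
    print("rate per person per year:", per_person_per_year(2100, 2100, 365))
```

The same seven reports yield four, five or seven "breaches" depending only on which rules are applied, which is the point: a headline number without its membership and identity rules is not yet a measurement.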
