“These findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise … not attacks, not impact, not general security incidents and not risk.”

The study has since evolved to include security incidents and not just breaches for many findings, but the rest of the statement holds true to this day. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle—an awesome corner piece that can get you started—but just a piece nonetheless. The rest is filled in by you. You (hopefully) know the controls that you do or do not currently have to mitigate the effectiveness of the threat actions most commonly taken against your industry. You know the assets that store sensitive data and the data flow within your environment. If you don’t, get on that. You also know your own incident and data-loss history. Use your own knowledge combined with the data from our report; they complement each other.

Don’t be shy—welcome to the party. As always, this report is comprised of real-world data breaches and security incidents—either investigated by us or provided by one of our outstanding data contributors.

The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident datasets contributed by several security vendors.

We combat bias by utilizing these types of data as opposed to surveys, and by collecting similar data from multiple sources. We use analysis of non-incident datasets to enrich and support our incident and breach findings. Alas, as with any security report, some level of bias does remain, which we discuss in Appendix D.