How Bad is It? Part 1: The Hypothesis
I recently had a spirited debate about the state of information security. Actually, I had several really good ones recently. There is a sense among many professionals that things are different these days. Different in a way that is worse. The debate is this: is this merely a perception issue or is there some way of quantifiably showing things are worse? I’d like to take the challenge and show that it is, in fact, worse. In attempting to do so I’ll present my hypothesis and set out to prove it with as much evidence as I can muster…with a day job and all.
My hypothesis: The state of Information Security today is in a worse state when compared to previous times within the Information Age.
I think I’ve built in some reasonable qualifiers here. First, I’m saying things are worse but I’m not able to say how much worse. I may show breaches are up or monetary losses are up but I can’t say it’s 3.4 times worse comparatively. I’m also comparing apples to apples in that I’m not comparing the state of Information Security during the Qin Dynasty to 2015. I’m using the period of time from roughly the 1980s to the present day. Finally, I’m also asking the reader - that’s you - to accept my premise that the data we have available is at least enough to form a reasonable sample set.
Here are the assertions that make the backbone of my hypothesis. Things are worse because:
Assertion 1: Lots of Offense. There is more of it and they are more skilled, funded, organized, and motivated.
Assertion 2: There is more attack surface. There are more systems and applications that are available for compromise. This is to say nothing of the state of code on these systems. I’m going to avoid that nuance for now. Meaning I’m not going to consider a large information system that is in a state of perfect security. I’m going to assume for this exercise that the attack surface is in a state of security on par with that which we’ve seen for the past several decades: bad.
Assertion 3: There is more data and metadata and that data and metadata has a high level of value.
That’s it for now. I’ll get to work on these multipliers and see what I can prove. And by that I mean I’ll search through the work that my colleagues have produced and see what they found. It’s called “The Mencia Treatment.”