Why I don’t like the OSF’s definition of “fringe incidents”

The Open Security Foundation doesn't keep track of all data breaches. In particular, it doesn't track what it calls "fringe incidents." Here's how the OSF defines the incidents that it does log; anything that fails these criteria is a "fringe incident":

The criteria have traditionally been:

  • An incident must have lost one or more of the following data types:
    • Social Security or national ID number
    • Credit card number
    • Bank account number
    • Medical record
    • Financial account number
  • AND the number of records lost/stolen/missing must be greater than 10,
  • AND the data lost must have had a steward organization.

The part that I particularly don't like about these criteria is that only incidents that affect more than 10 records end up being tracked.

It certainly looks like the size of data breaches follows a lognormal distribution. On a log scale that distribution is symmetric about its median, so an incident ten times smaller than the typical one is just as likely as an incident ten times bigger. But to see that symmetry you need the very small incidents in your data set: cut the sample off at 10 records and the lower tail disappears, the fitted distribution shifts upward, and it looks narrower than it really is. So by filtering out the very small incidents, the OSF may be making it harder for researchers to find patterns that actually are there in the data.
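To make the truncation effect concrete, here is an added simulation (not part of the original post, and not based on any OSF data). It draws synthetic breach sizes from a lognormal distribution with assumed parameters (mu = ln 100, sigma = 2, chosen for illustration only), applies the "more than 10 records" filter, and compares what a researcher would estimate from the filtered data with the parameters used to generate it. The function names and the 20,000-sample size are my own choices.

```python
"""Truncation-bias demonstration for the '> 10 records' cut-off.

Constructed example: breach sizes are drawn from a lognormal distribution
with assumed parameters (mu, sigma are illustrative, not fitted to real data).
"""
import math
import random
import statistics

MIN_RECORDS = 10  # the OSF logs an incident only if records lost exceed 10


def simulate_breach_sizes(n=20000, mu=math.log(100), sigma=2.0, seed=1):
    """Draw n synthetic incident sizes (records lost) from lognormal(mu, sigma).

    The seed makes the run reproducible; mu and sigma are assumptions.
    """
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


def apply_osf_filter(sizes, min_records=MIN_RECORDS):
    """Keep only the incidents the OSF criteria would log (records > min_records)."""
    return [s for s in sizes if s > min_records]


def fit_lognormal(sizes):
    """Return (mu_hat, sigma_hat): mean and standard deviation of log(size).

    These are the usual lognormal estimates, which assume the sample is
    untruncated; on filtered data they come out biased.
    """
    logs = [math.log(s) for s in sizes]
    return statistics.fmean(logs), statistics.pstdev(logs)


def tail_fractions(sizes, factor=10.0):
    """Fraction of incidents more than `factor` times below the median, and
    more than `factor` times above it. For lognormal data the two should match;
    after truncation the lower tail is mostly gone."""
    med = statistics.median(sizes)
    n = len(sizes)
    low = sum(1 for s in sizes if s < med / factor) / n
    high = sum(1 for s in sizes if s > med * factor) / n
    return low, high


def truncation_report(sizes):
    """Compare lognormal estimates on the full sample and on the OSF-filtered sample."""
    mu_full, sigma_full = fit_lognormal(sizes)
    kept = apply_osf_filter(sizes)
    mu_trunc, sigma_trunc = fit_lognormal(kept)
    return {
        "removed_fraction": 1 - len(kept) / len(sizes),
        "mu_full": mu_full,
        "sigma_full": sigma_full,
        "mu_trunc": mu_trunc,
        "sigma_trunc": sigma_trunc,
    }


if __name__ == "__main__":
    sizes = simulate_breach_sizes()
    print("tails, full sample   :", tail_fractions(sizes))
    print("tails, after filter  :", tail_fractions(apply_osf_filter(sizes)))
    for key, value in truncation_report(sizes).items():
        print(f"{key}: {value:.3f}")
```

With these parameters roughly one incident in eight falls at or below 10 records. Dropping them pushes the estimated log-mean up by about half a unit and shrinks the estimated log-spread by about a fifth, and the two tails, which are equal in the full sample, become lopsided in the filtered one. A researcher working only from the filtered data would see a distribution that looks narrower and starts higher than the one that actually generated the incidents.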
