As you know we talked a decent amount about this during the analysis. I find the 80/20 split very interesting. The 80/20 rule has show up not only in the annual PCI assessments as you discuss but that’s the same ratio we find when doing a post-breach PCI assessments as well (except it’s reverse).

I’d like to know if the rule could be applied to effectiveness within the DSS. ie, do 20% of the controls provide 80% of the security value of the DSS? One day I’ll find some time to study that one a bit more…