Then we’ll throw out the contact = true part, and use that number as a percentage…

If you’re looking for a baseline measurement, we should probably agree on a definition of risk. I break risk into the following factors: the probable frequency and probable magnitude of loss. In other words, how much you stand to lose, and how often you’re going to lose it.

I’ve been (un)fortunate enough to be privy to information about a large scale compromise concerning spyware. Literally thousands of desktops of malware. It was determined that there was only one instance of the Malware being used at all past the initial infection, and then just a cursory “look around” – no evidence of abuse. To me, the similarities of the scenarios are interesting – I would guess that the percentage of use of the PII is similar, simply because the level of effort involved to steal from hundreds of thousands of people is so great, not to mention the fact that a smart criminal might figure that if he used more than a certain percentage of those IDs – he’d attract attention.

So my analysis of the subject so far really focuses on aspects of a Threat Community that is interested in inflicting some level of harm using the information. This, of course, is an assumption. I would love to study the probability that the perp. actually just sold the thing, data and all to a pawn shop or (ahem) associate who blew the contents away and all risk is eliminated.

So when I look at a Threat, I try to estimate a couple of basic things:

1.) Their Capability, which I break up into a measurement of their skills (knowledge and experience) and resources (time and materials).
2.) The factors that determine their willingness to act. In other risk studies, we’ve been using this “willingness” measurement as part of the factors that make up “Threat Event Frequency”. TEF is basically how likely it is a threat will act, and part of probability determination on how often we can expect loss. This willingness I think would consist of the attackers own determinations of: a.) feasibility, a ratio of challenge to the attacker and their (perceived) capability – and b.) motivation, a function of risk (to them) and reward.

So in an effort for me to give you a “baseline risk” qualification, let me solicit your opinions on the following in percentages from 1-100:

1.) Threat Capability (assume we’re going to use a threat that is aware that they could use the data on the laptop, not just a quick $200 turn around to go buy some crack). A rating of 1 would be a complete moron with Windows 3.11 and an IP stack on 14.4, and 99 would be the most elite government agent with government agency resources behind them. I would assume tons of time to act on their part.

2.) The frequency with which you would expect them to attack. Consider this to be a measurement of “willingness”, above. We don’t need to try to factor in a range for frequency of contact, at this point contact = true.

Once you give me some values for those two factors, we can move onto other factors to consider in the “frequency of loss” part of risk.

Interestingly enough, for the VA or just about any B2C – if you think about magnitude of loss from their perspective, and not the perspective of the consumer, there’s very little loss to consider, IMHO. Risk to a bank, the VA, Insurance company, hospital, whatever, concerning loss of PII *in a B2C incident* for a large company with plenty of brand equity is pretty low. The main component of their loss is regulatory fines and judgments, and maybe, just maybe a class action suit.

My post about the VA Fiasco of losing 26 million personal records (including mine) has struck a chord with some. I thought I would take the time to clarify some things: 1. Emergent Chaos posted a specific response in The Persistence of SSNs, and The Pe…

The VA is making changes, and that is good. But don’t you think your comments could cause some people to relax and reduce the pressure on elected officials and the VA to make something happen to fix this? This DOES NOT need to disappear, whcih is what I am afraid will happen if people start producing arguments such as yours.

Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans SSNs doesn’t put them at increased risk of fraud. His basic argument is that there’s a lot of people out…

June 2, 2006 Good Morning: First Ill apologize for my lack of blogging this week. Being on the west coast did not give me a lot of time to do much besides meet with folks and do The Daily Incite. But Ill be back in the office next week, so

It’s not kooky talk – in fact, I agreed in my posting that risk is *likely* increased simply by having more people with access to these SSNs, though I disagree strongly that this applies solely to “unauthorized” people given that the vast majority of identity fraud comes from “authorized” people. Let’s face it – there are plenty of ways for an identity thief to get SSNs and other PII that are much less risky than breaking into somebody’s house.

What I am suggesting is that the absolute level of increased risk is likely very, very, low. That is, if a typical account has 150,000 people with access and now there are 150,005 (or even 150,100 for that matter) even having an extra 100 people with access is not going to change the risk equation that much.

Your point about unintended positive consequences is an interesting one – not one I’ve seen brought up simply on its merits before. Your idea is a good one: that loss like this may actually reduce identity theft. Now, whether or not it justifies the FUD is an interesting question…

(Btw, this incident has potentially more serious consequences than identity theft that we probably should be looking at closely).

The whole reason the risk is hypothesized to be increased is that now more people know these 26.5 million SSNs. Surely it isn’t kooky talk to say that the more unauthorized people that know your PII, the higher the probability it will be misused?

However, your idea about looking at the ID theft rate and determining the increased risk after the fact may not work because the Vets may change their behavior. For example, large numbers may put freezes on their credit reports. It may turn out, as a result, that FEWER of them wind up getting hit by an actual ID theft. To really figure this out, we need to have a good deal more info, and right now I don’t think much of it is being collected.