A couple of tidbits

Before we formally introduce you to the 2019 Data Breach Investigations Report (DBIR), let us get some clarifications out of the way first to reduce potential ambiguity around terms, labels, and figures that you will find throughout this study.

VERIS resources

The terms "threat actions," "threat actors," "varieties," and "vectors" will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here are some select definitions followed by links with more information on the framework and on the enumerations.

Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.

Variety: More specific enumerations of higher level categories - e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.

Learn more here:

• github.com/vz-risk/dbir/tree/gh-pages/2019 – DBIR figures and figure data.
• veriscommunity.net features information on the framework with examples and enumeration listings.
• github.com/vz-risk/veris features the full VERIS schema.
• github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
• http://veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don’t fret, it saves any data locally and you only share what you want.

Incident vs. breaches

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
 

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses 2 to 6 digit codes to classify businesses and organizations. Our analysis is typically done at the 2-digit level and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. 52 is the NAICS code for the Finance and Insurance sector. The overall label of "Financial" is used for brevity within the figures. Detailed information on the codes and classification system is available here:

https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2017

New chart, who dis?

You may notice that the bar chart shown may not be as, well, bar-ish as what you may be used to. Last year, we talked a bit in the Methodology section about confidence. When we say a number is X, it’s really X +/- a small amount.

This year we’re putting it in the bar charts. The black dot is the value, but the slope gives you an idea of where the real value could be between. In this sample figure we’ve added a few red bars to highlight it, but in 19 bars out of 20 (95%),¹ the real number will be between the two red lines on the bar chart. Notice that as the sample size (n) goes down, the bars get farther apart. If the lower bound of the range on the top bar overlaps with the higher bound of the bar beneath it, they are treated as statistically similar and thus statements that x is more than y will not be proclaimed.

Questions? Comments? Brilliant ideas?

We want to hear them. Drop us a line at dbir@verizon.com, find us on LinkedIn, tweet @VZEnterprise with the #dbir. Got a data question? Tweet @VZDBIR!