Risky business: Fine-grained data breach prediction using business profiles

A Sarabi, P Naghizadeh, Y Liu, M Liu - Journal of Cybersecurity, 2016 - academic.oup.com
This article aims to understand if, and to what extent, business details about an organization can help to assess a company’s risk of experiencing data breach incidents, as well as its distribution of risk over multiple incident types, in order to provide guidelines to effectively protect against, detect, and recover from different forms of security incidents. Existing work on the prediction of data breaches mainly focuses on network incidents, and studies that analyze the distribution of risk across different incident categories, most notably Verizon’s latest Data Breach Investigations Report, provide recommendations based solely on business sector information. In this article, we leverage a broader set of publicly available business details to provide a more fine-grained analysis of incidents involving any form of data breach and data loss. Specifically, we use reports collected in the VERIS Community Database (VCDB), as well as data from Alexa Web Information Service (AWIS), the Open Directory Project (ODP), and Neustar Inc., to train and test a sequence of classifiers/predictors. Our results show that our feature set can distinguish between victims of data breaches and nonvictims with a 90% true positive rate and an 11% false positive rate, making it an effective tool in evaluating an entity’s cyber-risk. Furthermore, we show that compared to using business sector information alone, our method can derive a more accurate risk distribution for specific incident types, and allow organizations to focus on a sparser set of incidents, thus achieving the same level of protection while spending fewer resources on security through more judicious prioritization.
Keywords: data breach; resource allocation; risk assessment.
Oxford University Press