A Matter of Probability

I was reading an article in Information Week on some scary security thing, and I got to the one and only comment on the post:

Most Individuals and Orgs Enjoy "Security" as a Matter of Luck

Comment by janice33rpm Nov 16, 2010, 13:24 PM EST

I know the perception, there are so many opportunities to well, improve our security, that people think it’s a miracle that a TJX style breach hasn’t occurred to them a hundred times over and it’s only a matter of time.  But the breech data paints a different story than “luck”. 

As I thought about it, that word “luck” got stuck in my brain like some bad 80’s tune mentioned on twitter.  I started to question, what did “lucky” really mean?  People who win while gambling could be “lucky”, lottery winners are certainly “lucky”.  Let’s assume that lucky then means beating the odds for some favorable outcome, and unlucky means unfavorable, but still defying the odds.  If my definition is correct then the statement in the comment is a paradox.  “Most” of anything cannot be lucky, if most people who played poker won then it wouldn’t be lucky to win, it would just be unlucky to lose.  But I digress. 

I wanted to understand just how “lucky” or “unlucky” companies are as far as security, so I did some research.  According to Wolfram Alpha there are just over 23 Million businesses in the 50 United States and I consider being listed in something like datalossDB.org would indicate a measurement of “not enjoying security” (security fail).  Using three years from 2007-2009, I pulled the number of unique businesses from the year-end reports on datalossDB.org (321, 431 and 251).  Which means that a registered US company has about a 1 in 68,000 chance of ending up on datalossDB.org.  I would not call those not listed as “lucky”, that would be like saying someone is “lucky” if they don’t get a straight flush dealt to them in 5-card poker (1 in 65,000 chance of that)

But this didn’t sit right with me.  That was a whole lot of companies and most of them could just be a company on paper and not be on the internet.  I turned to the IRS tax stats, they showed that in 2007, 5.8 million companies filed returns.  Of those about 1 million listed zero assets, meaning they are probably not on the internet in any measurable way.  Now we have a much more realistic number, 4,852,748 businesses in 2007 listed some assets to the IRS.  If we assume that all the companies in dataloss DB file a return, that there is a 1 in 14,471 chance for a US company to suffer a PII breach in a year (and be listed in the dataloss DB).

Let’s put this in perspective, based on the odds in a year of a US company with assets appearing on dataloss DB being 1 in 14,471:

• If you are female, it is more likely that you’ll die in a transportation accident in a year. (1 in 10,170)
• It is more likely that a person will visit an emergency department due to an accident involving pens or pencils (1 in 13,300)
• (my favorite) It is more likely that a person will visit an emergency department due to an accident involving a grooming device (1 in 10,200)

Aside from being really curious what constitutes as a grooming device, I didn’t want to stop there, so let’s remove a major chunk of companies whose reported assets were under $500,000. 3.8 million companies listed less then $500k in their returns to the IRS in 2007, so that leaves 982,123 companies in the US with assets over $500k.  I am just going to assume that those “small” companies aren’t showing in the dataloss stats.

Based on being a US Company with over $500,000 in assets and appearing in dataloss DB at least once (1 in 2,928):

• It is more likely that a person will visit an emergency department due to an accident involving home power tools or saws (1 in 2,795)
• It is more likely that a Hispanic female 12 or older will be the victim of a purse-snatching or pickpocketing (1 in 2,500)
• And finally, is is more likely that a person 6 or older will participate in a non-traditional triathlon in a year (1 in 2,912)

Therefore, I think it’s paradoxically safe to say:

Most Individuals do not participate in a non-traditional triathlon as a Matter of Luck.

Truth is, it all goes down to probability, specifically the probability of a targeted threat event occurring.  In spite of that threat event being driven by an adaptive adversary, the actions of people occur with some measurable frequency.   The examples here are pretty good at explaining this point.  Crimes are committed by adaptive adversaries as well, and we can see that about one out of every 2,500 Hispanic females 12 or older, will experience a loss event from purse-snatching or pickpocketing per year.  In spite of being able to make conscious decisions, those adversaries commit these actions with astonishing predictability.  Let’s face it, while there appears to be randomness on why everyone hasn’t has been pwned to the bone, the truth is in the numbers and it’s all about understanding the probability.