The Verizon RISK team have just published their VERIS community application. Structured on the VERIS (Verizon Enterprise Risk and Incident Sharing) framework, this application is a tool they have made available to extend to anyone the ability to contribute information on data breach incidents, to enrich the already considerable body of breach data Verizon has accumulated over the last several years. I have considered it a real boon to my own research to be able to point to this data for outcome-based validation of our findings, and am greatly encouraged to see the opportunity being extended to the community to further enhance this body of information.
To me, one of the interesting aspects of the application itself is how it makes one think about the many aspects of a breach incident, and how this thinking by itself can spur greater awareness of the ways in which organizations are exposed to data security risks. (More on this score anon!)
There is also an interesting parallel with other community-oriented forms of incident reporting that have led to improvements in overall risk management. NASA’s Aviation Safety Reporting System, for example, has for years encouraged pilots, air traffic controllers and aviation professionals to submit confidential reports of situations or incidents that can be used to help foster greater aviation safety. Part of the incentive to report through this system is a measure of immunity. Reports themselves cannot be used to enforce disciplinary action (although exceptions are made for criminal activity or information derived from other, non-ASRS sources). This tends to encourage reporting issues that might otherwise remain hidden to protect those involved, which better supports the safety objectives of the ASRS program.
This is something we should consider in information security as well. We would all benefit from greater insight into data that reveals how information security breaches succeed – but we continue to face significant barriers and inhibitors due to the feared impact on corporate or personal reputation or brand equity.
The VERIS application is a great place to start overcoming these hurdles and help organizations embrace more of the “new school” approach to security management.