Ponemon Breach Analysis Exposed

The security curmudgeon presents an excellent rebuttal to The Ponemon Institute’s analysis of breach data.

Aside from pointing to the obvious conflict of interest created by vendor sponsorship, and the lack of citation or substantiation for the claims, the curmudgeon raises the biggest question of all: is it really news?

Breaches have been rampant for years. Compromises that may or may not have involved the breach of sensitive data have been staggering for years. Zone-H.com shows almost 50,000 incidents (mass defacements generally don’t count as separate intrusions) in the last decade. Does Ponemon consider this when making the statement above? Or would Richmond / Ponemon like to qualify what “publicized” means to them? Just because you don’t look at a given publication doesn’t mean it wasn’t publicized.

Hear him hear him! Here’s my favorite part:

How can you say with any certainty that “most are mercenaries, members of criminal syndicates or representatives of unfriendly countries”, if they “quietly get in and out”? How can you say anything about their demographics if they were undetected?

Exactly! At least Ponemon did not say the unidentified threats are Chinese.
