Privacy and Breach Reporting

Why do corporations and the government expect us to trust them with everything, yet think they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq