July 11

Breach vs. Incident: Semantics or Something More?


By Adam Dodge

Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing the names, addresses and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member, and it does not appear that any unauthorized individuals had access to the staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.

In an article over at The Monitor, UTPA Vice President for Business Affairs James Langabeer stressed that the loss of this external hard drive was only an “incident” and did not constitute a “breach” by an outside individual. According to Langabeer, “It is an incident, it’s not a breach. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident.”

What I find so fascinating about this statement is the distinction it draws between incident and breach, and the implication that an “incident” should not be viewed in the same light as a “breach”. So I started thinking: is this distinction merely a semantic issue, or is there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the real differences between these words, should they be used as interchangeably as they are in the Information Security arena?

I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between a breach and an incident, I do not agree with portraying each as separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, an incident. This means that any breach of information systems that gets past security controls is in fact an incident.

One thing that we absolutely need to make clear as security individuals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to show that internal employees cause a large majority of information security incidents. Yet organizations still attempt to pass off employee misconduct as a lesser offense, when in fact these are the very employees who both know where the information is and have direct access to it.

However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent similar occurrences in the future.

Unfortunately, it seems that more organizations are beginning to make this distinction in press releases surrounding security incidents.


  1. Adam,

    I agree with your post, and this game of semantics can lead to a false sense of security. I saw a situation where a laptop containing sensitive credit card data (PANs, name, expiry date) in a spreadsheet (of course it wasn’t encrypted…) disappeared, but it was found an hour or so later in a conference room down the hall. Everyone was relieved that “nothing had happened.” I (outside consultant) and the security folks were incredulous: who had accessed the laptop? what had they copied or taken? did it just walk out on its own? We wanted to classify it as a breach.

    I fear that by being able to minimize such events as “incidents” or by adding an adjective and calling it a “potential breach” we allow ourselves to ignore a potentially dangerous situation. I am not a security expert, but from the business perspective I suggest the distinction between breach and incident (or “compromise” and “exposure” as I’ve heard) is a false one.

  3. Adam,

    I agree with you and see the additional problem of companies wanting to stick with semantics of nomenclature to avoid having to report specific “words” based on regulatory requirements or some other published statistic. If they categorize everything as an incident then it can be grouped together with potential spam, minor virus issues or a failed hard-drive…for the most part hidden from view and masking the underlying issues.

    I also see it, as wconway alluded to, as a way for companies to avoid the actual issue and avoid making the appropriate countermeasures so it does not happen again.
