As I see it, information gets lost or stolen in one of three fundamental modes:
- accidental: This is the person who leaves a CD of Personal Data in an airplane seat pocket or loses a laptop. They genuinely didn’t mean to lose the information, but in the course of some slip-up or other loss, the information got taken as well. These sorts of losses probably have the highest volume, but also the lowest likelihood of an involved piece of data being exploited.
- selfish: This is the person who probably knows that what they’re doing is wrong or risky, but is more concerned with their immediate benefit than the impact on those affected. This model applies less to Personal Data and more to intellectual property. This is the person who, for example, posts sensitive corporate data on a Web site for their own prestige benefit, ignoring the risk to their employer, or who discloses information to “get back” at some perceived slight their employer or boss committed against them.
This also includes some, but not all, of the situations where someone fails to utilize available protections because they’re too inconvenient or difficult to apply. In many cases, the safeguards really are too difficult for the average user to comprehend or apply. I would put not using SSL on a Web site where payments are accepted in this category (for the Web site operator) but would put disclosure due to email monitoring in the “accidental” category since PGP really is too difficult for the average user to comprehend.*
This is also the model by which content often enters the Darknet. Someone rips & uploads information (a song, movie, book, etc.). They may not receive direct monetary benefit, but they either gain prestige (in an up/down ratio sharing group) or a feeling of “sticking it to The Man.”**
While the likelihood of this information being exploited to harm the owner/described entity is higher than accidental loss, that harm is by no means assured. The discloser may or may not disclose truly sensitive information or it may not be found and interpreted by the necessary parties.
- malicious: Corporate espionage and fraud. This is information that is obtained specifically to be used for the direct (monetary?) benefit of the attacker and/or to the detriment of the rightful owner. This is the highest-risk case since the attacker is assuming risk specifically to gain reward; in that regard, the information theft is a criminal commercial venture. Not exploiting the stolen data would be like holding up a liquor store, then forgetting to take the cash from the register. It has happened, but we would be foolish to count on failure to utilize the proceeds of the theft as a safeguard.
While there are commonalities in the controls which can reduce the risk of each type of breach, understanding which scenario you’re worried about can in turn lead to the applicable vulnerability and can change control design considerably.
For example, full hard drive encryption can provide excellent mitigation of accidental loss risk as well as certain malicious loss use cases (e.g. targeting a laptop for its data), but will do next to nothing to stop a disgruntled employee from leaking information which they legitimately have access to during their day-to-day work activities. In the initial discussion, however, the information owner might just say, “Keep people from stealing our data!”
Understanding the nature of the different potential threats is an essential piece of Risk Assessment and can, quite often, provide the quickest path to effective risk reduction, even in the absence of good data about frequency or impact. Also, by understanding the motivations of the loss cases, it becomes much easier to adequately assess likelihood. I say “adequately” because, despite the efforts of people like Chris Walsh, we simply lack good data on the true likelihood or impact of any but the least interesting (i.e. those where the security can be operationalized) attacks.
* These gaps would seem like obvious opportunities for the security products industry to step up, but we continue to see little progress in the secure & usable product space.
** Yes, I sound like the not-hip-but-trying-to-be-hip-guy here, but that’s just life sometimes. I’m used to it.
[…] Chandler Howell discusses data theft and loss in the risk management blog “Not Bad For a Cubicle” last week. […]
[…] They agreed that it would do very little to prevent a malicious attacker. If a baby was brought within range of the door’s sensor, the doors of the maternity ward were wired to mag-lock shut and an alarm would sound. Given the ease of removing the tag, however, that would do little to stop a malicious attacker. […]
[…] Chandler Howell has a great post over at the “Not Bad For a Cubicle” blog, discussing the three different ways information is lost: accidental loss, selfish loss (which might also be called carelessness) and malicious loss. While these may seem obvious after reading through them, it’s a nice and simple way of looking at information loss that’s useful to keep in mind. It’s often tempting in doing security risk management to focus too much on one or two of these areas, while spending not enough time on the possibility of a third option. […]