Laid-off Workers as Data Thieves?

A Symantec/Ponemon report points to an ominous byproduct of the economic crisis: laid-off employees stealing data in acts of vengeance. CSO Senior Editor Bill Brenner is skeptical of this report's news value.


READER FEEDBACK
Anonymous
Wed, 2009-02-25 17:57

It is not unethical for companies to shed light into real problems facing organizations today. If people don't know that solutions exist to address these challenges, how do they get fixed?

Technology solutions address real company challenges. How do you suggest companies get more insight into the problems they need to solve, then?

Anonymous
Thu, 2009-02-26 19:07

I think the overall point to the story is that security vendors seize opportunities to sell their products. They've done it with HIPAA, PCI, etc. Now they're trying to leverage the economic crisis to sell their products. They believe they have a "hammer" and everything looks like a "nail" to them.

Anonymous
Thu, 2009-02-26 19:34

Does this 79% include the taking home of personal emails and contacts within an Outlook PST or emailing them home?

Arguably it is DL, but it's quite different from malicious activity with a goal to steal data that actually has a value to the business.

Anonymous
Thu, 2009-02-26 21:27

When Ponemon's top privacy rankings were announced, I took that with a grain of salt having seen things firsthand. It merely means marketing strategies are working and the public feels all fluffy inside. Kudos for the public perception, but it's not reality. I'd rather see those marketing dollars go to EDUCATING the public as opposed to trying to sway them.

We work with facts, reality and not speculation. I'm solidly aligned with Mr. Brenner on this one.

Danny Lieberman
Sun, 2009-03-01 10:13

Vendors like Symantec sell fear, not security products, when they report on “Rises on Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain”, without suggesting cost-effective security countermeasures.

An outstanding example of security bull-feathers is the March 2007 issue of the semi-annual Symantec Internet threat report. The report has lots of statistics, but the mistakes and overall lack of a systematic threat modeling approach are disappointing from such a large vendor. Here are a few examples of problems with the report:

1. Lumps consumers and enterprises together
“End users, whether consumers or enterprises, need to ensure proper security measures to prevent an attacker from gaining access to their confidential information, causing financial loss, harming valuable customers, or damaging their own reputation.”

Since when do consumers have customers? Consumers are insured for credit card theft, and PCI DSS certified merchants are protected from chargeback exposure with the acquiring bank. What financial losses do consumers and enterprises have in common?

2. Incorrectly classifies assets, incorrectly uses legal terms
“Symantec tracked the trade of stolen confidential information and captured data frequently sold on underground economy servers. These servers are often used by hackers and criminal organizations to sell stolen information, including social security numbers, credit cards, and e-mail address lists”.

Social security numbers are classified as PII (personally identifiable information), not confidential information. If Symantec is uncertain how to classify this asset, they should read the US state privacy laws and the PCI DSS specification. As a matter of fact, the law does not protect confidential information - it protects a confidence relationship. Once the information is disclosed (and social security numbers are frequently disclosed), a third party is not prevented from independently duplicating and using the information. See Wikipedia.

3. Provides misleading data
“Increase in Data Breaches Help Facilitate Identity Theft”

By not quantifying the threat probability, Symantec deliberately misleads the reader into thinking that cyber threats are the main attack on PII.

Au contraire. The FTC says that most identity theft cases are caused by offline methods such as dumpster diving, stealing and pretexting. According to Applied Cybersecurity Research, “Internet-related identity theft accounted for about 9 percent of all ID thefts in the United States in 2005”.

4. Cites vulnerability stats without suggesting countermeasures
“Symantec documented 12 zero-day vulnerabilities during the second half of 2006”

What is the point of a threat model without security countermeasures?

a. What were the vulnerabilities, and do consumer PCs have the same vulnerabilities as corporate servers behind a Checkpoint firewall?

b. What are the most cost-effective security countermeasures?

c. Does Symantec recommend that consumers use the same security countermeasures and risk assessment procedures as business enterprises?
