Get started Bring yourself up to speed with our introductory content.

Using the 2014 Verizon DBIR to review information security controls

The Verizon DBIR has a wealth of information on enterprise threats, but how can the average organization put it to good use? Nick Lewis explains.

The Verizon Data Breach Investigations Report has brought numerous insights over the last 10 years, and 2014's...

report was no exception. If you haven't read it yet, you should take the time to read the full report and understand how it applies to your industry and enterprise.

One of the most compelling statistics of the report is right on the front cover: "The universe of threats may seem limitless, but 92% of the 100,000 incidents we've analyzed from the last 10 years can be described by just nine basic patterns." This year's DBIR offers further insights into cybercrime and how enterprises can better protect themselves.

In this tip, I will cover how to interpret the industry-specific analysis of the 2014 Verizon DBIR and explain how to make the necessary changes to defend against the attacks that really matter.

Interpreting industry-specific analysis

The DBIR does much of the heavy lifting for enterprises, offering a vast amount of data and recommendations to improve security programs and reduce the number of security incidents.

To achieve its 2014 report results, Verizon collected and analyzed data from 1,367 data breaches and 63,437 security incidents from 50 contributing global organizations across 95 different countries. Fortunately for organizations today, the 2014 Verizon DBIR could derive more detailed and in-depth findings for the industry verticals than years before, mostly because of the increased sample size.

The DBIR broke the attack methods and trends into 19 industry verticals -- from education and finance to entertainment and transportation. For each target industry, the report provides statistics on how often it was victim to nine different categories of attack. These nine categories range from point-of-sale intrusion and theft/loss to Web application attacks and crimeware. A tenth pattern, titled "everything else," is a catch-all for anything not covered in the previous patterns.

After a brief overview of the frequency of incident patterns per victim industry, the report gets into the anticipated details: descriptions of the attacks, frequency of attacks, key findings and much-needed recommendations that will help organizations know which controls can help best thwart issues.

A victim industry, take a real estate organization for example, can look at Figure 19 and see that the incident classification pattern for insider misuse has the highest frequency. The company can then look up details in the "Insider and Privilege Misuse" section where it breaks down potential incidents even further. For this particular pattern, the top threat action is privilege misuse at 88%. The report then recommends controls to identify ways to prevent insider misuse. An enterprise in real estate now has actionable advice and can identify the four recommended controls to consider including in its information security program.

Verizon 2014 DBIR report -- frequency of incident classification patterns per victim industry.

Changes to defend against the attacks that really matter

Using industry trends and reports and news on security incidents can be highly beneficial for fine-tuning an enterprise's information security program. Since defending against each and every attack is impossible and most likely an inefficient use of information security resources, using such publications to determine and focus on defending against the attacks that matter the most helps organizations prioritize how resources are used.

The 2014 Verizon DBIR report has tried to make this task a little easier, especially for any organization that fits in its list of victim industries. Using the report, enterprises can identify which attacks are likely to target companies in their industries and pinpoint new controls or ways to improve existing controls to either prevent or mitigate potential attacks. For those not represented in this list, using the top nine basic attack patterns in a regular review of an information security program can prove extremely advantageous.

Enterprises can also review the recommended controls to determine if they have systems in place that reduce their risk based on the industry attack data. Two charts at the end of the report (figures 69 and 70) break down the critical security controls, listing how they apply to the incident patterns and target industries. Enterprises pick charts in their own industry to see which critical security controls they may wish to consider putting in place (if they haven't already) to achieve protection from incidents.
Verizon 2014 DBIR report -- critical security controls mapped to incident patterns.

For example, an enterprise in the healthcare sector could use the incident classification chart to identify its three biggest threats: theft/loss (46%), insider misuse (15%) and miscellaneous error (12%). These three patterns account for 73% of the threats the organization is likely to face and should help it determine potential controls to put in place or improve upon. In this example, each threat has slightly different recommendations for critical security controls with little overlap. Enterprises can then check to see how each critical security control is addressed in its information security program. If there are any gaps in the controls or if it is inadequately addressed by a technology or process that may not be effective anymore, an enterprise can use the report as the driver to update its security program by either proposing new policy or making the case to purchase and/or implement new technology.

Verizon 2014 DBIR report -- prioritization of critical security controls by industry.

There's no question that the DBIR is an invaluable tool for evaluating existing industry-specific controls to prevent these top incident patterns from becoming critical risks.


A number of enterprises today receive more information security-related data from their security tools than they could possibly ever use. On the other end of the spectrum, some enterprises don't have enough data to come up with any analytical results whatsoever.

In either scenario, a significant amount of money and man-hours must be invested to achieve usable results. If your organization doesn't have these resources to invest, reports such as the Verizon DBIR come in handy. The DBIR does much of the heavy lifting for enterprises, offering a vast amount of data and recommendations to improve security programs and reduce the number of security incidents. It's now up to the enterprises to take advantage of this information.

About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science degree in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.

Next Steps

Explore key elements when building an infosec program

Take a seat and attend our SearchSecurity intrusion defense lesson

View a primer on security management and strategy

This was last published in July 2014

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Have you used the Verizon DBIR to evaluate your information security controls?