Re: 'We pride ourselves on being a leader in managing and protecting data'
I've lately made the scale on mine logarithmic,
No scale means anything unless it has dimensions. We need an SI or ElReg quantum for data breaches. I'd suggest that the unit is called a "Dido", but I'm wondering what the actual scaling should be. I think it needs to be some product of:
1) absolute size of the breach in individual accounts or records exposed,
2) the significance of the data lost on some scale of 1 to 5, where Talk Talk are a three, and Equifax a four - you'd get a five for losing personally sensitive information, e.g. health or personal circumstances, where I make a distinction between personally confidential data and personally sensitive data.
3) a scaled value for the stupidity in allowing the breach on a 1-3 scale. A simple SQL attack is about as basic as you get, that's a 3, a nation-state attack using zero days is a 1.
4) Track record. Simply the number of known breaches in the previous three years.
So, for the last Talk Talk hack, I'm reckoning 157,000 x 3 x 3 x 3 / 1m = 4.24 Didos.
Now, do we take that number of 4.239m as one Dido, and measure other breaches against that? Or do we divide by a million to keep the numbers easy to use, and keep the honorarium, but then quantify the Talk Talk breach as 4.239 Didos? Either way the sheer size of the Equifax breach means Dan 55 is most certainly correct to be using a log scale.