Profile picture
Jake Williams @MalwareJake
, 9 tweets, 3 min read Read on Twitter
This is drawing a lot of ire from the infosec crowd because there's no obvious causality. We SHOULD be careful not to assign causality where there is none. But this data IS valuable and we shouldn't dismiss it because it lacks a causal link. 1/n
comparitech.com/blog/informati…
The study authors note that the biggest problem with this sort of study is the sample size is small. There simply are not that many publicly traded companies that have suffered significant breaches available to study. There are also many factors, making causality difficult. 2/n
Some interesting takeaways: Stock price goes down immediately after a breach, but recovers quickly after. This doesn't surprise me at all. @RenditionSec works a lot of breach cases and this tracks with our experience in privately held companies. 3/n
Most of our customers who suffer a breach lose some business short term. But we've noted a sort of Streisand Effect with breaches that are publicly disclosed. The organization that has the breach gets a bunch of free media coverage (albeit negative) and that hurts short term. 4/n
But a few months later, the company has better name recognition due to the media coverage and few can remember why they've heard of the breached org. They do business with org because of name recognition. Behavioral economists call this "familiarity bias" 5/n
The familiarity bias continues to have an impact, but orgs must innovate to stay ahead of their competitors. A breach distracts them from that innovation and largely puts them in survival mode, where the breach takes focus away from long term innovation and business thrusts. 6/n
This leads to long term (2-5 year) underperformance against their competitors. The study cited in this thread seems to confirm this, noting that the 3 year performance is below the NASDAQ average. Note that at 3+ years, there are many other factors that may impact share price 7/n
This is a tough problem to study. I applaud the authors for putting it together. I will suggest that most infosec pros calling this FUD read a story about the report, not the report itself. We need more data in the industry and this is a GREAT example of it. 8/n
Of course this study isn't perfect, none ever will be. But this shows that there is a positive correlation between breaches and market performance. Do what you will with this data, but let's celebrate that we have the data in the first place. 9/9
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
Random #InfoSec n00b tip, from an InfoSec n00b. If you see something that your tingling spidey senses are making you think it’s important (like a network alert or a piece of OSINT) don’t be afraid to ask someone to check it out, just to be sure. 1/3
Lots of times, I will see something and will be like, “Hey, I feel like this is important, but I’m not sure, can you take a look? The experienced ppl will then will tell me why it isn’t or is important. 2/3
More often then not, I will get feedback of, “thanks for pointing that out, good catch.” Have reasons to back up why you think it could by an important alert. State your case and then learn something new in the process. 3/3
Read 3 tweets
Profile picture
I've had my 2nd coffee and it's time for another #infosec rant. This one is aimed, with love, at my white male colleagues in this biz. I love that many of us are helping our brothers and sisters build their careers in infosec. But PLEASE be careful with the advice you give out.
Before we white dudes give career advice to others, we have to consider that the tech industry (including #infosec) still has HUGE double standards when it comes to race and gender. Thus, what worked for ME might actually be harmful advice for a woman or for a black man.
One obvious example is: "You don't need a college degree." I'm a college dropout myself - I did 2 yrs of a CS degree before deciding that school wasn't for me. By the time my class graduated, I'd already co-founded @rapid7. Great!
Read 9 tweets
Profile picture
A thread on being a so-called “Security expert”.

I cringe at how much sincere, well-meaning, yet ultimately WRONG #infosec advice I gave out while working as the founder/VP Eng of a major security vendor.

When I left at IPO, I knew I needed a broader perspective. (1/N)
It’s too easy for someone in #infosec to call themselves an “expert” or (god forbid) a “thought leader”. Very few of us so-called experts have a rigorous background in security. My background is software. Most of us just jumped in early and learned as we went.
#SecurityExperts
#infosec is so broad, it covers so many technical and non-technical disciplines, that most of us who were experts in ONE area (like vulnerability mgmt in my case) have very deep expertise in that ONE area, but we’re amateurs in most other areas. #SecurityExperts
Read 25 tweets
Profile picture
#infosec moment:

1/ Met a gentleman this morning outside our agency building today. Enjoyed some small talk; turns out he just got picked up for a dream infosec job. His first actually. Had joined the USAF in aircraft maintenance, pushed himself to learn IT after hours.
2/ You could tell within the first 30 seconds how passionate he is about this field, and how his intelligence and drive would take him far. By 60 seconds, you could also see his self-doubt & tendencies towards Impostor Syndrome.
3/ Ended up spending nearly 30 minutes just mentoring. He had seen me around in cyber (new here myself), and heard my honestly undeserved nickname “MegaMind”. Turns out it wasn’t entirely a chance encounter.
Read 8 tweets
Profile picture
Obviously this immediately got added to my reading list #infosec #threatintel
Well, off to the races. I'm starting to read through The Perfect Weapon. I'll share my train of thought as it comes up. Sadly, because I'm doing it as an audiobook the snippets I want to quote may not be available online
Includes a reference to the Atlanta ransomware attack among state-linked attacks. I've never seen it framed as state-sponsored, but it provides a good case study for what such an attack on state or municipal governments might look like
Read 32 tweets
Profile picture
1/ The MSM Media, specifically @MSNBC, is lying to You about William Binney. He's not a 'Conspiracy Theorist.' He's an NSA WhistleBlower. startpage.com/do/search?q=tr… .@Thomas_Drake1 .@JesselynRadack .@theintercept
2/ Binney is simply pointing out that NONE of the 17 Intel Agencies have shown a SHRED of FORENSIC evidence it was the Russians that hacked the DNC or DNCCC - Here's .@theintercept report: interc.pt/2iCBzZ0
3/ Here's the July 24 2017 @Consortiumnews Report Challenging the 17 Agencies' Assessment consortiumnews.com/2017/07/24/int… cc .@MalcolmNance
Read 23 tweets

Trending hashtags

#GenericDrugs #InfoSec #infosecjobs #Classical #investigations #UX #ProtectYourself #infosec #Indivisible #OpenSource #opsec #ink #womenintech #TheResistance #TradeWar #unintendedoutcomes #GCDigital #phished #NemblaForever #howtoresist #datascience #AZ #ethics #icssecurity #data

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!