The Breach Level Index has to cover everything from a minor loss of data up to the largest reported breaches, such as the 150 million records stolen from the Shanghai Roadway Marketing Service, reported in March 2012.
The Breach Level Index must fit the information readily available for each breach, and it must be easy to understand and calculate. It should include weighted values for the number of records, the type of data, the source of the breach, and whether or not the data has been used for nefarious purposes. The Breach Level Index is open ended in that there is no upper limit, although to date the largest breach scores just under a 10. The Index is logarithmic (base 10), so, just as in the scales for volcanoes and earthquakes, a score of 7, for instance, is 100 times more severe than a score of 5.
To make the Breach Level Index easily understandable to a broad swath of society, we think it makes sense to map the Index scores to a simple five-step scale, similar to the Saffir-Simpson hurricane scale. The following table shows how Index scores map to this scale. To put it into context, the California Department of Support Services breach would be a Category 3 data breach, while the LinkedIn breach would be Category 4.
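As an added illustration, and not the Breach Level Index's own published formula, here is a small Python model of an index built the way the text describes: the four factors (record count, data type, breach source, and whether the data was misused) are combined by weight, the result is taken to a base-10 logarithm with no upper bound, and the score is then mapped onto a five-step category scale. Every weight, category cut-off, and sample breach below is an assumption chosen for illustration; what the example shows is how such a scale behaves, for instance that two extra points always mean a hundred-fold increase in weighted severity, and that each weighting factor simply adds a fixed amount to the score.

```python
"""Illustrative Breach Level Index-style calculator (added example).

Not the Breach Level Index's published formula. The weights and the
category cut-offs are ASSUMED illustration values; only the structure
(weighted factors, base-10 log, open ended, five categories) follows
the description of the index.
"""
import math

# Assumed multiplicative weights per factor (hypothetical values).
DATA_TYPE_WEIGHT = {
    "nuisance": 1.0,           # e.g. marketing contact lists
    "account_access": 3.0,     # credentials for online accounts
    "financial_access": 4.0,   # card or bank details
    "identity_theft": 5.0,     # enough PII to impersonate the victim
}
SOURCE_WEIGHT = {
    "accidental_loss": 1.0,
    "malicious_insider": 3.0,
    "malicious_outsider": 5.0,
}
MISUSE_WEIGHT = {False: 1.0, True: 5.0}  # data known to be used for fraud

# Assumed cut-offs for the five-step category scale (hypothetical).
CATEGORY_FLOORS = [(9.0, 5), (7.0, 4), (5.0, 3), (3.0, 2), (0.0, 1)]


def weighted_severity(records, data_type, source, misused=False):
    """Combine the four factors multiplicatively (the pre-log quantity)."""
    if records < 1:
        raise ValueError("a breach involves at least one record")
    return (records
            * DATA_TYPE_WEIGHT[data_type]
            * SOURCE_WEIGHT[source]
            * MISUSE_WEIGHT[misused])


def breach_level_index(records, data_type, source, misused=False):
    """Base-10 logarithm of the weighted severity.

    Because the factors multiply, each contributes additively to the
    score: a 5x weight adds log10(5) ~ 0.70, and a 100x increase in
    records adds exactly 2.0. Nothing bounds the result above.
    """
    return math.log10(weighted_severity(records, data_type, source, misused))


def category(score):
    """Map an index score onto the five-step scale using the assumed floors."""
    for floor, cat in CATEGORY_FLOORS:
        if score >= floor:
            return cat
    return 1


def severity_ratio(score_a, score_b):
    """How many times more severe score_a is than score_b on a log10 scale."""
    return 10 ** (score_a - score_b)


if __name__ == "__main__":
    # Constructed sample breaches (not real incidents).
    samples = [
        ("lost laptop, 1,000 marketing contacts",
         1_000, "nuisance", "accidental_loss", False),
        ("insider copies 50,000 card records",
         50_000, "financial_access", "malicious_insider", False),
        ("outsider steals 150M identity records",
         150_000_000, "identity_theft", "malicious_outsider", False),
    ]
    for label, n, dtype, src, used in samples:
        s = breach_level_index(n, dtype, src, used)
        print(f"{label}: score {s:.2f}, category {category(s)}")
    print("score 7 vs score 5:", severity_ratio(7, 5), "x more severe")
```

The multiplicative combination is what makes the log scale convenient: changing any single factor shifts the score by a constant, so an analyst can read the contribution of, say, confirmed misuse directly off the difference between two scores, and very large breaches never saturate the scale.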