Monday, February 11, 2008

Information Security Statistics

"Statistics are like a bikini. What they reveal is suggestive, but what they conceal is vital."

Recently a colleague of mine recommended that I use statistics in my presentations. When I see a bunch of numbers, pie charts and percent signs on the screen, I go back to the dot-com heyday… By 2008 we will see a world domination in…

Statistics are only useful when they are generated according to statistical reality. A complete statistical survey result must contain links to methodological details, including population coverage, sample design, sample size and several other quality indicators (for those who are wondering about the source of the FUD).

In the information security world, I see statistics like “according to xxx institute, 60% of US businesses were hacked last year, so you have to buy our product”. I have been expecting this cheap FUD to be over for so long, but no, it keeps coming back.
Well, as a smart audience you should ask: what do you mean by hacking, how did you question the respondents, what is their role, what do they do, who do they work with, etc. You will end up with 300 respondents telling you the fate of the information security industry… By the way, I usually end up believing these numbers, since the survey respondents (supposedly CISOs) had nothing else to do but answer these valuable surveys, so that they form a lucky set of “60% hacked US operations”.
