ANALYSIS A study on distributed denial of service attacks in 2016 and the first few months of 2017 by the analytics company Neustar raises the question of whether the number of individuals sampled is sufficient to come to the conclusions that have been reached.
Only 1010 people were interviewed for this 52-page report and they only came from the storied ranks – the so-called c-suite.
Exactly how Neustar has drawn the conclusions it has for this report is thus questionable. More so when the report covers three massive geographical regions: North America, Europe and the Asia-Pacific.
Is this number of people a significant sample statistically?
Of course, Neustar is not alone in this kind of enterprise. Security outfits around the world do it. But at some point, one must ask these questions.
And security firms aren't the only ones pushing statistics that are questionable. A few days ago, I received a report from Veritas, wherein it was stated boldly that Australian companies would spend an average of $1.86 million to become compliant with the EU's General Data Protection Regulation.
The number interviewed to come to this conclusion was small: 900 business decision-makers across the US, the UK, France, Germany, Australia, Singapore, Japan and South Korea. The amount stated was quite out of sync with the fact that the average revenue for an Australian business is in the range of $200,000. Where do they find $1.86 million to pay over two years?
Back to the Neustar report, the people interviewed were directors, managers, CISOs, CSOs, CTOs, and other c-suite executives. No coders, no lower-level software people, not a single person who is at the coalface.
But that is understandable. These c-suite dudes may not have much of a clue about what is going on, but in the end they are the ones who will decide where a given company's security budget is to be spent.
So it helps to make them feel important by soliciting their opinions about the security at their respective companies.
The Neustar report has the usual statistics as all other online intrusion reports do. One line sums it up: things are getting worse, not better. But then anyone who reads the tech press would be aware of that. Of course, there is no need to hype things up – the reality is bad enough.
These reports are meant to do one thing: to drum up business. The company in question gains some legitimacy when its findings are reported in the tech media.
As I have pointed out before, security firms tend to do beat-ups when the silly season approaches. Maybe Neustar should make a bid at that time of the year.
Cover picture of Barrett Lyon, Neustar vice-president of research and development, is from the Neustar report.