There are two interesting elements to this blog posting at The Security Catalyst, which was written by the individual who compiled the Educational Security Incidents (ESI) Year in Review - 2006. One is the results themselves. The other is watching what the statistically minded blogger does with the numbers. It's a good reminder that the results of surveys or numerical studies are not ends in themselves: Knowledgeable folks need to interpret those results to provide information that really is useful.
The writer, Adam Dodge, says colleges and universities in the U.S. reported 83 information security incidents last year. His posting focuses on the 20 of these defined as unauthorized exposure. These are cases in which people made mistakes and exposed information that they shouldn't have.
It's interesting to see what hides behind those numbers (OK, it's more numbers... but they are interesting numbers). Dodge says that those accidental exposures -- which were a shade under a quarter of the total incidents -- resulted in 232,000 record exposures. That's 8.6 percent of the total.
This can be taken in a couple of ways. On one hand, it can be said that each mistake is comparatively less damaging than each overt act of theft. On the other hand, it's disheartening to learn that almost 10 percent of incidents are entirely preventable.
What really would be interesting -- but seems beyond the scope of the report -- is a comparison of the level of danger of a piece of data mistakenly exposed compared to one that is stolen. Theoretically, an accidental exposure should be less dangerous: If somebody mistakenly leaves his or her house unlocked, there is far less of a chance of property being stolen than if a burglar breaks in with the express intention of stealing something.
It's also frightening to learn that almost a quarter of a million records were left exposed by accident.
The posting ends with three good pieces of advice from Dodge: Remove all personal information from the site that isn't needed, don't use the Web as a "temporary" way station for files that are being transferred, and periodically check the site to make sure nothing is amiss. It seems particularly important to eschew the Web as a storage vehicle, since once information is posted it will live on in caches long after it is taken down from the site.
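The third piece of advice, periodically checking the site, is the one that lends itself to automation. The script below is an added example written for this post; it is not code from Dodge's article or the ESI report. It walks a web root, flags files whose contents contain SSN-like numbers or a cluster of e-mail addresses (a roster or mailing list rather than one contact address), and flags files sitting in a transfer or upload folder for longer than a cutoff. The folder names it treats as "temporary" and the thresholds are assumptions; the sample web root it builds is constructed data, not real records.

```python
"""Periodic check of a web root for personal data and stale transfer files.

Added example, not part of the original post. Run it directly to scan a
constructed sample tree; point scan_webroot() at a real document root to
use it for the periodic check Dodge recommends.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Patterns for data that should not sit on a public site (assumed, simple forms).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
EMAIL_CLUSTER = 5                  # assumed: 5+ addresses in one file looks like a list
TEMP_DIR_NAMES = {"tmp", "temp", "transfer", "upload"}  # assumed "way station" folders
NOW = 1_700_000_000.0              # fixed "current time" so file ages are reproducible


@dataclass
class Finding:
    path: str      # path relative to the web root, forward slashes
    reason: str


def scan_webroot(root: str, max_temp_age_days: float = 7, now: float = NOW) -> List[Finding]:
    """Walk `root` and report files that violate the three rules above."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # A file is "in a transfer area" if any folder on its path has a temp-like name.
        in_temp = any(part.lower() in TEMP_DIR_NAMES for part in rel_dir.split(os.sep))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)      # cap read size per file
            except OSError:
                continue
            ssn_hits = len(SSN_RE.findall(text))
            if ssn_hits:
                findings.append(Finding(rel, f"{ssn_hits} SSN-like value(s)"))
            email_hits = len(EMAIL_RE.findall(text))
            if email_hits >= EMAIL_CLUSTER:
                findings.append(Finding(rel, f"{email_hits} e-mail addresses (possible roster)"))
            if in_temp:
                age_days = (now - os.path.getmtime(full)) / 86400
                if age_days > max_temp_age_days:
                    findings.append(Finding(rel, f"stale file in transfer area ({age_days:.0f} days old)"))
    findings.sort(key=lambda f: f.path)
    return findings


def build_demo_webroot() -> str:
    """Construct a small sample web root (constructed data, not real records)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "transfer"))
    files = {
        "public/index.html": "<h1>Registrar</h1><p>Contact registrar@example.edu</p>",
        "public/roster.csv": "name,id\nJane Doe,123-45-6789\nJohn Roe,987-65-4321\n",
        "transfer/grades_old.xls": "placeholder for a spreadsheet left behind after a transfer",
        "transfer/fresh.txt": "just uploaded",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    old = NOW - 30 * 86400                      # 30 days before the fixed "now"
    os.utime(os.path.join(root, "transfer", "grades_old.xls"), (old, old))
    os.utime(os.path.join(root, "transfer", "fresh.txt"), (NOW, NOW))
    return root


def demo() -> Dict[str, str]:
    """Scan the constructed web root; return {relative path: reason}."""
    root = build_demo_webroot()
    return {f.path: f.reason for f in scan_webroot(root, now=NOW)}


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

On the constructed tree the scan reports the roster file (two SSN-like values) and the month-old spreadsheet in the transfer folder, while the single contact address in index.html and the freshly uploaded file pass. Scheduled from cron against the real document root, the same function gives the periodic check Dodge suggests; anything it flags is a candidate for removal before a search engine caches it.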