Have you ever had someone tell you, argumentatively or dismissively, that “it’s just a matter of semantics”? There’s some inherent irony in that idiom, since it misuses the word ‘semantics,’ which is defined as ‘the meaning of a word or phrase.’
In Information Security, we often read about data breaches and how customer records or sensitive data has been “stolen.” Theft is a well-understood concept, and so it’s not surprising that it’s used in relation to data as much as any other object.
When property is stolen, we all understand what that means; the property owner had possession, an event occurred, and then the property owner no longer had possession.
Data is different, however, and the difference is important. Actual data theft is rare. An example might be when the data is stored on a physical device that’s stolen, like a laptop. In that case, the data was really stolen, though you could argue that the intent was to steal the laptop and the data was incidental.
When a data breach occurs, the data is almost always *not* stolen. It might be copied, accessed, or possibly destroyed, but there are very few cases where the data owner loses possession while the thief gains it. Here are a few examples:
- “Hackers Try to Extort Domino’s Over Stolen Data” http://www.newsweek.com/hackers-try-extort-dominos-over-stolen-data-255048
But Domino’s still has possession of your topping preferences!
- “No Evidence Data Was Stolen When Montana Computer was Hacked” http://www.govtech.com/security/No-Evidence-Data-Was-Stolen-When-Montanas-Computers-were-Hacked.html
This statement is true regardless of whether the attackers actually accessed and copied the data. It’s still there, so it wasn’t stolen.
- “Medtronic discloses two data breaches last year; says no patient data stolen but some missing” http://www.startribune.com/business/263994741.html
The data isn’t here, but we’re sure it wasn’t taken by the attackers, who definitely were in the network. Hmmm…
Why is the language used important? You might think I’m being pedantic, and I am, but there’s a purpose. The difference between theft and access is at the root of why information security is so significantly different from physical security, and our continued misuse of terms perpetuates a fundamental misunderstanding.
Imagine how much harder it would be to solve a physical robbery if nothing was actually taken. Imagine how much more disturbing it would be if criminals could basically move into your house without you knowing. The continued use of physical metaphors for cybercrime simply fails to adequately convey the actual crimes that take place.
The result is that the public misunderstands the reality of information security, and that industry professionals make choices rooted in physical metaphors that simply don’t apply.
Title image courtesy of ShutterStock