Sqrrl Blog

Jul 9, 2015 8:00:00 AM

Introducing the Sqrrl Cyber Incident Matrix

A Sqrrl blog series focused on Data Breaches

Data breaches are in the news again and again these days. Between the IRS, OPM, Target, LastPass, and countless other private and public organizations, data and networks of every variety are prime targets for both external attackers and insiders. Our newsfeeds, inboxes, and conversations are saturated with people asking how and why these incidents occur. Over the past 12 months, cybersecurity has moved closer to the center of public debate than it has ever been. The rate at which private data is compromised every week is as alarming as it is impressive.

Today we're launching the Sqrrl Cyber Incident Matrix because we believe there is a need for a place that collects, catalogues, and breaks down these incidents concisely and in a manner that is easy to understand. Our goal is to look at data breaches in the news, rate them by severity and complexity, and analyze the known aspects of each breach. We're not here to spin wild theories; the purpose of this blog is to collect the known facts about a breach and build a contextual narrative of how different breaches relate to each other.

We've created a matrix to plot these attacks and survey the breach landscape as a whole. This visual guide aims to contextualize each incident, avoid over-inflated paranoia about hacks, and show that there are practical ways to alleviate the problems. We plan to profile each major breach as it comes up in the news and to retroactively fill in this evolving matrix. To plot each breach consistently, we assign it a score from 1-10 on both severity and complexity, based on what we know from news reporting, company or agency releases, and our expertise in the field.

The matrix currently profiles the following breaches:

  • OPM Breach
  • IRS Breach
  • Anthem Breach
  • ATM hacks
  • Kaspersky hack
  • Insider Trading hacks
  • Ashley Madison Breach
  • Penn State SSA Breach
  • VTech Breach

Our scoring algorithm is a 10-point scale for both severity and complexity; the sub-scores for each category sum to a maximum of 10 points. The scores for both categories break down as follows:

Complexity Criteria:

  • Amount of time it likely took to plan
    • Minimal planning time: 0 points
    • Several months: 1 point
    • One or more years: 2 points
  • Indirect attack on target (e.g., used a side door through a vendor): 1 point
  • Coordinated cyber and human operation: 1 point
  • Use of zero-days
    • Used a zero-day exploit: 1 point
    • Used multiple zero-day exploits: 2 points
  • Went undetected for
    • 1 month or less: 0 points
    • 1 to 6 months: 1 point
    • 6+ months: 2 points
  • Advanced TTPs
    • Rudimentary or common TTPs or malware: 0 points
    • Used advanced TTPs or advanced malware: 1 point
    • Used previously unknown TTPs or malware: 2 points

Severity Criteria:

  • Incident Costs (cost of remediation, value of compromised data/damaged material)
    • None: 0 points
    • $1-$100k: 1 point
    • $100k-$1M: 2 points
    • $1M-$100M: 3 points
    • $100M+: 4 points
  • Physical Damage
    • None: 0 points
    • Limited: 1 point
    • Extensive: 2 points
  • Lives Lost
    • None: 0 points
    • One: 1 point
    • Multiple: 2 points
  • National Security Impact
    • None: 0 points
    • Moderate: 1 point
    • Significant: 2 points

Important notes on scoring criteria:

-Incident Costs: This score includes both the value of property stolen or compromised in the attack and the other losses, remediation and recovery costs incurred in its aftermath (e.g., the costs of fraud committed with a stolen identity and of recovering from it).

-Physical Damage: In this context limited physical damage implies the physical destruction of computers or individual systems that are relatively isolated (e.g., wiping and rendering a hard disk inoperable). Extensive damage would imply the physical destruction of multiple systems across a vast number of targets, particularly those which are geographically dispersed (e.g., multiple industrial control systems across various facilities).

-Lives Lost: It is critical to note that the lives-lost criterion does NOT attempt to compare the value of human lives; it only notes whether an attack was capable of incurring the loss of one life or of multiple lives, as an indicator of how severe a cyber attack can be, particularly since to date this remains unprecedented in cyber incidents. Lives lost are already counted under incident costs using the value of a statistical life, so these points add to the severity of an attack on top of those costs.
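To make the rubric above concrete, here is the scoring scheme written out as code. This is an added worked example, not Sqrrl's own tooling or published scores: the two incident records are constructed placeholders, and three details the post does not state are assumptions (a 30-day month for dwell time, a boundary value such as a cost of exactly $100k landing in the lower band, and a $9.6M value of a statistical life used to fold lives lost into incident cost before the separate lives-lost points are added).

```python
"""Added example: the matrix's two 10-point rubrics as a scoring function.

Not Sqrrl's code. Incident records are constructed placeholders. Assumed
(not stated in the post): a 30-day month for dwell time, boundary values
falling into the lower band, and a $9.6M value of a statistical life.
"""
from dataclasses import dataclass
from typing import Tuple

# Assumed VSL figure for converting lives lost into incident cost.
ASSUMED_VSL_USD = 9_600_000

# Complexity sub-scores (max 2 + 1 + 1 + 2 + 2 + 2 = 10).
PLANNING_POINTS = {"minimal": 0, "months": 1, "years": 2}
TTP_POINTS = {"common": 0, "advanced": 1, "novel": 2}

# Severity sub-scores (max 4 + 2 + 2 + 2 = 10).
PHYSICAL_POINTS = {"none": 0, "limited": 1, "extensive": 2}
NATSEC_POINTS = {"none": 0, "moderate": 1, "significant": 2}


@dataclass(frozen=True)
class Incident:
    name: str
    planning: str          # "minimal" | "months" | "years"
    indirect: bool         # reached the target through a vendor / side door
    cyber_and_human: bool  # coordinated cyber and human operation
    zero_days: int         # distinct zero-day exploits used
    undetected_days: int   # dwell time before detection
    ttps: str              # "common" | "advanced" | "novel"
    cost_usd: float        # remediation plus value of compromised data
    physical: str          # "none" | "limited" | "extensive"
    lives_lost: int
    natsec: str            # "none" | "moderate" | "significant"


def dwell_points(days: int) -> int:
    """1 month or less: 0; 1 to 6 months: 1; 6+ months: 2 (30-day months)."""
    if days <= 30:
        return 0
    if days <= 180:
        return 1
    return 2


def cost_points(cost_usd: float) -> int:
    """None: 0; $1-$100k: 1; $100k-$1M: 2; $1M-$100M: 3; $100M+: 4."""
    if cost_usd <= 0:
        return 0
    if cost_usd <= 100_000:
        return 1
    if cost_usd <= 1_000_000:
        return 2
    if cost_usd <= 100_000_000:
        return 3
    return 4


def complexity(inc: Incident) -> int:
    return (
        PLANNING_POINTS[inc.planning]
        + int(inc.indirect)
        + int(inc.cyber_and_human)
        + min(inc.zero_days, 2)          # one zero-day: 1, multiple: 2
        + dwell_points(inc.undetected_days)
        + TTP_POINTS[inc.ttps]
    )


def severity(inc: Incident) -> int:
    # Lives lost are priced into incident cost first, then scored again
    # on their own, as the post's scoring note describes.
    cost_with_vsl = inc.cost_usd + inc.lives_lost * ASSUMED_VSL_USD
    return (
        cost_points(cost_with_vsl)
        + PHYSICAL_POINTS[inc.physical]
        + min(inc.lives_lost, 2)         # one life: 1, multiple: 2
        + NATSEC_POINTS[inc.natsec]
    )


def score(inc: Incident) -> Tuple[int, int]:
    """Return (complexity, severity): the incident's coordinates on the matrix."""
    return complexity(inc), severity(inc)


# Constructed incidents (placeholders, not real breach data).
VENDOR_PIVOT = Incident(
    name="constructed vendor-pivot breach", planning="months", indirect=True,
    cyber_and_human=False, zero_days=0, undetected_days=200, ttps="advanced",
    cost_usd=50_000_000, physical="none", lives_lost=0, natsec="moderate",
)
WORST_CASE = Incident(
    name="constructed worst case", planning="years", indirect=True,
    cyber_and_human=True, zero_days=3, undetected_days=400, ttps="novel",
    cost_usd=500_000_000, physical="extensive", lives_lost=5,
    natsec="significant",
)

if __name__ == "__main__":
    for inc in (VENDOR_PIVOT, WORST_CASE):
        c, s = score(inc)
        print(f"{inc.name}: complexity {c}/10, severity {s}/10")
```

The constructed vendor-pivot breach lands at complexity 5, severity 4; the worst case saturates both axes at 10. Note how the lives-lost note plays out: a single death with no other cost still pushes incident cost into the $1M-$100M band through the VSL, and then adds its own point on top.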

We hope that you'll use this blog as a way to get honest industry opinions on new data breaches, and that our analysis of these situations shows the importance of focusing on security. Stay tuned for our first featured breach profile in the coming days!

Topics: Cybersecurity, Breach Detection, Outlier Detection, Data Breach, Incident Response