tag:blogger.com,1999:blog-4482521283458453577.post2116975530672145289..comments2011-09-28T07:17:36.543-07:00kevin thompsonhttps://profiles.google.com/107682921975811187169noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-4482521283458453577.post-35943061958836197492011-09-28T07:17:36.543-07:002011-09-28T07:17:36.543-07:00@Janke<br />That&#39;s a real problem, and I think the data from the current year is going to be more relevant that the data from the previous year. These ideas work great when the threat is something like fire because we&#39;ve known for a very long time how fire operates, what causes it, how we respond to it, etc. In information security it isn&#39;t so easy to make those assertions. <br /><br />On the other hand, it is easy to fall into the trap of thinking that you&#39;re better than other people. Like in the way that most drivers think they are above average drivers. Even though I think my security practices are awesome, I&#39;m probably average so maybe the overall trends across many industries is still valid.Black Fisthttp://www.blogger.com/profile/10140419541264972382noreply@blogger.comtag:blogger.com,1999:blog-4482521283458453577.post-856641098181682502011-09-22T13:51:03.541-07:002011-09-22T13:51:03.541-07:00If you add value, why not?<br /><br />First thoughts - not having followed the link. ;)<br /><br />(1) Would &#39;relevant&#39; need to be defined to include institutions with similar security policies and a similar user base? <br /><br />(2) Would the data need to be current(i.e. would current yearsl loss data from 200 companies be more relevant to a current security analysis than older data from fewer companies)?Michael Jankehttp://www.blogger.com/profile/00357905802460949707noreply@blogger.com