Information Leakage in the Extended Enterprise

In this project, we are examining the business risks of different types of disclosures including inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks.

Eric Johnson testified before Congress about information leaks over file-sharing networks.

Eric Johnson at Security Standard
Eric Johnson also spoke at Security Standard about the psychology of risk and information leaks.

CERT podcast with Eric Johnson and Scott Dynes on inadvertent disclosure

Inadvertent disclosure of sensitive business information represents one of the largest classes of recent security failures. With each new story, firms come under increased pressure to harden their networks and take a more aggressive security posture. However, it is often not clear which security initiatives offer firms the greatest improvement.

In this project, we are examining different types of disclosures including lost mass storage devices, inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks. In each case, the disclosures are the same: sensitive information is inadvertently leaked, creating embarrassment, vulnerabilities, and financial losses for the firm, its investors, and customers. We show how confidential and potentially damaging documents have made their way onto public networks.

The research also shows that criminals actively search these networks, hoping to find information that they can exploit. For a specific type of disclosure, peer-to-peer file sharing networks, we have found a statistically significant link between leakage and firm employment base and have developed a benchmarking technique to compare leakage. Ongoing work is examining the extent of the leakage problem in different industries including US Banking. We examine how information is exploited, including through fraud, unsolicited advertising, social engineering, and identity theft.

Video:
Eric Johnson explains inadvertent disclosures over the internet.

Eric Johnson

Inadvertent Disclosure at WEIS 2007
Department of Homeland Security funds study - press release
MBA Research Fellow Scott Dynes on "What Drives Information Security Investment?" Institute for Security Technology Studies