I am attempting to construct a ranking of US publicly-traded companies according to how much they would put their customers at risk when a data breach happens.
My question to infosec practitioners with experience of real breaches is, what is a good set of metrics to gather? What makes a breach "better" versus "worse"?
- Fast public reporting?
- Having 2FA options in place?
- Nothing in plaintext?
- Server logs turned on (...cough...Ubiquiti...)?
Some of my assumptions to date (please correct me if I am wrong here):

- There is no way to numerically quantify the risk that a breach will occur prior to it happening
- There is no way to numerically quantify how "bad" a given breach is
- Qualitative expert judgement is therefore the only way to select
- Even items which are weakly correlated with customer harm could help (by averaging + assuming monotonically increasing "harm" on every variable)
- Numeric variables (e.g. how long between breach and reporting) and booleans (e.g. does the company have a process for x) are both useful
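As an added illustration of the "average monotonically increasing harm over every variable" assumption in the last two bullets (example code, not part of the original question): each variable is oriented so that larger means more customer harm, numeric columns are min-max scaled to [0, 1], booleans become 0/1, missing values are skipped rather than guessed, and the scaled values are averaged. The company names, the values and the variable list are all constructed stand-ins; the real metric set is exactly what the question is asking for.

```python
"""Monotone composite "breach harm" score over mixed numeric and boolean variables.

Added example, not from the original post. All company names and values are
constructed; the variable list is a placeholder for whatever metrics get chosen.
"""
from statistics import mean

# (variable name, kind, higher_is_worse). Assumed metrics, chosen to echo the
# question's own candidates (time to report, plaintext storage, 2FA, logging).
VARIABLES = [
    ("days_to_public_report", "numeric", True),
    ("plaintext_sensitive_data", "bool", True),
    ("offers_2fa", "bool", False),          # having 2FA lowers harm
    ("server_logging_enabled", "bool", False),
    ("records_exposed", "numeric", True),
]

# Constructed sample data. None marks a value that could not be determined.
SAMPLE = {
    "AcmeCorp": {"days_to_public_report": 120, "plaintext_sensitive_data": True,
                 "offers_2fa": False, "server_logging_enabled": False,
                 "records_exposed": 5_000_000},
    "Globex":   {"days_to_public_report": 3, "plaintext_sensitive_data": False,
                 "offers_2fa": True, "server_logging_enabled": True,
                 "records_exposed": 20_000},
    "Initech":  {"days_to_public_report": 30, "plaintext_sensitive_data": False,
                 "offers_2fa": True, "server_logging_enabled": None,
                 "records_exposed": 1_000_000},
}


def scale_numeric(column):
    """Min-max scale a {company: value} column to [0, 1].

    None is passed through. A column with a single distinct value carries no
    ranking information, so everyone gets 0.0 for it.
    """
    present = [v for v in column.values() if v is not None]
    if not present:
        return {c: None for c in column}
    lo, hi = min(present), max(present)
    span = hi - lo
    return {
        c: None if v is None else ((v - lo) / span if span else 0.0)
        for c, v in column.items()
    }


def harm_scores(companies, variables=VARIABLES):
    """Return {company: mean oriented score in [0, 1]} (None if nothing known).

    Every variable is flipped if needed so that 1.0 always means "more harm",
    which is the monotonicity assumption from the question made explicit.
    """
    per_company = {c: [] for c in companies}
    for name, kind, higher_is_worse in variables:
        column = {c: companies[c].get(name) for c in companies}
        if kind == "bool":
            scaled = {c: (None if v is None else float(v)) for c, v in column.items()}
        else:
            scaled = scale_numeric(column)
        for c, v in scaled.items():
            if v is None:
                continue  # unknown: leave it out of the average rather than impute
            per_company[c].append(v if higher_is_worse else 1.0 - v)
    return {c: (mean(vals) if vals else None) for c, vals in per_company.items()}


def rank(companies, variables=VARIABLES):
    """Companies ordered from most to least harmful; unscored ones go last."""
    scores = harm_scores(companies, variables)
    return sorted(scores, key=lambda c: (scores[c] is None, -(scores[c] or 0.0)))


if __name__ == "__main__":
    for company, score in harm_scores(SAMPLE).items():
        print(f"{company:10s} {score:.3f}")
    print("ranking:", rank(SAMPLE))
```

Two things worth noticing when running it: skipping missing values means a company with few known variables can be ranked on very thin evidence, so recording how many variables actually contributed is a sensible addition; and min-max scaling lets a single extreme value (one very large breach) compress every other company into the bottom of the range, which is why rank-based scaling is often preferred for this kind of composite.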