Friday, August 27, 2010

Verizon's Insider Threat

You've heard the pseudo-axiomatic bull-puckey that 80% of attacks are internal. As if this were universally true everywhere on Earth and everyone just "knows" this fact, like they know the hue of the sky.

Somewhere along the way (I was hearing this when I first got into infosec in the mid-'90s) some government study came to this conclusion. Quite possibly the CSI/FBI computer crime surveys were at the root; I really don't know and it really doesn't matter.

I'm not saying there isn't insider threat. Or that insider access increases impact of successful attacks thus increasing risk. I'm not even particularly disagreeing with 80% because I'm sure there are cases where that figure is accurate.

But we as infosec professionals have to understand our own unique threats rather than blindly quoting some nearly urban-legendary statistic as if it applies everywhere.

Verizon's insider threat data, according to this article, lends some credence to the notion of insider threat being a big deal. Where bigness of deal varies from company to company. It also suggests that the problem--at Verizon, specifically--isn't as bad as the oft-quoted 80%.

Less interesting than the actual numbers, to me, is the fact that they collect these metrics in the first place. Do you?  Should you?  I think so.  How do/would you go about it?

And at the same time remain mindful of the fact that we don't know what we don't know? I hate it when infosec professionals tell me, for example, "we've had xxx incidents this year" and forget to add on the phrase "that we know of".
