Victim Demographics

The Victim Demographics section describes (but does not identify) the organization affected by the incident. The primary purpose is to aid comparisons between different types of organizations (across industries, sizes, regions, etc) or departments within a single organization. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.

Organizations using VERIS to track incidents internally may (depending on circumstances) want to pre-populate some or all of the demographic variables rather than prompting the user for them upon each submission.

Victim ID

Question Text: Victim organization ID:

User notes: N/A

Question type: text field

Variable name: victim.victim_id (string)

Purpose: To associate incidents with the entity that was affected by them (without identifying the entity itself). Even in anonymous incident sharing scenarios, this can be useful for many purposes. For instance, it is necessary to study things like the average number of incidents per organization, why certain organizations suffer more incidents, whether certain corrective actions lead to reduced incidents/losses, etc.

Developer notes: If you plan to share incident with others, we suggest not making your org's name part of the victim ID. In certain situations (incident tracking within a single organization), this field may be auto-populated rather than prompting the user.

Miscellaneous:

  • Many VERIS users won't need this field at all - either because they're using it internally or because they're using it anonymously. Assuming you do want to record and share the victim name (i.e., if you're contributing to VCDB), the most important thing is to record a “proper” and recognizable form of the name to aid analysis.
  • If the victim's name is not known, leave victim_id blank. If you record something like “Unknown retailer,” it makes it difficult to distinguish that from a real name during analysis.
  • Always use the full/official name of the victim rather than abbreviations or shortened versions. For orgs like “IBM,” where the acronym is the official name, use that. This will help maintain consistent records (i.e., it's hard for a database to know that “BOA” and “Bank of America” are the same entity).
  • If the victim is a national government agency, always use the two-digit ISO country country code with no periods (e.g, “US Department of the Treasury” instead of “U.S.” or “United States.” Beyond that, try to use the full official name (e.g., “US Department of the Treasury” rather than “US Treasury Department” or “U.S. Dept of Treasury.”
  • If the victim is a state or local government agency, always use the “City of…” or “State of…” format. So New York Fire Department would be “City of New York Fire Department.”

Primary Industry

Question Text: Primary industry (NAICS code):

User notes: VERIS uses standard NAICS codes to identify industries. Record the appropriate code here, using at least 3 digits of the full 6 digit code (the more specific, the better). If multiple industries apply, enter the code of the business group that experienced the incident. NAICS provides descriptions at http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012.

Question type: text field or enumerated list (single-select)

Variable name: victim.industry (string)

Purpose: Allows industry-specific analysis, trending, and comparisons.

Developer notes: We recommend making it as easy as possible for the user to locate and select the appropriate industry code (e.g., a picklist). If appropriate, auto-populate this field rather than prompting the user for it. The application should be configured to require at least 3 digits of the full 6 digit code in order to provide sufficient specificity.

Miscellaneous:

  • The full 6 digit NAICS code is preferred for industry over selecting from the enumerated list.
  • Use the “Nonstore retailer” code of 454111 for online/eCommerce retailers.

Country of operation

Question Text: Country of operation:

User notes: If multinational, enter the primary location of the business group that experienced the incident.

Question type: enumerated list (single-select)

Variable name: victim.country (string)

Purpose: Allows geographic analysis, trending, and comparisons.

Developer notes: VERIS uses the ISO 3166 codes for the country variable, which can be found here: http://www.iso.org/iso/country_codes.htm. We recommend creating a list in the interface rather than requiring users to enter the correct code.

Miscellaneous: VERIS specifies two datapoints pertaining to the geographic location of the victim: country and region. We include both because each has a slightly different use case. Collecting the country allows more specificity for trending, while the less-specific region provides another level of de-identification. We leave it up to the user to decide which most meets their needs.

State

Question Text: State/region of operation:

User notes: N/A

Question type: text field

Variable name: victim.state (string)

Purpose: Allows more specific in-country geographic analysis, trending, and comparisons if desired.

Developer notes: N/A

Miscellaneous: N/A

Number of employees

Question Text: Approximate number of employees:

User notes: The size of the entire organization is preferred rather than the particular division, branch, location, etc affected. For an independent or individually-owned and operated franchise, however, the size of that particular franchise location is usually more fitting.

Question type: enumerated list (single-select)

Variable name: victim.employee_count (string)

Purpose: Allows analysis, trending, and comparisons based on organizational size.

Developer notes: N/A

Miscellaneous: While the exact number could be used, ranges allow for interesting comparisons and provide some measure of de-identification for data sharing purposes. We have, however, considered moving toward an exact number to enable better correlation and analysis. If you have a preference either way, let us know.

Annual revenue

Question Text: Annual revenue:

User notes: If you plan to share this information and are concerned that the revenue could be used to identify your organization, round the figure sufficiently to provide an extra level of de-identification.

Question type: text field for amount and enumerated list (single-select) for iso_currency_code

Variable name: victim.revenue (comprised of the amount (integer) and iso_currency_code (string)

Purpose: Allows analysis, trending, and comparisons based on organizational revenue (another indicator of size).

Developer notes: An amount and a currency is included. Depending on your circumstances, it may make sense to preset and default currency rather than prompting the user for it each time. We recommend making it as easy as possible for the user to locate and select the appropriate currency code (e.g., a picklist).

Miscellaneous: N/A

Locations Affected

Question Text: Number of locations affected by this incident:

User notes: For instance, a central intrusion that spreads to multiple regional offices. Note: this assumes all locations belong to a single victim organization. If spread across multiple victims, treat as separate incidents.

Question type: text field

Variable name: victim.locations_affected (integer)

Purpose: Gives a sense of scale for the incident with respect to the organization affected.

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about the victim in this incident.

User notes: N/A

Question type: text field

Variable name: victim.notes (string)

Purpose: Catch-alls are handy.

Developer notes: N/A

Miscellaneous: N/A

Additional Guidance

Single vs multiple incidents

  • It is sometimes difficult to determine the difference between multiple separate incidents and a single incident with multiple sequential events. For instance, the August 2013 attack against the New York Times could be seen as one multi-staged incident involving three victims (the Indian ISP, Melbourne IT, and NYT), but could also be considered three distinct, but related, incidents. In such cases, there is no “right or wrong” method, but data quality requires a consistent approach. Standard procedure with VERIS is to treat these as separate incidents that can be associated using the related_incidents field. As a rule, incidents in VERIS have only one primary victim.
  • Mass defacements and DDoS/DoS attacks can make this single vs multiple incident determination particularly difficult. Such reports often state that “547 sites defaced/DoS'd by #Actor” with few other details. It's not possible (at least not without a lot of effort) to determine if that involves a single compromised hosting provider that affected 547 hosted sites, whether those sites represent 547 unique victims, etc. In such cases, record “Mass Event” for the victim_id. Leave country, employee_count, and industry blank unless they are shared by the entire set of victims/sites/etc (e.g., they are all Indonesian). Record the total number of sites (or whatever) defaced/DoS'd in the secondary_amount field. If specific sites or names are given, copy/paste those in the secondary_id feld. Then record whatever other details are given as normal.