Sep 24, 2008

Security Incidents vs Reporting

Adam Shostack has brought up a nice question regarding identity theft statistics. Whether actual incidents are up, or whether more people are simply reporting such incidents, is a question that should always be asked when calculating statistics.

Take for instance the number of cross-site scripting vulnerabilities as reported by the National Vulnerability Database:

The increasing numbers for this type of vulnerability could be due to several factors:
  • More Web 2.0 applications.
  • More sophisticated attacks.
  • More awareness and reporting of this type of vulnerability.

Just food for thought...

