One of the first classes I took in my Ph.D. program gave us a research assignment to "develop some new information security metrics". I settled on the topic of data breaches, and decided to take a look at them from a statistical standpoint. I looked in the academic literature, and most of the papers dealt with the cost of the breach from a standpoint of the stock value or capital markets. I found one paper that looked at breaches betwen 2003 and 2005, which was before most of the current data breach laws had come online.
I did a study on the problem, turned in a paper with the results (I think I had just over 1,000 incidents) and got an A. I had been bitten by the bug--it was too late. I kept up the study, looking for new insights to be found in the data. I added incidents over time, and found new sources as well. Eventually, I had a database with 2,807 incidents over the span of 5 years.
I wanted to publish the study so that the widest possible audience could benefit from the information. I'm happy to announce the publications of The Leaking Vault - Five Years of Data Breaches. I hope you find the contents useful.