12

What resources exist to research data on actual security incidents?

I would prefer an online resource but offline resources are acceptable. The cost of access should be less than $100 (US) for access to a statistically significant number of incidents. I would prefer databases that include more than just media reported security incidents.

I know of one online database, RISI, but a membership there is $995 (US) for 3-month access to their database. Are there similar databases at a lower cost?

this.josh

4 Answers

7

Ones I tend to draw on:

Verizon Data Breach Report - this is generally considered THE source on data breaches

Krebs Java Security Report - Krebs is very well respected - various studies, of which this is a grand example

WHID Security Report - also very useful

These are all freely available online, and updated versions are available annually (or more often in the case of Krebs).

Rory Alsop

5

My group has often used the OSF DataLoss DB for some comparative statistical analysis. By and large the data is gathered through public sources, either reported on the web or by issuing Freedom of Information requests to the various agencies that process breach notifications.

The real benefit is that this information is free, and made available as a downloadable database. As such, post-processing can go very nicely and smoothly.

Scott Pack

1

It's more at the meta level of what happens the most, and doesn't cover specific incidents in detail, but every year the US gov't releases the Top 25 Dangerous Software Errors, which references the Common Weakness Enumeration, which is a breakdown of every known category of vulnerability.

2011's top 25 can be found here.

Justin C
  • 2
    While that list is great for some purposes, it is a list of vulnerabilities rather than a list of breaches. If you want to find out what bad guys are actually exploiting or what failures are occurring in the field, a list of common vulnerabilities doesn't help much. – D.W. Jul 16 '11 at 05:38