Survey Says…

Oct. 27, 2008
CSI/FBI Computer Crime and Security Survey shows losses down, incidents up.
Have you read the 2005 Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the FBI? CSI is a worldwide association “dedicated to advancing the view that information is a critical asset and must be protected.” On the surface, this mission statement might seem like a low hurdle, but experience has taught us that the lowest common denominators are growth and profits, not security.

The CSI/FBI Computer Crime and Security Survey has been conducted every year since 1999. While it has its flaws, it is the best available survey of its type that provides a historic record of the impact of computer crime on the American economy.

In 2005, approximately 5,000 information security practitioners in the United States were asked to complete the CSI/FBI Crime and Security survey. Seven hundred practitioners responded—that’s about a 13% return rate, which is better than average for a mass mail-out.

I encourage you to read the full survey for yourselves. It can be downloaded from the Publications section of the CSI Web site at www.GoCSI.com. Here are my thoughts on some of the survey’s key findings.

Finding 1: Worms and viruses cause the greatest amount of financial loss. Respondents reported more than $42 million in losses due to viruses and worms. For each of the next two categories, “unauthorized access” and “theft of proprietary information,” respondents reported losses of approximately $31 million.
The survey says 97% of respondents run firewalls, 96% run anti-virus programs, and 72% have intrusion detection systems. If your organization is among those that don’t run these systems, shame on you. The failure of an American corporation (particularly one large enough to have a security organization) to install firewalls and an anti-virus program or to engage a managed services provider is completely irresponsible. This type of negligence facilitates the continued propagation of viruses.

Finding 2: Losses are down. The total dollar amount of losses resulting from cybercrime is decreasing, according to the survey. The 639 respondents willing to answer this question reported total 2005 losses of more than $130 million. In 2004, 269 respondents reported more than $141 million in losses. Broken down per respondent, the decrease is significant: roughly $200,000 per respondent in 2005 against roughly $525,000 in 2004, a drop of more than half.

If true, this is an interesting finding, particularly because approximately half of the responding companies spend 5% or less of their IT budgets on security (SOX compliance expenditures apparently are not included in this calculation). Or are losses down simply because fewer significant cybercrimes are being reported?

Finding 3: Web page incidents have increased. The survey shows Web page incidents to be among the fastest-growing types of attack, although such attacks seem to cause the least financial loss.

Be sure to include your corporate Web page when you assess the value of corporate assets. Everyone faces the challenge of limited resources—time, manpower, and money. First assess your assets, and then secure each asset according to its value to the corporation.

Finding 4: Outsourcers are the minority. The majority of responding companies—63%—do not outsource computer security.
Outsourcing some of the operational aspects of computer security to a vetted American security company makes good sense for some companies. Always maintain oversight and managerial control through well-crafted SLAs.

Finding 5: Purchase of cyber insurance remains low. Only 25% of respondents said their companies carried cybercrime insurance.
Perhaps this is related to the trend to not report cyber incidents. If you don’t report a cyber attack, you can’t file a claim. In the absence of publicly available evidence, insurance actuaries may have set the premium/risk ratio too high. This will balance out over time. Cyber insurance is a good thing if the premiums are commensurate with the actual risk.

Finding 6: Reporting has declined. The percentage of organizations reporting computer intrusions to law enforcement and legal counsel has declined consistently since 2001.

The primary reason given by respondents was fear of negative publicity and its impact on company stock and image. The second reason given was that competitors would use the information to their advantage. At this point, I’m going to resist giving my lecture on severity, celerity, and certainty—the three essential components of our deterrent system of justice. This is another example of profits being the lowest common denominator. An effective system of justice places responsibilities on the public and the private sector as well as law enforcement and government.

Finding 7: The use of financial metrics declined. The percentage of respondents using return on investment (ROI) dropped from 55% in 2004 to 38% in 2005; the percentage using net present value (NPV) dropped from 28% in 2004 to 18% in 2005.

My reaction to this? Good! I do not support the use of traditional financial metrics, such as ROI, return on security investment (ROSI), or NPV, to evaluate security expenditures. I recommend using an international security template such as ISO 17799 and overlaying a security maturity model. For more information, see “Repositioning the CISO” in ST&D’s July 2005 issue.

The survey states that two areas showed a significant increase in the average dollar loss reported per respondent:
1) unauthorized access to information, and
2) theft of proprietary information.
If the recent $15 million judgment against ChoicePoint had been included in this report, the numbers would be even more dramatic. It may take several more such judgments before companies learn that good security means good business.

Bob Wynn is the former director and state chief information security officer for the State of Georgia. His 20 years in the security field include experience in senior security management, infrastructure protection, computer crime investigations, policy writing and achieving compliance with federal regulations. For six years, Mr. Wynn has been an instructor at the FBI National Academy in Quantico, VA, specializing in cyber-terrorism, trends in computer crime, and the behaviors and motivations of computer-aided criminals.