Pitt IS 2150 - COMPUTER CRIME AND SECURITY

This preview shows page 1-2-3-27-28-29 out of 29 pages.


ELEVENTH ANNUAL CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 2006

GoCSI.com

by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson

© 2006 by Computer Security Institute. All rights reserved.

The Computer Crime and Security Survey is conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The survey is now in its 11th year and is, we believe, the longest-running continuous survey in the information security field. This year’s survey results are based on the responses of 616 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.

The 2006 survey addresses the major issues considered in earlier CSI/FBI surveys, thus allowing us to analyze important computer security trends. The long-term trends considered include:

❏ Unauthorized use of computer systems;
❏ The number of incidents from outside, as well as inside, an organization;
❏ Types of attacks or misuse detected, and;
❏ Actions taken in response to computer intrusions.

This year’s survey also addresses several emerging security issues that were first probed only with the 2004 CSI/FBI survey. All of the following issues relate to the economic decisions organizations make regarding computer security and the way they manage the risk associated with security breaches:

❏ Techniques organizations use to evaluate the performance of their computer security investments;
❏ Security training needs of organizations;
❏ Organizational spending on security investments;
❏ The impact of outsourcing on computer security activities;
❏ The use of security audits and external insurance;
❏ The role of the Sarbanes–Oxley Act of 2002 on security activities, and;
❏ The portion of the information technology (IT) budget organizations devote to computer security.

This year’s questionnaire also included some questions being introduced for the first time. In particular, an open-ended question about the current concerns of respondents has provided insight into the relative perceived urgency of concerns about issues such as data protection and instant messaging.

KEY FINDINGS

Some of the key findings from the participants in this year’s survey are summarized below:

❏ Virus attacks continue to be the source of the greatest financial losses. Unauthorized access continues to be the second-greatest source of financial loss. Financial losses related to laptops (or mobile hardware) and theft of proprietary information (i.e., intellectual property) are third and fourth. These four categories account for more than 74 percent of financial losses.
❏ Unauthorized use of computer systems slightly decreased this year, according to respondents.
❏ The total dollar amount of financial losses resulting from security breaches had a substantial decrease this year, according to respondents. Although a large part of this drop was due to a decrease in the number of respondents able and willing to provide estimates of losses, the average amount of financial losses per respondent also decreased substantially this year.
❏ Despite talk of increasing outsourcing, the survey results related to outsourcing are similar to those reported in the last two years and indicate very little outsourcing of information security activities. In fact, 61 percent of the respondents indicated that their organizations do not outsource any computer security functions. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is rather low.
❏ Use of cyber insurance remains low, but may be on the rise.
❏ The percentage of organizations reporting computer intrusions to law enforcement has reversed its multi-year decline, standing at 25 percent as compared with 20 percent in the previous two years. However, negative publicity from reporting intrusions to law enforcement is still a major concern for most organizations.
❏ Most organizations conduct some form of economic evaluation of their security expenditures, with 42 percent using Return on Investment (ROI), 21 percent using Internal Rate of Return (IRR), and 19 percent using Net Present Value (NPV). These percentages are all up from last year’s reported numbers. Moreover, in open-ended comments, respondents frequently identified economic and management issues such as capital budgeting and risk management as among the most critical security issues they face.
❏ Over 80 percent of the organizations conduct security audits.
❏ The impact of the Sarbanes–Oxley Act on information security continues to be substantial. In fact, in open-ended comments, respondents noted that regulatory compliance related to information security is among the most critical security issues they face.
❏ Once again, the vast majority of the organizations view security awareness training as important. In fact, there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.

DETAILED SURVEY RESULTS

NOTE: Dates on the figures refer to the year of the report (i.e., 2006). The supporting data is based on the 2005 calendar year.

Information on the organizations and the individuals representing those organizations that responded to this year’s survey are summarized in figures 1 through 4. To encourage respondents to share information about occasions when their defenses were overrun and, in particular, to provide data regarding financial damages, the survey is conducted anonymously. A necessary result of this is that direct longitudinal analyses are not possible. Generally speaking, however, the demographics of survey respondents have remained consistent over the past

