CSI/FBI STUDY SAYS: SECURITY BREACHES ON THE RISE

The Computer Security Institute (CSI) last week released its fifth annual survey on computer crime and security. Conducted with the assistance of the FBI's Computer Intrusion Squad, the survey found that computer crimes have increased in number, severity and cost.

Respondents included 643 U.S. computer security personnel in businesses, government agencies and nonprofit organizations. Ninety percent of respondents reported at least one breach of computer security in 1999. Some 70 percent reported more severe breaches of security, including theft of proprietary information, fraud, system penetration (27 percent), denial-of-service (DoS) attacks (25 percent) and sabotage. While 74 percent acknowledged financial losses due to security breaches, only 42 percent would put a dollar figure on their losses. Those 273 respondents reported a total of $265 million in losses. The average annual total loss reported over the last three years was $120 million.

The figures show increases in security breaches, the severity of breaches and the dollar losses due to computer crime. However, "the results do not mean that dollar losses from computer crime have necessarily doubled in the past year," says Dorothy E. Denning, professor of Computer Science at Georgetown University. "This year, 273 respondents quantified their losses, compared with only 163 last year. Looking at the average loss per company (of those that reported figures), the increase is up from about $76,000 to about $97,000 -- significant, but less dramatic."

Furthermore, the numbers, in the past, have been heavily skewed by a few companies that suffered staggering losses, Denning says. For example, in 1998, three companies accounted for $90 million of the $137 million total reported losses. "Thus, there are at least three possible explanations for the larger figures," she says. "One, the problem is indeed getting worse and more costly for companies; two, companies are keeping better tabs on the costs of computer crimes; or three, a few companies suffered enormous losses, which heavily impacted the results. I expect that all of these are factors."

"Although the CSI survey is valuable, it always suffers from the same problem: self-selection of the respondents," says M. E. Kabay, security leader of the information security group at Adario, a Menlo Park, Calif.-based consulting firm. "Differences from group to group and from year to year inevitably confound several sources of variation, including possible differences in the underlying phenomena, in the nature of responses and in the nature of the respondents."

Moreover, there are those who believe that the numbers are, in fact, too optimistic. "I think we are still conservatively reporting these costs," says Robert Moskowitz, senior technical director at ICSA.net.

Winn Schwartau, chief operating officer of Seminole, Fla.-based consulting firm The Security Experts, agrees. "The best guesses today range from $20 billion to $300 billion in annual losses [nationally]," he says. "The FBI's and my studies suggest that the higher figure is closer to the truth. What this shows is that the amount of crime reported was higher than last year, which seems to indicate that computer crime is up. Unfortunately, with computer crime, there is no clear-cut means to value my losses and compare them to your losses without a metric to do so."

However, seeing an increase in computer crime is no surprise to Clark L. Staten, CEO of the Chicago-based Emergency Response & Research Institute. "It's something we have been warning about for a number of years," he says. "Willie Sutton said he robbed banks 'because that's where the money is.' The same can be said for the Internet today: That's where the money is flowing and where the security may not be of the same quality as that which protects the brick-and-mortar corporate and financial institutions."

For more information on the CSI/FBI report, visit http://www.gocsi.com/prelea_000321.htm