Controversial security report finds lower losses
Robert Lemos, 2006-07-17
Controversial security report finds lower losses 2006-07-18
Stephen Cobb
Like many in the computer security business, I consider the annual Computer Security Institute/FBI survey worth reading. However, as some of my colleagues have been pointing out for years, it has serious limitations as a basis for decision-making.

The classic paper on this is Dr. Michel Kabay's "Understanding Studies and Surveys of Computer Crime" which can be read here:

http://www2.norwich.edu/mkabay/methodology/crime_stats_methods.htm

I believe the original 2001 version of this paper was published at the NIST conference and eventually became the basis for Chapter 4 of "The Computer Security Handbook, 4th Edition" (Wiley, 2002).

If you go back six or seven years, such surveys were useful--despite their flaws--because they at least offered 'proof' that computer crime was happening. That meant you could put one in front of a manager or executive who was still in denial and hopefully change his or her mind. But I have always been concerned about the year-to-year numbers that the CSI/FBI survey generates, especially now that they are diverging from what everyone seems to be experiencing as reality: there is more computer crime now than there has ever been. It is more aggressive, better funded, and quicker to exploit new avenues of system and user abuse.

Are many enterprises better shielded than they have ever been? Yes, but billions of dollars are still being lost each year and we are still a long way from quantifying the problem.

If you look back over the last 18 months you can easily document the admitted exposure of over 100 million records containing sensitive personal data belonging to Americans. Clearly, security has a long way to go.

Stephen Cobb, CISSP

Author, Privacy for Business


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/255/1223#1223

Copyright 2009, SecurityFocus