Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Controversial security report finds lower losses
Published: 2006-07-17

The Computer Security Institute released their annual survey last week finding that corporate losses due to cybersecurity incidents had fallen for the fifth straight year, but critics questioned the study's methodology.

The survey, which collected 616 responses from the CSI's membership, found that the average loss reported by respondents fell to $168,000 in 2005 from $204,000 in 2004, but only half of respondents gave information on losses. The study also found that more companies are willing to report cybercrimes, increasing to 25 percent in 2005 from 20 percent in the prior two years.

However, critics have charged that the survey is not a representative snapshot of the cybersecurity problem. Gartner analyst Rich Mogull questioned the results (PDF), stressing that the industry does not have an agreed-upon definition and cost calculation for security incidents or for intellectual property loss. Another security professional and a regular contributor to the Emergent Chaos blog, Chris Walsh, added that the number of members that responded to the survey seemed too low to present a meaningful picture.

In a response to critics of the report, CSI editor Robert Richardson stressed that the numbers reported by members did not seem out of line with the industry as a whole.

"The takeaway here is simply that the seemingly low average losses in the CSI/FBI survey aren’t anomalous--unless one wanted to argue that they were too high," Richardson stated in the posting. "They are roughly in line with numbers in other surveys that have attempted to get a handle on financial losses."

The debate comes as anecdotal evidence of costly cybercrimes emerges, including the loss--and then recovery--of a laptop and external hard drive with nearly 26.5 million names, social security numbers and birth dates of U.S. veterans. Moreover, costs of cybercrime increase quickly, especially if the bill is used in the prosecution of suspected wrongdoer. The investigation and mitigation of a computer flaw in an online database at the University of Southern California totaled $140,000, according to the school--a number that will be used in prosecuting Eric McCarty--who found the flaw--and could have a major impact on sentencing.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus