How to Use Statistics in Your Awareness Program: A Look at the 2004 CSI/FBI Computer Crime and Security Survey
Robert Richardson, Editorial Director, Computer Security Institute
Called the cops?
Respondents by Industry
By industry sector (Figure 1):
• Utility: 5%
• Manufacturing: 12%
• Local Gov.: 3%
• Other: 19%
• Transportation: 1%
• Telecom: 2%
• Financial: 19%
• Legal: 1%
• Federal Gov.: 7%
• State Gov.: 3%
• Retail: 3%
• Medical: 6%
• High Tech: 13%
• Education: 7%
Respondents by Employees
By number of employees (Figure 2):
• 1 – 99: 19%
• 100 – 499: 15%
• 500 – 1,499: 13%
• 1,500 – 9,999: 31%
• 10,000 – 49,999: 14%
• 50,000 or more: 7%
Respondents by Revenue
By revenue (Figure 3); 2004: 392 respondents
• Under $10M: 20%
• $10M – $99M: 23%
• $100M – $1B: 20%
• Over $1B: 37%
Respondents
Called the cops?
Crime Reporting
The Eternal Question
• Can I use anything you just told me for my awareness program?
• Not exactly….
Types of attack by percent
Chart: percentage of respondents reporting each attack type, by year, 1999–2004. Categories: Denial of Service, Laptop/Mobile Theft, Telecom Fraud, Unauthorized access to information, Virus, Financial Fraud, Insider Abuse of Net Access, System Penetration, Sabotage, Theft of Proprietary Info, Abuse of Wireless Network, Web Site Defacement, Misuse of Public Web Application. (Per-year values are not recoverable from the slide text.)
Highlighted on the slide: Virus, Insider Abuse, Laptop/Mobile Theft.
Statistics reduced to their essence…
Coffee Cup Deviation
Chart labelled "Figure 15: dollar losses" (axis -1 to 2; no values recoverable from the slide text).
Cybercrime Losses
Figure 15: dollar losses. Chart in millions of dollars, 2002–2004, by category: Virus, DoS, Theft of Info, Insider Abuse. (Values are not recoverable from the slide text.)
Average Cybercrime Losses
Chart: average dollar losses in thousands, 1999–2004 (axis 0 to 3,500; values are not recoverable from the slide text).
How to Use…
• Average losses in a survey of about 500 security professionals were down for the third straight year.
• While this is good news (paying attention to security seems to reduce crime), it's also true that identity fraud, the costs of which aren't directly measured in this survey, is skyrocketing.
Tell a Credible Truth
• Be sure the base in survey statistics is justified
• Consider the magnitude of change arising from possible different interpretations of data
14) What is the total monetary value of losses your organization sustained due to electronic crimes or system intrusions in 2003?
We do not track monetary losses due to electronic or related crimes (Base: 500): 32.4%
(Base: 338)
• $100 million or more: 0.3%
• $10 million to $99.9 million: 2.4%
• $1 million to $9.9 million: 5.0%
• $500,000 to $999,999: 5.0%
• $100,000 to $499,999: 11.2%
• Less than $100,000: 26.3%
• Don't know/not sure: 49.7%
Source: CSO magazine/U.S. Secret Service/CERT Coordination Center.
CSO/Secret Service/CERT Survey
Mean: $3,920,000
Median: $100,000
Sum*: $666,000,000
*Sum figure calculated using midpoints within each range.
Source: CSO magazine/U.S. Secret Service/CERT Coordination Center.
Respondent counts behind the percentages (Base: 338)
• $100 million or more: 0.3%, 1 respondent
• $10 million to $99.9 million: 2.4%, 8
• $1 million to $9.9 million: 5.0%, 17
• $500,000 to $999,999: 5.0%, 17
• $100,000 to $499,999: 11.2%, 38
• Less than $100,000: 26.3%, 89
• Don't know/not sure: 49.7%, 168
Sum valuing each answer at the midpoint of its range (the open-ended top range at its floor of $100 million)
• $100 million or more: 1 × $100,000,000 = 100,000,000
• $10 million to $99.9 million: 8 × $54,950,000 = 439,600,000
• $1 million to $9.9 million: 17 × $5,450,000 = 92,650,000
• $500,000 to $999,999: 17 × $750,000 = 12,750,000
• $100,000 to $499,999: 38 × $300,000 = 11,400,000
• Less than $100,000: 89 × $50,000 = 4,450,000
Total: 660,850,000
Don't know/not sure: 49.7% (no dollar value assigned)
Same counts, valuing each answer at the bottom of its range instead (the lowest range kept at $50,000)
• $100 million or more: 1 × $100,000,000 = 100,000,000
• $10 million to $99.9 million: 8 × $10,000,000 = 80,000,000
• $1 million to $9.9 million: 17 × $1,000,000 = 17,000,000
• $500,000 to $999,999: 17 × $500,000 = 8,500,000
• $100,000 to $499,999: 38 × $100,000 = 3,800,000
• Less than $100,000: 89 × $50,000 = 4,450,000
Total: 213,750,000
Don't know/not sure: 49.7% (no dollar value assigned)
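The two slide totals above differ only in how each bucketed answer is turned into a dollar figure. The script below is an added example, not part of the original slides or of the CSO/Secret Service/CERT survey; it takes the respondent counts and ranges exactly as the slides give them and recomputes the total under the midpoint rule and the low-end rule, then reports how far the headline moves and how many of the 500 people surveyed actually contributed a number. The two valuation rules, the treatment of the $999,999 upper bound as $1,000,000 (needed to reproduce the slide's $750,000 midpoint), and the 500-person denominator for the coverage figure are my assumptions about how the slide arithmetic was done.

```python
"""Sensitivity of a bucketed-loss survey total to the valuation rule.

Added example (not from the slides). Counts and ranges are the ones shown on
the slide (Base: 338); the valuation rules are assumptions about how the two
slide totals were produced.
"""

# (label, low, high, respondents). high=None means the range is open-ended.
# Assumption: $999,999 / $499,999 upper bounds are treated as $1,000,000 /
# $500,000 so the midpoints match the slide ($750,000 and $300,000).
BUCKETS = [
    ("$100 million or more",           100_000_000, None,        1),
    ("$10 million to $99.9 million",    10_000_000, 99_900_000,  8),
    ("$1 million to $9.9 million",       1_000_000,  9_900_000, 17),
    ("$500,000 to $999,999",               500_000,  1_000_000, 17),
    ("$100,000 to $499,999",               100_000,    500_000, 38),
    ("Less than $100,000",                       0,    100_000, 89),
]
DONT_KNOW = 168          # "Don't know/not sure" on the slide
SURVEYED = 500           # everyone who was asked question 14 (Base: 500)
TRACK_BASE = 338         # those who said they do track losses


def midpoint_value(low, high):
    """Slide rule 1: value an answer at the middle of its range.
    The open-ended top range has no midpoint, so use its floor."""
    return low if high is None else (low + high) / 2


def lower_bound_value(low, high):
    """Slide rule 2: value an answer at the bottom of its range.
    The lowest range bottoms out at $0, so keep its midpoint ($50,000),
    which is what the slide does."""
    return (low + high) / 2 if low == 0 else low


def total_losses(valuer):
    """Sum of (per-answer value x respondents) over the six dollar buckets."""
    return sum(valuer(low, high) * n for _, low, high, n in BUCKETS)


def answering_base():
    """Respondents whose answer carries a dollar figure at all."""
    return sum(n for _, _, _, n in BUCKETS)


def effective_coverage():
    """Share of everyone surveyed whose answer feeds the total:
    'don't track' (32.4% of 500) and 'don't know' (49.7% of 338) both drop out."""
    return answering_base() / SURVEYED


def headline_sensitivity():
    """Relative drop in the total when switching from midpoint to low-end valuation."""
    mid, low = total_losses(midpoint_value), total_losses(lower_bound_value)
    return (mid - low) / mid


def report():
    """Human-readable summary of the same figures (stand-alone use)."""
    assert answering_base() + DONT_KNOW == TRACK_BASE, "counts do not add up"
    lines = [
        f"Midpoint total:   ${total_losses(midpoint_value):>15,.0f}",
        f"Low-end total:    ${total_losses(lower_bound_value):>15,.0f}",
        f"Headline shrinks by {headline_sensitivity():.1%} on valuation rule alone",
        f"Answers with a dollar figure: {answering_base()} of {SURVEYED} surveyed "
        f"({effective_coverage():.0%})",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The point for an awareness talk is the last two lines of the report: the same raw answers support a total anywhere between roughly $214 million and $661 million depending on a choice the survey reader never sees, and that total rests on 170 of 500 organizations. Quoting the $666 million figure without saying so is the kind of unjustified base the slide warns against.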
IT Budget Allocation
Per Employee
Tools & Technology
Awareness
Financial Metrics
Anecdotes Make Stats Real
• The number of bot-infected computers declined from 30,000+ a day in July to an average of less than 5,000 a day by December, according to Symantec. (The Register)
• The [Honeynet Project] report pointed out that "more than one million hosts are compromised and can be controlled by malicious attackers", although it warned that this was a probable underestimate. The company also made an estimate as to the scope of distributed denial of service (DDoS) attacks. In the tracking period, from November 2004 to January 2005, Honeynet detected a staggering 226,585 IP addresses joining at least one of the channels being monitored. (Techworld.com)
• An executive at a satellite TV firm in Massachusetts has been charged with hiring several botnets to disrupt the websites of three rivals, costing one of their web-hosting firms $1 million. (New Scientist.com)
Tie to Policy
• Obviously, anyone acting like this executive would be dismissed and possibly criminally prosecuted.
• Policies used to "lock down" systems are in part in place to prevent your system from becoming a "bot."
• If your system is compromised, it may be used to perpetrate crimes.
Takeaways
• Use believable stats – explain important elements such as sample skew.
• Graphic representations of comparison stats are often easier to interpret.
• Keep it positive (for the most part).
• Relate statistics to anecdotes, then tie to policies.
Contact: Robert [email protected]