NINTH ANNUAL CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 2004

GoCSI.com

The Computer Crime and Security Survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The survey is now in its ninth year and is, we believe, the longest-running survey in the information security field. This year’s survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.

The 2004 survey addresses the major issues considered in earlier CSI/FBI surveys, thus allowing us to analyze important computer security trends. In addition, this year’s survey also addresses several new emerging security issues that have not been considered in previous CSI/FBI surveys. The new issues assessed in this year’s survey include:

(1) the way organizations evaluate the performance of their investments in computer security
(2) the portion of the IT budget organizations devote to computer security
(3) the security training needs of organizations
(4) the level of organizational spending on security investments
(5) the impact of outsourcing on computer security activities
(6) the role of the Sarbanes-Oxley Act of 2002 on security activities
(7) the use of security audits and external insurance.

One way or the other, all of the new issues considered in this year’s survey relate to the economic decisions that organizations make regarding computer security and the way they manage the risk associated with security breaches.[1]

2004 CSI/FBI Computer Crime and Security Survey

© 2004 by Computer Security Institute. All rights reserved.

by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson

KEY FINDINGS

Some of the key findings from the participants in this year’s survey are summarized here. The findings discussed below emphasize changes taking place in the computer security arena, as well as items not considered in previous CSI/FBI surveys.

❒ Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches.

❒ In a shift from previous years, both virus attacks and denial of service outpaced the former top cost, theft of proprietary information. Virus costs jumped to $55 million.

❒ The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

❒ Most organizations conduct some form of economic evaluation of their security expenditures, with 55 percent using Return on Investment (ROI), 28 percent using Internal Rate of Return (IRR), and 25 percent using Net Present Value (NPV).

❒ Over 80 percent of the organizations conduct security audits.

❒ The majority of organizations do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.

❒ The Sarbanes-Oxley Act is beginning to have an impact on information security in some industries.

❒ The vast majority of the organizations view security awareness training as important, although (on average) respondents from all sectors do not believe their organization invests enough in this area.

DETAILED SURVEY RESULTS

NOTE: The dates on the figures refer to the year of the report; the supporting data is based on the preceding year.

ABOUT THE RESPONDENTS

Information on the organizations, and on the individuals representing those organizations, that responded to this year’s survey is summarized in figures 1–4. As figure 1 shows, organizations participating in the survey cover many areas of both private and public sectors. The largest portion of responses came from the financial sector (19 percent), followed by high-tech (13 percent) and manufacturing (12 percent). The portion coming from government agencies (combining federal, state and local levels) was 13 percent, and educational institutions accounted for 7 percent of the responses. The diversity of organizations responding was also reflected in the large portion (19 percent) designated as “Other.”

Figure 1. Respondents by Industry Sector

The size of the organizations that are represented in the survey—as measured by number of employees—can be seen in figure 2. Organizations with 1,500 or more employees accounted for over half of the responses. The single largest size category of organizations responding was the category having from 1,500 to 9,999 employees. This category accounted for 31 percent of all responses. The category covering the biggest of the organizations, those with 50,000 or more employees, made up 7 percent of all responses. While large firms this year again accounted for most of the responses, it is noteworthy that a substantial portion of responses, 19 percent, came from firms having fewer than 100 employees.

Figure 2. Respondents by Number of Employees

Figure 3 shows the composition of the responding commercial enterprises by the annual revenue they generated. Since 57 percent of the firms responding generated annual revenues in excess of $100M, including 37 percent generating annual revenues in excess of $1B, the largest firms in America are well represented. Nevertheless, 20 percent of the responding firms generated annual revenues under $10M.

Figure 3. Respondents by Revenue

New to this year’s survey is a categorization of respondents by job title. Figure 4 illustrates that 18 percent of the respondents were senior executives with the titles of chief executive officer (4 percent), chief information officer (8 percent) or chief security officer (6 percent). The majority (53 percent) of respondents had job titles of security officer, security manager or security director. An additional 9 percent of respondents had the title of system administrator, while 19 percent had various other titles. Given the mission of the Computer Security Institute, it is not surprising that nearly all respondents have crucial information security management responsibilities.

Figure 4. Respondents by Job Description

BUDGETING ISSUES

Past CSI/FBI surveys contained a number of questions related to financial aspects of information security, particularly to the costs associated with information security breaches. Over the years, security managers have become increasingly aware that the financial aspects of information security management demand an increasing portion of their time and effort. Consequently, the 2004 survey was designed to further explore a number of issues related to budgeting and financial management of information security risk.

One new question was aimed at determining the typical size of an organization’s information security budget relative to the organization’s overall IT budget. As seen in figure 5, 46 percent of respondents indicated that their organization allocated between 1 percent and 5 percent of the total IT budget to security. Only 16 percent of respondents indicated that security received less than 1 percent of the IT budget, 23 percent of respondents indicated that security received more than 5 percent of the budget, while 14 percent of the respondents indicated that the portion was unknown to them.

Figure 5. Percentage of IT Budget Spent on Security

Additional new survey questions examined the reported average computer security operating expense and investment per employee. One would expect that as a firm’s revenue grows, the number of employees would also grow, as would the firm’s computer hardware and software needs. Figure 6 is consistent with the notion that as a firm grows, computer security operating and capital expenditures grow less rapidly; i.e., there are economies of scale when it comes to information security. In particular, firms with annual sales under $10M spent an average of approximately $500 per employee ($334 in operating expense and $163 in capital expenditures) on computer security, while the largest firms (those with annual sales over $1B) spent an average of about $110 per employee ($82 in operating expense and $30 in capital expenditures).

Figure 6. Average Reported Computer Security Expenditure per Employee

Spending per employee on computer security is shown in figure 7, broken down by sector for both private and public sector organizations. The highest average computer security spending per employee ($608) was reported by organizations in the transportation sector ($449 of operating expenditures per employee and $159 of capital expenditures per employee). In terms of the operating expenditures on computer security per employee, the next-highest sectors in descending order were the federal government ($261), telecommunications ($209) and high-tech ($183). In terms of the capital expenditures on computer security per employee, the next-highest sectors in descending order were telecommunications ($150), high-tech ($83), followed by the federal government ($61). It is interesting to note that while the federal government reports among the highest computer security spending per employee, local government reports among the least ($17 per employee for each of operating and capital expenditures), and state governments are somewhere in the middle (a total of about $154 combined operating and capital expenditures per employee).

Figure 7. Average Reported Computer Security Expenditure/Investment per Employee

Figure 8. Percentage of Organizations Using ROI, NPV and IRR Metrics

Figure 9. Percentage of Security Function Outsourced

Managers responsible for computer security are increasingly required to justify their budget requests in purely economic terms. There has been considerable discussion of financial metrics used to justify and evaluate investments in computer security at trade and academic meetings, as well as in the computer security journals. Therefore, the 2004 CSI/FBI Survey initiated a new question to determine the popularity of Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR) as financial metrics for quantifying the costs and benefits of computer security expenditures. In particular, survey participants were asked to indicate on a seven-point scale whether they agree or disagree that their organization uses ROI (NPV, IRR) to quantify the cost/benefit aspects of computer security expenditures. A response of 1, 2 or 3 was interpreted as disagreeing with the statement; a response of 4 was interpreted as neither agreeing nor disagreeing; and a response of 5, 6 or 7 was interpreted as agreeing with the statement. Figure 8 illustrates that 55 percent of respondents indicate their organizations use ROI as a metric, 28 percent use IRR and 25 percent use NPV. Although ROI has a number of limitations when compared with NPV and IRR, ROI is by far the most popular metric used.[2] The significant use of NPV and/or IRR may strike some as surprising, given the oft-heard claim that traditional economic analysis is not applicable to investments in the computer security area.
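As an added illustration (not part of the survey), the following Python computes the three metrics named above for two constructed security investments with identical totals, showing the timing difference that ROI alone cannot see but NPV and IRR do; the cash flows and the 10 percent hurdle rate are assumptions made for the example.

```python
"""ROI, NPV and IRR for a security investment.

Added example; the cash flows are constructed for illustration and are not
survey data. cash_flows[0] is the up-front outlay (negative); later entries
are yearly net benefits (expected breach losses avoided minus running costs).
"""
from typing import Sequence


def roi(cash_flows: Sequence[float]) -> float:
    """Undiscounted return on investment: net benefit divided by the outlay.

    Timing is ignored: a benefit in year 5 counts the same as one in year 1.
    """
    outlay = -cash_flows[0]
    if outlay <= 0:
        raise ValueError("cash_flows[0] must be a negative initial outlay")
    return (sum(cash_flows[1:]) - outlay) / outlay


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value at a yearly discount rate: year t is divided by (1+rate)**t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10) -> float:
    """Internal rate of return: the discount rate at which NPV is zero.

    Found by bisection, which needs NPV(lo) and NPV(hi) to differ in sign;
    a conventional flow (one outlay, then only benefits) guarantees that.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no sign change in NPV over [lo, hi]; IRR undefined")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_lo * f_mid <= 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Two constructed security projects with identical totals: each costs 100 and
# returns 120 over two years, but FRONT_LOADED delivers most of it in year 1.
FRONT_LOADED = (-100.0, 60.0, 60.0)
BACK_LOADED = (-100.0, 20.0, 100.0)


def compare(cash_flows_a: Sequence[float], cash_flows_b: Sequence[float],
            rate: float) -> dict:
    """Return (project A, project B) values of each metric at the hurdle rate."""
    return {
        "roi": (roi(cash_flows_a), roi(cash_flows_b)),
        "npv": (npv(rate, cash_flows_a), npv(rate, cash_flows_b)),
        "irr": (irr(cash_flows_a), irr(cash_flows_b)),
    }


if __name__ == "__main__":
    # ROI is identical for both; NPV and IRR rank the front-loaded project higher.
    for name, (a, b) in compare(FRONT_LOADED, BACK_LOADED, 0.10).items():
        print(f"{name}: front-loaded {a:.4f}  back-loaded {b:.4f}")
```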

Two other new areas of inquiry in this year’s CSI/FBI Survey deal with outsourcing cybersecurity and insurance as a tool for managing cybersecurity risks. Outsourcing computer security work is not as common as one might suppose. Only 7 percent of respondents indicated that their organizations outsource more than 20 percent of the security function (see figure 9). In contrast, 63 percent of respondents indicated that their organizations do no outsourcing of the security function. It will be interesting to track the outsourcing percentage in future surveys.

Looking at external insurance to manage cybersecurity risks, we found confirmation that it’s still early days (figure 10). Technical computer security measures such as the use of passwords, biometrics, antivirus software and intrusion detection systems cannot totally reduce an organization’s risk of computer security breaches with their associated financial losses. Hence, it’s natural that organizations would turn to insurance to deal with the risk of substantial financial losses that remain after technical security measures have been instituted. Although insurance companies do not currently have good actuarial data on which to base cybersecurity insurance rates, a number of companies do offer such policies.[3] The survey shows, as noted in figure 10, that less than 30 percent of respondents indicated that their organizations use external insurance to help manage cybersecurity risks. As with the question on outsourcing, the response to this new question will provide a baseline reference to judge future trends in an area receiving considerable interest and discussion in the computer security field.

Figure 10. Does your organization have any external insurance policies to help manage cybersecurity risks?

Figure 11. Unauthorized Use of Computer Systems within the Last 12 Months

Figure 12. How Many Incidents? From Outside? From Inside?

FREQUENCY, NATURE AND COST OF CYBERSECURITY BREACHES

Turning to figure 11, we can see that the overall frequency of (successful) attacks on computer systems declined this year, continuing a trend that began in 2001. This year the percentage of respondents answering that their organization experienced unauthorized use of computer systems in the last 12 months declined to 53 percent, the smallest percentage since this question first appeared in the survey in 1999. Moreover, the percentage of respondents answering that there was no unauthorized use of their organization’s computer systems increased to 35 percent, as the respondents not knowing if such unauthorized use occurred dropped to a low of 11 percent.

Figure 12 also demonstrates that cybersecurity breaches are declining, and the source of the breaches appears fairly evenly split between those originating on the outside and those originating within the organization. The first panel of figure 12 shows that, over the years, the percentage of respondents estimating that their firm experienced between six and ten computer security incidents within the previous year appears to have leveled off at 20 percent, while the percentage of respondents estimating that their firm experienced between one and five computer security incidents increased to 47 percent. This year showed the lowest percentage (12 percent) of respondents estimating that their organization experienced more than ten computer security incidents during the past year.

Figure 13 provides a visual demonstration that attacks on computer systems or (detected) misuse of these systems have been slowly, but fairly steadily, decreasing over many years in nearly all categories. As seen in the figure, there has been a dramatic drop in reports of system penetrations, insider abuse, and theft of proprietary information. Three new categories were added to this year’s survey, and obviously trend data is not available. However, for this year’s survey, 15 percent of the respondents reported abuse of wireless networks, 7 percent reported Web site defacement, and 10 percent reported misuse of public Web applications.

Figure 13. Types of Attacks or Misuse Detected in the Last 12 Months (by percent)

All the organizations covered by this year’s survey experienced some Web site incidents. This is seen in figure 14, which also shows that only 5 percent of respondents reported that their organizations experienced more than ten Web site incidents. The vast majority (89 percent) of respondents indicated that their organizations experienced between one and five Web site incidents in the previous twelve months.

Respondents’ estimates of the losses caused by type of computer security incident are shown in figure 15. A number of important points are related to figure 15, some of which are not readily accessible from inspection of the figure. First, the real story of losses is that the total losses reported (on a per respondent basis) declined. Although the dollar amounts per employee were not available from previous surveys, total losses for 2004 were $141,496,560, down from $201,797,340 in 2003. Second, as in the past, respondents are generally either unable or unwilling to estimate the dollar losses. In this year’s survey, 269 respondents out of a total of 494 provided dollar loss estimates. Third, the virus category emerged for the first time as the incident type generating the largest total losses (replacing theft of proprietary information, which had been the most expensive category of loss for five consecutive years and fell to third). To the extent that this result can be generalized to the whole population, it may be due to last year’s rise in the degree to which virus threats were entwined with denial of service attacks (witness the numerous variants of the MyDoom worm, which carried as its payload a time-triggered denial of service attack program).

Figure 14. Percentage Experiencing Web Site Incidents

Figure 15. Dollar Amount of Losses by Type (2004: 269 respondents; total losses for 2004: $141,496,560). Source: Computer Security Institute

SECURITY TECHNOLOGIES USED

As in previous years, survey takers were asked to identify the types of security technology used by their organizations. This year’s survey, however, updated the categories, clarifying and adding some, and eliminating others (see figure 16).

Several categories addressed systems defending against network attack. As in previous years, antivirus software was reported as being used by 99 percent of the organizations. Nearly all organizations, 98 percent, also reported using firewalls. Intrusion detection systems were being used by 68 percent of the organizations (a 5-percent drop from last year), while 45 percent of the respondents’ organizations jumped on the intrusion prevention system bandwagon. Intrusion prevention systems attempt to identify and block malicious network activity in real time. Although these systems look like firewalls they work differently—firewalls block all traffic except that which they have a reason to pass, while intrusion prevention systems pass all traffic unless they have a reason to block it.
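To make the firewall/IPS distinction above concrete, here is an added example (not from the survey and not modelled on any product) that runs the two decision policies over the same traffic; the allow rules, signatures and sample flows are all constructed for illustration.

```python
"""Default deny versus default allow.

Added example: a firewall passes only traffic it has a reason to pass, an IPS
passes everything it has no reason to block. Rules and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str       # transport protocol, e.g. "tcp"
    dst_port: int    # destination port
    payload: str     # first bytes of application data, as text


def firewall_decide(flow: Flow, allow_rules: Set[Tuple[str, int]]) -> str:
    """Firewall policy: pass only what a rule explicitly permits (fails closed)."""
    return "pass" if (flow.proto, flow.dst_port) in allow_rules else "drop"


def ips_decide(flow: Flow, signatures: Sequence[str]) -> str:
    """IPS policy: drop only what matches a known-bad signature (fails open)."""
    return "drop" if any(sig in flow.payload for sig in signatures) else "pass"


# Constructed policy for a web server that should receive only HTTP and HTTPS.
ALLOW_RULES = {("tcp", 80), ("tcp", 443)}
# Constructed signatures: a path-traversal pattern and a made-up header marker.
SIGNATURES = ["/../", "X-Constructed-Bad-Header:"]

# Constructed traffic mix: benign HTTP, traversal over HTTP, chat traffic on a
# port the firewall never heard of, and a UDP datagram the IPS has no rule for.
SAMPLE_FLOWS = [
    Flow("tcp", 80, "GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    Flow("tcp", 80, "GET /static/../../config.ini HTTP/1.1\r\n"),
    Flow("tcp", 6667, "NICK guest\r\nUSER guest 0 * :guest\r\n"),
    Flow("udp", 53, "constructed dns query bytes"),
]


def evaluate(flows: Iterable[Flow], allow_rules: Set[Tuple[str, int]],
             signatures: Sequence[str]) -> List[Tuple[Flow, str, str]]:
    """Run both policies over the same traffic: (flow, firewall verdict, IPS verdict)."""
    return [(f, firewall_decide(f, allow_rules), ips_decide(f, signatures))
            for f in flows]


def disagreements(results: List[Tuple[Flow, str, str]]) -> List[Tuple[Flow, str, str]]:
    """Flows one control passes and the other drops: each control's blind spot.

    Unknown-protocol traffic is stopped only by the firewall; a known-bad
    payload on an allowed port is stopped only by the IPS.
    """
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS, ALLOW_RULES, SIGNATURES)
    for flow, fw, ips in results:
        print(f"{flow.proto}/{flow.dst_port:<5} firewall={fw:<4} ips={ips}")
    print(f"{len(disagreements(results))} of {len(results)} flows decided differently")
```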

Several categories shown in figure 16 deal with access control. Server-based access control lists were reported to be used by 71 percent of the respondents. Reusable account/login passwords were reported to be used by 56 percent, the use of smart cards and other one-time password tokens was claimed by 35 percent, and biometrics remained flat at 11 percent. Measures to protect information while in transit included encryption of data in transit, reported to be used by 64 percent of respondents, use of encrypted files at 42 percent, and use of public key infrastructure systems at 30 percent.

Figure 16. Security Technologies Used

SECURITY AUDITS AND SECURITY AWARENESS TRAINING

Several new questions in this year’s survey dealt with various aspects of improving computer security (beyond the use of technologies discussed above). Although the industry literature long has suggested using an audit as the first step toward a meaningful information security program, no data had been collected concerning the use of security audits prior to this year’s survey. Make no mistake: audits are widely used, just as the textbooks prescribe. Figure 17 shows that 82 percent of respondents indicated that their organizations conduct security audits.

There’s a noticeable flip side to this statistic, however. While the vast majority of organizations surveyed do use computer security audits, it is a bit surprising that use of security audits is far from universal. Future surveys will help determine if there is a trend in security audit use.

In addition to proposing the use of security audits, the computer security literature makes it clear that organizations should supplement technological security measures with investments in security training. Two new questions in this year’s survey address the extent and importance of security awareness training. First, respondents were asked to rate the degree to which they agreed with the statement, “My organization invests the appropriate amount on security awareness.” Figure 18 illustrates that, on average, respondents from all sectors do not believe that their organization invests enough in security awareness.

Survey participants were also asked to rate the importance of security awareness training to their organizations in each of several areas. Figure 19 shows the percentages of respondents indicating that security awareness was very important (as measured by importance ratings of five or above on a seven-point scale) in the various areas of security. For five of the eight security areas listed, the average rating indicated that training for that area was very important. Security awareness training was perceived most valuable in the areas of security policy (70 percent) and network security (70 percent), followed by access control systems (63 percent), security management (62 percent), and economic aspects of computer security (51 percent). The three areas in which security awareness was perceived to be the least valuable were security systems architecture (47 percent), investigations and legal issues (43 percent) and cryptography (28 percent).

Figure 17. Does your organization conduct security audits?

Figure 18. Organization Invests an Appropriate Amount on Security Training: Mean Values Reported on a Seven-Point Scale

Figure 19. Importance of Security Awareness Training: Percentage of Respondents Identifying as Important

INFORMATION SHARING

Although information sharing has recently been promoted by the Department of Homeland Security and various leaders in the computer security community, this year’s CSI/FBI Computer Crime and Security Survey detected no increase in the disposition to share information about security intrusions. Figure 20 shows how the organizations surveyed responded to computer intrusions in each year of the survey beginning with 1999. The top line shows that more than 90 percent of respondents indicated that their organization responds by patching security holes. The high percentage of organizations that react by patching holes has remained high through the years, and only once dipped below 80 percent. The next line down in the figure shows that only half of all respondents indicated that their organization shares information about a security breach. The percentage sharing did not increase in the past year, and remains at virtually the same level as in the 1999 survey. Surprisingly, as shown by the third line down in figure 20, the latest year shows a noticeable downturn in the percentage of organizations that reported computer intrusions to law enforcement.

Figure 20. If your organization has experienced computer intrusion(s) within the last 12 months, which of the following actions did you take?

Figure 21 summarizes the reasons why organizations did not report intrusions to law enforcement. This figure shows the percentages of respondents identifying each stated reason as being very important (as measured by an importance rating of five or above on a seven-point scale) in the decision not to report the computer intrusion. Over 50 percent of respondents (of those indicating that their organizations would not report an intrusion to law enforcement) cited as very important the perception that the negative publicity would hurt their organization’s stock and/or image.[4] Nearly 35 percent of respondents cited the advantage competitors could use as very important. Only 20 percent of respondents thought that using a civil remedy was a very important reason for not reporting the intrusion. Less than one in five respondents claimed that being unaware of law enforcement’s interest in the breach was a very important reason for failure to report the intrusion. In other words, organizations are aware, by and large, of law enforcement’s role in combating computer security crime, but choose nonetheless not to report most computer crimes.

To add depth to our understanding of information sharing among respondents, the survey this year also asked if organizations belong to an information sharing organization. Although some organizations belong to multiple sharing groups, you can see from the bottom bar in figure 22 that about 57 percent of the respondents indicated that their organizations do not belong to any information sharing organization. About 38 percent of organizations in the survey belong to InfraGard, 18 percent belong to an ISAC, and 26 percent to some other security sharing organization. Overall, the survey results concerning the willingness of organizations to participate fully in information sharing of security breaches are consistent with recent theoretical work by academicians.[5]

Figure 21. Reason organization did not report intrusion to law enforcement: Percentage of respondents identifying as important

Figure 22. Percentage of organizations that belong to an information sharing organization

EFFECT OF SARBANES-OXLEY ACT

Finally, this year’s survey introduced a new question to determine the effect, if any, of the Sarbanes-Oxley Act on information security activities. As shown in figure 23, the respondents in the financial, utility and telecommunications sectors believe the Sarbanes-Oxley Act is having an impact on their organizations’ information security. In contrast, however, most of the respondents in the other sectors did not agree that the Sarbanes-Oxley Act either raised the level of interest in information security in their organizations or shifted the focus in their organizations from technology to corporate governance. Of course, due to the phasing-in nature of the Act, we will have to wait for next year’s survey results to assess the full impact of the Sarbanes-Oxley Act on information security.

Figure 23. Sarbanes-Oxley Act impact on information security: Percentage of respondents that agree

CONCLUDING COMMENTS

Computer-based information systems have been of critical importance to most major organizations for several decades. Since the mid-1990s, the Internet has solidified the central role of computers in the functioning of modern organizations. Concern with computer security has also moved to center stage since the emergence of the Internet.

Computer security has focused on several issues over the years. In the initial stages, computer security focused largely on technical issues like encryption, access controls and intrusion detection systems. More recently, as highlighted by the results of this year’s CSI/FBI Computer Crime and Security Survey, economic, financial and risk management aspects of computer security have also become important concerns to today’s organizations. These latter concerns are complements to, rather than substitutes for, the technical aspects of computer security.

The more knowledge we have about the causes and consequences of computer security breaches, as well as the way organizations address computer security issues, the more likely it is that computer security will improve. The survey results presented in this report represent what we hope to be valuable additions to this required knowledge base. As with earlier CSI/FBI Computer Crime and Security Surveys, the overall objectives underlying this year’s survey are to assess the key trends surrounding computer security and to identify important changes emerging on the computer security landscape. Future CSI/FBI surveys will continue to focus on these twin objectives.

A NOTE FROM ROBERT RICHARDSON, CSI’S EDITORIAL DIRECTOR

CSI offers the survey results as a public service. The report is free at the CSI Web site (GoCSI.com).

The participation of the FBI’s San Francisco Computer Crime Squad office has been invaluable. Over the years, the squad has provided input into the development of the survey and acted as our partners in the effort to encourage response. This year, Special Agent Shelagh Sayers was instrumental in providing insight for the newly developed survey questions. We should note, however, that CSI has no contractual or financial relationship with the FBI. The survey is simply an outreach and education effort on the part of both organizations. CSI funds the project and is solely responsible for the results.

New to the undertaking this year, as readers will certainly already have noticed, is the involvement of three academicians (their biographies are below) who specialize in the economics of information security. These three have graciously joined me in co-authoring this report. Both I and the entire CSI team thank the academic team of Gordon, Loeb and Lucyshyn and look forward to future collaborations.

Opinions offered in this report are those of the authors and not necessarily those of the Federal Bureau of Investigation, Computer Security Institute, or any other organization.

About the Authors: Lawrence A. Gordon is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance in the Robert H. Smith School of Business at the University of Maryland ([email protected]). Martin P. Loeb is Professor of Accounting and Information Assurance and Deloitte & Touche Faculty Fellow in the Robert H. Smith School of Business at the University of Maryland ([email protected]). William Lucyshyn is Visiting Senior Research Scholar in the School of Public Affairs at the University of Maryland ([email protected]). Robert Richardson is Editorial Director at the Computer Security Institute ([email protected]).

NOTES

[1] For an overview of the impact of economics on information security, see Lawrence A. Gordon and Robert Richardson, “The New Economics of Information Security,” InformationWeek, March 29, 2004, pp. 53-56.

[2] For a discussion of the limitations of ROI, see Lawrence A. Gordon and Martin P. Loeb, “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance, November 2002, pp. 26-31.

[3] For examples of such insurance firms and further analysis of cybersecurity insurance, see Lawrence A. Gordon, Martin P. Loeb, and Tashfeen Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, March 2003, pp. 81-85.

[4] This is consistent with recent research by Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou (“The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448) that found reports of security breaches can adversely affect a firm’s stock price.

[5] See Lawrence A. Gordon, Martin P. Loeb, and William Lucyshyn, “Sharing Information on Computer Systems: An Economic Analysis,” Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485.


Contact Information

For referrals on specific criminal investigations: Shelagh Sayers, Special Agent, San Francisco FBI Computer Crime Squad, (415) [email protected], subject line: CSI Report. For general information: www.nipc.gov

For information on the CSI/FBI study: Robert Richardson, Editorial Director, Computer Security Institute, [email protected]. For general information: GoCSI.com

How CSI Can Help

The results of this survey clearly indicate that the stakes involved in information systems security have risen. Your organization is vulnerable to numerous types of attack from many different sources and the results of an intrusion can be devastating in terms of lost assets and good will. There are steps you can take to minimize the risks to your information security and Computer Security Institute can help.

Computer Security Institute (CSI) is the world’s premier membership association and education provider serving the information security community, dedicated to advancing the view that information is a critical asset and must be protected. Through conferences, seminars, publications and membership benefits, CSI has helped thousands of security professionals gain the knowledge and skills necessary for success. For 31 years, CSI conferences and training have won the reputation as being the most well-respected in the industry.

As a member of CSI you are linked to a high-powered information source and an organization dedicated to providing you with unlimited professional development in one package.

Contact CSI: Phone 415-947-6320, Fax 415-947-6023, E-mail [email protected]

Not a CSI member? To start receiving the Alert, Computer Security Journal and other Membership benefits, go to GoCSI.com or call 866-271-8529.

Conferences:
31st Annual Computer Security Conference & Exhibition, November 8-10, 2004, Washington, D.C. The world’s largest conference devoted to computer and information security.
NetSec 2005, June 13-15, 2005, Scottsdale, AZ. A balanced perspective of managerial and technical issues makes this the most popular conference devoted to network security.
32nd Annual Computer Security Conference & Exhibition, November 14-16, 2005, Washington, D.C.

Training on a wide variety of topics including: Awareness, Risk Analysis, Policies, Social Engineering, Intrusion Prevention, Wireless Security

FrontLine End User Awareness Newsletter
TopLine Executive Newsletter
Working Peer Groups

Membership Benefits:
• Computer Security Alert
• Computer Security Journal (quarterly)
• SecurCompass® Automated Standards-based Program Assessment and Design Tool
• Discounts on conferences, training and publications

