CSI/FBI STUDY SAYS: SECURITY BREACHES ON THE RISE
The Computer Security Institute (CSI) last week released
its fifth annual survey on computer crime and security.
Conducted with the assistance of the FBI's Computer
Intrusion Squad, the survey found that computer crimes
have increased in number, severity and cost.
Respondents included 643 U.S. computer security
personnel in businesses, government agencies and
nonprofit organizations. Ninety percent of respondents
reported at least one breach of computer security in
1999. Some 70 percent reported more severe breaches of
security, including theft of proprietary information,
fraud, system penetration (27 percent), denial-of-service
(DoS) attacks (25 percent) and sabotage. While 74 percent
acknowledged financial losses due to security breaches,
only 42 percent would put a dollar figure to their
losses. Those 273 respondents reported a total of $265
million in losses. The average annual total loss reported
over the last three years was $120 million.
The figures show increases in security breaches, the
severity of breaches and the dollar losses due to
computer crime. However, "the results do not mean that
dollar losses from computer crime have necessarily
doubled in the past year," says Dorothy E. Denning,
professor of Computer Science at Georgetown University.
"This year, 273 respondents quantified their losses,
compared with only 163 last year. Looking at the average
loss per company (of those that reported figures), the
increase is up from about $76,000 to about $97,000 --
significant, but less dramatic."
Furthermore, the numbers, in the past, have been heavily
skewed by a few companies that suffered staggering
losses, Denning says. For example, in 1998, three
companies accounted for $90 million of the $137 million
total reported losses. "Thus, there are at least three
possible explanations for the larger figures," she says.
"One, the problem is indeed getting worse and more costly
for companies; two, companies are keeping better tabs on
the costs of computer crimes; or three, a few companies
suffered enormous losses, which heavily impacted the
results. I expect that all of these are factors."
"Although the CSI survey is valuable, it always suffers
from the same problem: self-selection of the
respondents," says M. E. Kabay, security leader of the
information security group at Adario, a Menlo Park,
Calif.-based consulting firm. "Differences from group to
group and from year to year inevitably confound several
sources of variation, including possible differences in
the underlying phenomena, in the nature of responses and
in the nature of the respondents."
Moreover, there are those who believe that the numbers
are, in fact, too optimistic. "I think we are still
conservatively reporting these costs," says Robert
Moskowitz, senior technical director at ICSA.net.
Winn Schwartau, chief operating officer of Seminole,
Fla.-based consulting firm The Security Experts, agrees.
"The best guesses today range from $20 billion to $300
billion in annual losses [nationally]," he says. "The
FBI's and my studies suggest that the higher figure is
closer to the truth. What this shows is that the amount
of crime reported was higher than last year, which seems
to indicate that computer crime is up. Unfortunately,
with computer crime, there is no clear cut means to value
my losses and compare them to your losses without a
metric to do so."
However, seeing an increase in computer crime is no
surprise to Clark L. Staten, CEO of the Chicago-based
Emergency Response & Research Institute. "It's something
we have been warning about for a number of years," he
says. "Willie Sutton said he robbed banks 'because that's
where the money is.' The same can be said for the
Internet today: That's where the money is flowing and
where the security may not be of the same quality as that
which protects the brick-and-mortar corporate and
For more information on the CSI/FBI report, visit