Computer Crime and Security Analysis Report


In order to compile the 2008 report on computer crime and security, the Computer Security Institute (CSI) sent out five thousand surveys to member companies and the organizations of people who had attended security events, such as conferences. Of the five thousand surveys, five hundred and twenty-two were completed and returned. The following is an analysis of CSI’s findings, with particular regard to total respondents and total loss, the top five attack types, and how the attacks likely occurred.
The Survey Respondents
Five hundred and twenty-two organizations responded to the survey requests, or a little more than ten percent. The largest organization types to participate were financial institutions (22%), consulting firms (15%), federal and state agencies (13%), information technology organizations (9%), health services (7%), educational institutions (7%), and manufacturing (5%) (Robert Richardson, 2008, p.5). The remaining respondent organizations, which included law enforcement, military, retail, and transportation, made up much smaller percentages. The average financial loss to these organizations was $288,618, for a total loss of $150.7 million across the 522 organizations.
The most expensive security incidents were financial fraud, with an average cost of $500,000. The next most expensive incident type was bot-network breaches, with an average cost of $350,000 (Robert Richardson, 2008, p.2). Only 1% of surveyed organizations said that they did not have any kind of network security plan (Robert Richardson, 2008, p.2). A quarter of those who participated in the survey were security officers for their organization.
The Top Five Security Incidents and Analysis
Of the incidents that were reported, the top five most common were virus infection with 50%, insider abuse at 44%, laptop/mobile device theft at 42%, unauthorized access with 29%, and denial of service (DoS) attacks at 21% (Robert Richardson, 2008, p.15). The fact that virus infection was the highest reported security incident has a couple of likely causes. The first likely cause is the lack of an email security policy, or employees who ignore the policy. Traditionally email has been the most likely vector of computer virus transmission, but more recently, malicious and compromised websites have become a major source. According to Dennis O'Reilly, “Now infections are more likely to occur after you browse to an infected Web site or download and open a file” (2009). The other likely cause of many virus infections is a lack of antivirus software, or antivirus software that is not regularly updated.
Insider abuse and laptop theft are not entirely unpreventable, as with many network threats, but both of these threats can be discouraged by having formal policies in place in which the organization takes a zero-tolerance stance on these activities.
