Respond to Cybercrime and Security Trends
2005 - A recent survey report by the Computer Research Institute,
with the participation of the San Francisco Federal Bureau
of Investigation’s (FBI) Computer Intrusion Squad, analyzed
important computer security trends. Key findings include the
The Sarbanes-Oxley Act (SOA) has begun to affect information
security in more industry sectors. The 2004 survey introduced
a question to determine how SOA affects information security
activities. Out of 14 sector categories, respondents in
eight (utility, high-tech, manufacturing, medical, telecommunications,
educational, financial, and other) believe SOA affects
their organization’s information security. In contrast,
last year’s survey showed an impact in only five
sector categories. The survey report recognizes that,
due to the phased-in nature of Sarbanes-Oxley, a greater
impact on information security may be seen in future years.
Computer virus attacks continue as the source of the greatest
financial losses. Unauthorized access, however, showed
a dramatic cost increase and replaced denial of service
as the second-most significant contributor to computer
crime losses during the past year.
Financial losses resulting from cybercrime are decreasing.
Two areas, however—unauthorized access to information
and theft of proprietary information—showed significant
increases in average loss per respondent.
Website defacement and similar incidents have increased
dramatically, but are still insignificant compared to
virus attacks and unauthorized use of systems.
State governments currently have the largest information-security
investment per employee of all industry/government segments.
Despite a perception of increasing outsourcing, survey
results indicate very little outsourcing of information
security activities. Among organizations that do outsource
computer security activities, the percentage of activities
outsourced is low.
Despite many articles on the emerging role of cybersecurity
insurance, its use remains low.
The percentage of organizations reporting computer intrusions
to law enforcement has continued to decline over the past
several years. The key reason cited for not reporting
intrusions to law enforcement is concern about negative
A significant number of organizations conduct some form
of economic evaluation of their security expenditures,
with 38% using return on investment (ROI), 19% using internal
rate of return (IRR), and 18% using net present value
More than 87% of the responding organizations conduct
security audits, up from 82% last year.
The vast majority of respondents view security awareness
training as important. On average, however, respondents
do not believe their organization invests enough in it.
an October presentation of the survey findings, Bruce Helman,
head of the FBI cybercrimes squad, noted that large e-commerce
websites are the most vulnerable to cybercrime, including
extortion. To report all types of cybercrime, Helman recommended
the Internet Crime Complaint Center (www.ic3.gov;
report on the survey, the tenth annual study conducted by
the Computer Research Institute with the participation of
the San Francisco FBI’s Computer Intrusion Squad,
is available at the CSI website, www.gocsi.com.