June 11, 2004

New CSI/FBI Computer Crime and Security Survey Out

For the past 9 years the Computer Security Institute has done a joint study with the FBI on computer crime and security. The 2004 study has just been released and you can get it here.

Here are some of the key findings in this year's research:

  • Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches.
  • In a shift from previous years, the most expensive computer crime over the past year was due to denial of service.
  • The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.
  • Most organizations conduct some form of economic evaluation of their security expenditures, with 55 percent using Return on Investment (ROI), 28 percent using Internal Rate of Return (IRR), and 25 percent using Net Present Value (NPV).
  • Over 80 percent of the organizations conduct security audits.
  • The majority of organizations do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.
  • The Sarbanes-Oxley Act is beginning to have an impact on information security in some industries.
  • The vast majority of the organizations view security awareness training as important, although (on average) respondents from all sectors do not believe their organization invests enough in this area.

If you are in the infosec space, you really should take some time and read the report. You can really get a trend analysis of what has changed in the last few years, and where the industry will be going.

Posted by SilverStr at June 11, 2004 09:38 AM