2003 CSI/FBI Computer Crime and Security Survey
By Robert Richardson

The Computer Crime and Security Survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigations Computer Intrusion Squad. The survey, now in its eighth year, has the distinction of being the longest-running survey in the information security field. As in previous years, the survey paints a compelling portrait of just how often crime occurs on computer networks and just how expensive such crime can be.

Based on the responses of 530 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the 2003 findings once again show that there is no shortage of attacks, but suggest this year that the severity and cost of these attacks has trended downward for the first time since 1999.

Despite the lower number for aggregate financial losses among survey respondents, the most important conclusion one must draw from the survey remains that the risk of cyber attacks continues to be high. Even organizations that have deployed a wide range of security technologies can fall victim to significant losses. Furthermore, the percentage of these incidents that are reported to law enforcement agencies remains low. So attackers may reasonably infer that the odds against their being caught and prosecuted remain strongly in their favor.

ABOUT THE RESPONDENTS

Those answering the survey represent companies and organizations across the spectrum of modern life. Some 17 percent are from high-tech companies; an additional 15 percent come from the financial sector. Government agencies make up, in total, about 15 percent of the survey responses. Thus, about half of the responses come from quarters where it's hardly surprising that computer security would be an important concern. This tracks closely to previous years, although those answering "Other" rose to 17 percent from just 5 percent in the 2002 survey.

[Figure: Respondents by industry sector, 2003 (530 respondents/100%; totals 101% due to rounding). Legible sectors: High-Tech 17%, Financial 15%, Medical 8%; Telecom and Transportation also shown. Source: Computer Security Institute]

[Figure: Respondents by number of employees, 2003 (528 respondents/99%). Legible values: 1 to 99: 18%; 100 to 499: 16%; 500 to 999: 7%; 1,000 to 5,000: 22%. Source: Computer Security Institute]

More than half of the organizations represented in the survey employ more than 1,000 employees, with approximately one-quarter of the respondents (28 percent) reporting more than 10,000 employees. This roughly corresponds to revenues: 34 percent report more than $1 billion in annual revenues.

While this clearly shows that large-scale corporate America is well represented both among the CSI membership and among survey respondents, it is not the case that the experiences of small business find no voice in the survey. In fact, 18 percent of respondents work at organizations with 99 or fewer employees and 23 percent work at organizations reporting less than $10 million in annual revenues.

Those actually answering the survey questions are, not surprisingly, security professionals. They are, furthermore, self-selecting and one presumes are more likely to be sensitive to security incidents than are those who are not affiliated with professional organizations such as CSI. These are people who are paying attention to computer crime and who have a direct interest in stopping it.

SURVEY HIGHLIGHTS

While the percentage of respondents reporting some form of unauthorized computer use remained approximately the same as in previous years, the financial losses reported for these losses plummeted. Fifty-six percent of respondents reported unauthorized use, compared to 60 percent last year (and compared to an average of 59 percent over the previous seven years of the survey). The total annual losses reported in the 2003 survey were $201,797,340, a figure that is down 56 percent from the high-water mark of $455 million reported last year. It should be noted, though, that this figure is in line with figures reported prior to 2001. Additionally, it is important to remember that this figure is simply the total losses reported by a specific number of organizations (251 of them)
[Figure: Respondents by annual revenue, 2003 (393 respondents/74%). Legible values: Under $10 million 23%; $10 to $99 million 19%; $100 to $500 million 15%. Source: Computer Security Institute]
and is not any kind of more broadly extrapolated total.

OTHER KEY FINDINGS

The overall number of significant incidents remained roughly the same as last year, despite the drop in financial losses.

As in prior years, theft of proprietary information caused the greatest financial loss ($70,195,900 was lost, with the average reported loss being approximately $2.7 million).

In a shift from previous years, the second most expensive computer crime among survey respondents was denial of service, with a cost of $65,643,300.

Losses reported for financial fraud were drastically lower, at $10,186,400. This compares to nearly $116 million reported last year.

As in previous years, virus incidents (82 percent) and insider abuse of network access (80 percent) were the most cited forms of attack or abuse.

Respondents again weighed in strongly opposed to the idea of hiring reformed hackers (68 percent were against).

The percentage of those who reported suffering incidents in the prior year who said they reported those incidents to law enforcement remained low (30 percent).

SECURITY TECHNOLOGIES USED

For the sixth consecutive year, survey takers were asked what kind of security technologies they had employed to protect their organizations. Though not all questions on the survey are answered by all respondents, the question that queries the use of various sorts of technology is answered by 99 percent (525 of 530) of the respondents.

Virtually all organizations use anti-virus software (99 percent) and firewalls (98 percent). As one might expect, most (91 percent) employ some kind of physical security to protect their computer and information assets and most employ some measure of access control (92 percent).
4
2003 CSI/FBI Computer Crime and Security Survey
49
38
8
Digital IDs 42
34
20
003
73 20
002
60 20
001
Intrusion Detection 61
50
42 20
000
19
999
35
PCMCIA
39
91
84
4
Physical Security 90
91
58
50
5
Encrypted Login 53
50
46
98
89
9
Firewalls 95
7
78
91
47
Reusable Passwords 48
54
61
99
9
90
Anti-virus Software
100
98
69
58
58
Encrypted Files
62
6
61
6
11
10
Biometrics 9
8
9
92
82
Access control 9
90
92
9
93
0 20 40 60 80 100
Percentage of Respondents
80
70
20
003
64
62 20
002
60
0
60 56
6 20
001
Percentage of Respondents
20
0
000
19
999
40
29
9
27
7
25
21
16
6 17
7
20
15
5
12
2 111 12
2
CSI/FBI 2003 Computer Crime and Security Survey 2003: 524 Respondents/99%
Source: Computer Security Institute 2002: 481 Respondents/96%
2001: 532 Respondents/99.6%
2000: 585 Respondents/91%
1999: 512 Respondents/98%
These last two categories are perhaps an appropriate moment to say something about the nature of these sorts of responses. The survey itself is deliberately kept very short and has been left largely the same over its eight-year lifespan (this in the interest of preserving trend information). Thus, respondents are asked to interpret various possible answers on the survey according to their own understanding of the security industry and its terminology. For the most part, this is a sensible approach: most of the terminology within the industry is sufficiently settled that there isn't much question about what it means when the survey asks, for instance, whether firewalls are in use. There isn't much debate about what a firewall is.

In the case of physical security, though, the term is arguably overly broad. Some respondents may interpret this question to be asking simply whether the office premises as a whole are locked during the off hours. Others may quite justifiably interpret the question to be asking whether there are specific measures (special alarms or locked areas) designed to protect computer and network assets.

Perhaps the most interesting aspect of this particular finding, then, is that almost one in ten organizations do not use any extra physical precautions to protect their computer assets. It is quite possible, in other words, that they do not have server equipment within specially locked rooms or that they do not equip mobile equipment such as notebook computers with locking cables.

While access control as a category is well understood, it makes for a broad question. We would anticipate that any organization that required users to provide passwords for access would answer in the affirmative. So, again, it's interesting that 8 percent of respondents say no, they do not employ access control. Of the 48 respondents who said they didn't use access control, only six said they produced revenues in excess of $1 billion, with two of those answering that they used reusable passwords. In contrast, 23 (or almost half) of the respondents not using access control were reporting from organizations with less than $100 million in revenues.

[Figure: chart data not legible in this copy; totals 101% due to rounding. Source: Computer Security Institute]

Apparently those not using access controls have made their security decisions with appropriate insight: they are not among the respondents who report financial losses at the higher end of the spectrum. Indeed, none of these 48 respondents reports a financially significant loss of proprietary information.

Among the past year's buzzword technologies, intrusion detection systems (IDSs) were widely deployed (73 percent) and biometrics were not (11 percent). Not surprisingly, though, the organizations that deployed biometrics were more likely than the average organization in the sample to deploy other leading-edge technologies. Some 83 percent of organizations using biometrics said they used encrypted logins; 72 percent used digital IDs or certificates; and 87 percent said they used file encryption. These figures compare to overall averages of 58 percent using encrypted logins, 49 percent using digital IDs or certificates, and 69 percent using file encryption.
[Figure: Year-by-year percentages of respondents, 1999-2003 (chart title and values not legible in this copy). 2003: 445 Respondents/84%; 2002: 481 Respondents/96%; 2001: 384 Respondents/72%; 2000: 443 Respondents/68%; 1999: 324 Respondents/62%. Source: Computer Security Institute]
That last statistic (69 percent of respondents using file encryption) may indicate a mild upward trend. This is up from 58 percent last year, which would be a statistically significant uptick. The five-year average for this question is 59 percent, which lends credence to the notion that the use of encrypted files is increasing.

Regardless of the tools used, it is still the case that many respondents simply do not know what's going on within their networks. Fifteen percent of respondents say they don't know whether there was any unauthorized use of their computer systems last year. This is disturbing, one could argue. At the same time, however, it's about the same percentage as always: the average for the past seven years of the survey was that 16.3 percent didn't know.

PROPRIETARY INFO

Throughout the survey's history, the theft of proprietary information has been one of the costliest forms of computer crime. Indeed, since 1999 it has consistently topped the rankings of reported financial losses. This shouldn't be surprising in an economy where a great deal of overall productivity hinges on information and highly technical know-how.

Within the world of the Internet, issues surrounding intellectual property were front and center in 2002. The high-profile news items weren't necessarily about the theft of trade secrets, which is the greater threat to most companies, but even focus on copyright infringement has created a climate in which interest in encryption-based controls such as Microsoft's new Digital Rights Management server has increased steadily.

Major intellectual property issues last year included the Supreme Court's consideration of Congress's 1998 extension of the terms of U.S. copyright. What critics termed the "Disney Bill" because it extended (among plenty of other things) that company's control over its Mickey Mouse character, was the eleventh extension to copyright terms in 40 years. The Supreme Court's decision wasn't delivered until January 2003, but the writing was already on the wall in the latter half of 2002: Congress could do what it wanted with copyright terms.

That Congress would want to make terms longer is a clear expression of a general change in corporate and government sensibilities toward more clear and outright ownership of intellectual property. Within this framework, the RIAA was particularly active last year. In April, the organization won a $1 million out-of-court settlement in a suit against Integrated Information Systems (IIS), which had run an internal server where employees traded MP3 files that the RIAA claimed infringed thousands of copyrights. Another settlement with Audiogalaxy.com forced what had been a Napster-like music-trading service into newfound respectability, such that the service now is subscription based and charges users on a per-track basis for the right to burn songs to their own CDs. In September the group obtained a subpoena to obtain subscriber information from Verizon in order to track down the identity of an alleged copyright infringer, an unprecedented move against an individual rather than a company. And although they weren't saying much about it, the RIAA worked rather diligently behind the scenes last year to poison the well for music traders, creating and distributing bogus files that appear to be real song files but that in fact contain noise or, in one case in 2003, Madonna cursing out her fans.

This doesn't mean there wasn't plenty of conventional theft of business information. Consider the case of Richard Glenn Dopps, who pleaded guilty to one felony count of obtaining information from a protected computer. Here's the summary from the Department of Justice's Web page on computer crime cases:

    Until February 2001, Dopps was employed by The Bergman Companies (TBC), a contracting firm based in Chino. After leaving TBC to go work for a competitor, Dopps used his Internet connection to gain access to TBC's computer systems on more than 20 occasions. Once Dopps was inside the TBC systems, he read e-mail messages of TBC executives to stay informed of TBC's ongoing business and to obtain a commercial advantage for his new employer.

    Dopps' unauthorized access into TBC's computer system caused approximately $21,636 in damages and costs to TBC.

There are plenty more where this came from. Indeed, browsing through the DOJ's case list (at

[Figure: Percentage of respondents by year, 1999-2003; panel labels: Hackers, Competitors, Employees. 2003: 488 Respondents/92%; 2002: 414 Respondents/82%; 2001: 484 Respondents/91%; 2000: 583 Respondents/90%; 1999: 460 Respondents/88%. Source: Computer Security Institute]

[Figure: Attack types by year, 1999-2003, percentage of respondents. Categories: Denial of Service, Laptop, Telecom Fraud, Unauthorized Access by Insiders, Financial Fraud, Insider Abuse of Net Access, System Penetration, Telecom Eavesdropping, Sabotage, Theft of Proprietary Info.]

[Figure: Attack types by year, 1999-2003, number of respondents. Categories: Denial of Service, Laptop Theft, Telecom Fraud, Unauthorized Access, Theft of Proprietary Info, Financial Fraud, Sabotage, System Penetration.]

[Figure: Dollar amount of losses by type, 2003 (251 Respondents/47%). Legible values: Virus $27,382,340; Laptop Theft $6,830,500. Source: Computer Security Institute]
[Figure: Percentage of respondents by year, 1999-2003 (chart title and values not legible in this copy). 2003: 503 Respondents/95%; 2002: 472 Respondents/94%; 2001: 509 Respondents/95%; 2000: 603 Respondents/93%; 1999: 479 Respondents/92%. Source: Computer Security Institute]

[Figure: Percentage of respondents by year, 1999-2003 (chart title and values not legible in this copy). 2003: 135 Respondents/25%; 2002: 244 Respondents/49%; 2001: 211 Respondents/40%; 2000: 120 Respondents/18%; 1999: 92 Respondents/18%. Percentage totals 101% due to rounding. Source: Computer Security Institute]
2003, Microsoft began showing prototype variants of its Windows operating system that would natively support this hardware.

Although Microsoft and Intel have both tried to keep the focus of these efforts on the way they protect software from tampering, numerous observers have pointed out that the same mechanisms are exactly what's needed for systems that manage access and use of data: Digital Rights Management systems. Indeed, critics of these trusted computing initiatives argue that what they really do is secure content providers from would-be copyright infringers (and corporations from whistle-blowers, who presumably will no longer be able to send copies of incriminating documents to the press or government agencies), rather than securing users from outside attacks.

The effects of all this on computer security in the real world, needless to say, will take some time to assess, perhaps as much as five to ten years.

FINANCIAL FRAUD

The survey first asked about losses due to financial fraud in 1997, at which time 12 percent of respondents acknowledged detecting financial fraud. This year's 15 percent reporting financial fraud is the highest level seen in the history of the survey, but is only 1 percent over the previous high, recorded in 1999. So while it's possible that the increase marks the beginning of an upward trend, it seems somewhat more likely that the rate of financial fraud loss has stayed more or less constant, hovering around 13 to 14 percent.

What's really startling about the financial fraud numbers this year, however, are the reported financial losses, which are roughly one-tenth what they were last year. It is probably not reasonable to assume anything at all about the broader situation in the U.S. business world, but it may indeed be the case that the sample group in the survey has enjoyed a better-than-average experience in the past year. While 15 percent of respondents reported financial loss (slightly more than in previous years), it is also the case that the most expensive loss reported was $4 million. This is a fraction of last year's highest reported loss, which was $50 million. That single reported instance last year was nearly five times higher than all the losses reported due to financial fraud this year.

As one would expect, the average loss due to financial fraud this year was correspondingly lower than previous years. This year's average of $328,594 was literally millions less than the previous three years, when the averages were $4,632,000 in 2002, $4,420,738 in 2001, and $1,646,941 in 2000.

[Figure: WWW Site Incidents: Did the Attacks Come From Inside or Outside? Percentage of respondents by year, 1999-2003; panels: Inside, Outside, Both. 2003: 181 Respondents/34%; 2002: 209 Respondents/42%; 2001: 163 Respondents/31%; 2000: 153 Respondents/23%; 1999: 125 Respondents/24%. Source: Computer Security Institute]

[Figure: WWW site incidents by type. Legible values: Vandalism 36%; Denial of Service 35%; Other 19%; Theft of Transaction Information 6%; Financial Fraud 4%.]

WHERE TO FIND EXPERTISE

One of the ongoing debates in the information security industry concerns the efficacy of hiring hackers who claim to have reformed. 2002 was an interesting year in this respect because it saw the return to active (but legal) duty of one of society's more widely known hackers, Kevin Mitnick. After a 1995 arrest and conviction on several counts of computer crime the following year, Mitnick was released from prison in 2000. Various restrictions in the terms of his release kept him laying low for a while, but in 2002 he published a book on social engineering, The Art of Deception, and launched a consulting company, Defensive Thinking. The thinking among most of the survey respondents, though, seems to be that the best defense is steering clear of reformed hackers.

The reasoning among security practitioners seems to be that hackers may reform themselves, but there's no compelling reason to rely on that fact, given that there are lots of skilled practitioners who don't have hacker backgrounds. Yes, it may muddy the waters that some hackers are convicted, where many others commit the same crimes uncaught, and thus can present clean credentials. And yes, it may be possible to hire ex-hackers in roles where they aren't handed access to sensitive production systems. But most respondents don't seem inclined to lose sleep over these distinctions.

The survey asks whether respondents would consider hiring a reformed hacker and the answers are emphatic. Respondents have a habit of answering this question with emphatic circling, exclamation points, and notes scrawled in the margin to support their position (this doesn't happen elsewhere on the survey form).

Only 15 percent say they would hire ex-hackers. By contrast, 68 percent say they wouldn't, with 17 percent unsure of their position on the subject.

As a general proposition, though, it would appear that having been caught and successfully prosecuted as a computer criminal is not a sure ticket to later success in the security industry, as three-quarters of the marketplace would rather not hire you.

STILL NOT REPORTING

The aim of the annual CSI/FBI Computer Crime and Security survey is not only to gather data on the dark side of cyberspace, but to foster greater cooperation between law enforcement and the private sector so that there is a viable deterrent to cyber crime.

[Figure: Percentage of respondents by year, 1999-2003 (chart title and values not legible in this copy). 2003: 513 Respondents/97%; 2002: 442 Respondents/88%; 2001: 524 Respondents/98%; 2000: 620 Respondents/96%; 1999: 506 Respondents/97%. Source: Computer Security Institute]
For the first three years of the survey, only 17 percent of those who suffered serious attacks reported them to law enforcement.

In subsequent years, that number roughly doubled. The current year's numbers remain at roughly this doubled level, with 30 percent saying they reported their incidents to law enforcement.

Why isn't this number larger? Only 45 percent of overall survey respondents answered a question about why they didn't report incidents to law enforcement, but of those, fully 53 percent said they were not aware that they could report these incidents. While this may seem strange, given that plenty of hacking cases get high-profile media coverage (and the authorities are obviously very much involved in them), it makes more sense in that it isn't always obvious who to turn to when someone has been hacking, say, your Web storefront's customer database. Should you turn to the local police? By and large, you won't get much help there. Should you turn to the FBI? In some cases they can help you and in others they can't (but it sure doesn't hurt to call).

An interesting story that made the rounds early in 2002 makes clear the difficulties that sometimes arise when dealing with cyber crime. Jason Eric Smith sold his Apple Powerbook via eBay, delivering it c.o.d. and receiving what turned out to be a forged bank cashier's check. Now, admittedly, this isn't a case of corporate high-tech hacking and it isn't even directly a case of theft over the wire. On the other hand, it's a straightforward online fraud case where a crime was clearly committed: the check was forged. Even when Smith went to the trouble of tracking down the forger himself, though, he couldn't get authorities to break off work from larger cases to drive out and make the arrest. The theft was below the FBI's $5,000 threshold and similarly not a sufficiently significant counterfeiting case for the Secret Service to pursue. Eventually, though, Smith got his man by working with a local police department. Says Smith in a write-up of his pursuit (at www.remodern.com/caught.html):

    After talking to two detectives in Chicago, an FBI field agent, an agent in the New Orleans field office of the Secret Service, an agent with the L.A. Secret Service, and having a conference call with a large group of agents from the Chicago Secret Service, I finally was getting somewhere.

[Figure: Percentage of respondents by year, 1999-2003 (chart title and values not legible in this copy). 2003: 376 Respondents/71%; 2002: 389 Respondents/77%; 2001: 345 Respondents/64%; 2000: 407 Respondents/63%; 1999: 295 Respondents/57%. Source: Computer Security Institute]

ABOUT THE SURVEY

The CSI/FBI Computer Crime and Security Survey has historically been a fairly informal undertaking, and this year is no exception. Its aim is to heighten security awareness, promote information protection, and encourage cooperation between law enforcement and the private sector.

Informality notwithstanding, there are reasons to have a fair degree of confidence in the statistical rigor of the survey's findings. First, the same survey has been administered for eight straight years and the results this year are certainly quite plausible when compared to averages and trendlines from previous years.

A second point has to do with the nature of the sample taken in this survey. It is certainly true that survey recipients are not randomly chosen. They come from a group of security professionals and, among that wider group, they are self selected.

If we ask what the result of that self-selection may be, however, it seems likely that this doesn't undermine the validity of what's reported. These are people who are paying good attention to the security postures and experiences of their organizations. They're arguably in a better position than most, in other words, to know what incidents they've suffered in the past year. It isn't always obvious when a computer system has been attacked (note as proof of this that 22 percent of respondents don't know whether their Web sites were hacked last year), so it stands to reason that people who are paying close attention might provide better-informed responses than those who are not.

[Figure: Percentage of respondents by year, 1999-2003 (chart title and values not legible in this copy). 2003: 241 Respondents/45%; 2002: 143 Respondents/28%; 2001: 151 Respondents/28%; 2000: 209 Respondents/32%; 1999: 107 Respondents/20%. Source: Computer Security Institute]

Of course, it is also possible that this group might have reason to overstate their losses, as a way of arming themselves with dire statistics to bring to their bosses when the budgeting season rolls around. While this may have seemed likely in the several years when total financial losses moved inexorably upward, it's harder to support this theory given the significant drop in reported losses in this year's survey. Beyond that, though, the self-interest theory (if one can call it that) is built on the notion that respondents are somehow aware of some group capability to fudge the numbers and are acting on that notion. If that were the case, one would expect to find most respondents reporting losses in most categories (why not push up all the losses, after all?). But this is not how individual answers look: most respondents only report three or four categories of loss. Furthermore, considerably more respondents claim various kinds of attacks than report losses for those attacks. One might expect every attack to have a price if the overall interest was padding the numbers.

[Table: Total annual losses reported, as printed: 265,337,990; 377,828,700; 455,848,000; 201,797,340 (the last two correspond to the $455 million reported for 2002 and the $201,797,340 reported for 2003 cited in the text). Source: Computer Security Institute]

Assuming that respondents are honest and the numbers legitimate, there is still the basic problem of surveys: they never are as unassailable as you'd like them to be. This survey, like most others, is at best a series of snapshots of how people in the trenches viewed their situation at a given time.

CSI offers the survey results as a public service. The report is free at the CSI Web site (www.gocsi.com), where a hardcopy edition can also be ordered as a print-on-demand document (this is offered at cost).

The participation of the FBI's San Francisco office has been invaluable. They provided input into the development of the survey and acted as our partners in the effort to encourage response. But we have no contractual or financial relationship with the FBI. It is simply an outreach and education effort on the part of both organizations. CSI funds the project and is solely responsible for the results.

Opinions offered in this study are those of the author and the individuals cited and not necessarily those of the Federal Bureau of Investigation, Computer Security Institute, or any other organization.
CONTACT INFORMATION

For referrals on specific criminal investigations:
Mary Kimura, Special Agent
San Francisco FBI Computer Crime Squad
22320 Foothill Blvd., Hayward, CA 94541
Ph: 510-886-7447
nccs-sf@fbi.gov
For general information, go to www.nipc.gov

For information on the CSI/FBI study:
Robert Richardson, Editorial Director
Computer Security Institute, Home Office
Ph: 610-604-4604, Fax: 610-604-4606
rrichardson@cmp.com
For general information, go to www.gocsi.com

Contact CSI
Phone 415-947-6320
Fax 415-947-6023
E-mail csi@cmp.com
Visit us online at www.gocsi.com

Not a CSI member? To start receiving the Alert, Computer Security Journal and other membership benefits, go to www.gocsi.com or call Ron Cylc, Membership Coordinator, at 215-396-4004.