2006 CSI/FBI computer crime and security survey

Computer Security Journal

Volumn 22, Issue 3, 2006, Pages 1-21

  Gordon, Lawrence A ^a,c   Loeb, Martin P ^a,b,c   Lucyshyn, William ^c   Richardson, Robert ^d  

^a UNIVERSITY OF MARYLAND   (United States)

^b Department of Accounting and Information Assurance ^*  (United States)

^c UNIVERSITY OF MARYLAND   (United States)

^d Computer Security Institute ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SECURITY INVESTMENTS; CYBER INSURANCE; SECURITY AUDITS; SECURITY SURVEY;

DATA PRIVACY; INVESTMENTS; LARGE SCALE SYSTEMS; SECURITY OF DATA;

COMPUTER CRIME;

EID: 33749646491     PISSN: 02770865     EISSN: None     Source Type: Trade Journal    
DOI: None     Document Type: Article

References (8)

1. For a discussion of the limitations of ROI, see Lawrence A. Gordon and Martin P. Loeb, "Return of Information Security Investments: Myth vs. Reality, " Strategic Finance, November 2002, pp. 26-31.
2. For further analysis of the economics underlying cybersecuriy insurance, along with examples of cyber insurance policies, see Lawrence A. Gordon, Martin P. Loeb and Tashfeen Sohail "A Framework for Using Insurance for Cyber Risk Management, " Communications of the ACM, March 2003, pp. 81-85.
3. See http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.
4. This is consistent with recent research by Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb and Lei Zhou ("The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, "Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448) that found reports of security breaches can adversely affect a stock's firm price.
5. See Lawrence A. Gordon, Martin P Loeb and William Lucyshyn, "Sharing Information on Computer Systems: An Economic Analysis," Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, pp. 461-485.
6. The new version of OMB Circular A-123 - the implementing guidance for the Federal Managers Financial Integrity Act requires agency heads to accept responsibility for, and annually assert to the effectiveness of their internal controls over financial reporting, similar to Section 404 of the Sarbanes - Oxley Act.
7. A 2003 Federal Trade Commission identified about $48 billion in losses to institutions and an additional $5 billion in losses to individuals. Although not pan of this CSI/FBI survey, the FTC findings help to explain the perception of losses much larger than the respondents indicated.
8. Readers interested in a more detailed explanation on how to use economics/financial metrics in managing cybersecurity resources should see Managing Cybersecurity Resources: A Cost-Benefit Analysis, by Lawrence A. Gordon and Martin P. Loeb (2006).