Computer Crime & Security Survey

Transcription

1 3 rd Japan & US Computer Crime & Security Survey Katsuya Uchida Associate Professor Institute of Information Security Graduate School of Information Security Intentionally blank

2 Respondents by Number of Employees Respondents: = 699 Japan= 1,002 Respondents by Revenue Respondents: = 549 Japan=898

3 Respondents by Industry Sector Financial Hightech Manufacturing Federal Government Medical Educational State Government Telecommunication Utilities Local Government Transportation Retail Legal Others 17% 1 7% 6% 4% 4% 1 Manufacturing Retail Educational Construction Telecommunication Government Complex retail Transportation Financial Real estate Food / Hotel Medical / Welfare Hightech Utilities Legal Others 34% 14% 1 8% 7% 0% 0% 6% Respondents: = 699 Japan= 1,004 Respondents by Job Description Respondents: = 690 Japan= 1,004

4 Number of PCs Respondents: Japan= 1,004 Percentage of IT Budget Spent on Security = 690 Japan = 964 Japan 1 16% 1 24% 16% 3 24% 18% 6 7% 8% 6% 8 10% 1 10% 8% 1 Unknown 1 2 Respondents: = 690 Japan= 1,004

5 Percentage of Organizations Using ROI, NPV and IRR Metrics Japan ROI NPV IRR Unknown Not Calc Respondents: = 599 Japan= 980 Organizations with External Insurance Against Cybersecurity Risks Respondents: = 652 Japan= 997

6 Organizations Conducting Security Audits Respondents: = 681 Japan= 997 Percentage of Security Function Outsourced Respondents: = 682 Japan= 923

7 Average Percent of Security Outsourced By Organization Revenue Respondents: = 682 Japan= 923 Security Technologies Used AntiVirus Software Firewall Serverbased Access Control Lists Intrusion Detection System : IDS Encryption for data in transit Reusable account/login passwords Intrusion Protection System : IPS Encryption files Smart cards/other onetime password tokens One time passwords Public Key Infrastructure Biometrics Others 96% 97% 70% 7 68% % % % 27% % Respondents: = 687 Japan= 987

8 Unauthorized Use of Computer Systems within the Last 12 Months Respondents: = 693 Japan= 984 Types of Attacks or Misuse Detected in the Last 12 Months Virus Insider Abuse of Net Access Laptop/Mobile Theft Unauthorized access to Information System Penetration Denial of Service Theft of Proprietary Information Sabotage Telecom Fraud Abuse of Wireless Network Misuse of Public Web Application Others No attack / Misuse % 48% 7% 48% 16% 67% 18% 2 4% 1 0% 2 Note: Percentages of is calculated from Fig. 14 in 2005 /FBI survey Respondents: = 700 Japan= 984

9 How Many Incidents? From the Outside? From the Inside? Inside Outside Inside Outside % 47% % 10% 4% % 31 Don t know 44% 3 1 No incident 5 4 Respondents: = 453 Japan= 887 Percentage Experiencing Web Site Incidents % Respondents: = 453 Japan= 887 Dollar Amount Losses by Type Virus $42,787,767 1 $5,029,847 1 Laptop theft $4,107,300 6 $3,769,338 2 Insider Net abuse $6,856,450 5 $579,987 3 Denial of Service $7,310,725 4 $258,132 4 Theft of proprietary info $30,933,000 3 $230,382 5 Unauthorized access $31,233,100 2 $213,200 6 System penetration $841,400 9 $64,310 7 Financial fraud $2,565,000 7 $50,000 8 Web site defacement $115, $38,585 9 Telecom fraud $242, $20, Sabotage $340, $12, Misuse of public Web application $2,227,500 8 $12, Abuse of wireless network $544, $11, Others $1,231,160 Total Losses $130,104,542 $11,520,541 Avarage of Losses/Respondent $ 203,606 $ 53,335 Respondents: = 639 Japan= 216

10 Actions Taken After Computer Intrusion(s) Patched holes Did not report Reported to law enforcement Reported to legal counsel 7 37% 20% 1 67% 16% 8% Respondents: = 320 Japan= 230 Reason Organization Did Not Report the Intrusion to Law Enforcement Negative publicity would hurt stock/image 4 94% Competitors would use to their advantage 3 6% Civil remedy seemed best course 16% 0% Unaware of law enforcement interest 16% Respondents: = 320 Japan= 230