3rd Japan & US Computer Crime & Security Survey

Katsuya Uchida
Associate Professor
Institute of Information Security
Graduate School of Information Security
uchidak@gol.com

Respondents by Number of Employees
Respondents: = 699 Japan = 1,002

Respondents by Revenue
Respondents: = 549 Japan = 898

Respondents by Industry Sector
Categories (first chart): Financial, High-tech, Manufacturing, Federal Government, Medical, Educational, State Government, Telecommunication, Utilities, Local Government, Transportation, Retail, Legal, Others
Categories (second chart): Manufacturing, Retail, Educational, Construction, Telecommunication, Government, Complex retail, Transportation, Financial, Real estate, Food / Hotel, Medical / Welfare, High-tech, Utilities, Legal, Others
[Chart values not recoverable]
Respondents: = 699 Japan = 1,004

Respondents by Job Description
Respondents: = 690 Japan = 1,004

Number of PCs
Respondents: Japan = 1,004

Percentage of IT Budget Spent on Security
= 690 Japan = 964
[Chart values not recoverable]
Respondents: = 690 Japan = 1,004

Percentage of Organizations Using ROI, NPV and IRR Metrics

Metric       (first survey)   Japan
ROI          228              10
NPV          108              3
IRR          114              4
Unknown                       94
Not Calc.                     869

Respondents: = 599 Japan = 980

Organizations with External Insurance Against Cybersecurity Risks
Respondents: = 652 Japan = 997

Organizations Conducting Security Audits
Respondents: = 681 Japan = 997

Percentage of Security Function Outsourced
Respondents: = 682 Japan = 923

Average Percent of Security Outsourced By Organization Revenue
Respondents: = 682 Japan = 923

Security Technologies Used
Categories: Anti-Virus Software, Firewall, Server-based Access Control Lists, Intrusion Detection System (IDS), Encryption for data in transit, Reusable account/login passwords, Intrusion Protection System (IPS), Encryption files, Smart cards/other one-time password tokens, One time passwords, Public Key Infrastructure, Biometrics, Others
[Chart values not recoverable]
Respondents: = 687 Japan = 987

Unauthorized Use of Computer Systems within the Last 12 Months
Respondents: = 693 Japan = 984

Types of Attacks or Misuse Detected in the Last 12 Months
Categories: Virus, Insider Abuse of Net Access, Laptop/Mobile Theft, Unauthorized access to Information, System Penetration, Denial of Service, Theft of Proprietary Information, Sabotage, Telecom Fraud, Abuse of Wireless Network, Misuse of Public Web Application, Others, No attack / Misuse
[Chart values not recoverable]
Note: Percentages of is calculated from Fig. 14 in 2005 /FBI survey
Respondents: = 700 Japan = 984

How Many Incidents? From the Outside? From the Inside?
Columns: Inside, Outside, Inside, Outside
Rows: 1-5, 6-10, 11-30, 31, Don't know, No incident
[Table values not recoverable]
Respondents: = 453 Japan = 887

Percentage Experiencing Web Site Incidents
[Chart values not recoverable]
Respondents: = 453 Japan = 887

Dollar Amount Losses by Type

Type                               Loss            Rank   Loss (Japan)   Rank (Japan)
Virus                              $42,787,767     1      $5,029,847     1
Laptop theft                       $4,107,300      6      $3,769,338     2
Insider Net abuse                  $6,856,450      5      $579,987       3
Denial of Service                  $7,310,725      4      $258,132       4
Theft of proprietary info          $30,933,000     3      $230,382       5
Unauthorized access                $31,233,100     2      $213,200       6
System penetration                 $841,400        9      $64,310        7
Financial fraud                    $2,565,000      7      $50,000        8
Web site defacement                $115,000        13     $38,585        9
Telecom fraud                      $242,000        12     $20,000        10
Sabotage                           $340,600        11     $12,200        11
Misuse of public Web application   $2,227,500      8      $12,100        12
Abuse of wireless network          $544,700        10     $11,300        13
Others                                                    $1,231,160
Total Losses                       $130,104,542           $11,520,541
Average of Losses/Respondent       $203,606               $53,335

Respondents: = 639 Japan = 216

Actions Taken After Computer Intrusion(s)
Categories: Patched holes, Did not report, Reported to law enforcement, Reported to legal counsel
[Chart values not recoverable]
Respondents: = 320 Japan = 230

Reason Organization Did Not Report the Intrusion to Law Enforcement
Negative publicity would hurt stock/image: 4 94%
Competitors would use to their advantage: 3 6%
Civil remedy seemed best course: 16% 0%
Unaware of law enforcement interest: 16%
Respondents: = 320 Japan = 230