Interesting piece in ComputerWorld about why companies don’t report security breaches-- the piece says it might hurt their reputation, and their business. The inverse of this is that security matters and that companies have incentives to get secure (this on the theory that eventually, most everything becomes public….).
The piece cites the 2004 CSI/FBI (see upper right of page) 9th Annual Computer Crime and Security Survey, which I find to be about the best set of statistics on security incidents. It has been tracking data consistently for years and shows trends over 5-6 years. Other interesting stats in the FBI study include: the other big reason people didn’t report is because ‘competitors would use to their advantage’ (Figure 21); 82% of companies preform security audits (Figure 17); the biggest $ losses are from targeted events -- DDoS, theft of IPR, and insiders (Figure 15); expenditure varies widely by sector — of course the risk varies widely by sector-- one size does not fit all (Figure 7); and most firms use Return on Investment (ROI), Net Present Value (NPV), or Internal Rate of Return (IRR) calculations to determine investments, with 55% using ROI (Figure 8). This survey is worth a look.
The ComputerWorld piece ends asking about whether mandatory disclosures of breaches provides disincentives to look for them… Interesting area….. Will look at this more later… Cheers.