3rd Japan & US Computer Crime & Security Survey
Katsuya Uchida
Associate Professor Institute of Information Security
Graduate School of Information Security
Katsuya Uchida, Associate Professor, Institute of Information Security
Respondents by Number of Employees
1-499: CSI 34%, Japan 56%
500-1,499: CSI 15%, Japan 27%
1,500-9,999: CSI 23%, Japan 15%
10,000-: CSI 26%, Japan 2%
Respondents: CSI= 699 Japan= 1,002
Respondents by Revenue
-$10 Million: CSI 25%, Japan 15%
$10M-$100M: CSI 18%, Japan 29%
$100M-$1B: CSI 20%, Japan 44%
$1B-: CSI 37%, Japan 12%
Respondents by Industry Sector
[Two charts, JAPAN and CSI. Slice labels in extraction order, not separated by chart:] 6% Others; 0% Legal; 0% Utilities; 19% Others; 1% High-tech; 1% Legal; 1% Medical / Welfare; 1% Retail; 1% Food / Hotel; 1% Transportation; 2% Real estate; 2% Local Government; 2% Financial; 4% Utilities; 3% Transportation; 4% Telecommunication; 5% Complex retail; 5% State Government; 5% Government; 6% Educational; 7% Telecommunication; 7% Medical; 8% Construction; 9% Federal Government; 12% Educational; 9% Manufacturing; 14% Retail; 15% High-tech; 34% Manufacturing; 17% Financial
Respondents: CSI= 699 Japan= 1,004
Respondents by Job Description
CEO: CSI 8%, Japan 1%
CIO: CSI 6%, Japan 1%
CSO: CSI 5%, Japan 1%
CISO: CSI 13%, Japan 1%
Sec. Officer/Mngr/Direct.: CSI 26%, Japan 19%
Systems Admin: CSI 7%, Japan 52%
Others: CSI 35%, Japan 26%
Respondents: Japan= 1,004
Number of PCs
-10: 1%
11-99: 16%
100-999: 57%
1,000-: 26%
Percentage of IT Budget Spent on Security
CSI = 690, Japan = 964
-1%: CSI 11%, Japan 16%
1-2%: CSI 24%, Japan 16%
3-5%: CSI 24%, Japan 18%
6-7%: CSI 8%, Japan 6%
8-10%: CSI 11%, Japan 9%
10%-: CSI 8%, Japan 11%
Unknown: CSI 15%, Japan 23%
Respondents: CSI= 599 Japan= 980
Percentage of Organizations
Using ROI, NPV and IRR Metrics
ROI: CSI 38% (228 respondents), Japan 1% (10 respondents)
NPV: CSI 18% (108), Japan 0.30% (3)
IRR: CSI 19% (114), Japan 0.40% (4)
Unknown: CSI 0, Japan 9.60% (94)
Not Calc.: CSI -, Japan 869 respondents
Respondents: CSI= 652 Japan= 997
Organizations with External
Insurance Against Cybersecurity Risks
Insurance: CSI 25%, Japan 8%
No Insurance: CSI 75%, Japan 92%
Respondents: CSI= 681 Japan= 997
Organizations Conducting Security Audits
Audit: CSI 87%, Japan 38%
No Audit: CSI 13%, Japan 62%
Percentage of Security Function Outsourced
None: CSI 63%, Japan 54%
1~20%: CSI 26%, Japan 22%
21~40%: CSI 6%, Japan 5%
41~60%: CSI 2%, Japan 6%
61~80%: CSI 2%, Japan 5%
80~100%: CSI 0%, Japan 8%
Average Percent of Security Outsourced
By Organization Revenue
-$10M: CSI 4%, Japan 21%
$1M-$99M: CSI 8%, Japan 38%
$100M-$1B: CSI 7%, Japan 49%
1B-: CSI 9%, Japan 66%
Respondents: CSI= 682 Japan= 923
Respondents: CSI= 687 Japan= 987
Security Technologies Used
Others: Japan 5%, CSI -
Biometrics: Japan 9%, CSI 15%
Public Key Infrastructure: Japan 10%, CSI 35%
One time passwords: Japan 11%
Smart cards/Other one-time password tokens: Japan 15%, CSI 42%
Encryption files: Japan 27%, CSI 46%
Intrusion Protection System (IPS): Japan 10%, CSI 35%
Reusable account/login passwords: Japan 83%, CSI 52%
Encryption for data in transit: Japan 32%, CSI 68%
Intrusion Detection System (IDS): Japan 21%, CSI 72%
Server-based Access Control Lists: Japan 75%, CSI 70%
Firewall: Japan 91%, CSI 97%
Anti-Virus Software: Japan 94%, CSI 96%
Respondents: CSI= 693 Japan= 984
Unauthorized Use of Computer Systems
within the Last 12 Months
Yes: CSI 56%, Japan 5%
No: CSI 31%, Japan 71%
Don't Know: CSI 13%, Japan 24%
Types of Attacks or Misuse
Detected in the Last 12 Months
[Bar chart, JAPAN vs CSI. Categories: Virus; Insider Abuse of Net Access; Laptop/Mobile Theft; Unauthorized access to Information; System Penetration; Denial of Service; Theft of Proprietary Information; Sabotage; Telecom Fraud; Abuse of Wireless Network; Misuse of Public Web Application; Others; No attack / Misuse]
Respondents: CSI= 453 Japan= 887
How Many Incidents?
From the Outside? From the Inside?
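JAPAN, Outside: 1-5 42%, 6-10 4%, 11-30 3%, 31- 1%, Don't know 9%, No incident 41%
JAPAN, Inside: 1-5 31%, 6-10 3%, 11-30 1%, 31- 1%, Don't know 12%, No incident 52%
CSI, Outside: 1-5 47%, 6-10 10%, 11-30 and 31- (one value) 8%, Don't know 35%, No incident -
CSI, Inside: 1-5 46%, 6-10 7%, 11-30 and 31- (one value) 3%, Don't know 44%, No incident -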
Percentage Experiencing Web Site Incidents
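[Charts for JAPAN and CSI. Values in extraction order, category assignment not recoverable: JAPAN 6%, 1%, 73%; CSI 95%, 3%, 2%. Category labels (number of incidents): 10-, 6-10, 1-5]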
Respondents: CSI= 453 Japan= 887
Respondents: CSI= 639 Japan= 216
Dollar Amount Losses by Type
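Virus: Japan $5,029,847 (rank 1), CSI $42,787,767 (rank 1)
Laptop theft: Japan $3,769,338 (rank 2), CSI $4,107,300 (rank 6)
Insider Net abuse: Japan $579,987 (rank 3), CSI $6,856,450 (rank 5)
Denial of Service: Japan $258,132 (rank 4), CSI $7,310,725 (rank 4)
Theft of proprietary info: Japan $230,382 (rank 5), CSI $30,933,000 (rank 3)
Unauthorized access: Japan $213,200 (rank 6), CSI $31,233,100 (rank 2)
System penetration: Japan $64,310 (rank 7), CSI $841,400 (rank 9)
Financial fraud: Japan $50,000 (rank 8), CSI $2,565,000 (rank 7)
Web site defacement: Japan $38,585 (rank 9), CSI $115,000 (rank 13)
Telecom fraud: Japan $20,000 (rank 10), CSI $242,000 (rank 12)
Sabotage: Japan $12,200 (rank 11), CSI $340,600 (rank 11)
Misuse of public Web application: Japan $12,100 (rank 12), CSI $2,227,500 (rank 8)
Abuse of wireless network: Japan $11,300 (rank 13), CSI $544,700 (rank 10)
Others: Japan $1,231,160 (rank -), CSI -
Total Losses: Japan $11,520,541, CSI $130,104,542
Average of Losses/Respondent: Japan $53,335, CSI $203,606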
Respondents: CSI= 320 Japan= 230