A new security survey being produced by Santa Monica, Calif.-based Rand Corporation on behalf of the U.S. Departments of Justice (DOJ) and Homeland Security (DHS) seeks to connect the islands of information available on information security into a more coherent whole.
Due to be published in early 2007, the survey will produce industry-level statistics in 36 sectors on the number and consequences of cyber attacks, frauds and thefts of information.
The surveys have been sent to about 36,000 companies, says Lois Davis, one of the lead researchers on the project.
While the response rate will be a small percentage of that population, as is typical of most surveys, the findings will be scientific. As an incentive to share information, Rand will provide participants with a confidential benchmark report for their sector that will allow them to compare their company's standing relative to its sector.
Aggregate information will also be publicly available in 2007. “Once analyzed, a summary report providing general trends and crime statistics will be available to the general public,” says Davis. “Rand will also be conducting different analyses to address several policy issues that concern the DOJ and DHS. This will be a rich database.”
The Rand survey, observers hope, will fill an existing void in the data available on information security incidents.
Fearing a backlash from customers and investors, many companies have powerful incentives not to share information about cybercrime experiences where they have been the victims.
Result: a scarcity of information for real risk analysis. Companies could have used such information, were it available, to protect themselves by allocating funds and resources to the right areas.
What about the various information security surveys that are available? Many of these offer data that is useful but limited, according to James Quin, senior research analyst at Info-Tech Research Group Inc. in London, Ont.
He says the annual CSI/FBI Computer Crime and Security Survey, conducted by the San Francisco-based Computer Security Institute (CSI), for example, is typically based on feedback from a small population of about 600 information security professionals.
While the information is valuable it is nevertheless anecdotal, says Quin. Findings aren’t scientific and may not necessarily represent trends in the wider North American business sphere. And due to the reluctance to provide information, most survey-based findings are limited in size and subjective in nature since respondents self-report experiences.
Quin says reports released by global managed security services companies such as Symantec Corp. based in Cupertino, Calif., provide aggregate, anonymized findings culled from thousands of customers. This type of analysis offers a larger population base and also removes the issue of self-reporting subjectivity in surveys.
“They each take a different tack,” says Quin. “The CSI survey provides high-level information about numbers of attacks, net value of losses and does a lot of relative measurement. Symantec gets into counts on specific types of attacks such as phishing and new vulnerabilities – it’s very granular and gets into the weeds.”
Quin says he's eager to see the findings, as the lack of scientific industry-level benchmarking data is a major stumbling block for companies that want to improve their security. For example, a small or mid-sized company that manufactures widgets for a few automotive companies can't benchmark itself against the security practices and expenditures of a big bank.
“There is absolutely no comparison between the two if the company wants to determine how much it should be spending,” he says. Since the nature of the business and the types of attacks a small manufacturing firm needs to deal with are very different from a bank's, companies can't even extrapolate findings on a per capita basis.
“So what you get are very general estimations: a financial institution should be spending about 12 per cent of its IT budget on security, a manufacturing company should be spending seven per cent, and so on,” says Quin. “Having a survey like Rand’s that can help companies benchmark accurately will be gold.”
In the case of the Rand survey, although Canadian companies have not been included in the sample, Davis points out that many of their U.S.-based parent organizations will be participating in the survey. And Quin believes the survey findings can be very useful in the Canadian business context.
“While the U.S. market is ten times bigger, an SMB widget manufacturer here needs to deal with the same issues as a widget manufacturer there,” he says. “If only 30 of Rand's industry categories apply in Canada, that's still more information than we have now.”