A couple of months ago, the Computer Security Institute released its annual CSI/FBI Computer Crime and Security Survey. Some of the survey's findings might surprise you. First, the total financial losses resulting from unauthorized use of computer systems dropped from $201.8 million last year to $141.5 million this year. Likewise, the percentage of respondents reporting unauthorized use of computer systems dropped from 58 percent 12 months earlier to 53 percent. How could financial losses and unauthorized use have dropped when all we hear and read about is security vulnerabilities and breaches? Does this welcome downward trend in the survey reflect IT security incidents in general among companies and organizations? It's hard to tell from this survey because CSI doesn't explain how it selected the respondents. The press release announcing the survey suggests that the respondents were CSI member organizations. The press release quotes CSI Director Chris Keating as saying, "Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security. ... We don't believe that all organizations maintain the same defenses as our members--financial damages for less protected organizations are almost certainly worse." If the respondents were indeed CSI members, that supports Keating's assessment that the survey "suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments." It also means the numbers describe a self-selected, security-conscious population rather than industry as a whole, so be careful about generalizing from them.

Indeed, the survey could provide some ammunition to help you make your business case to management that investing in security pays off. But you can claim ROI only if you collect the right information over a sufficient period of time and analyze it properly: a baseline of incident counts and losses before the investment, consistent measurement afterward, and enough years of data to distinguish a real trend from noise. The survey shows that most of the organizations that experienced an overall decline in security incidents and losses also use one or more financial metrics to quantify the cost/benefit aspect of their security expenditures. Fifty-five percent of the total respondents reported using ROI, and about 25 percent used Net Present Value or Internal Rate of Return. What about you? Have you experienced a decline in security incidents or financial losses, as the respondents in this survey have? Does your organization use a financial metric such as ROI, Net Present Value, or Internal Rate of Return to measure security problems in dollars and cents?

Another interesting statistic reaffirms what I've long held to be the case. Security incidents were fairly evenly split between insiders and outsiders, but insider incidents still led, especially in organizations with more than five incidents during the year. The lesson here is that you need to spend just as much time, or more, thinking about threats behind the firewall and designing countermeasures against them (least privilege, separation of duties, and logging of what authorized users actually do) as you spend defending against outsiders. A perimeter that keeps attackers out does nothing about the user who is already inside it.

As you might expect in this era of increased scrutiny of public companies and accountability, organizations aren't always eager to make their security incidents public. In fact, the percentage of respondents reporting intrusions to law enforcement declined from the previous year. This lack of information sharing makes it difficult for any of us to know the real story about IT security. It also highlights the fact that your incident response procedures should address more than just the technical handling of an incident: they should also spell out who is authorized to speak about it, who must be notified (management, legal counsel, law enforcement, affected customers), and what employees should say, and not say, if the press or outsiders ask.

The survey has lots of other good information. Take a look, and tell me what you think. Are the results representative of the state of IT security at large? What other facts or trends did you find notable?