Government Technology


CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors



January 8, 2010

It's no secret that security pros worry about cyber-attacks that can happen anytime in a networked world, but apparently, they also worry about how much end-users know about good computer hygiene and their organizations' abilities to assess how secure they are - or aren't.

The Computer Security Institute (CSI), which holds conferences and educational events for IT workers, released the 14th edition of its annual CSI Computer Crime and Security Survey in December 2009, with an assessment of how respondents felt about their own cyber-security situations and what that assessment may mean for 2010. The institute partnered with General Dynamics Advanced Information Systems to glean insight from 443 U.S.-based respondents across the public and private sectors.

The institute asked respondents to rate how satisfied they were with their technologies on a scale of 1 to 5. All technologies fell within the 3.0 to 3.6 range, which isn't bad, but the tools that scored the lowest in that zone were the ones that are supposed to indicate how secure an organization is at any given moment.

"They weren't wildly happy with anything nor, on the other hand, were they wildly unhappy with anything, but it sort of indicates to me that there's an acceptance of the tools we have," said Robert Richardson, CSI's director.

But he also said the respondents don't feel like they have a comprehensive tool for monitoring. The tools mentioned in the survey overview included log management tools, data leak prevention, content monitoring and intrusion detection tools.

"I think, as an industry, we are struggling with measuring and monitoring what's going on," Richardson said. "If you ask me what people are going to be focusing on in 2010, I think one of the things is how to extract meaning from all of the log information or the auditing information that's sitting out there in the enterprise, government agency or wherever."

But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.

The CSI figures also included data on the occurrence of threats in 2009 compared with 2008:

  • 64.3 percent of respondents experienced malware infection, compared to 2008's 50 percent;
  • 29.2 percent experienced denial-of-service attacks, compared to 2008's 21 percent;
  • 17.3 percent experienced password sniffing, compared to 9 percent in 2008;
  • 13.5 percent experienced Web site defacement, compared to 2008's 6 percent; and
  • 7.6 percent experienced instant messaging abuse, down from 21 percent in 2008.

Richardson said governments should pay special attention to security because they're more visible as targets for cyber-attacks. Government agencies constituted more than 13 percent of survey participants, comprising people from federal, local, military and law enforcement jurisdictions.

CSI sent the survey questionnaire to 6,100 CSI members, those who've joined and those who've attended live events and webcasts. Richardson thought the results were telling, but he wondered about the experiences of those who didn't respond.

"There's an enormous amount of discomfort around what happens when you have a really serious incident. There are, relative to the number of organizations in the world or in the United States, few headline-making total disaster breaches, but if it happens to you, it can be devastating," he said. He doubted that the pool of 443 respondents was large enough to capture many serious victims.

"If the company is seriously damaged by that kind of incident, my suspicion is they don't answer the survey," Richardson said.

 

