Cyber Attacks and the economic impact
on Entities worldwide




                 Cyber Attacks Ahead



           Bradley Sean Susser

               December 17, 2012




Abstract




This research report studies the economic impact that Cyber Security attacks have on

society as a whole. The aim of this analysis is to examine the negative and positive

impact of these compromises on multiple entities. Our descriptive analysis focuses on

individuals, private and public organizations, costs, revenues, innovations, and jobs to

determine whether the proliferation of these attacks is negative or positive. Although this

paper draws upon the economic factors as a result of cyber-attacks, it looks at the outlay

in its historical context of capital expenditures to private and public organizations due to

the increased number of compromises and factors of this paradigm helping to fuel the

growth of innovations or spawn a new industry as a whole.




Table of Contents


Abstract

1. Introduction

2. Literature Review
2.1 Cyber Attack defined
2.2 Cyber Security defined
2.3 Brief History of Cyber Attacks
2.4 Economic Impacts Defined (inclusive Cost benefit Analysis)
2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment

3. Methodology
3.1 Cyber Attacks and Hypothesis on their Growth over the Years
3.2 Cyber Attacks & Hypothesis on Financial Impacts of Entities Targeted
3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital

4. Discussion
4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings
4.2 CSI/FBI/Technolytics Institute/Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective
4.3 McKinsey Global GDP Growth Statistics
4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics
4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks
4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape
4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained

5. Conclusion

6. References

7. List of Figures




1. Introduction:

       Since the mid-1980’s, as personal computers started becoming more prevalent, so

too did a small group of people that chose to wreak havoc by exploiting and

compromising these devices for nefarious purposes or just pure curiosity. These events

were even depicted in movies such as WarGames, which was introduced to the public

in 1983. The movie is based on a teenage boy who breaches the United States

Pentagon’s computer system and locates a game within the system known as “Global

Thermonuclear War”. Although he believes this is just a game, in reality he

inadvertently causes the system to begin the process of launching a nuclear attack on a

number of sovereign nations.

       This was the first time that such a scenario was brought to the forefront of the

general public, and although this was just a movie, in reality systems, although in their

infancy, were becoming attractive targets for individuals and entities to manipulate and

unethically exploit. Then in the early 1990’s the Internet was introduced to the

commercial sector, allowing both private and public entities to leapfrog off of this

medium and create whole new economies based on this technological innovation.

However as the internet, systems, personal computers and a plethora of

hardware/software devices are utilized more and more for routine activities the number

of people wishing to do harm to individuals and organizations that make use of these

technologies continues to grow at an alarming rate.

       In fact, according to Verizon’s 2012 Data Breach Investigations Report, 2011 was

the year that organizations’ systems came under attack by a slew of groups with

different forms of motivation, and the numbers are unprecedented. The report focused on



855 incidents that saw 174 million data records get compromised. This included

protesting entities such as the likes of Anonymous, cybercriminals performing attacks to

acquire trade secrets, classified information and other intellectual property, steal

personal credit card information, identity theft, take down organizational servers and the

list goes on and on. Verizon is quoted as saying “Doubly concerning for many

organizations and executives was that target selection by these groups didn’t follow the

logical lines of who has money and/or valuable information. Enemies are even scarier

when you can’t predict their behavior” (Verizon 2012).

       Another scathing report, released to the public in October of 2012 by Hewlett

Packard working with the Ponemon Institute, indicated an exponential increase in Cyber

Crime from 2010 to 2011. In contrast to the Ponemon and Verizon reports, an article

written in the Baltimore Sun on October 21, 2012 quoted Cyber Security analysts as

saying that this sector of the market is anticipated to grow over 50 percent up until the

end of 2016 which will open up new opportunities for business and individuals. The

article goes on to say that Cyber Security spending by the Defense Department, even

with the absence of certain legislation, will rise from $4.4 billion in 2011 to $6.7 billion in

2016, spending in civilian agencies will increase from $2.6 billion in the 2011 period to

$3.8 billion by 2016 and capital expenditures to be outlaid by U.S. Intelligence agencies

are expected to increase from $2.3 billion last year to $3.6 billion over the next four

years (Sentementes 2012). The statistics incorporated above show a dichotomy

whereby the economic impacts of Cyber Attacks can be both disadvantageous and

advantageous.

       The point at issue is, is one more predominant over the other or do they balance



each other out? The question posed in the prior sentence is what this paper’s primary

objective seeks to ascertain, although other questions must be implemented and

investigated to garner an appropriate answer. So as you continue to migrate through the

sections to follow, we will look through an assortment of research to try and come up

with a valid answer to the aforementioned question.


   2. Literature Review:

       In reviewing the literature there is an abundance of material on the growing number

of Cyber Attacks, which have negative ramifications but have also helped to spur the growth

of a variety of disciplines and innovations within the IT Security arena. Therefore there

are a multitude of factors and questions one needs to take into account by means of

economic analysis.


2.1 Cyber Attack defined

       Some of the essential questions that must be addressed include: do the overall

economic impacts of these attacks weigh on the side of being more adverse or

advantageous? The aforementioned question should be broken down even further to

include the following.

       What is a cyber-attack? There are a variety of ways to define and describe a

cyber-attack. Although the term may appear simplistic on the surface, cyber-attacks are

comprised of a multitude of factors. The Ponemon Institute states that this is any

criminal activity conducted over the Internet (Ponemon 2012) but is this not too

simplistic of a definition? According to the research paper “The Law of Cyber-Attack” the

authors explain that a Cyber Attack is “any action taken to undermine the functions of a



computer network for a political or national security purpose.” This group of writers then

further explains that the reason for lack of clarity among the community on what Cyber

Attacks are, is due to the inability to make a distinction between Cyber Crime, Cyber

Attack, and Cyber War. For example, in their paper “a Cyber Attack’s Objective must be

to undermine the function of a computer network” and “Must have a political or national

security purpose.” (Oona, Crootof, Levitz, Nix, Nowlan, Perdue, Spiegal, 2012).

       The terms Cyber Crime and Cyber War discussed in the sentences above are

what make up Cyber Attacks, and therefore further extrapolation on the true

meaning must be incorporated. Lt. Colonel David M. Keely hits the nail on the head in

stating that many of the definitions he came across were too narrow in scope. He

concluded that “A good definition of Cyber Attack can be found in discussions of the

Critical Infrastructures Protection Act (CIPA) of 2001: ‘All intentional attacks on a

computer or computer network involving actions that are meant to disrupt, destroy, or

deny information.’” In addition, he states that you must also incorporate the why aspect.

Included should be the motivation of the attacker. “If the motivation of the attacker is

monetary gain, destruction of property, or espionage, then a crime has been

committed.” “If the desired result is ‘to cause death or serious bodily harm to civilians

or non-combatants, with the purpose of intimidating a population or compelling a

Government or an international organization to do or abstain from doing any act’ then an

act of terrorism has occurred.” “If the motivation is to wage or to assist in waging an

‘armed hostile conflict between States or nations’ then an act of war has occurred.”

Lt. Colonel Keely’s assessment covers all the essential elements of Cyber Attacks that

impact sovereign nations, public and private entities and finally individuals; therefore his



interpretation is quite effective for the purpose of our research endeavor (Keely, 2011).

Finally, it is necessary to break down the types of exploits propagated by these Cyber

Attacks. Cyber Attacks are comprised of Malware, Web based attacks, stolen devices,

malicious code implementation, malicious insiders, phishing and social engineering and

denial of service attacks (DoS). Malware is defined as evil software and is made up of

subcategories which include viruses, Trojans, worms, rootkits, keyloggers etc.; however

in the chart provided by


2.2 Cyber Security defined

      As with Cyber Attacks we need to try and come up with a concrete definition for

Cyber Security as it varies among Information and Communications Technology (ICT)

professionals. This is because the area of specialties could be substantial according to

The National Institute of Standards and Technology (NIST), a U.S. federal agency and

one of the leading organizations in charge of implementing security standards globally.

Although NIST’s numbers may be slightly overarching it provides additional affirmation

that the term Cyber Security cannot be so easily defined (National Institute of Standards

and Technology). Some believe the term to be interchangeable with Information

Security while others state that Information Security is a subset of Cyber Security. A

definition that we found to be most appropriate is Cyber Security refers to the protection

of any asset from being exploited by Cyber Attacks which we defined above, via

Information and Communication Technologies. Included are additional components such

as countermeasures and activities that can either be technical in nature or non-technical

for the purpose of safeguarding computer networks, digital devices, hardware, software

and all the information that they contain and communicate from anyone that has malice

of intent. In addition Cyber Security encompasses a number of professionals that

perform continuous research and analysis in order to try and keep ahead of those

wishing to do us harm, described above by NIST. As you can see the word information

is embedded in the definition of Cyber Security so we can conclude that it is in fact a

subset of this area of discipline. Therefore Information Security references all aspects of

information protection. Subsequently three primary objectives lie at the heart of

Information Security. These include the terms confidentiality, integrity and availability.

Confidentiality makes sure that information is not disclosed to any unauthorized entity

and that those who wish to disclose that information can do so, but at their request;

integrity assures one that information is modified only with proper authorization; and

finally availability assures that information is provided promptly to authorized entities

and only denied to those who are not authorized (Dunn 2005).


2.3 Brief History of Cyber Attacks


       From a historical perspective, has the number of attacks grown over the years or

been on the decline? Furthermore, have costs for entities accrued?

Cyber Attacks have been depicted in the media for quite some time; therefore

one must look at these attacks in their historical context. The precursor to the present

day Internet was created by the U.S. government’s Advanced Research Projects

Agency (ARPA) and was known as the ARPANET which was developed in the late

1960’s. ARPANET eventually was replaced by the Internet or what is known to many as

the information highway which connects local area networks to wide area networks

used by individuals and organizations worldwide (White, 2011). Unfortunately, upon first

initiating the deployment of this medium, safeguards were never implemented as

Cyber Attacks were not even a forethought. Some of the earliest attacks involved “phone

phreaking” in the early 1970’s and then with the invention of personal computers in the

early 1980’s attacks on systems began to proliferate. A number of congressional laws

were passed due to these early compromises to offer better protection against unauthorized

access to government computers. Title 18 United States Code: § 1030, “Fraud and

related activity in connection with computers”, is one such law that was implemented in

1986 and modified over the years to punish those wishing to target systems, whether for

political reasons or criminal activity (Cornell University Law School 1986). Finally in the

early 1990’s the Internet was now open to the general public for private and commercial

use but with increasing reliance on the Internet and its expansion of interconnectivity

attacks became even easier to perform. The Computer Security Institute (CSI)/Federal

Bureau of Investigation (FBI) Computer Crime and Security Survey conducted over the

last several decades provides invaluable data, helping to further ascertain additional

information on the number of attacks on organizations that have participated in the

study over the years and detailing their networks and cost estimates by the type of

attack.


2.4 Economic Impacts Defined (inclusive Cost benefit Analysis)

          This leads us to the next topic, that being the economic impacts of this

increasing number of attacks. But what do we mean by economic impacts?

It must be stated that in order to grasp an understanding of the term economic

impacts it is essential that we include in our description economic



advantages/disadvantages and productivity as they all are intertwined. Economic impact

sometimes is difficult to describe because it is made up of a complexity of subcategories

but on its face this is any modification in the passage of capital (income) in the economy

between industry sectors, population groups, or local areas of the world and although

metrics are usually measured in terms of growth in income, jobs or output such data is

not necessarily easy to extract and more often than not difficult to quantify.

Economic advantages/disadvantages is a broader concept of welfare gain than

economic impacts, in that it can incorporate both monetary advantages/disadvantages

(tangible) and non-monetary advantages/disadvantages (intangible) with a willingness

to pay value or remove value. The concepts in the previous sentences are most useful for

performing a cost-benefit analysis (CBA). As a simple example, a CBA can compare the

benefit of safeguarding one’s systems against Cyber Attacks with the costs associated

with these protective measures. Finally productivity typically refers to the increasing

growth in value added per worker or per unit of investment which has the potential to

produce an actual acceleration in income and jobs (Weisbrod 2011). In looking further

into productivity it can be utilized not only as a gauge of efficiency but also as an indicator of

economic development.

       The research paper titled “Private Sector Cyber Security Investment Strategies:

An Empirical Analysis” suggests a cost benefit analysis approach is generally

straightforward but found that organizations were unable to construct a rigorous cost benefit

analysis (CBA) framework. Furthermore, the expected damage or cost functions and threat

probabilities needed to conduct a CBA are difficult to obtain; therefore most often

companies rely more on a qualitative approach (Rowe, Gallaher 2006). Note that CBA



will be further described in the economic impact section to follow. Although the

aforementioned research study is slightly dated, as quantitative analysis

appears to have improved, as you will soon see from the Ponemon Institute, the study was

able to conclude that regulations were the most often cited drivers increasing

organizations’ investments in Cyber Security. This is important as it shows a correlation

between government initiatives and spending discussed in the Baltimore Sun

introductory paragraph above. However, in the article “Economic Analysis of Cyber

Security” the authors point out that a CBA framework which focuses on quantitative

analysis is expensive, difficult and in most cases even impossible to garner. This in turn

has forced most organizations to perform qualitative assessments, which are then

compared to quantitative analyses. Although the research paper dates back to 2006 this

is still mostly true today. It must be noted that they do endorse The Computer Security

Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security

Survey considering this to be the best available source. In contrast and to be fair the

authors of “The Economic Impact of Cyber Attacks” state that this survey is lacking in

certain areas due to incomplete metrics (Cashell, Jackson, Jickling, Webel, 2004). This

once again goes to show how difficult it often is to come up with complete and accurate

data which is why a number of sources should be used to reach the appropriate

balance. “The Economic Analysis of Cyber Security” paper also discusses how

organizations determine how to invest in security. This is significant because these

organizations’ decisions are based on the impacts or potential impacts of Cyber Attacks

and therefore you can see how these firms collect data to perform their analysis.

Furthermore as part of this data collection process these entities implement the current



costs associated with being hit by these attacks in their investment analysis which

allows you to get a better understanding on how they come up with these costs they are

supplying to those conducting research on the financial impacts of Cyber

Attacks (Gallaher, Rowe, Rogozhin, Link 2006).


2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment


      Have Cyber Attacks spawned a new industry that has helped to garner a large

infusion of capital from the investment community?

It is essential that organizations implement Cyber Security controls either through

technological means or human analysis. Investments in the area of IT Security

organizations and startups in the past have been slow due to a lack of understanding and

organization and startups in the past have been slow due to a lack of understanding and

the inability to view security as an essential element that must be incorporated within

one’s business. However, due to Cyber Attacks becoming more persistent, an increasing

number of investments and the infusion of capital committed to this sector are starting to

take shape. One reason for this is the implementation of regulation but not so much as

to inhibit innovation. For instance federal and state statutes that penalize companies

that do not properly safeguard consumer information have forced these entities to

obtain the necessary financing and invest in the area of Cyber Security. United States

regulatory bodies such as the Federal Trade Commission (FTC), Department of Justice

(DOJ), Securities and Exchange Commission (SEC) (Department of Commerce Internet

Policy Task Force June 2011), Payment Credit Card regulatory agencies (PCI Security

Standards Council 2012) and many others have brought a number of legal enforcement

actions against entities that have been inept in protecting consumer data forcing them to



access additional capital. The capital is then used to pay for security.

       In the wake of these legal actions and targeted attacks, Gartner Research in a

September 2012 release talks of the increasing amount of capital being deployed

throughout the Cyber Security Industry (Gartner 2012). In addition, a Certified Financial

Analyst for financial firm Citi Group conducted research indicating that IT security budgets are

on the rise (Pritchard 2012), as have a number of other research bodies.


   3. Methodology:

       In conducting our research the approach we have utilized and you will see whilst

continuing to view this document is one of a descriptive nature because although we

draw empirical data from prior research we focus primarily on the characteristics of

Cyber Attacks and its economic impacts on entities worldwide in the current day and

age. It should be also noted that due to the complex nature of Cyber Attacks and lack of

complete understanding, data is vast and all over the map; therefore it is difficult to

acquire exact assessments and cost figures. The same also holds true for an

accurate account of the growth of the Cyber security industry although there have been

ongoing improvements to address these issues. Subsequently a compilation of primary,

secondary and general resources, those being from vetted educational research, public

companies such as Verizon, Certified Financial Analysts from investment houses,

leading information technology research and advisory firms, audited financial filings

from publicly traded companies and articles from newspapers/journals are utilized within

this paper. Again, the statistical data is fragmented as there has been no clear model

that has been adopted and many argue some numbers are skewed due to conflicts of

interest and the inability to acquire the necessary resources (such as vetted papers

created by those that are in the educational arena) to conduct a proper study. The

figures comprised of various sample sizes among the population are compared and

contrasted so we can get a more accurate picture to determine whether the cost of

Cyber Attacks far outweighs the amount of money being generated by the Cyber

Security community or if the money being infused into the Cyber Security Industry has

economic benefits that exceed the costs generated by Cyber Attacks.


3.1 Cyber Attacks and Hypothesis on their Growth over the Years

       We will begin our focus by asking the question once again: from a historical

perspective, has the number of attacks grown over the years, and over the last several

decades have costs for entities accrued? This question is important because it lays the

groundwork as to how the Internet and the technology that is embedded within it has

become a source utilized for nefarious purposes. Although some years have seen a

decline in the number of Cyber Attacks, overall the trend, one would think, is likely to

show that these attacks are an everyday occurrence and ever increasing in numbers.

This is because the multitudes of devices that are connected to the Internet and make

use of its backbone are immense. In other words distributed systems have become

dominant as opposed to centralized systems which used to play more of a role among

entities but are in fact utilized less and less these days. Also due to complexity of the

network and programming code used in web applications worldwide, the vector of attack

has grown making it even more difficult to mitigate against and ripe for exploitation. For

example looking at web applications in particular, updates and patches are issued by

vendors who develop code for a number of programs daily. The problem has become so



great that companies such as Microsoft and Oracle have a preset schedule for

distributing fixes on a monthly and quarterly basis. In fact firms like Red Hat employ

what is known as open source code, which is available to the general public for free and

offers the ability for any programmer to make modifications to the code when

necessary. Therefore vulnerabilities in open source software can be found more quickly

and what is also evident is that a number of advisories for this type of code are issued on

a daily basis. However there are still a number of programs that have vulnerabilities that

are not found for a number of months or even years. This is especially true in the way of

advanced persistent threats (APTs). In fact, even when vendors issue advisories it takes

time for them to create patches for code; therefore those wishing to do us harm have

plenty of time in between these fixes to propagate attacks by taking advantage of these

vulnerable applications.


3.2 Cyber Attacks and Hypothesis on Financial Impacts of Entities targeted by
Attacks


              The next area we need to delve into once more is the economic impacts

that Cyber security has on society as a whole. More specifically, what are the financial

impacts on capital expenditures of private and public organizations targeted by Cyber

Attacks? As highlighted above, the Internet has become the primary backbone to

entities worldwide helping to create new innovations, increase collaboration and open

up new economies like we have never seen before. In addition with the simple click of a

browser, connectivity to this vast network has become so easy that even the average

layman with no technological skills can access the information highway. Although it is

hard to dispute the advantages of the pervasive availability for anyone to connect online

it has also offered those seeking to do us harm a large vector that can be utilized to

attack and exploit individuals and organizations. The impact therefore of these attacks,

specifically Cyber Attacks, have come at a great cost to entities forcing them to outlay a

significant amount of capital and see a huge reduction in revenues. Included are

entities going out of business, loss of jobs, the negative impact of productivity and the

vast amount of money or even identities being stolen from consumers. For example,

organizational databases compromised or hit by denial of service attacks take

enormous manpower to recover from such attacks. This in turn negatively impacts

productivity.


3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry
Helping to Infuse Significant Capital

       Finally it is necessary to be redundant and ask whether Cyber Attacks spawned

a new industry that has helped to garner a large infusion of capital from the investment

community and increased organizational sales figures for Cyber Security firms? Despite

the adverse impacts Cyber Attacks have on the economy there is no doubt that it has

also created new opportunities as many subsectors such as cryptography, network

security, operating system security, database security, reverse engineering and

penetration testing, just to name a few, have become essential components that

entities must make use of in order to safeguard systems. Therefore many venture

capital funds, private equity firms, individual investors and the overall capital markets

are continuing to pump money into the Cyber Security arena. These investments could

also have a positive effect on sales which is the exact opposite of entities who are

plagued by the current threat environment. The irony here is that the number of

disciplines and income garnered by the Cyber Security Industry could possibly outweigh

the costs associated with Cyber Attacks.


       The aforementioned questions and their hypotheses as stated in previous

paragraphs have been difficult to quantify; however, in the section to follow we will attempt to

do just that!


   4. Discussion


4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings

       Cyber Attacks have evolved over time; therefore one must look at these attacks in

their historical context. The precursor to the present day Internet was created by the

U.S. government’s Advanced Research Projects Agency (ARPA) and was known as the

ARPANET which was developed in the late 1960’s. The government allowed access to

ARPANET to only a selected few military bases, government labs and research

universities. The ARPANET was one of the first wide area packet switched networks

which provided services like electronic mail, the transferring of files and remote logins.

In 1983 the Department of Defense (DOD) broke ARPANET into two similar networks

keeping the name ARPANET for one of the networks and calling the other network

MILNET which would be used for military purposes. ARPANET eventually was phased

out and around this time the National Science Foundation funded the development of a

new high speed network known as the NSFnet which connected major router sites

across the U.S., then acting as the telecommunication backbone, in turn connecting to

smaller regional networks or statewide networks. The statewide networks were then



connected to a set of campus networks and eventually the collection of all these

networks would then be known as the Internet (White, 2011). The previous sentences

are significant primarily because when this architectural medium was developed there

were no countermeasures or safeguards implemented. In fact nobody had the foresight

to think that the Internet would become the primary backbone for communications

globally, so instrumental to economies worldwide, or especially to conceive that it

would be utilized as a medium for nefarious purposes.

       Some of the earliest hackers were involved in “phone phreaking”: they were

attackers looking to break into telephone networks in an effort to make free long

distance calls. Joybubbles AKA Joe Engressia was one of the first phone phreaks. He

was a blind boy with perfect pitch who could whistle any tone. Circuit switching centers

at the phone company were apparently tricked by the tones that he produced. One tone,

used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited to

provide free long distance and international calling. Engressia could imitate this tone,

while other phreaks used what was called a “blue box”. According to a New York

Times article written in 2007, Steve Jobs and Steve Wozniak, founders of Apple, were

also successful phone phreaks (Martin 2007).

       In the early 1980s personal computers came into being, manufactured by

companies such as Apple, and in turn individuals who tried to exploit

networks for all sorts of reasons began to emerge. One of the first well known attacks

was performed by Kevin Mitnick, one of the most infamous attackers of the 1980s. It

was back in 1979 when Mitnick, at the tender age of 16, illegally accessed

Digital Equipment Corporation’s (DEC) computer network and obtained a copy of their

operating system software. He also hacked into the networks of Nokia, Motorola, Sun

Micro, Pacific Bell and other companies. Just over a year ago Kevin was interviewed by

ZDNet, claiming none of the companies he compromised sustained any damages;

however, the FBI estimated Kevin's hacks and code reading into the $300 million range

(Hess 2011). In addition to Kevin, the Legion of Doom, founded by Vincent Louis

Gelormine (“Lex Luther”) in the 1980s, was involved in unauthorized access to a

number of corporate networks, including BellSouth Corp. (Dr. Hayes 2012).


4.2 CSI/FBI/Technolytics Institute/Janet Napolitano Statistics on Growth of Cyber
Attacks through Historical Perspective

       Moving slightly ahead in time, the Computer Security Institute, which has been

a leading educational membership organization for information security professionals for

over 30 years, began its series of reports titled “CSI/FBI 2000 COMPUTER CRIME

AND SECURITY SURVEY”. The reports are advantageous because some of the others that

are produced come from those who may have ulterior motives, such as the many

vendors who produce and sell security tools and thereby have a potential conflict of

interest. In contrast, CSI security surveys are completely independent and collected

data is gathered from a team that is made up of security professionals spanning multiple

industries, separate from those who just work in organizations selling solely cyber

security tools and services. Having said that, the sample size is not significant enough as it

only encompasses a small percentage of respondents solely within the United States.

However, although participation has been on the decline, we can focus on the annual

financial impacts of major Malware attacks from data CSI collected between the years 1995

and 1999. In 1995 the number totaled $500 million, in 1996 $1.8 billion, 1997 $3.3 billion,

1998 $6.1 billion and in 1999 $12.1 billion (Cashell, Jackson, Jickling, Webel 2004). The

percentage increases that can be denoted by these numbers are astonishing.

       Kevin G. Coleman of the Technolytics Institute acquired figures from several

studies back in November 2008. One in particular, conducted by Spy-Ops,

stated that over a one year period from 2007 to 2008 information theft grew around 68

percent, with a file containing critical data stolen every quarter of a second in order to

steal a consumer's identity. In 2008 it was also concluded that the United States

Pentagon was attacked 3 million times a day (Coleman 2011). Although it does not give a precise

number, an article published by Voice of America titled “Panetta Says US Boosting

Cyber Defense” and written by Luis Ramirez backs up the 2008 document, saying

thousands of enemy cyber-actors are targeting the Pentagon’s systems millions of times

a day (Ramirez 2012).


       In 2012 Janet Napolitano, US Secretary of Homeland Security, during her

opening keynote address at the ASIS/(ISC)² Congress 2012 conference in Philadelphia,

stated that Cyber Attacks have increased “significantly over the past decade”, and that

period also includes the more than three years she has acted as US Secretary

of Homeland Security. To put this into context, Napolitano goes on to say “the United

States Computer Emergency Readiness Team (US-CERT) responded to more than

106,000 reports of Cyber Attacks during 2011 – releasing more than 5000 security

alerts to its public and private sector partner” (Info Security Magazine 2012).


       Today attacks are no longer dominated by a few but by many individuals and

entities. This is primarily due to the rise in distributed systems as opposed to the more

common centralized ones which were once dominant several decades back. According

to Information Week on February 1, 2012, “Cyber Attacks against government agencies

and businesses in the United States continue to rise, and cyber threats will one day

surpass the danger of terrorism to the United States, intelligence community officials

said in an open hearing of the Senate select intelligence community.” The article goes

on to mention countries such as China and Iran, and groups like Anonymous and LulzSec,

targeting systems on a regular basis, and it suggested it will only get worse (Hoover

2012). The historical trend certainly seems to indicate that there is a rise in attacks and

further proof of this can be seen in the paragraphs to follow.


4.3 McKinsey Global GDP Growth Statistics

       There is little doubt that the Internet has helped to create new innovations and

open up new areas of the economy leading to high areas of growth and prosperity for

many. This can be seen in the May 2011 McKinsey Global Institute study which

explained that the Internet accounts for 3.4 percent of the GDP when examining thirteen

countries. For the developed nations among those 13, the Internet

contributed to 21 percent GDP growth over the last five years. GDP is the

monetary value of all final goods and services produced within a nation in a particular

period of time, typically based on yearly estimates. It includes all private and public

expenditures, government spending, investments and exports minus imports that are

representative of a certain region (Value Click). For the United States alone this

represents $440 billion to $580 billion of additional total output (Dowdy 2011).

       Unfortunately, along with adding to GDP, the information highway has also contributed to

adversely impacting these numbers because of the multitude of targeted attacks from a

variety of actors (hacktivists, cyber criminals and sovereign nations) on all

organizations and industries that add to GDP worldwide. This includes the computer based

control systems that run much of the nation’s physical infrastructure. In other words no

public or private entity is immune from such threats.

4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics

       Before we present the findings from a number of different entities,

it must once again be emphasized that there is no one study that should be taken

completely at face value. The research paper titled “Private Sector Cyber Security

Investment Strategies: An Empirical Analysis” suggests a cost benefit analysis

approach is generally straightforward but found that organizations are unable to construct a

rigorous cost benefit analysis (CBA) framework. Furthermore, the expected damage or cost

functions and threat probabilities needed to conduct a CBA are difficult to attain; therefore

companies most often rely more on a qualitative approach (Rowe 2006). Although the

aforementioned research study is slightly dated and quantitative analysis

appears to have improved, figures remain inconsistent.


       Examining a compilation of data and taking the average of all these numbers is

most appropriate. This is discussed above, in particular the two differing opinions on

the “CSI/FBI Computer Crime and Security Survey”: one from the authors of the

article titled “Economic Analysis of Cyber Security”, who endorse the survey

(Gallaher, Rowe, Rogozhin, Link 2006), and the other from the authors of “The

Economic Impact of Cyber-Attacks”, who cite several sources claiming the data is not

chosen randomly, nor is it a representative sample of entities that are exposed to

cyber-risk, but is only taken from self-selected security professionals, which is considered in

research circles to be somewhat biased. The reports on the 530 individuals who were

utilized nationally to conduct the survey are not accurate enough to obtain sound

figures. Additionally, cost data reported can be considered inept. For example, in its

2003 survey fifteen percent of the participants could not tell you if there was unapproved

use of their network and systems, indicating that some measurable losses were obtained

but that this could significantly underestimate the totality of all losses. Also, out of the seventy

five percent of the participants that reported losses, only forty seven percent of them

could put an actual figure to those losses. The authors of “The Economic Impact of

Cyber-Attacks” do state, however, that this study is accepted by many papers that

comprise the computer security literature. Yet again, there is no one sound method that

can be modeled to quantify the costs associated with Cyber Attacks, which

is why it is useful to extract data from a variety of sources (Cashell, Jackson, Jickling,

Webel, 2004).

4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks

       In its 15th annual 2010/2011 “CSI/FBI Computer Crime and Security Survey”, the

Computer Security Institute sent the survey to 5412 security practitioners by regular snail mail and

email, and 351 people replied with feedback, a number of returns that

would make the institute ninety five percent confident that their numbers are accurate

with just slightly over a five percent margin of error. They do however admit that

these respondents are only those who have paid to be members of the institute or paid

to attend their event, which can skew the numbers, but they represent a vast array of

industries except for the financial sector, whose participation dropped around five

percent with this last study. Furthermore, as with many of these surveys, they do not

include consumers being compromised, and a majority of the organizational respondents

came from companies making over $100 million a year as opposed to smaller entities.

Forty seven percent claimed they were affected by regulatory laws, but this could be due

to the fact that laws may not be so clearly defined and respondents that are a part of a

government entity may not feel these laws affect them. Finally, not for profit firms or

educational institutions may not feel they have customers, so they do not believe it

affects them.

       The CSI report for the year 2010 shows the types of attacks experienced by the

survey's participants: 67.1 percent were attacked with some type of

Malware infection, insider abuse of Net access or email 24.8 percent, laptop mobile

device theft 33.5 percent, phishing 38.9 percent, Denial of service 16.8 percent, Bots on

the network 28.9 percent, financial fraud 8.7 percent, password sniffing 11.4 percent

and exploiting a wireless network 7.4 percent. As you can see, Malware infection

continues to be the most commonly seen attack. The percentages depicted in the prior

sentence are the main reason we incorporated the CSI survey and also their

commentary on the Symantec study which you will see below. As for the financial

losses, they could not be properly assessed due to the fact that only 77 respondents

provided information, and the numbers are not worth mentioning as this is far too small

a sample, but this does offer some proof of monetary losses (Richardson 2010).
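
As an added illustration (not part of the original report or of the CSI survey itself), the following Python sketch checks the survey's stated margin of error from the figures quoted above and shows how wide that margin becomes for the 77 respondents who reported losses. It assumes a simple random sample and the standard formula for a proportion, and it assumes every respondent answered the attack-type question; all function and variable names are hypothetical.

```python
import math

Z_95 = 1.96  # two-sided z-score for 95 percent confidence

# Figures quoted in the text above for the 2010/2011 CSI survey.
SURVEYED = 5412        # practitioners the survey was sent to
RESPONDENTS = 351      # surveys returned
LOSS_REPORTERS = 77    # respondents who supplied loss figures

# Attack-type shares quoted above, as fractions of respondents.
ATTACK_SHARES = {
    "malware infection": 0.671,
    "phishing": 0.389,
    "laptop/mobile device theft": 0.335,
    "bots on the network": 0.289,
    "insider abuse of net access or email": 0.248,
    "denial of service": 0.168,
    "password sniffing": 0.114,
    "financial fraud": 0.087,
    "exploiting a wireless network": 0.074,
}


def margin_of_error(n, population=None, p=0.5, z=Z_95):
    """Half-width of the confidence interval for a proportion p seen in n replies.

    p=0.5 is the worst case. When the population size is known, the finite
    population correction is applied. The formula assumes a simple random
    sample, so it says nothing about self-selection bias.
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a proportion between 0 and 1")
    se = math.sqrt(p * (1.0 - p) / n)
    if population is not None:
        if n > population:
            raise ValueError("sample cannot exceed population")
        if population > 1:
            se *= math.sqrt((population - n) / (population - 1))
    return z * se


def confidence_interval(p, n, population=None):
    """95 percent interval for an observed share p, clipped to [0, 1]."""
    moe = margin_of_error(n, population, p)
    return max(0.0, p - moe), min(1.0, p + moe)


def survey_report():
    """Return (label, low, high) rows for each quoted attack-type share."""
    # Assumption: all 351 respondents answered the attack-type question.
    rows = []
    for label, share in ATTACK_SHARES.items():
        low, high = confidence_interval(share, RESPONDENTS, SURVEYED)
        rows.append((label, low, high))
    return rows


if __name__ == "__main__":
    print(f"all replies : +/-{margin_of_error(RESPONDENTS, SURVEYED):.1%}")
    print(f"loss figures: +/-{margin_of_error(LOSS_REPORTERS, SURVEYED):.1%}")
    for label, low, high in survey_report():
        print(f"{label:38s} {low:.1%} to {high:.1%}")
```

The margin for the 77 loss reporters applies to proportions only; dollar losses, which vary widely between organizations, would be estimated less precisely still, and no margin of error corrects for respondents who chose whether to reply.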




4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to
Cyber Contemporary Threat Landscape

      In January of 2012 PGP Corporation, a global player in safeguarding

organizational data, and research firm The Ponemon Institute performed a

comprehensive study aimed primarily at data breaches, and one must

remember these are only confirmed data breaches. The survey revealed that data

breach incidents cost U.S. companies $204 per compromised customer record in 2009,

compared to $202 in 2008. There was an overall decline in the figures of reported

breaches in 2009 compared to 2008, but they were still significant. The average total per-incident

costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65

million in 2008. Recently Ponemon came out with additional statistical data for the year

2010 but the numbers were also exceedingly high. The chart below is a good

representation of the data compiled by Ponemon (Ponemon 2012). Using data provided

by Ponemon Institute, the chart depicted below shows that U.S. firms are now losing

more money to operational costs of Cyber Attacks than they are spending on security.


Figure 1. Chart Depicts Organizational Costs Outpacing IT Security
Spending For United States Companies by Ponemon Institute 2012

In a follow up study that came out in October of this year, Ponemon along with Hewlett

Packard for the first time studied several countries in addition to the United States. The

Institute conducted their research on fifty six organizations and they concluded

businesses on average suffered losses of $8.9 million per annum, an increase from

$8.4 million in the 2011 period. This represents a 6 percent increase over the

average cost reported in 2011, and a 38 percent increase over 2010 (Ponemon Institute

2012). The 2012 study also revealed a 42 percent increase in the number of Cyber

Attacks, with organizations experiencing an average of 102 successful attacks per

week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010

(Ponemon Institute 2012).


       Morgan Stanley Research came out with a report titled “Secular Should Outpace

Macro in Q3” whereby the firm conducted research on some of the leading Cyber

Security companies, noting that Chief Information Officers (CIOs) have explicitly said

that spending on security countermeasures will remain one of the top three priorities for

the year 2012 (Weiss, Holt, Gorham 2012).

Furthermore, Verizon Corporation, which has conducted a survey from the years 2004 to

2011 titled “Data Breach Investigations Report”, just came out with more recent figures.

The report is made up of those who confirmed that they were breached, as many entities

refuse to report their compromises for fear of reputational consequences that can lead

to loss of business, and in some cases firms may have been exploited but are unaware

of the attack until a future time. Data was collected from evidence gathered during paid

external forensic investigations and by making use of the Verizon Enterprise Risk and Incident

Sharing (VERIS) framework, which depicts security incidents in a structured and

repeatable manner and garners additional information through anonymous participation,

allowing entities to participate without the fear of reputational loss described in the above

sentence. Take note though that, as with the Ponemon study, Verizon dealt mostly with

organizations where a significant breach occurred. The VERIS approach also provides

us with a better methodology, helping us answer the question of what we need to

know and measure. The diagram below is representative of the model that aids

organizations in providing companies like Verizon with effective metrics, so

approaches are improving. As you can see, the chart is broken down into four quadrants

labeled Threat, Asset, Impact, and Control.




Figure 2. Baker, Hutton, Porter. The Graph is a Model Showing How Companies
Collect Data For the Verizon Data Breach Reports by Verizon Enterprise Risk and
Incident Sharing (VERIS)


Adding further credibility to the study is the participation of the United States Secret Service

(USSS), the Dutch National High Tech Crime Unit (NHTCU), the Australian Federal

Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police

Central eCrimes Unit (PCeU) of the London Metropolitan Police, as they contributed to

gathering data from 36 countries, unlike The Computer Security Institute, who only

gathered data from United States based entities. These countries include Australia,

Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany,

Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg,

Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian Federation,

South Africa, Spain, Taiwan, Thailand, Turkey, United Arab Emirates, Ukraine, United

Kingdom and the United States.


       Results from participants comprised 855 attacks, both those considered sophisticated and

those less difficult to orchestrate, with 174 million compromised records for the year 2011,

which is coincidentally the second highest number since Verizon came out with these reports

in the beginning of 2004. Just taking Ponemon's figures for 2009 (which are actually lower

than some more recent numbers), which state that each compromised record

costs $204, spending becomes astronomical for many of these companies.

Multiplying $204 by Verizon’s 174 million compromised records, you would garner

total costs coming in at $35.496 billion, and those are just records breached from entities

who know they actually were compromised. The biggest change in this report as

opposed to previous research is that Cyber Attacks comprised of Malware and Hacking

against Servers and User Devices are growing substantially for large organizations but

even worse for smaller firms (Verizon 2012). These numbers are alarming as the

Verizon study, for example, does not take into account that compromises can weaken

product integrity, undermine software development and erode consumer confidence,

leading to further future losses by organizations that are not depicted in the study.

Furthermore, the survey focuses on organizations as opposed to affected individual

consumers, and costs derived from those seeking legal action against these exploited

entities or negative effects on productivity, such as downtime due to a system being

inoperable for a specified period of time, also do not appear in the report. Remember,

productivity typically refers to the increasing growth or decline in value added/subtracted

per worker or per unit of investment, which has the potential to produce an actual

acceleration or decline in income and jobs (Weisbrod 2011).


       Finally, in wrapping up this section we focus our attention on what even the

Computer Security Institute believes to be a highly accurate report, that being Symantec

Corporation's. The Institute believes the study covering the year 2010 is comprehensive

in nature because, as they state, Symantec uses a “machine-generated approach to

obtain the data, using sensors of various types to capture information about the data

traversing networks and the configuration of all sorts of Internet-connected devices”

(Richardson 2010). Symantec even says it acquires most of its data from more than 133

million client, server, and gateway systems due to the worldwide deployment of its

antivirus products. Furthermore, Symantec has a distributed honeypot network which is

really just database decoys filled with false data. In addition to the vast resources the

multibillion dollar organization has at its disposal, it also had MessageLabs

Intelligence, a respected source of data and analysis for messaging security issues,

trends and statistics, provide extra aid. Before we move on with the company’s figures

it must again be stated that the reason there are not as many in depth reports coming

from academia and other sources is that, unlike Symantec, which is a publicly traded

company with access to the capital markets' unlimited amount of money, the other

entities are not able to gather the necessary resources to collect a significant amount of

data. Back to the survey: the study was conducted in 24 countries among adults 18-64,

specifically focusing on the cost of Cybercrime. Between February 6, 2011 and March

14, 2011, StrategyOne also interviewed 19,636 people, including 12,704 adults

aged 18 and over, 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers, from

24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan,

New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark,

Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United

Arab Emirates). The company came up with its numbers by multiplying the number of

victims, which was 431 million over a twelve month period, by the average financial cost

of cybercrime (per country in US currency), totaling $114 billion in losses. Within that

$114 billion number Symantec was able to ascertain that more than 1 million became

victims every day and fourteen adults suffered from a cybercrime incident every second.

The publicly traded company took it even one step further by doing what other studies

could not, and that is calculating the value of time lost, which is correlated with

productivity, based on cybercrime experiences over the 12 month period. This number

came to an astonishing $274 billion. In taking the sum of the two figures depicted in the

former sentences you come up with a total cost of $388 billion. Subsequently the study

surmised that targeted attacks, the use of social networking attacks, zero-day

vulnerabilities and rootkits (a type of Malware), attack kits and mobile threats all rose

sharply (Symantec 2012). The accumulation of studies on the financial impacts on

capital expenditures of individual and private/public organizations targeted by Cyber

Attacks is indisputable. Therefore our hypothesis is on target, as the data substantiates

that Cyber Attacks do indeed cause the economy to incur losses, adversely impact

productivity and cause a significant decline in sales, in the billions upon billions

of dollars.


4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi
Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role
Explained

      It is essential that organizations implement Cyber Security controls either through

technological means or human analysis. Investments in the area of IT Security

organizations and startups in the past have been slow due to a lack of understanding and

the inability to view security as an essential element that must be incorporated within

one’s business. However, due to Cyber Attacks becoming more persistent, an increasing

number of investments and the infusion of capital committed to this sector are starting to

take shape. One reason for this is the implementation of regulation, but not so much as

to inhibit innovation. For instance, federal and state statutes that penalize companies

who do not properly safeguard consumer information have forced these entities to

obtain the necessary financing and invest in the area of Cyber Security. The FTC has

brought a number of legal enforcement actions against entities that have been inept in

protecting consumer data. Sarbanes-Oxley, which in particular pertains to public

companies, requires these firms to adhere to the Information Integrity provisions of this

law, requiring executive management to make sure internal controls are implemented to

address a vast array of issues including data security. Another important law, PCI

DSS (the Payment Card Industry Data Security Standard), provides guidelines and

requirements for protecting cardholder data that is transmitted, processed or stored by

those who accept credit/debit/prepaid card payments. If these requirements are

not met, entities can be penalized by the major credit card company brands, which at their

discretion can fine an acquiring bank $5,000 to $100,000 per month for PCI compliance

violations, a cost which would be passed down to the entity who accepts these transactions

and does not adhere to these requirements (PCI Security Standards Council 2012).

These regulatory initiatives, in conjunction with the increasing number of attacks,

collaboration and awareness, have all been helpful in garnering a large amount of capital

investment in the Cyber Security Industry, further fueling innovation of new products and

services. In fact, the United States Bureau of Labor Statistics (BLS) has not provided

any data over the years on the security industry in the way of job statistics; however, the

government fact finding agency has finally begun to recognize the importance of

collecting figures, albeit slowly. Although it is in its infancy, the BLS began to implement a

category they coin “Security Analyst”, which comprises individuals that plan,

implement, upgrade, or monitor security measures for the protection of computer

networks and information. Embedded in the description of Security Analysts, and in

addition to the explanation of this group in the prior sentence, the BLS goes on to

expand upon their definition in saying “these workers may also ensure appropriate

security controls are in place that will safeguard digital files and vital electronic

infrastructure responding to computer security breaches and viruses.” Again this is

brought up to show that even the BLS has realized that investment in this area is

starting to have a direct impact on job growth, forcing their hand at having to come up

with figures to provide more accurate information on the economy as a whole. Numbers

garnered by the BLS to date are not yet a large enough sample that would allow one to

rely on such data, but it is hoped that this will soon change. One thing that does

resonate is that there was no unemployment among IT security professionals in the

U.S. and jobs grew dramatically while averaging four quarters of figures for the year

2011. Forty four thousand Security Analysts were employed, with the BLS seeing a rise

of more than one third in the fourth quarter of 2011 to 51,000 from 37,000 in the first

quarter (Bureau of Labor Statistics 2012).


       Gartner Research in a September 2012 release stated that although a vast

sector of the world has been hit by the economic slowdown, forcing many companies to

cut their Information Technology budgets, this is not the case when it comes to the

global security infrastructure market. The research firm anticipates that security will

continue to be a top priority and therefore spending is slated to rise to $60 billion, up

from $55 billion in the prior year, and by 2016 reach $86 billion (Gartner 2012). In fact, a

Certified Financial Analyst for financial firm Citi Group came out with a 15 page report

titled “IT Security Survey Says…Network Security and Check Point Have Most

Favorable Trends” where he found IT security budgets in 2012 poised to grow faster

than overall IT spend, a reversal from last year, positively impacting sales for several of

the major IT security vendors (Pritchard 2012). The bar graph below provided by Citi in

Figure 1 projects what was highlighted in the prior sentence.


Figure 3. (Pritchard 2012) Graph Showing Security Spending Should Outpace
Overall IT Budget Growth From Citi Investment Research & Analysis




Figure 4. (Pritchard 2012) Graph of Network Growth in the Network Security
Market by Citi Investment Research & Analysis

The graph above indicates refresh growth in the Network Security appliance market

(unlike a single piece of security software, network security appliances are security tools

typically bundled together), meaning CIOs polled in the Citigroup survey will replace

their appliances more than in prior years. Although this includes a segment of the Cyber

Security Industry, it can be incorporated as it provides further proof of the growth of

spending in security.

       Morgan Stanley Research extracted a significant amount of data through their vast

network and conversations with several organizations who primarily conduct most of

their business by partnering up with manufacturers to market and sell the manufacturers'

products, services, or technologies. These are what the industry calls

channel partners, and they cite that ongoing investments in data protection technologies,

multi-function network security solutions, and solutions to counter Advanced Persistent

Threats (APTs) will only continue to grow. They emphasize that these areas are

essential, which is indicative of the large amount of negative publicity received over the

past 12 to 18 months due to the growing number of Cyber Attacks. Breaking things down

a bit further, network security data points (the authorization of access to data on a

network, including firewalls, antivirus, spam and content filtering through logs as well as

intrusion detection and prevention systems) (Weiss, Holt, Gorham 2012) are quite

robust, as acquired data showed that 69% of CIOs plan to outlay capital on network

security in 2012 and very few entities, 8% to be precise, are planning to decrease

spending on security initiatives. Compared with the last survey by Morgan Stanley, which was

conducted in July of 2012, this was an overall improvement from 65%/20%

respectively. Separate from the number of CIOs, the report solely focused on five of the

                                                                                37 | P a g e
largest players in the IT security market, those being Fortinet Inc., Sourcefire,

Symantec, Websense and Checkpoint Software. The issue that arises with just

focusing on this small group is that it is not indicative of the overall Cyber Security

Industry unlike the Ponemon study. For example Symantec has appeared to plateau

compared too many of its rivals and this is because of increasing competition, the

substantial size of the company which impacts the rate of growth and internal controls

as opposed to lack of spending. To extrapolate on this a bit more back in March of

2012, Citigroup came out with a 15 page report titled ―IT Security Survey

Says…Network Security and Check Point Have Most Favorable Trends‖ where the

analyst questioned via telephone 50 United States and European based Chief

Information Security Officers (CISO’s) detailing a lengthy series of in-depth questions on

the security market but here again it must be noted that the data just focused 90% on

firms with more than $1 billion in annual sales so although relevant the statistical

threshold falls slightly short due to sample size. Having said that Citi has conducted this

survey for the past three years which comprised of a broad spectrum of industries, the

most common were financial services (20%) and manufacturing (18%), while

government was underrepresented (just 4%) therefore the buying power should not be

ignored. They deciphered from the information that IT security budgets in 2012 are

poised to grow faster than overall IT spend, a reversal from last year positively

impacting sales for several of the major IT security vendors (Pritchard 2012).


       There are internal and external factors that show the negative impact on bottom
line numbers (profit), such as litigation costs, employee overhead, taxes, Merger and
Acquisition activity, margins, etc., but top line growth (revenues) remains strong again.
This is not indicative of internal cost controls and how well these security firms manage
their balance sheets but more in the way of cyclical trends (i.e., effects of
macroeconomic conditions such as Europe's debt crisis, which can have an adverse impact on
sales). For example, Sourcefire's quarterly year over year (yoy) sales rose 30.10% with
yearly revenues of $208.94 million (Sourcefire 2012), Fortinet (yoy) sales grew 17.00%
with yearly revenues of $503.34 million (Fortinet 2012), Checkpoint (yoy) increased 7.80%
with yearly revenues of $1.33 billion (Checkpoint 2012), Symantec (yoy) rose 1.10% with
yearly revenues of $6.76 billion (Symantec 2012) and Websense rose slightly at 1%, with
yearly revenues of $362.49 million to date (Websense). All data in the previous sentence
was compiled by the companies and audited by the world's leading financial advisory firms.
This research has not taken into account what encompasses the bottom line figures but
rather just sales growth. Furthermore, to use an additional company-specific example, NICE
Systems, which offers a wide array of security solutions, is labeled in another area of
Cyber Security focusing primarily on management and analysis. The Israeli firm saw
quarterly revenue growth (yoy) rise 9.70% with $854.95 million in total sales this year
thus far (NICE 2012). In a Reuters article written on October 31, 2012, Tova Cohen wrote,
"Nice has benefited from growing demand for tools to delve into data to improve business,
spot fraud and fend off security threats, and the company said compliance requirements in
finance, energy and other sectors had boosted business" (Cohen 2012). Therefore the Morgan
Stanley report should be taken with a grain of salt, as it is only representative of five
companies, which the Certified Financial Analysts (CFAs) that performed the analysis have
admitted to. 451 Research, a global analysis and data company, solidifies Ponemon's
results, as you can see from the chart below, and several numbers stick out: in
particular, 45% of the security chiefs interviewed in their October 2012 research report
have expanded their company budgets in 2012 compared to the year-ago period in 2011, with
a minimal number of chiefs, 10%, reducing their budgets this year compared to last year.
Subsequently, the outlay of capital towards security becomes even more robust in 2013,
with 47% of those surveyed planning on further increases, where in contrast only 8%
believe their budgets will fall between 2012 and 2013.




Figure 5. (Kennedy 2012) Graph of Information Security Budget Trends From 451 Research


Some comments from those who participated in the 451 Research study in reference to
expenditures on security include the following:

"It [budget] has increased, but percentage not disclosed. The increase is due to
voluntary projects to reduce complexity of meeting requirements."

"Complicated — there was an increased [in budget allocation] allocation due to
regulations, but an overall budget decrease."

"Half of the budget increase went to compliance issues."

"The security budget is growing over time" (Kennedy 2012).

       We would be remiss if we did not discuss one of the more astonishing sets of
statistical financial data acquired to date, from the 280 page report by Advanced
Technologies, Geographical Analysis & Competitive Landscape. The firm that collected the
data for the study is a full service market research company and consulting firm.
Established in 2001, it provides research on pharmaceuticals, energy and power,
biotechnology, food and beverage, chemicals, medical devices, advanced materials,
semiconductor and electronics, industrial automation, telecom and information technology,
consumer goods, automotive and transportation, and banking & financial services sectors.



       The report titled "Cyber-Security Market - Global Forecast & Trends (2012 – 2017)
by Advanced Technologies, Geographical Analysis & Competitive Landscape" acquires data
from 24 large companies, and sub-segments/micro-markets in North America, Latin America,
Western Europe, Eastern Europe, Middle East & Africa, and APAC (Asia-Pacific) through
analysis of a number of technologies and solutions, in particular for the utilization of
differing applications in the cyber security arena. This is all based on functions and
performance, and the numbers are quite revealing. The authors state that in 2011 the Cyber
Security industry was calculated at being worth $63.7 billion and that the figure was in
addition attributed to a larger number of entities focusing on a comprehensive framework
that covers the basis of network, end-point, application, content, and wireless segments.
Included are Identity & Access Management, Risk & Compliance Management, Data Encryption,
DLPS, Data Recovery Solutions, UTM, Anti-Virus, IPS/IDS, Web Filtering, Firewall, and
Vulnerability Management. To go off on a tangent, just as with the Symantec study,
Advanced Technologies has the capability to conduct such a detailed study because it is a
for-profit research firm that on average collects $4,650 for a single report, $7,150 for
its corporate license and $9,000 for the reportlinker.com site license. Therefore it has
an unlimited amount of resources at its beck and call to conduct a study of this size,
unlike the vast majority of organizations or individuals. In delving deeper into the
numbers, the company was able to model future numbers based on historical data and past
trends. Although these trends fluctuate, a sufficient average can be derived from an
agreed upon and well established mathematical formula among economic scholars.
Extrapolating on this, the research arm was able to arrive at an average compounded annual
growth rate (CAGR) of 11.3 percent based on data collected by the firm from years past. As
a CAGR example, let's say a company had just $10,000 on March 1, 2009 and by March 1,
2009, the number grew to $13,000, then $14,000 by 2010, and finally ended up at $19,500 by
2011. The company's CAGR would be the ratio of the ending value to the beginning value
($19,500 / $10,000 = 1.95) raised to the power of 1/3 (since 1/# of years = 1/3), then
subtracting 1 from the resulting number: 1.95 raised to the 1/3 power = 1.2493. (This
could be written as 1.95^0.3333.) 1.2493 - 1 = 0.2493; another way of writing 0.2493 is
24.93%, and there you would get your final CAGR figure (Value Click NA).

This figure, although pro forma, was quite an eye opener, noting anticipated growth for
the Cyber Security market to $120.1 billion by 2017. This number was also derived based on
security growth due to increased adoption of cloud computing, networks, data centers, and
wireless communication devices, whereas the service side is driven by the need to service
cyber security installations with security operations, managed security services, and
consulting services. In all participating global sovereign nations, the private sector
accounted for most of the outlaid capital expenditures for Cyber Security countermeasures.
The only anomaly was the United States, where government expenditures were on par with the
private sector (MarketsandMarkets 2012). Another interesting fact was issued in 2010 by
the Department of Commerce and several other organizations. In their report they said that
even though there has been increased awareness in light of the risks of Cyber Attacks, a
broad number of people that contribute to the United States economy did not take advantage
of available technology and processes to secure their systems. Also, countermeasures are
not evolving as rapidly as the threats (Department of Commerce 2011). If this is the case,
we can make a slight assumption that Cyber Security market penetration could grow even
more substantially if more entities invested in the safety of their systems. However, even
more evidence of a change in this way of thinking can be seen over the last year, whereby
the initial public offerings of IT security start-ups have outperformed offerings that are
not a part of this industry. Facebook is just one example of the latter. Imperva, a data
security company that went public last year, saw its stock price rise nearly 30 percent on
its first day of trading, and at the time of this report it remains at 37 percent above
the offering price. The stock price of Splunk, a data security company, jumped nearly 65
percent from its offering in April of this year, and in addition the company raised $331
million in a secondary offering. "People are starting to realize that the billions of
dollars that have been invested into traditional network security are not working for them
anymore," said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture
capital firm. Merger and Acquisition activity is also seeing a pickup. Apple recently
became a suitor of AuthenTec, paying $356 million last month in what is reported as being
one of Apple's largest acquisitions. These are just a few of the many deals that are
growing in number (PERLROTH and RUSLI 2012).



       As you can see, this last study is quite telling and provides support that Cyber
Attacks did develop a new market and subsectors within this industry, helping to garner a
vast amount of money from the investment community and in turn increasing organizational
revenue figures for Cyber Security firms. In addition, the people and organizations
participating in the security infrastructure perform a wide array of functions. These
include education and training, research, publication, product development and marketing,
network security administration, security support services, policy and standards making,
law enforcement, and research funding.




5. Conclusion

       As we have seen throughout this paper, and especially in looking at the data
results incorporated in the discussion section, Cyber Attacks have cost the economies of
the world a substantial amount of money; however, they have also helped to fuel investment
and the growth of the Cyber Security Industry at a rapid rate. It is unfortunate that the
numbers associated with both the overall negative economic impact on entities around the
world and the figures that can be derived from the Cyber Security industry in reference to
growth are not absolute or rigorous enough. However, unlike individual studies, we have
the ability to access information from a slew of research reports to help obtain a more
accurate evaluation. As for right now, one could certainly see that the numbers affecting
costs outweigh the capital being infused into the Cyber Security Industry. Subsequently
this year, we did see a change in increased collaboration and awareness. Therefore it has
forced organizations like the BLS to finally lay the foundation to come up with an
improved model in order to acquire a closer estimate of the growth of the Cyber Security
realm. We then hopefully can come closer to finding out whether the Cyber Security
Industry and the money that it garners will surpass the cost figures associated with Cyber
Attacks. It will be interesting to see over the next several years if the BLS will help to
bring this about. One other thing to note is that although various research coming from
organizations such as Symantec is very comprehensive in nature, there is still a problem
of gathering information from organizations of all sizes that refuse to tell us whether
they have been breached for fear of loss of business due to reputational consequences.
When it comes to publicly traded corporations, divulging such information can cause a
decline in the market capitalization of these companies, stock price declines and an
unwillingness to invest in companies that can be infiltrated easily. The Securities and
Exchange Commission (SEC) guidelines are beginning to have an impact on publicly traded
firms. The SEC has now forced companies like Amazon, Google, Hartford Financial Services
Group Inc, Eastman Kodak and others to provide public information on any compromises and
costs that occur within their organizations. An article written in Business Week states
that the SEC sent out a number of letters to public companies, asking about Cyber Security
disclosures and later pushing companies to disclose. Although this is not a law as of yet,
it paves the way for one. The reason this is brought up is that it will be interesting to
see if such a law finally passes; by requiring companies to report this information in
their financial statements, perhaps we can obtain even more accurate figures on economic
costs. Until then we have to rely on research offered by multiple sources and take the
average of all the compiled figures so we can come closer to establishing whether the
costs of Cyber Attacks far outweigh the capital being accumulated by the Cyber Security
industry or vice versa.




6. References



1. The Bureau of Labor Statistics (2012). "15-1122 Information Security Analysts".
   Retrieved 3 December 2012 from The Bureau of Labor Statistics
   http://www.bls.gov/soc/2010/soc151122.htm
2. Cashell, B., Jackson, W., Jickling, M., and Webel, B. (2004). "The Economic
   Impact of Cyber Attacks" published by Congressional Research Service, Library
   of Congress. Retrieved 23 November 2012 from Cisco Corporation
3. Checkpoint Software (2012). Form 6K filing period 10/17/2012. Retrieved 1
   December 2012 from the Securities and Exchange Commission
   http://www.sec.gov/Archives/edgar/data/1015922/000117891312002883/0001178913-12-002883-index.htm
4. Cohen, T. (Oct 31, 2012). "UPDATE 1-Nice raises 2012 profit forecast as Q3 beats
   estimates" published by Reuters
   http://www.reuters.com/article/2012/10/31/nice-results-idUSL3E8LV69Y20121031?feedType=RSS&feedName=marketsNews&rpc=43
5. Colman, K. (January 2011). "THE GROWING RISK OF CYBER ATTACK AND OTHER
   SECURITY THREATS" published by The Technolytics Institute. Retrieved 1
   December 2012 from HWP Insurance
   http://www.hwphillips.com/wp-content/uploads/2012/09/The-Growing-Risk-of-Cyber-Attack-and-Other-Security-Threats.pdf
6. Cornell University Law School (1986). Fraud and related activity in connection
   with computers. Published by United States Congress. Retrieved 23 November
   2012 from Cornell University Law School.
   http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
7. THE DEPARTMENT OF COMMERCE INTERNET POLICY TASK FORCE (June
   2011). CYBERSECURITY, INNOVATION AND THE INTERNET ECONOMY.
   Retrieved 1 November 2012 from The National Institute of Security Standards.
   http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf
8. Dowdy, J. (2012). Chapter 5: The Cybersecurity Threat to U.S. Growth and
   Prosperity. Published by Aspen Institute bookstore and Brookings Press.
   Retrieved 22 November 2012 from McKinsey & Co. www.mckinsey.com
9. Dunn, Myriam (2005). A COMPARATIVE ANALYSIS OF CYBERSECURITY
   INITIATIVES WORLDWIDE. Retrieved 6 December 2012 from International
   Telecommunications Union:
   http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_Cybersecurity_Initiatives_Worldwide.pdf
10. Fortinet (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December
    2012 from the Securities and Exchange Commission
    http://www.sec.gov/Archives/edgar/data/1262039/000126203912000051/fortinet2012093010-q.htm
11. Gartner Research (2012). Gartner Says Worldwide Security Infrastructure Market
    Will Grow 8.4 Percent. Retrieved 1 December 2012.
    http://www.gartner.com/it/page.jsp?id=2156915
12. Gallaher, M., Rowe, B., Rogozhin, A., Link, A. (July 2006). ECONOMIC
    ANALYSIS OF CYBER SECURITY. Published by Research Triangle Institute.
    Retrieved 23 November 2012 from Defense Technical Information Center.
    http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA455398
13. Hess, Ken (2011). Ghost in The Wires: The Kevin Mitnick Interview. Retrieved
    27 November 2012 from ZDNet:
    http://www.zdnet.com/blog/security/ghost-in-the-wires-the-kevin-mitnick-interview/9357
14. Hoover, N. (2012). Cyber Attacks Becoming Top Terror Threat, FBI Says.
    Published by UBM Tech. Retrieved 7 December 2012 from Information Week
    http://www.informationweek.com/government/security/cyber-attacks-becoming-top-terror-threat/232600046
15. HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency
    Doubles. PALO ALTO, Calif., Oct. 8, 2012.
    http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html
16. Info Security Magazine (September 2012). "Cyber attacks 'one of the most
    serious' threats facing the US, says Janet Napolitano" published by Reed
    Exhibitions. Retrieved 7 December 2012 from Info Security Magazine
    http://www.infosecurity-magazine.com/view/28145/cyber-attacks-one-of-the-most-serious-threats-facing-the-us-says-janet-napolitano/
17. Keely, David Lt. (April 13, 2011). "CYBER ATTACK! CRIME OR ACT OF WAR?"
    United States Air Force U.S. Army War College CARLISLE BARRACKS,
    PENNSYLVANIA 17013.
18. Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013.
    Published by 451 Research. Retrieved 27 November 2012 from 451 Research
    Blog
    http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/
19. MarketsandMarkets (June 2012). Cyber-Security Market - Global Forecast &
    Trends (2012 - 2017). Retrieved 27 November 2012 from reportlinker.
    http://www.reportlinker.com/p0923304-summary/Cyber-Security-Market-Global-Forecast-Trends--by-Advanced-Technologies-Geographical-Analysis-Competitive-Landscape.html
20. Martin, D. (2007). Joybubbles, 58, Peter Pan of Phone Hackers, Dies. Retrieved 1
    December 2012 from The New York Times
    http://www.nytimes.com/2007/08/20/us/20engressia.html?_r=3&ref=obituaries&oref=slogin&oref=slogin&
21. National Institute of Standards and Technology (NA). The National Cyber
    Security Workforce Framework. Retrieved 1 December 2012 from National
    Institute of Standards and Technology:
    http://csrc.nist.gov/nice/framework/documents/national_cybersecurity_workforce_framework_printable.pdf
22. NICE Systems (2012). Form 6K filing period 12/6/2012. Retrieved 1 December
    2012 from the Securities and Exchange Commission
    http://www.sec.gov/Archives/edgar/data/1003935/000117891312003378/0001178913-12-003378-index.htm
23. Oona, H., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W. & Spiegal, J.
    (2012). The law of cyber-attack. California: California Law Review.
24. PCI Security Standards Council (2012). PCI SSC Data Security Standards
    Overviews. Retrieved 26 November 2012 from PCI Security Standards Council
    https://www.pcisecuritystandards.org/security_standards/
25. PERLROTH, NICOLE and RUSLI, EVELYN M. (2012). Security Start-Ups Catch
    Fancy of Investors. Retrieved 1 December 2012 from The New York Times:
    http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups-catch-venture-capitalists-eyes.html?_r=0
26. Pindar, J., Rigelsford, Dr. J. (July 2011). Cyber Security and Information
    Assurance. Mr. Joseph Published by The University of Sheffield.
27. Ponemon Institute (February 2012). Ponemon Study Shows the Cost of a Data
    Breach Continues to Increase. Retrieved 1 December 2012 from PR Newswire:
    http://www.ponemon.org/news-2/
28. Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United
    States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from
    Ponemon Institute:
    http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security
    and Check Point Have Most Favorable Trends. Citi Investment Research &
    Analysis.
30. Ramirez, L. (October 2012). "Panetta Says US Boosting Cyber Defense"
    published by Voice of America. Retrieved 6 December 2012
    http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber-security/1525450.html
31. Richardson, R., CSI Director (2010). 2010/2011 CSI Computer Crime and
    Security Survey. Retrieved 27 November 2012 from The Computer Security
    Institute. https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf


32. Rowe, B., Gallaher, M. (2006). Private Sector Cyber Security Investment
    Strategies: An Empirical Analysis. Published by Technology Economics and
    Policy, RTI International. Retrieved 21 November 2012 from The Ninth Workshop
    on the Economics of Information Security
    http://www.weis2006.econinfosec.org/docs/18.pdf
33. Securing Cyberspace: A New Domain for National Security. Nicholas Burns and
    Jonathon Price
34. Sentementes, Gus G. (2012). Cybersecurity business, jobs expected to grow
    through 2016. Retrieved 5 December 2012 from The Baltimore Sun:
    http://www.baltimoresun.com/business/bs-bz-cybersecurity-maryland-forecast-20121018,0,6945767.
35. Sourcefire (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December
    2012 from the Securities and Exchange Commission
    http://www.sec.gov/Archives/edgar/data/1168195/000116819512000007/0001168195-12-000007-index.htm
36. Symantec Corporation (2012). Norton Cybercrime Report, September 2012.
    Retrieved 22 November 2012 from Symantec.
    http://www.norton.com/2012cybercrimereport
37. Symantec Corp. (2012). Form 10Q filing report period 9/28/2012. Retrieved 1
    December 2012 from the Securities and Exchange Commission
    http://www.sec.gov/cgi-bin/viewer?action=view&cik=849399&accession_number=0001193125-12-441366&xbrl_type=v
38. Value Click (Date NA). Compounded Annual Growth Definition. Retrieved 1
    December 2012 from Investopedia.
    http://www.investopedia.com/terms/c/cagr.asp#ixzz2FEDxVIqH
39. Value Click (Date NA). GDP Definition. Published by Value Click. Retrieved 1
    December 2012 from Investopedia.
    http://www.investopedia.com/terms/g/gdp.asp#ixzz2Eark1U7v
40. Verizon RISK Team (2012). 2012 Data Breach Investigations Report. Retrieved 7
    December 2012 from Verizon Corporation:
    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
41. Websense (2012). Form 10Q filing report period 9/30/2012. Retrieved 1
    December 2012 from the Securities and Exchange Commission
    http://www.sec.gov/cgi-bin/viewer?action=view&cik=1098277&accession_number=0001098277-12-000004&xbrl_type=v
42. Weisbrod, Glen (2011). DEFINING ECONOMIC IMPACT AND BENEFIT
    METRICS FROM MULTIPLE PERSPECTIVES: LESSONS TO BE LEARNED
    FROM BOTH SIDES OF THE ATLANTIC. Retrieved 6 December 2012 from
    Economic Development Research Group, Boston, Massachusetts, USA:
    http://www.edrgroup.com/pdf/Weisbrod-Simmonds-ETC-Oct2011R.pdf
43. Weiss, Holt, Gorham (October 2012). Security Preview: Secular Should Outpace
    Macro in Q3. Published by Morgan Stanley Research of North America
44. White, C. (2011). Data communications and computer networks "a business
    users approach". (6th ed., Vol. ISBN-10: 0538452617, p. 17, 17, 297, 308 &
    330). Course Technology, Cengage Learning



7. List of Figures

a. Figure 1: Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study:
   United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012
   from Ponemon Institute:
   http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
b. Figure 2: Baker, Hutton, Porter (Date NA). A Framework for Gathering Risk
   Management Information From Security Incidents. Published by Verizon Risk
   Management. Retrieved 6 December 2012 from Security Metrics Organization
   http://www.securitymetrics.org/content/attach/MetriCon4.5/mm_VZ.pdf
c. Figure 3: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network
   Security and Check Point Have Most Favorable Trends. Citi Investment
   Research & Analysis
d. Figure 4: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network
   Security and Check Point Have Most Favorable Trends. Citi Investment
   Research & Analysis
e. Figure 5: Kennedy, D. (October 2012). Information Security Budgets to Increase
   in 2013. Published by 451 Research. Retrieved 27 November 2012 from 451
   Research Blog
   http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/




                                                                        51 | P a g e

Contenu connexe

Tendances

Global Commision on Internet Governance
Global Commision on Internet GovernanceGlobal Commision on Internet Governance
Global Commision on Internet GovernanceDominic A Ienco
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexAndreanne Clarke
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
CyberSecurityBook[Final]
CyberSecurityBook[Final]CyberSecurityBook[Final]
CyberSecurityBook[Final]Lucy Kitchin
 
Cyber savvy (2)
Cyber savvy (2)Cyber savvy (2)
Cyber savvy (2)naveen p
 
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcMert Akın
 
Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015Symantec Intelligence Report - Oct 2015
Symantec Intelligence Report - Oct 2015CheapSSLUSA
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 

Tendances (19)

Cyber Attacks economic impact on entities worldwide

  • 1. Cyber Attacks and the economic impact on Entities worldwide Cyber Attacks Ahead Bradley Sean Susser December 17, 2012
  • 2. Abstract This research report studies the economic impact that Cyber Security attacks have on society as a whole. The aim of this analysis is to examine the negative and positive impact of these compromises on multiple entities. Our descriptive analysis focuses on individuals, private and public organizations, costs, revenues, innovations, and jobs to determine if proliferations of these attacks are either negative or positive. Although this paper draws upon the economic factors as a result of cyber-attacks, it looks at the outlay in its historical context of capital expenditures to private and public organizations due to the increased number of compromises and factors of this paradigm helping to fuel the growth of innovations or spawn a new industry as a whole.
  • 3. Table of Contents
    Abstract 2
    1. Introduction 4-5
    2. Literature Review 6
    2.1 Cyber Attack defined 6-8
    2.2 Cyber Security defined 8-9
    2.3 Brief History of Cyber Attacks 9-10
    2.4 Economic Impacts Defined (inclusive Cost benefit Analysis) 10-13
    2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment 13-14
    3. Methodology 14-15
    3.1 Cyber Attacks and Hypothesis on their Growth over the Years 15-16
    3.2 Cyber Attacks & Hypothesis on Financial Impacts of Entities Targeted 16-17
    3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital 17-18
    4. Discussion 18
    4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings 18-20
    4.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective 20-22
    4.3 McKinsey Global GDP Growth Statistics 22-23
    4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics 23-24
    4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks 24-25
    4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape 26-32
    4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained 33-44
    5. Conclusion 45-46
    6. References 47-51
    7. List of Figures 51
  • 4. 1. Introduction: Since the mid-1980s, as personal computers became more prevalent, so too did a small group of people who chose to wreak havoc by exploiting and compromising these devices for nefarious purposes or out of pure curiosity. These events were even depicted in movies such as War Games, which was introduced to the public in 1983. The movie is based on a teenage boy who breaches the United States Pentagon's computer system and locates a game within the system known as "Global Thermo Nuclear War". Although he believes this is just a game, in reality he inadvertently causes the system to begin the process of launching a nuclear attack on a number of sovereign nations. This was the first time that such a scenario was brought to the forefront of the general public, and although this was just a movie, in reality systems, although in their infancy, were becoming attractive targets for individuals and entities to manipulate and unethically exploit. Then in the early 1990s the Internet was introduced to the commercial sector, allowing both private and public entities to leapfrog off of this medium and create whole new economies based on this technological innovation. However, as the Internet, systems, personal computers and a plethora of hardware/software devices are utilized more and more for routine activities, the number of people wishing to do harm to individuals and organizations that make use of these technologies continues to grow at an alarming rate. In fact, according to Verizon's 2012 Data Breach Investigations Report, 2011 was the year that organizations' systems came under attack by a slew of groups with different forms of motivation, and the numbers are unprecedented. The report focused on
  • 5. 855 incidents that saw 174 million data records get compromised. The attackers included protesting entities such as Anonymous and cybercriminals performing attacks to acquire trade secrets, classified information and other intellectual property, steal personal credit card information, commit identity theft, take down organizational servers, and the list goes on and on. Verizon is quoted as saying "Doubly concerning for many organizations and executives was that target selection by these groups didn't follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can't predict their behavior" (Verizon 2012). Another scathing report, released to the public in October of 2012 by Hewlett Packard working with the Ponemon Institute, indicated an exponential increase of Cyber Crime from 2010 to 2011. In contrast to the Ponemon and Verizon reports, an article written in the Baltimore Sun on October 21, 2012 quoted Cyber Security analysts as saying that this sector of the market is anticipated to grow over 50 percent up until the end of 2016, which will open up new opportunities for businesses and individuals. The article goes on to say that Cyber Security spending by the Defense Department, even with the absence of certain legislation, will rise from $4.4 billion in 2011 to $6.7 billion in 2016, spending in civilian agencies will increase from $2.6 billion in the 2011 period to $3.8 billion by 2016, and capital expenditures to be outlaid by U.S. Intelligence agencies are expected to increase from $2.3 billion last year to $3.6 billion over the next four years (Sentementes 2012). The statistics incorporated above show a dichotomy whereby the economic impacts of Cyber Attacks can be both disadvantageous and advantageous. The point at issue is: is one more predominant over the other or do they balance
  • 6. each other out? The question posed in the prior sentence is what this paper's primary objective seeks to ascertain, although other questions must be raised and investigated to garner an appropriate answer. So as you continue through the sections to follow, we will look through an assortment of research to try and come up with a valid answer to the aforementioned question. 2. Literature Review: In reviewing the literature there is an abundance of material on the growing number of Cyber Attacks, which have negative ramifications but have also helped to spur the growth of a variety of disciplines and innovations within the IT Security arena. Therefore there are a multitude of factors and questions one needs to take into account by means of economic analysis. 2.1 Cyber Attack defined Some of the essential questions that must be addressed include: do the overall economic impacts of these attacks weigh on the side of being more adverse or advantageous? The aforementioned question should be broken down even further to include the following. What is a cyber-attack? There are a variety of ways to define and describe a cyber-attack. Although the term may appear simplistic on the surface, cyber-attacks are comprised of a multitude of factors. The Ponemon Institute states that this is any criminal activity conducted over the Internet (Ponemon 2012), but is this not too simplistic of a definition? According to the research paper "The Law of Cyber-Attack", the authors explain that a Cyber Attack is "any action taken to undermine the functions of a
  • 7. computer network for a political or national security purpose." This group of writers then further explains that the reason for the lack of clarity among the community on what Cyber Attacks are is the inability to make a distinction between Cyber Crime, Cyber Attack, and Cyber War. For example, in their paper "a Cyber Attacks Objective must be to undermine the function of a computer network" and "Must have a political or national security purpose." (Oona, Crootof, Levitz, Nix, Nowlan, Perdue, Spiegal, 2012). The terms Cyber Crime and Cyber War discussed in the sentences above are what make up Cyber Attacks, and therefore further extrapolation on the true meaning must be incorporated. Lt. Colonel David M. Keely hits the nail on the head in stating that many of the definitions he came across were too narrow in scope. He concluded that "A good definition of Cyber Attack can be found in discussions of the Critical Infrastructures Protection Act (CIPA) of 2001: 'All intentional attacks on a computer or computer network involving actions that are meant to disrupt, destroy, or deny information.'" In addition, he states that you must also incorporate the "why" aspect, that is, the motivation of the attacker. "If the motivation of the attacker is monetary gain, destruction of property, or espionage, then a crime has been committed." "If the desired result is 'to cause death or serious bodily harm to civilians or non-combatants, with the purpose of intimidating a population or compelling a Government or an international organization to do or abstain from doing any act' then an act of terrorism has occurred." "If the motivation is to wage or to assist in waging an 'armed hostile conflict between States or nations' then an act of war has occurred." Lieutenant Keely's assessment covers all the essential elements of Cyber Attacks that impact sovereign nations, public and private entities and finally individuals; therefore his
  • 8. interpretation is quite effective for the purpose of our research endeavor (Keely, 2011). Finally, it is necessary to break down the types of exploits propagated by these Cyber Attacks. Cyber Attacks are comprised of Malware, Web based attacks, stolen devices, malicious code implementation, malicious insiders, phishing and social engineering, and denial of service attacks (DoS). Malware is defined as evil software and is made up of subcategories which include viruses, Trojans, worms, rootkits, keyloggers etc. however in the chart provided by 2.2 Cyber Security defined As with Cyber Attacks, we need to try and come up with a concrete definition for Cyber Security, as it varies among Information and Communications Technology (ICT) professionals. This is because the area of specialties could be substantial according to The National Institute of Standards and Technology (NIST), a U.S. federal agency and one of the leading organizations in charge of implementing security standards globally. Although NIST's numbers may be slightly overarching, it provides additional affirmation that the term Cyber Security cannot be so easily defined (National Institute of Standards and Technology). Some believe the term to be interchangeable with Information Security, while others state that Information Security is a subset of Cyber Security. A definition that we found to be most appropriate is that Cyber Security refers to the protection of any asset from being exploited by Cyber Attacks, which we defined above, via Information and Communication Technologies. Also included are additional components such as countermeasures and activities, which can be either technical or non-technical in nature, for the purpose of safeguarding computer networks, digital devices, hardware, software and all the information that they contain and communicate from anyone that has malice
  • 9. of intent. In addition, Cyber Security encompasses a number of professionals that perform continuous research and analysis in order to try and keep ahead of those wishing to do us harm, described above by NIST. As you can see, the word information is embedded in the definition of Cyber Security, so we can conclude that Information Security is in fact a subset of this area of discipline. Therefore Information Security references all aspects of information protection. Subsequently, three primary objectives lie at the heart of Information Security: confidentiality, integrity and availability. Confidentiality makes sure that information is not disclosed to any unauthorized entity and that those who wish to disclose that information can do so, but at their own request. Integrity assures one that information is modified only with proper authorization. Finally, availability assures that information is provided promptly to authorized entities and only denied to those who are not authorized [Dunn 2005]. 2.3 Brief History of Cyber Attacks From a historical perspective, has the number of attacks grown over the years or been on the decline? Furthermore, have costs for entities accrued? Cyber Attacks have been depicted in the media for quite some time; therefore one must look at these attacks in their historical context. The precursor to the present day Internet was created by the U.S. government's Advanced Research Projects Agency (ARPA) and was known as the ARPANET, which was developed in the late 1960s. ARPANET eventually was replaced by the Internet, or what is known to many as the information highway, which connects local area networks to wide area networks used by individuals and organizations worldwide (White, 2011). Unfortunately, upon first
  • 10. initiating the deployment of this medium, safeguards were never implemented, as Cyber Attacks were not even a forethought. Some of the earliest attacks involved “phone phreaking” in the early 1970s, and then, with the invention of personal computers in the early 1980s, attacks on systems began to proliferate. A number of congressional laws were passed due to these early compromises to offer better protection against unauthorized access to government computers. Title 18 United States Code § 1030, “Fraud and related activity in connection with computers”, is one such law; it was implemented in 1986 and modified over the years to punish those wishing to target systems, whether for political reasons or criminal activity (Cornell University Law School 1986). Finally, in the early 1990s the Internet was opened to the general public for private and commercial use, but with increasing reliance on the Internet and its expansion of interconnectivity, attacks became even easier to perform. The Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security Survey, conducted over the last several decades, provides invaluable data, helping to ascertain additional information on the number of attacks on organizations that have participated in the study over the years and detailing their networks and cost estimates by type of attack.

    2.4 Economic Impacts Defined (inclusive Cost benefit Analysis)

    This leads us to the next topic, the economic impacts of this increasing number of attacks. But what do we mean by economic impacts? It must be stated that in order to grasp the term economic impacts it is essential that we include in our description economic
  • 11. advantages/disadvantages and productivity, as they are all intertwined. Economic impact is sometimes difficult to describe because it is made up of a complexity of subcategories, but on its face it is any modification in the passage of capital (income) in the economy between industry sectors, population groups, or local areas of the world. Although metrics are usually measured in terms of growth in income, jobs or output, such data is not necessarily easy to extract and more often than not difficult to quantify. Economic advantages/disadvantages is a broader concept of welfare gain than economic impacts, in that it can incorporate both monetary (tangible) and non-monetary (intangible) advantages/disadvantages with a willingness to pay value or remove value. The concepts in the previous sentences are most useful for performing a cost-benefit analysis (CBA). To use a simple example, a CBA can compare the benefit of safeguarding one’s systems against Cyber Attacks with the costs associated with these protective measures. Finally, productivity typically refers to the increasing growth in value added per worker or per unit of investment, which has the potential to produce an actual acceleration in income and jobs (Weisbrod 2011). Looking further into productivity, it can be utilized not only as a gauge of efficiency but also as an indicator of economic development. The research paper titled “Private Sector Cyber Security Investment Strategies: An Empirical Analysis” suggests a cost-benefit analysis approach is generally straightforward but found organizations unable to construct a rigorous cost-benefit analysis (CBA) framework. Furthermore, the expected damage or cost functions and threat probabilities needed to conduct a CBA are difficult to attain; therefore companies most often rely on a qualitative approach (Rowe, Gallaher 2006). Note that CBA
  • 12. will be further described in the economic impact section to follow. Although the aforementioned research study is slightly dated, as quantitative analysis appears to have improved, as you will soon see in the Ponemon Institute data, the study was able to conclude that regulations were the most often cited drivers increasing organizations’ investments in Cyber Security. This is important as it shows a correlation between government initiatives and spending, discussed in the Baltimore Sun introductory paragraph above. However, in the article “Economic Analysis of Cyber Security” the authors point out that a CBA framework which focuses on quantitative analysis is expensive, difficult and in most cases even impossible to garner. This in turn has forced most organizations to perform qualitative assessments, which are then compared to quantitative analyses. Although the research paper dates back to 2006, this is still mostly true today. It must be noted that they do endorse the Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security Survey, considering it to be the best available source. In contrast, and to be fair, the authors of “The Economic Impact of Cyber Attacks” state that this survey is lacking in certain areas due to incomplete metrics (Cashell, Jackson, Jickling, Webel, 2004). This once again shows how difficult it often is to come up with complete and accurate data, which is why a number of sources should be used to reach the appropriate balance. The “Economic Analysis of Cyber Security” paper also discusses how organizations decide how to invest in security. This is significant because these organizations’ decisions are based on the impacts or potential impacts of Cyber Attacks, and therefore you can see how these firms collect data to perform their analysis. Furthermore, as part of this data collection process these entities incorporate the current
  • 13. costs associated with being hit by these attacks in their investment analysis, which gives you a better understanding of how they come up with the costs they supply to those conducting research on the financial impacts of Cyber Attacks (Gallaher, Rowe, Rogozhin, Link 2006).

    2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment

    Have Cyber Attacks spawned a new industry that has helped to garner a large infusion of capital from the investment community? It is essential that organizations implement Cyber Security controls, either through technological means or human analysis. Investment in IT Security organizations and startups has in the past been slow due to a lack of understanding and the inability to view security as an essential element that must be incorporated within one’s business. However, due to Cyber Attacks becoming more persistent, an increasing number of investments and the infusion of capital committed to this sector are starting to take shape. One reason for this is the implementation of regulation, but not so much as to inhibit innovation. For instance, federal and state statutes that penalize companies that do not properly safeguard consumer information have forced these entities to obtain the necessary financing and invest in the area of Cyber Security. United States regulatory bodies such as the Federal Trade Commission (FTC), Department of Justice (DOJ) and Securities and Exchange Commission (SEC) (Department of Commerce Internet Policy Task Force, June 2011), Payment Credit Card regulatory agencies (PCI Security Standards Council 2012) and many others have brought a number of legal enforcement actions against entities that have been inept in protecting consumer data, forcing them to
  • 14. access additional capital. The capital is then used to pay for security. In the wake of these legal actions and targeted attacks, Gartner Research in a September 2012 release talks of the increasing amount of capital being deployed throughout the Cyber Security Industry (Gartner 2012). In addition, a Certified Financial Analyst for the financial firm Citi Group conducted research showing that IT security budgets are on the rise (Pritchard 2012), as have a number of other research bodies.

    3. Methodology

    In conducting our research, the approach we have utilized, as you will see whilst continuing to view this document, is of a descriptive nature, because although we draw empirical data from prior research we focus primarily on the characteristics of Cyber Attacks and their economic impacts on entities worldwide in the current day and age. It should also be noted that, due to the complex nature of Cyber Attacks and the lack of complete understanding, data is vast and all over the map; therefore it is difficult to acquire exact assessments and cost figures. The same also holds true for an accurate account of the growth of the Cyber Security industry, although there have been ongoing improvements to address these issues. Consequently, a compilation of primary, secondary and general resources is utilized within this paper: vetted educational research, public companies such as Verizon, Certified Financial Analysts from investment houses, leading information technology research and advisory firms, audited financial filings from publicly traded companies, and articles from newspapers/journals. Again, the statistical data is fragmented, as there has been no clear model that has been adopted, and many argue some numbers are skewed due to conflicts of interest and the inability to acquire the necessary resources (such as vetted papers
  • 15. created by those that are in the educational arena) to conduct a proper study. The figures, drawn from various sample sizes among the population, are compared and contrasted so we can get a more accurate picture to determine whether the cost of Cyber Attacks far outweighs the amount of money being generated by the Cyber Security community, or whether the money being infused into the Cyber Security Industry has economic benefits that exceed the costs generated by Cyber Attacks.

    3.1 Cyber Attacks and Hypothesis on their Growth over the Years

    We will begin by asking the question once again: from a historical perspective, has the number of attacks grown over the years, and over the last several decades have costs for entities accrued? This question is important because it lays the groundwork as to how the Internet and the technology embedded within it have become a source utilized for nefarious purposes. Although some years have seen a decline in the number of Cyber Attacks, overall the trend, one would think, is likely to show that these attacks are an everyday occurrence and ever increasing in number. This is because the multitude of devices that are connected to the Internet and make use of its backbone is immense. In other words, distributed systems have become dominant, as opposed to centralized systems, which used to play more of a role among entities but are in fact utilized less and less these days. Also, due to the complexity of the network and of the programming code used in web applications worldwide, the vector of attack has grown, making it even more difficult to mitigate and ripe for exploitation. For example, looking at web applications in particular, updates and patches are issued daily by vendors who develop code for a number of programs. The problem has become so
  • 16. great that companies such as Microsoft and Oracle have a preset schedule for distributing fixes on a monthly and quarterly basis. In fact, firms like Red Hat employ what is known as open source code, which is available to the general public for free and offers the ability for any programmer to make modifications to the code when necessary. Therefore vulnerabilities in open source software can be found more quickly, and it is also evident that advisories for this type of code are issued on a daily basis. However, there are still a number of programs that have vulnerabilities that are not found for a number of months or even years. This is especially true in the way of advanced persistent threats (APTs). In fact, even when vendors issue advisories it takes time for them to create patches for code; therefore those wishing to do us harm have plenty of time in between these fixes to propagate attacks by taking advantage of these vulnerable applications.

    3.2 Cyber Attacks and Hypothesis on Financial Impacts of Entities targeted by Attacks

    The next area we need to delve into once more is the economic impacts that Cyber Security has on society as a whole. More specifically, what are the financial impacts on capital expenditures of private and public organizations targeted by Cyber Attacks? As highlighted above, the Internet has become the primary backbone to entities worldwide, helping to create new innovations, increase collaboration and open up new economies like we have never seen before. In addition, with the simple click of a browser, connectivity to this vast network has become so easy that even the average layman with no technological skills can access the information highway. Although it is hard to dispute the advantages of the pervasive availability for anyone to connect online,
  • 17. it has also offered those seeking to do us harm a large vector that can be utilized to attack and exploit individuals and organizations. The impact of these attacks, specifically Cyber Attacks, has therefore come at a great cost to entities, forcing them to outlay a significant amount of capital and see a huge reduction in revenues. Included are entities going out of business, loss of jobs, the negative impact on productivity and the vast amount of money or even identities being stolen from consumers. For example, when organizational databases are compromised or hit by denial of service attacks, it takes enormous manpower to recover from such attacks. This in turn negatively impacts productivity.

    3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital

    Finally, it is necessary to be redundant and ask whether Cyber Attacks spawned a new industry that has helped to garner a large infusion of capital from the investment community and increased organizational sales figures for Cyber Security firms. Despite the adverse impacts Cyber Attacks have on the economy, there is no doubt that they have also created new opportunities, as many subsectors such as cryptography, network security, operating system security, database security, reverse engineering and penetration testing, just to name a few, have become essential components that entities must make use of in order to safeguard systems. Therefore many venture capital funds, private equity firms, individual investors and the overall capital markets are continuing to pump money into the Cyber Security arena. These investments could also have a positive effect on sales, which is the exact opposite of what is experienced by entities plagued by the current threat environment. The irony here is that the number of
  • 18. disciplines and income garnered by the Cyber Security Industry could possibly outweigh the costs associated with Cyber Attacks. The aforementioned questions and their hypotheses, as stated in previous paragraphs, have been difficult to quantify; however, the section to follow will attempt to do just that!

    4. Discussion

    4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings

    Cyber Attacks have evolved over time; therefore one must look at these attacks in their historical context. The precursor to the present-day Internet was created by the U.S. government’s Advanced Research Projects Agency (ARPA) and was known as the ARPANET, which was developed in the late 1960s. The government allowed access to ARPANET to only a select few military bases, government labs and research universities. The ARPANET was one of the first wide area packet-switched networks, which provided services like electronic mail, the transferring of files and remote logins. In 1983 the Department of Defense (DOD) broke ARPANET into two similar networks, keeping the name ARPANET for one of the networks and calling the other network MILNET, which would be used for military purposes. ARPANET was eventually phased out, and around this time the National Science Foundation funded the development of a new high-speed network known as the NSFnet, which connected major router sites across the U.S., then acting as the telecommunication backbone, in turn connecting to smaller regional or statewide networks. The statewide networks were then
  • 19. connected to a set of campus networks, and eventually the collection of all these networks would be known as the Internet (White, 2011). The previous sentences are significant primarily because when this architectural medium was developed there were no countermeasures or safeguards implemented. In fact, nobody had the foresight to think that the Internet would become the primary backbone for communications globally, so instrumental to economies worldwide, and especially to conceive that it would be utilized as a medium for nefarious purposes. Some of the earliest hackers were involved in “phone phreaking”: attackers looking to break into telephone networks in an effort to make free long distance calls. Joybubbles, AKA Joe Engressia, was one of the first phone phreaks. He was a blind boy with perfect pitch who could whistle any tone. Circuit switching centers at the phone company were apparently tricked by the tones that he produced. One tone, used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited to provide free long distance and international calling. Engressia could imitate this tone, while other phreaks used what was called a “blue box”. According to a New York Times article written in 2007, Steve Jobs and Steve Wozniak, founders of Apple, were also successful phone phreaks (Martin 2007). In the early 1980s personal computers came into being, manufactured by companies such as Apple, and in turn individuals who tried to exploit networks for all sorts of reasons began to emerge. One of the first well-known attacks was performed by Kevin Mitnick, one of the most infamous attackers of the 1980s. It was back in 1979 that Mitnick, at the tender age of 16, illegally accessed Digital Equipment Corporation’s (DEC) computer network and obtained a copy of their
  • 20. operating system software. He also hacked into the networks of Nokia, Motorola, Sun Micro, Pacific Bell and other companies. Just over a year ago Kevin was interviewed by ZDNet, claiming none of the companies he compromised sustained any damages; however, the FBI estimated Kevin’s hacks and code reading to be in the $300 million range (Hess 2011). In addition to Kevin, the Legion of Doom, founded by Vincent Louis Gelormine (“Lex Luthor”) in the 1980s, was involved in unauthorized access to a number of corporate networks, including BellSouth Corp. (Dr. Hayes 2012).

    4.2 CSI/FBI/Technolytics Institute/Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective

    Moving slightly ahead in time, the Computer Security Institute, which has been a leading educational membership organization for information security professionals for over 30 years, began its series of reports titled “CSI/FBI 2000 COMPUTER CRIME AND SECURITY SURVEY”. The reports are advantageous, as some of the others are produced by those who may have ulterior motives, such as the many vendors who produce and sell security tools and thereby have a potential conflict of interest. In contrast, CSI security surveys are completely independent, and data is gathered by a team made up of security professionals spanning multiple industries, separate from those who work in organizations solely selling cyber security tools and services. Having said that, the sample size is not significant enough, as it only encompasses a small percentage of respondents solely within the United States. However, although participation has been on the decline, we can focus on the annual financial impacts of major Malware attacks from data collected by CSI between the years 1995 and 1999. In 1995 the number totaled $500 million, in 1996 $1.8 billion, 1997 $3.3 billion,
  • 21. 1998 $6.1 billion and in 1999 $12.1 billion (Cashell, Jackson, Jickling, Webel 2004). The percentage increases denoted by these numbers are astonishing. Kevin G. Coleman of the Technolytics Institute acquired figures from several studies back in November 2008. One in particular, conducted by Spy-Ops, stated that over a one-year period from 2007 to 2008 information theft grew around 68 percent, where every quarter of a second a file containing critical data is stolen in order to steal a consumer’s identity. In 2008 it was also concluded that the United States Pentagon was attacked 3 million times a day (Coleman 2011). Although he does not give a precise number, Luis Ramirez, in an article for Voice of America titled “Panetta Says US Boosting Cyber Defense”, backs up the 2008 document, saying thousands of enemy cyber-actors are targeting the Pentagon’s systems millions of times a day (Ramirez 2012). In 2012 Janet Napolitano, US Secretary of Homeland Security, stated during her opening keynote address at the ASIS/(ISC)² Congress 2012 conference in Philadelphia that Cyber Attacks have increased “significantly over the past decade”, and that period also includes the more than three years she has acted as US Secretary of Homeland Security. To put this into context, Napolitano goes on to say “the United States Computer Emergency Readiness Team (US-CERT) responded to more than 106,000 reports of Cyber Attacks during 2011 – releasing more than 5000 security alerts to its public and private sector partner” (Info Security Magazine 2012). Today attacks are no longer dominated by a few but by many individuals and entities. This is primarily due to the rise in distributed systems as opposed to the more
  • 22. common centralized ones which were once dominant several decades back. According to Information Week on February 1, 2012, “Cyber Attacks against government agencies and businesses in the United States continue to rise, and cyber threats will one day surpass the danger of terrorism to the United States, intelligence community officials said in an open hearing of the Senate select intelligence community.” The article goes on to mention actors ranging from countries such as China and Iran to groups like Anonymous and LulzSec targeting systems on a regular basis, and it suggested it will only get worse (Hoover 2012). The historical trend certainly seems to indicate that there is a rise in attacks, and further proof of this can be seen in the paragraphs to follow.

    4.3 McKinsey Global GDP Growth Statistics

    There is little doubt that the Internet has helped to create new innovations and open up new areas of the economy, leading to high areas of growth and prosperity for many. This can be seen in the May 2011 McKinsey Global Institute study, which explained that the Internet accounts for 3.4 percent of GDP when examining thirteen countries. For the developed nations among those 13, the Internet over the last five years contributed to 21 percent GDP growth. GDP is the monetary value of all final goods and services produced within a nation in a particular period of time, typically based on yearly estimates. It includes all private and public expenditures, government spending, investments and exports minus imports that are representative of a certain region (Value Click). For the United States alone this represents $440 billion to $580 billion of additional total output (Dowdy 2011). Unfortunately, along with contributing to GDP, the information highway has also adversely impacted these numbers because of the multitude of targeted attacks from a
  • 23. variety of actors (hacktivists, cyber criminals and sovereign nations) on all organizations and industries that add to GDP worldwide. Included are the computer-based control systems that run much of the nation’s physical infrastructure. In other words, no public or private entity is immune from such threats.

    4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics

    Just before we present you with the findings from a number of different entities, once again it must be emphasized that there is no one study that should be taken completely at face value. The research paper titled “Private Sector Cyber Security Investment Strategies: An Empirical Analysis” suggests a cost-benefit analysis approach is generally straightforward but found organizations unable to construct a rigorous cost-benefit analysis (CBA) framework. Furthermore, the expected damage or cost functions and threat probabilities needed to conduct a CBA are difficult to attain; therefore companies most often rely on a qualitative approach (Rowe 2006). Although the aforementioned research study is slightly dated and quantitative analysis appears to have improved, figures remain inconsistent. Examining a compilation of data and taking the average of all these numbers is most appropriate. This is discussed above, in particular the two differing opinions on the “CSI/FBI Computer Crime and Security Survey”: one from the authors of the article titled “Economic Analysis of Cyber Security”, who endorse the survey (Gallaher, Rowe, Rogozhin, Link 2006), and the other from the authors of “The Economic Impact of Cyber-Attacks”, who cite several sources claiming the data is not chosen randomly, nor is it a representative sample of entities that are exposed to cyber-
  • 24. risk but only taken from self-selected security professionals, which is considered in research circles to be somewhat biased. The reports on the 530 individuals who were utilized nationally to conduct the survey are not accurate enough to obtain sound figures. Additionally, the cost data reported can be considered inept. For example, in its 2003 survey fifteen percent of the participants could not tell you if there was unapproved use of their network and systems, indicating that some measurable losses were obtained but that this could significantly underestimate the totality of all losses. Also, out of the seventy five percent of participants that reported losses, only forty seven percent could put an actual figure to those losses. The authors of “The Economic Impact of Cyber-Attacks” do state, however, that this study is accepted by many papers in the computer security literature. Yet again, there is no one sound method that can be modeled to quantify the costs associated with Cyber Attacks, which is why it is useful to extract data from a variety of sources (Cashell, Jackson, Jickling, Webel, 2004).

    4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks

    In its 15th annual 2010/2011 “CSI/FBI Computer Crime and Security Survey”, the Computer Security Institute sent its survey to 5412 security practitioners by regular snail mail and email, of whom 351 replied with feedback; the institute indicates that this number of returns makes it ninety five percent confident that its numbers are accurate, with just slightly over five percent margin of error. They do, however, admit that these respondents are only those who have paid to be members of the institute or paid to attend its event, which can skew the numbers, but they represent a vast array of industries, except for the financial sector, whose participation dropped around five
  • 25. percent with this last study. Furthermore, as with many of these surveys, they do not include consumers being compromised, and a majority of the organizational respondents came from companies making over $100 million a year as opposed to smaller entities. Forty seven percent claimed they were affected by regulatory laws, but this could be due to the fact that laws may not be so clearly defined and respondents that are part of a government entity may not feel these laws affect them. Finally, not-for-profit firms or educational institutions may not feel they have customers, so they do not believe it affects them. The CSI report for the year 2010 shows the types of attacks experienced by the survey’s participants: 67.1 percent were attacked with some type of Malware infection, insider abuse of Net access or email 24.8 percent, laptop/mobile device theft 33.5 percent, phishing 38.9 percent, denial of service 16.8 percent, bots on the network 28.9 percent, financial fraud 8.7 percent, password sniffing 11.4 percent and exploitation of a wireless network 7.4 percent. As you can see, Malware infection continues to be the most commonly seen attack. The percentages in the prior sentence are the main reason we incorporated the CSI survey, along with their commentary on the Symantec study, which you will see below. As for the financial losses, they could not be properly assessed because only 77 respondents provided information; the numbers are not worth mentioning as this is far too small a sample, but this does offer some proof of monetary losses (Richardson 2010).
  • 26. 4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape

    In January of 2012, PGP Corporation, a global player in safeguarding organizational data, and research firm the Ponemon Institute performed a comprehensive study aimed primarily at data breaches, and one must remember these are only confirmed data breaches. The survey revealed that data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008. There was an overall decline in the number of reported breaches in 2009 compared to 2008, but it was still significant. The average total per-incident cost in 2009 was $6.75 million, compared to an average per-incident cost of $6.65 million in 2008. Recently Ponemon came out with additional statistical data for the year 2010, but the numbers were also exceedingly high. The chart below is a good representation of the data compiled by Ponemon (Ponemon 2012). Using data provided by the Ponemon Institute, the chart depicted below shows that U.S. firms are now losing more money to operational costs of Cyber Attacks than they are spending on security.
  • 27. Figure 1. Chart Depicts Organizational Costs Outpacing IT Security Spending For United States Companies by Ponemon Institute 2012

    In a follow-up study that came out in October of this year, Ponemon, along with Hewlett Packard, for the first time studied several countries in addition to the United States. The Institute conducted its research on fifty six organizations and concluded that businesses on average suffered losses of $8.9 million per annum, an increase from $8.4 million in the 2011 period. This represents a 6 percent increase over the average cost reported in 2011, and a 38 percent increase over 2010 (Ponemon Institute 2012). The 2012 study also revealed a 42 percent increase in the number of Cyber Attacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010
  • 28. (Ponemon Institute 2012). Morgan Stanley Research came out with a report titled “Secular Should Outpace Macro in Q3”, in which the firm conducted research on some of the leading Cyber Security companies, noting that Chief Information Officers (CIOs) have explicitly said that spending on security countermeasures will remain one of the top three priorities for the year 2012 (Weiss, Holt, Gorham 2012). Furthermore, Verizon Corporation, which has conducted a survey for the years 2004 to 2011 titled “Data Breach Investigations Report”, just came out with more recent figures. The report is made up of those who confirmed that they were breached, as many entities refuse to report their compromises for fear of reputational consequences that can lead to loss of business, and in some cases firms may have been exploited but are unaware of the attack until a future time. Data was collected from evidence gathered during paid external forensic investigations and by making use of the Verizon Enterprise Risk and Incident Sharing (VERIS) framework, which depicts security incidents in a structured and repeatable manner and garners additional information from anonymous participants, allowing them to participate without the fear of loss of reputation described above. Take note, though, that as with the Ponemon study, Verizon dealt mostly with organizations where a significant breach occurred. The VERIS approach also provides us with a better methodology, helping us answer the question of what we need to know and measure. The diagram below is representative of the model that aids organizations in providing companies like Verizon with effective metrics, so approaches are improving. As you can see, the chart is broken down into four quadrants
  • 29. labeled Threat, Asset, Impact, and Control.
Figure 2. Baker, Hutton, Porter. The Graph is a Model Showing How Companies Collect Data For the Verizon Data Breach Reports by Verizon Enterprise Risk and Incident Sharing (VERIS)
Adding further credibility to the study is the participation of the United States Secret Service (USSS), the Dutch National High Tech Crime Unit (NHTCU), the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police Central eCrimes Unit (PCeU) of the London Metropolitan Police, which contributed to gathering data from 36 countries, unlike the Computer Security Institute, which only gathered data from United States based entities. These countries include Australia, Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany, Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg, Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian Federation, South Africa, Spain, Taiwan, Thailand, Turkey, United Arab Emirates, Ukraine, United
  • 30. Kingdom and the United States. Results from participants comprised 855 attacks, both those considered sophisticated and those less difficult to orchestrate, with 174 million compromised records for the year 2011, which is coincidentally the second highest number since Verizon came out with these reports in the beginning of 2004. Just taking Ponemon’s figures for 2009 (which are actually lower than some more recent numbers), which put the cost of each compromised record at $204, spending becomes astronomical for many of these companies. Multiplying $204 by Verizon’s 174 million compromised records, you would arrive at total costs of $35.496 billion, and those are just the records breached at entities that know they actually were compromised. The biggest change in this report as opposed to previous research is that Cyber Attacks comprised of Malware and Hacking against Servers and User Devices are growing substantially for large organizations but even worse for smaller firms (Verizon 2012). These numbers are alarming, as the Verizon study, for example, does not take into account that compromises can weaken product integrity, undermine software development and erode consumer confidence, leading to further future losses by organizations that are not depicted in the study. Furthermore, the survey focuses on organizations as opposed to affected individual consumers, and costs derived from those seeking legal action against these exploited entities, or negative effects on productivity such as downtime due to a system being inoperable for a specified period of time, also do not appear in the report. Remember, productivity typically refers to the growth or decline in value added/subtracted per worker or per unit of investment, which has the potential to produce an actual acceleration or decline in income and jobs (Weisbrod 2011).
  • 31. Finally, in wrapping up this section, we focus our attention on what even the Computer Security Institute believes to be a highly accurate report, that being Symantec Corporation’s. The Institute believes the study covering the year 2010 is comprehensive in nature because, as they exclaim, Symantec uses a “machine-generated approach to obtain the data, using sensors of various types to capture information about the data traversing networks and the configuration of all sorts of Internet-connected devices” (Richardson 2010). Symantec even says it acquires most of its data from more than 133 million client, server, and gateway systems due to the worldwide deployment of its antivirus products. Furthermore, Symantec has a distributed honeypot network, which is really just database decoys filled with false data. In addition to the vast resources the multibillion dollar organization has at its disposal, it also had MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics, provide additional aid. Before we move on to the company’s figures, it must again be stated that the reason there are not as many in-depth reports coming from academia and other sources is that, unlike Symantec, which is a publicly traded company with access to the capital markets and an unlimited amount of money, the other entities are not able to gather the necessary resources to collect a significant amount of data. Back to the survey: the study was conducted in 24 countries among adults 18-64, specifically focusing on the cost of Cybercrime. Between February 6, 2011 and March 14, 2011, StrategyOne also interviewed 19,636 people, which included 12,704 adults aged 18 and over, 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark,
  • 32. Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates). The company came up with its numbers by multiplying the number of victims, which was 431 million over a twelve-month period, by the average financial cost of cybercrime (per country in US currency), totaling $114 billion in losses. Within that $114 billion number, Symantec was able to ascertain that more than 1 million people became victims every day and fourteen adults suffered from a cybercrime incident every second. The publicly traded company took it one step further by doing what other studies could not, and that is calculating the value of time lost, which is correlated with productivity, based on cybercrime experiences over the 12-month period. This number came to an astonishing $274 billion. Taking the sum of the two figures in the preceding sentences, you come up with a total cost of $388 billion. Subsequently, the study surmised that targeted attacks, the use of social networking attacks, zero-day vulnerabilities and rootkits (a type of Malware), attack kits and mobile threats all rose sharply (Symantec 2012). The accumulated studies on the financial impact on capital expenditures of individuals and private/public organizations targeted by Cyber Attacks are indisputable. Therefore our hypothesis is on target, as the data substantiates that Cyber Attacks do indeed cause the economy to incur losses, adversely impact productivity and cause a significant decline in sales, amounting to billions upon billions of dollars.
  • 33. 4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained
It is essential that organizations implement Cyber Security controls either through technological means or human analysis. Investment in IT security organizations and startups has in the past been slow due to a lack of understanding and an inability to view security as an essential element that must be incorporated within one’s business. However, with Cyber Attacks becoming more persistent, a growing number of investments and infusions of capital committed to this sector are starting to take shape. One reason for this is the implementation of regulation, though not so much as to inhibit innovation. For instance, federal and state statutes that penalize companies that do not properly safeguard consumer information have forced these entities to obtain the necessary financing and invest in the area of Cyber Security. The FTC has brought a number of legal enforcement actions against entities that have been inept in protecting consumer data. Sarbanes-Oxley, which pertains in particular to public companies, requires these firms to adhere to the Information Integrity provisions of the law, requiring executive management to make sure internal controls are implemented to address a vast array of issues including data security. Another important law, PCI DSS (the Payment Card Industry Data Security Standard), provides guidelines and requirements for protecting cardholder data that is transmitted, processed or stored by those who accept credit/debit/prepaid card payments. If these requirements are not met, entities can be penalized by the major credit card brands at their discretion, which may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations, a fine that would be passed down to the entity that accepts these transactions
  • 34. and does not adhere to these requirements (PCI Security Standards Council 2012). These regulatory initiatives, in conjunction with the increasing number of attacks, collaboration and awareness, have all been helpful in garnering a large amount of capital investment in the Cyber Security Industry, further fueling innovation of new products and services. In fact, the United States Bureau of Labor Statistics (BLS) has not provided any data over the years on the security industry in the way of job statistics; however, the government fact-finding agency has finally begun to recognize the importance of collecting figures, albeit slowly. Although in its infancy, the BLS began to implement a category it calls “Security Analyst,” which comprises individuals who plan, implement, upgrade, or monitor security measures for the protection of computer networks and information. In its description of Security Analysts, the BLS expands upon this definition, saying “these workers may also ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure responding to computer security breaches and viruses.” Again, this is brought up to show that even the BLS has realized that investment in this area is starting to have a direct impact on job growth, forcing its hand to come up with figures that provide more accurate information on the economy as a whole. Numbers garnered by the BLS to date are not yet a large enough sample to rely on, but it is hoped that this will soon change. One thing that does resonate is that there was no unemployment among IT security professionals in the U.S., and jobs grew dramatically when averaging four quarters of figures for the year 2011. Forty-four thousand Security Analysts were employed, with the BLS seeing a rise
  • 35. of more than one third in the fourth quarter of 2011, to 51,000 from 37,000 in the first quarter (Bureau of Labor Statistics 2012). Gartner Research, in a September 2012 release, stated that although a vast sector of the world has been hit by the economic slowdown, forcing many companies to cut their Information Technology budgets, this is not the case when it comes to the global security infrastructure market. The research firm anticipates that security will continue to be a top priority, and therefore spending is slated to rise to $60 billion, up from $55 billion in the prior year, and to reach $86 billion by 2016 (Gartner 2012). In fact, a Certified Financial Analyst for financial firm Citi Group came out with a 15-page report titled “IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends,” in which he found IT security budgets in 2012 poised to grow faster than overall IT spend, a reversal from last year, positively impacting sales for several of the major IT security vendors (Pritchard 2012). The bar graph below, provided by Citi in Figure 1, projects what was highlighted in the prior sentence
  • 36. Figure 3. (Pritchard 2012) Graph Showing Security Spending Should Outpace Overall IT Budget Growth From Citi Investment Research & Analysis
Figure 4. (Pritchard 2012) Graph of Network Growth in the Network Security Market by Citi Investment Research & Analysis
  • 37. The graph above indicates refresh growth in the Network Security appliance market (unlike a single piece of security software, network security appliances are security tools typically bundled together), meaning CIOs polled in the Citigroup survey will replace their appliances more than in prior years. Although this covers only a segment of the Cyber Security Industry, it is included because it provides further proof of the growth of spending in security. Morgan Stanley Research extracted a significant amount of its data through its vast network and conversations with several organizations that conduct most of their business by partnering with manufacturers to market and sell the manufacturers' products, services, or technologies. These are what the industry calls channel partners, and they cite that ongoing investments in data protection technologies, multi-function network security solutions, and solutions to counter Advanced Persistent Threats (APTs) will only continue to grow. They emphasize that these areas are essential, which is indicative of the large amount of negative publicity received over the past 12 to 18 months due to the growing number of Cyber Attacks. Breaking things down a bit further, Network security data points (the authorization of access to data on a network, including firewalls, antivirus, spam and content filtering through logs as well as intrusion detection and prevention systems) (Weiss, Holt, Gorham 2012) are quite robust, as acquired data showed that 69% of CIOs plan to outlay capital on network security in 2012 and very few entities, 8% to be precise, are planning to decrease spending on security initiatives. Taking the last survey by Morgan Stanley, which was conducted in July of 2012, there was an overall improvement from 65%/20% respectively. Separate from the number of CIOs, the report solely focused on five of the
  • 38. largest players in the IT security market, those being Fortinet Inc., Sourcefire, Symantec, Websense and Checkpoint Software. The issue that arises with focusing on just this small group is that it is not indicative of the overall Cyber Security Industry, unlike the Ponemon study. For example, Symantec has appeared to plateau compared to many of its rivals, and this is because of increasing competition, the substantial size of the company, which impacts the rate of growth, and internal controls, as opposed to a lack of spending. To expand on this a bit more, back in March of 2012 Citigroup came out with a 15-page report titled “IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends,” in which the analyst questioned via telephone 50 United States and European based Chief Information Security Officers (CISOs), posing a lengthy series of in-depth questions on the security market; but here again it must be noted that the data focused 90% on firms with more than $1 billion in annual sales, so although relevant, the statistical threshold falls slightly short due to sample size. Having said that, Citi has conducted this survey for the past three years, and it comprised a broad spectrum of industries; the most common were financial services (20%) and manufacturing (18%), while government was underrepresented (just 4%); therefore the buying power should not be ignored. They deciphered from the information that IT security budgets in 2012 are poised to grow faster than overall IT spend, a reversal from last year, positively impacting sales for several of the major IT security vendors (Pritchard 2012). There are internal and external factors that show the negative impact on bottom line numbers (profit), such as litigation costs, employee overhead, taxes, Merger and
  • 39. Acquisition activity, margins etc., but top line growth (revenues) remains strong again. This is not indicative of internal cost controls and how well these security firms manage their balance sheets, but more of cyclical trends (i.e., effects of macroeconomic conditions such as Europe’s debt crisis, which can have an adverse impact on sales). For example, Sourcefire’s quarterly year-over-year (yoy) sales rose 30.10% with yearly revenues of $208.94 million (Sourcefire 2012), Fortinet (yoy) sales grew 17.00% with yearly revenues of $503.34 million (Fortinet 2012), Checkpoint (yoy) increased 7.80% with yearly revenues of $1.33 billion (Checkpoint 2012), Symantec (yoy) rose 1.10% with yearly revenues of $6.76 billion (Symantec 2012) and Websense rose slightly at 1%, with yearly revenues of $362.49 million to date (Websense). All data in the previous sentence was compiled by the companies and audited by the world’s leading financial advisory firms. This research has not taken into account what encompasses the bottom line figures, but rather just sales growth. Furthermore, to use an additional company-specific example, NICE Systems, which offers a wide array of security solutions, falls in another area of Cyber Security focusing primarily on management and analysis. The Israeli firm saw quarterly revenue growth (yoy) rise 9.70% with $854.95 million in total sales this year thus far (NICE 2012). In a Reuters article written on October 31, 2012, Tova Cohen exclaimed, “Nice has benefited from growing demand for tools to delve into data to improve business, spot fraud and fend off security threats, and the company said compliance requirements in finance, energy and other sectors had boosted business (Cohen 2012).” Therefore the Morgan Stanley report should be taken with a grain of salt, as it is only representative of five companies, which the Certified Financial Analysts (CFAs) who performed the analysis
  • 40. have admitted to. 451 Research, a global analysis and data company, solidifies Ponemon’s results, as you can see from the chart below, and several numbers stick out: in particular, 45% of the security chiefs interviewed in their October 2012 research report have expanded their company budgets in 2012 compared to the year-ago period of 2011, with a minimal share of chiefs, 10%, reducing their budgets this year compared to last year. Subsequently, the outlay of capital towards security becomes even more robust in 2013, with 47% of those surveyed planning further increases, whereas in contrast only 8% believe their budgets will fall between 2012 and 2013.
Figure 5. (Kennedy 2012) Graph of Information Security Budget Trends From 451 Research
  • 41. Some comments from those who participated in the 451 Research study in reference to expenditures on security include the following: “It [budget] has increased, but percentage not disclosed. The increase is due to voluntary projects to reduce complexity of meeting requirements.” “Complicated — there was an increased [in budget allocation] allocation due to regulations, but an overall budget decrease.” “Half of the budget increase went to compliance issues.” “The security budget is growing over time” (Kennedy 2012). We would be remiss if we did not discuss one of the more astonishing sets of statistical financial data acquired to date, the 280-page report by Advanced Technologies, Geographical Analysis & Competitive Landscape. The firm that collected the data for the study is a full-service market research and consulting firm; established in 2001, it provides research on the pharmaceuticals, energy and power, biotechnology, food and beverage, chemicals, medical devices, advanced materials, semiconductor and electronics, industrial automation, telecom and information technology, consumer goods, automotive and transportation, and banking & financial services sectors. The report, titled “Cyber-Security Market - Global Forecast & Trends (2012 – 2017) by Advanced Technologies, Geographical Analysis & Competitive Landscape,” acquires data from 24 large companies, and sub-segments/micro-markets in North America, Latin America, Western Europe, Eastern Europe, Middle East & Africa, and APAC (Asia-Pacific), through analysis of a number of technologies and solutions, in particular for the utilization of differing applications in the cyber security arena. This is all based on
  • 42. functions and performance, and the numbers are quite revealing. The authors state that in 2011 the Cyber Security industry was calculated as being worth $63.7 billion, a figure they in addition attribute to a larger number of entities focusing on a comprehensive framework that covers the bases of network, end-point, application, content, and wireless segments. Included are Identity & Access Management, Risk & Compliance Management, Data Encryption, DLPS, Data Recovery Solutions, UTM, Anti-Virus, IPS/IDS, Web Filtering, Firewall, and Vulnerability Management. To go off on a tangent, just as with the Symantec study, Advanced Technologies has the capability to conduct such a detailed study because it is a for-profit research firm that on average collects $4,650 for a single report, $7,150 for its corporate license and $9,000 for the reportlinker.com site license. Therefore it has an unlimited amount of resources at its beck and call to conduct a study of this size, unlike the vast majority of organizations or individuals. Delving deeper into the numbers, the company was able to model future numbers based on historical data and past trends. Although these trends fluctuate, a sufficient average can be derived from a mathematical formula that is agreed upon and well established among economic scholars. Building on this, the research arm was able to arrive at an average compounded annual growth rate (CAGR) of 11.3 percent based on data collected by the firm from years past. As a CAGR example, let’s say a company had just $10,000 on March 1, 2009 and by March 1, 2009, the number grew to $13,000, then $14,000 by 2010, and finally ended up at $19,500 by 2011. The company’s CAGR would be the ratio of the ending value to the beginning value ($19,500 / $10,000 = 1.95) raised to the power of 1/3 (since 1/# of years = 1/3), then subtracting 1 from the resulting number: 1.95 raised to the 1/3 power = 1.2493. (This could
  • 43. be written as 1.95^0.3333.) 1.2493 - 1 = 0.2493; another way of writing 0.2493 is 24.93%, and there you have your final CAGR figure (Value Click NA). This figure, although pro forma, was quite an eye opener, noting anticipated growth for the Cyber Security market to $120.1 billion by 2017. This number was also derived based on security growth due to increased adoption of cloud computing, networks, data centers, and wireless communication devices, whereas the service side is driven by the need to service cyber security installations with security operations, managed security services, and consulting services. In all participating global sovereign nations, the private sector accounted for most of the outlaid capital expenditures for Cyber Security countermeasures. The only anomaly was the United States, where government expenditures were on par with the private sector (MarketsandMarkets 2012). Another interesting fact was issued in 2010 by the Department of Commerce and several other organizations. In their report they said that even though there has been increased awareness in light of the risks of Cyber Attacks, a broad number of people who contribute to the United States economy did not take advantage of available technology and processes to secure their systems. Also, countermeasures are not evolving as rapidly as the threats (Department of Commerce 2011). If this is the case, we can make a slight assumption that Cyber Security market penetration could grow even more substantially if more entities invested in the safety of their systems. However, even more evidence of a change in this way of thinking can be seen over the last year, whereby the initial public offerings of IT security start-ups have outperformed offerings that are not a part of this industry. Facebook is just one example. Imperva, a data security company that went public last year, saw its stock price rise nearly 30
  • 44. percent on its first day of trading, and at the time of this report it remains 37 percent above the offering price. The stock price of Splunk, a data security company, jumped nearly 65 percent from its offering in April of this year, and the company in addition raised $331 million in a secondary offering. “People are starting to realize that the billions of dollars that have been invested into traditional network security are not working for them anymore,” said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture capital firm. Merger and Acquisition activity is also seeing a pickup. Apple recently became a suitor of AuthenTec, paying $356 million last month in what is reported as being one of Apple’s largest acquisitions. These are just a few of the many deals that are growing in number (PERLROTH and RUSLI 2012). As you can see, this last study is quite telling and provides support that Cyber Attacks did develop a new market and subsectors within this industry, helping to garner a vast amount of money from the investment community and in turn increasing organizational revenue figures for Cyber Security firms. In addition, the people and organizations participating in the security infrastructure perform a wide array of functions. These include education and training, research, publication, product development and marketing, network security administration, security support services, policy and standards making, law enforcement, and research funding.
  • 45. 5. Conclusion
As we have seen throughout this paper, and especially in looking at the data results incorporated in the discussion section, Cyber Attacks have cost the economies of the world a substantial amount of money; however, they have also helped to fuel investment and the growth of the Cyber Security Industry at a rapid rate. It is unfortunate that the numbers associated with both the overall negative economic impact on entities around the world and the figures that can be derived from the Cyber Security industry in reference to growth are not absolute or rigorous enough. However, unlike individual studies, we have the ability to access information from a slew of research reports to help obtain a more accurate evaluation. As for right now, one can certainly see that the costs outweigh the capital being infused into the Cyber Security Industry. This year, we did see a change in increased collaboration and awareness. It has therefore forced organizations like the BLS to finally lay the foundation for an improved model in order to acquire a closer estimate of the growth of the Cyber Security realm. We then can hopefully come closer to finding out whether the Cyber Security Industry and the money that it garners will surpass the cost figures associated with Cyber Attacks. It will be interesting to see over the next several years if the BLS will help to bring this about. One other thing to note is that although research coming from organizations such as Symantec is very comprehensive in nature, there is still a problem of gathering information from organizations of all sizes that refuse to tell us whether they have been breached for fear of loss of business due to reputational consequences. When it comes to publicly traded corporations, divulging such information can cause a decline in the
  • 46. market capitalization of these companies, stock price declines and an unwillingness to invest in companies that can be infiltrated easily. The Securities and Exchange Commission (SEC) guidelines are beginning to have an impact on publicly traded firms. The SEC has now forced companies like Amazon, Google, Hartford Financial Services Group Inc, Eastman Kodak and others to provide public information on any compromises and costs that occur within their organizations. An article in Business Week states that the SEC sent out a number of letters to public companies asking about Cyber Security disclosures and later pushed companies to disclose. Although this is not a law as of yet, it paves the way for one. The reason this is brought up is that it will be interesting to see whether such a law finally passes; by requiring companies to report this information in their financial statements, perhaps we can obtain even more accurate figures on economic costs. Until then we have to rely on research offered by multiple sources and take the average of all the compiled figures so we can come closer to establishing whether the costs of Cyber Attacks far outweigh the capital being accumulated by the Cyber Security industry or vice versa.
  • 47. 6. References
1. The Bureau of Labor Statistics (2012) “15-1122 Information Security Analysts” Retrieved 3 December 2012 from The Bureau of Labor Statistics http://www.bls.gov/soc/2010/soc151122.htm
2. Cashell, B., Jackson, W., Jickling, M., and Webel, B. (2004). “The Economic Impact of Cyber Attacks” published by Congressional Research Service, Library of Congress. Retrieved 23 November 2012 from Cisco Corporation
3. Checkpoint Software (2012). Form 6K filing period 10/17/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1015922/000117891312002883/0001178913-12-002883-index.htm
4. Cohen, T. Oct 31, 2012 “UPDATE 1-Nice raises 2012 profit forecast as Q3 beats estimates” published by Reuters http://www.reuters.com/article/2012/10/31/nice-results-idUSL3E8LV69Y20121031?feedType=RSS&feedName=marketsNews&rpc=43
5. Colman, K. (January 2011) “THE GROWING RISK OF CYBER ATTACK AND OTHER SECURITY THREATS” published by The Technolytics Institute. Retrieved 1 December 2012 from HWP Insurance http://www.hwphillips.com/wp-content/uploads/2012/09/The-Growing-Risk-of-Cyber-Attack-and-Other-Security-Threats.pdf
6. Cornell University Law School (1986). Fraud and related activity in connection with computers. Published by United States Congress, Retrieved 23 November 2012 from Cornell University Law School. http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
7. THE DEPARTMENT OF COMMERCE INTERNET POLICY TASK FORCE (June 2011). CYBERSECURITY, INNOVATION AND THE INTERNET ECONOMY. Retrieved 1 November 2012 from The National Institute of Security Standards. http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf
8. Dowdy, J. (2012). Chapter 5: The Cybersecurity Threat to U.S. Growth and Prosperity. Published by Aspen Institute bookstore and Brookings Press. Retrieved 22 November 2012 from McKinsey & Co. www.mckinsey.com
9. Dunn, Myriam (2005).
A COMPARATIVE ANALYSIS OF CYBERSECURITY INITIATIVES WORLDWIDE. Retrieved 6 December 2012 from International Telecommunications Union: http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_Cybersecurity_Initiatives_Worldwide.pdf
  • 48. 10. Fortinet (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1262039/000126203912000051/fortinet2012093010-q.htm
11. Gartner Research (2012). Gartner Says Worldwide Security Infrastructure Market Will Grow 8.4 Percent. Retrieved 1 December 2012. http://www.gartner.com/it/page.jsp?id=2156915
12. Gallaher, M., Rowe, B., Rogozhin, A., Link, A. (July 2006). ECONOMIC ANALYSIS OF CYBER SECURITY. Published by Research Triangle Institute. Retrieved 23 November 2012 from Defense Technical Information Center. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA455398
13. Hess, Ken (2011). Ghost in The Wires "The Kevin Mitnick Interview". Retrieved 27 November 2012 from ZDNet: http://www.zdnet.com/blog/security/ghost-in-the-wires-the-kevin-mitnick-interview/9357
14. Hoover, N. (2012). Cyber Attacks Becoming Top Terror Threat, FBI Says. Published by UBM Tech. Retrieved 7 December 2012 from Information Week http://www.informationweek.com/government/security/cyber-attacks-becoming-top-terror-threat/232600046
15. HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles. PALO ALTO, Calif., Oct. 8, 2012. http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html
16. Info Security Magazine (September 2012) “Cyber attacks ‘one of the most serious’ threats facing the US, says Janet Napolitano” published by Reed Exhibitions. Retrieved 7 December 2012 from Info Security Magazine http://www.infosecurity-magazine.com/view/28145/cyber-attacks-one-of-the-most-serious-threats-facing-the-us-says-janet-napolitano/
17. Keely, David Lt. (April 13, 2011). “CYBER ATTACK! CRIME OR ACT OF WAR?” United States Air Force U.S. Army War College CARLISLE BARRACKS, PENNSYLVANIA 17013.
18. Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013.
Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information- security-budgets-to-increase-in-2013/ 19. MarketsandMarkets (June 2012) Cyber-Security Market - Global Forecast & Trends (2012 - 2017) Retrieved 27, November 2012 from reportlinker. http://www.reportlinker.com/p0923304-summary/Cyber-Security-Market-Global- Forecast-Trends--by-Advanced-Technologies-Geographical-Analysis- Competitive-Landscape.html 20. Martin, D. (2007) Joybubbles, 58, Peter Pan of Phone Hackers, Dies. Retrieved 1 December 2012 from The New York Times 48 | P a g e
  • 49. http://www.nytimes.com/2007/08/20/us/20engressia.html?_r=3&ref=obituaries&or ef=slogin&oref=slogin& 21. National Institute of Standards and Technology (NA). The National Cyber Security Workforce Framework. Retrieved 1 December 2012 from National Institute of Standards and Technology: http://csrc.nist.gov/nice/framework/documents/national_cybersecurity_workforce_ framework_printable.pdf 22. NICE Systems (2012). Form 6K filing period 12/6/2012 Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1003935/000117891312003378/000117 8913-12-003378-index.htm 23. Oona, H., Crootof, R., Levitz, P.,Nix, H,,Nowlan,A., Perdue, W. & Spiegal, J. (2012). The law of cyber-attack . California: California Law Review. 24. PCI Security Standards Council (2012). PCI SSC Data Security Standards Overviews. Retrieved 26 November 2o12 from PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/ 25. PERLROTH, NICOLE and RUSLI, EVELYN M. (2012). Security Start-Ups Catch Fancy of Investors. Retrieved 1 December 2012 from The New York Times: http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups- catch-venture-capitalists-eyes.html?_r=0 26. Pindar, J., Rigelsford, Dr. J. (July 2011).Cyber Security and Information Assurance. Mr. Joseph Published by The University of Sheffield. 27. Ponemon Institute (February 2012). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved 1 December 2012 from PR Newswire: http://www.ponemon.org/news-2/ 28. Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cos t_of_Cyber_Crime_Study_FINAL6%20.pdf 29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. 
Citi Investment Research & Analysis. 30. Ramirez, L. (October 2012) ―Panetta Says US Boosting Cyber Defense‖ published by Voice of America Retrieved 6 December 2012 http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber- security/1525450.html 31. Richardson, R., CSI Director (2010). 2010/2011 CSI Computer Crime and Security Survey. Retrieved 27, November 2012 from The Computer Security Institute. https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf 49 | P a g e
  • 50. 32. Rowe, B., Gallaher, M. (2006). Private Sector Cyber Security Investment Strategies: An Empirical Analysis Published by Technology Economics and Policy RTI International Retrieved 21 November 2012 from The Ninth Workshop on the Economics of Information Security http://www.weis2006.econinfosec.org/docs/18.pdf 33. Securing Cyberspace: A New Domain for National Securing Cyberspace: A New Domain for National Security Nicholas Burns and Jonathon Price 34. Sentementes, Gus G. (2012). Cybersecurity business, jobs expected to grow through 2016. Retrieved 5 December 2012 from The Baltimore Sun: http://www.baltimoresun.com/business/bs-bz-cybersecurity-maryland-forecast- 20121018,0,6945767. 35. Sourcefire (2012) Form 10Q filing report period. Retrieved 1 December 2012 from the Securities and Exchange Commission 9/30/2012 http://www.sec.gov/Archives/edgar/data/1168195/000116819512000007/000116 8195-12-000007-index.htm 36. Symantec Corporation (2012) Norton Cybercrime Report, September 2012. Retrieved 22 November 2012 from Symantec. http://www.norton.com/2012cybercrimereport 37. Symantec Corp. (2012) Form 10Q filing report period 9/28/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi- bin/viewer?action=view&cik=849399&accession_number=0001193125-12- 441366&xbrl_type=v 38. Value Click (Date NA) Compounded Annual Growth Definition. Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/c/cagr.asp#ixzz2FEDxVIqH 39. Value Click (Date NA) GDP Definition. Published by Value Click Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/g/gdp.asp#ixzz2Eark1U7v 40. Verizon RISK Team(2012). 2012 Data Breach Investigations Report. Retrieved 7 December 2012 from Verizon Corporation: http://www.verizonbusiness.com/resources/reports/rp_data-breach- investigations-report-2012_en_xg.pdf 41. Websense (2012) Form 10Q filing report period 9/30/2012. 
Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi- bin/viewer?action=view&cik=1098277&accession_number=0001098277-12- 000004&xbrl_type=v 42. Weisbrod, Glen (2011). DEFINING ECONOMIC IMPACT AND BENEFIT METRICS FROM MULTIPLE PERSPECTIVES: LESSONS TO BE LEARNED 50 | P a g e
  • 51. FROM BOTH SIDES OF THE ATLANTIC. Retrieved 6 December 2012 from Economic Development Research Group, Boston, Massachusetts, USA: http://www.edrgroup.com/pdf/Weisbrod-Simmonds-ETC-Oct2011R.pdf 43. Weiss, Holt, Gorham (October 2012). Security Preview: Secular Should Outpace Macro in Q3 published by Morgan Stanley Research of North America 44. White, C. (2011). Data communications and computer networks ―a business users approach‖ . (6th ed., Vol. ISBN-10: 0538452617 , p. 17, 17, 297, 308 & 330). Course Technology, Cengage Learning 7. List of Figures a. Figure 1: Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cos t_of_Cyber_Crime_Study_FINAL6%20.pdf b. Figure 2: Baker, Hutton, Porter (Date NA). A Framework for Gathering Risk Management Information From Security Incidents. Published by Verizon Risk Management Retrieved 6 December 2012 from Security Metrics Organization http://www.securitymetrics.org/content/attach/MetriCon4.5/mm_VZ.pdf c. Figure 3: 29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research& Analysis d. Figure 4: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis e. Figure 5: Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security- budgets-to-increase-in-2013/ 51 | P a g e