KEY FINDINGS

Some of the key findings from the participants in this year's survey are summarized here. The findings discussed below emphasize changes taking place in the computer security arena, as well as items not considered in previous CSI/FBI surveys.

- Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches.

- In a shift from previous years, the most expensive computer crime over the past year was due to denial of service.

- The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

- Most organizations conduct some form of economic evaluation of their security expenditures, with 55 percent using Return on Investment (ROI), 28 percent using Internal Rate of Return (IRR), and 25 percent using Net Present Value (NPV).

- Over 80 percent of the organizations conduct security audits.

- The majority of organizations do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.

- The Sarbanes-Oxley Act is beginning to have an impact on information security in some industries.

- The vast majority of the organizations view security awareness training as important, although (on average) respondents from all sectors do not believe their organization invests enough in this area.

The Sarbanes-Oxley, IIRC, is the one that requires due diligence by CEOs to shareholders. It puts more responsibility on the CEO and Board of Directors to ensure that the company is sound and safe. Looking at the figures of the survey, it's interesting. The numbers went down in the number of respondents (485 compared to 525). Based on the survey, all types of attacks were down. Most of the money lost, and it's about half of last year, was due to DoS ($26 million this year compared to about $60 million last year).

It's always made me wonder. Our society has become the Microsoft society IMHO. That is, we want everything to work but not necessarily understand the underlying mechanics of how it works. This means that our attackers are losing their finesse. When you think about it, there really hasn't been any major breaches by someone in years (at least not anything that's public).

On the other hand, if companies aren't willing to report it (this figure went down from 30% last year to 20% this year!) because of negative publicity (56% said that's the reason they don't report it) how do we know they're being honest in the survey?