Computer Economics conducts original research on IT security budgeting and staffing metrics, the adoption rates of security best practices, and the economic impact of various types of IT security threats, such as malware. These publications provide metrics to support IT executives in managing the security function.
The following is a list of our most recent major publications on IT security. Additional publications may be found in the Risk Management research section of our Management Advisories.
Malicious Insider Threats
This special report, based on our survey of IT security professionals and executives worldwide, analyzes malicious insider threats to businesses. Basic categories of malicious threats include accessing confidential information without authorization, disclosing confidential information, executing fraudulent transactions, and sabotaging the organization’s systems, network, or data. For each of these four categories of threat, we present data concerning the perceived seriousness of the threat and actual incidents and risks of each type. We then analyze the popularity of various methods for preventing, countering, and detecting incidents of malicious insider activity. (47 pp., 27 figs.)
Insider Misuse of Computing Resources
This special report, based on our survey of IT security professionals and executives worldwide, analyzes the threat of insider misuse of computing resources--that is, any violation of an organization's policies regarding acceptable use. Examples include unauthorized file copying; downloading of software, music, or other media; P2P file-sharing; rogue remote access programs, modems, and wireless access points; misuse of business or personal email; instant messaging; blogging and posting to message boards; and personal web surfing. For each of these 14 types of insider misuse, we present data concerning the perceived seriousness of the threat, typical organizational policies or lack thereof, frequency of violations against company policy, analysis of preventive and detective actions taken by organizations to deter the misuse, and typical levels of enforcement. (77 pp., 75 figs.)
2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code
Malware continues to be a major security threat, but obtaining a quantitative risk assessment is a difficult exercise. This special report, based on our survey of IT security professionals and managers, reports on the overall change in the malware threat level by type. Malware types include destructive viruses, spyware, adware, botnet code, and hacker tools. For each malware type, the report provides statistics for remediation cost, user hours lost, system downtime, and total dollar damages. It then summarizes the annual damages by organization size, and estimates the total economic impact of malware by year for the period of 1997-2006. Analysis of the top ten malware entities in 2006 is also provided. This report is an unbiased source for estimating malware damages and analyzing the cost-benefit of anti-malware investments. (51 pp., 36 figs.)
Trends in IT Security Threats: 2007
This special study, based on a survey of over 100 IT security professionals and managers, analyzes current trends in IT security threats and changes in threat levels over the past year. Categories analyzed include malware, phishing, pharming, spam, denial-of-service (DoS), unauthorized access by outsiders and insiders, vandalism and sabotage, extortion, fraudulent transactions, physical loss of computing devices or storage, and insider misuse. Additional statistics are provided on the number of incidents in each category reported by survey participants. This assessment includes analysis of differences between the perceptions of IT security professionals and the potential impact of cyber-crime in each category. (40 pp., 30 figs.)
The 2006 IT Security Study
This study, based on a survey of North American IT security managers, analyzes information security spending, staffing, incidents, the rate of technology adoption, and the deployment of security best practices for large, medium, and small organizations. This year's study found that large firms lag behind mid-size organizations in IT security spending, staffing, technology, and management best practices. It also found that many companies of all sizes fail to implement a number of basic security management best practices. Yet, in spite of these deficiencies, most companies are not authorizing more money for IT security. (186 pp., 150 figs.)