Upload
bradley-susser
View
495
Download
2
Tags:
Embed Size (px)
DESCRIPTION
This research report studies the economic impact that Cyber Security attacks have on society as a whole. The aim of this analysis is to examine the negative and positive impact of these compromises on multiple entities. Our descriptive analysis focuses on individuals, private and public organizations, costs, revenues, innovations, and jobs to determine if proliferation's of these attacks are either, negative or positive. Although this paper draws upon the economic factors as result of cyber-attacks, it looks at the outlay in its historical context of capital expenditures to private and public organizations due to the increased number of compromises and factors of this paradigm helping to fuel the growth of innovations or spawn a new industry as a whole.
Citation preview
Cyber Attacks and the economic impact on Entities worldwide
Cyber Attacks Ahead
Bradley Sean Susser December 17, 2012
Abstract
1 | P a g e
This research report studies the economic impact that Cyber Security attacks have on
society as a whole. The aim of this analysis is to examine the negative and positive
impact of these compromises on multiple entities. Our descriptive analysis focuses on
individuals, private and public organizations, costs, revenues, innovations, and jobs to
determine if proliferations of these attacks are either, negative or positive. Although this
paper draws upon the economic factors as result of cyber-attacks, it looks at the outlay
in its historical context of capital expenditures to private and public organizations due to
the increased number of compromises and factors of this paradigm helping to fuel the
growth of innovations or spawn a new industry as a whole.
Table of Contents Page
2 | P a g e
Abstract 2
1. Introduction 4-5
2. Literature Review 62.1 Cyber Attack defined 6-82.2 Cyber Security defined 8-92.3 Brief History of Cyber Attacks 9-102.4 Economic Impacts Defined (inclusive Cost benefit Analysis) 10-132.5 Cyber Attacks Spawning New industry and Garnering Capital Investment 13-14
3. Methodology 14-153.1 Cyber Attacks and Hypothesis on their Growth over the Years 15-163.2 Cyber Attacks & Hypothesis on Financial Impacts of Entities Targeted 16-17 3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital 17-18
4. Discussion 18 4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings 18-204.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective 20-224.3 Mckinsey Global GDP Growth Statistics 22-234.4 Cost benefit Analysis & Difficulty in Obtaining Metrics 23-244.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks 24-254.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape 26-324.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained 33-44
5. Conclusion 45-46
6. References 47-51
7. List of Figures 51
1. Introduction:
3 | P a g e
Since the mid 1980’s as personal computers started becoming more prevalent so
too did a small group of people that chose to wreak havoc by exploiting and
compromising these devices for nefarious purposes or just pure curiosity. These events
were even depicted in movies such as War Games, which was introduced to the public
in 1983. The movie is based on a teenage boy who breaches the United States
Pentagons computer system and locates a game within the system known as “Global
Thermo Nuclear War”. Although he believes this is just a game in reality he
inadvertently causes the system to begin the process of launching a nuclear attack on a
number of sovereign nations.
This was the first time that such a scenario was brought to the forefront of the
general public and although this was just a movie in reality systems although in its
infancy, where becoming attractive targets for individuals and entities to manipulate and
unethically exploit. Then in the early 1990’s the Internet was introduced to the
commercial sector allowing for both private and public entities to leap frog off of this
medium and create whole new economies based on this technological innovation.
However as the internet, systems, personal computers and a plethora of
hardware/software devices are utilized more and more for routine activities the number
of people wishing to do harm to individuals and organizations that make use of these
technologies continues to grow at an alarming rate.
In fact, according to Verizon’s 2012 Data Breach Investigations Report, 2011 was
the year that organizations systems came under attack by a slew of groups with
different forms of motivation but the numbers are unprecedented. The report focused on
855 incidents that saw 174 million data records get compromised. This included
4 | P a g e
protesting entities such as the likes of Anonymous, cybercriminals performing attacks to
acquire trade secrets, classified information and other intellectual property, steal
personal credit card information, identity theft, take down organizational servers and the
list goes on and on. Verizon is quoted as saying “Doubly concerning for many
organizations and executives was that target selection by these groups didn’t follow the
logical lines of who has money and/or valuable information. Enemies are even scarier
when you can’t predict their behavior (Verizon 2012).”
In another scathing report released to the public in October of 2012 by Hewlett
Packard working with the Ponemon Institute indicated an exponential increase of Cyber
Crime from 2010 to 2011. In contrast to the Ponemon and Verizon, reports an article
written in the Baltimore Sun on October 21, 2012 quoted Cyber Security analysts as
saying that this sector of the market is anticipated to grow over 50 percent up until the
end of 2016 which will open up new opportunities for business and individuals. The
article goes on to say that Cyber Security spending by the Defense Department, even
with the absence of certain legislation will rise from $4.4 billion in 2011 to $6.7 billion in
2016, spending in civilian agencies will increase from $2.6 billion in the 2011 period to
$3.8 billion by 2016 and capital expenditures to be outlaid by U.S. Intelligence agencies
are expected to increase from $2.3 billion last year to $3.6 billion over the next four
years (Sentementes 2012). The statistics incorporated above show a dichotomy
whereby the economic impacts of Cyber Attacks can be both disadvantageous and
advantageous.
The point at issue is, is one more predominant over the other or do they balance
each other out? The question posed in the prior sentence is what this papers primary
5 | P a g e
objective seeks to ascertain, although other questions must be implemented and
investigated to garner an appropriate answer. So as you continue to migrate through the
sections to follow, we will look through an assortment of research to try and come up
with a valid answer to the aforementioned question.
2. Literature Review:
In reviewing the literature there is an abundance of material on growing number
of Cyber Attacks which has negative ramifications as well as helped to spur the growth
of a variety of disciplines and innovations within the IT Security arena. Therefore there
are a multitude of factors and questions one needs to take into account by means of
economic analysis.
2.1 Cyber Attack defined
Some of the essential questions that must be addressed include do the overall
economic impacts of these attacks way on the side of being more adverse or
advantageous? The aforementioned question should be broken down even further to
include the following.
What is a cyber-attack? There are a variety of ways to define and describe a
cyber-attack. Although, the term may appear simplistic on the surface, cyber-attacks are
comprised of a multitude of factors. The Ponemon Institute exclaims that this is any
criminal activity conducted over the Internet (Ponemon 2012) but is this not too
simplistic of a definition? According to the research paper “The Law of Cyber-Attack” the
authors explain that a Cyber Attack is “any action taken to undermine the functions of a
computer network for a political or national security purpose.” This group of writers than
6 | P a g e
further explains that the reason for lack of clarity among the community on what Cyber
Attacks are, is due to the inability to make a distinction between Cyber Crime, Cyber
Attack, and Cyber War. For example in their paper “a Cyber Attacks Objective must be
to undermine the function of a computer network” and “Must have a political or national
security purpose.” (Oona, Crootof, Levitz, Nix, Nowlan, Perdue, Spiegal, 2012).
The terms Cyber Crime and Cyber War discussed in the sentences above are
what makes up Cyber Attacks and therefore in addition further extrapolation on the true
meaning must be incorporated. Lt. Colonel David M. Keely hits the nail on the head in
stating that many of the definitions he came across where to narrow in scope. He
concluded that “A good definition of Cyber Attack can be found in discussions of the
Critical Infrastructures Protection Act (CIPA) of 2001: ―All intentional attacks on a
computer or computer network involving actions that are meant to disrupt, destroy, or
deny information. “ In addition he exclaims you must also incorporate the why aspect.
Inclusive should be the motivation of the attacker. “If the motivation of the attacker is
monetary gain, destruction of property, or espionage, then a crime has been
committed.” “If the desired result is ―to cause death or seriously bodily harm to civilians
or non-combatants, with the purpose of intimidating a population or compelling a
Government or an international organization to do or abstain from doing any act then an
act of terrorism has occurred.” “If the motivation is to wage or to assist in waging a
―armed hostile conflict between States or nations then an act of war has occurred.”
Lieutenant Keely’s assessment covers all the essential elements of Cyber Attacks that
impact sovereign nations, public and private entities and finally individuals therefore his
interpretation is quite effective for the purpose of our research endeavor (Keely, 2011).
7 | P a g e
Finally it is necessary to breakdown the types of exploits propagated by these Cyber
Attacks. Cyber Attacks are comprised of Malware, Web based attacks, stolen devices,
malicious code implementation, malicious insiders, phishing and social engineering and
denial of service attacks (DoS). Malware is defined as evil software and is made up of
subcategories which include viruses, Trojans, worms, rootkits, keyloggers etc however
in the chart provided by
2.2 Cyber Security defined
As with Cyber Attacks we need to try and come up with a concrete definition for
Cyber Security as it varies among Information and Communications Technology (ICT)
professionals. This is because the area of specialties could be substantial according to
The National Institute of Standards and Technology (NIST), a U.S. federal agency and
one of the leading organizations in charge of implementing security standard’s globally.
Although NIST’s numbers may be slightly overarching it provides additional affirmation
that the term Cyber Security cannot be so easily defined (National Institute of Standards
and Technology). Some believe the term to be interchangeable with Information
Security while others state that Information Security is a subset of Cyber Security. A
definition that we found to be most appropriate is Cyber Security refers to the protection
of any asset from being exploited by Cyber Attacks which we defined above, via
Information and Communication Technologies. Inclusive is additional components such
as countermeasures and activities that can either be technical in nature or non-technical
for the purpose of safeguarding computer networks, digital devices, hardware, software
and all the information that they contain and communicate from anyone that has malice
8 | P a g e
of intent. In addition Cyber Security encompasses a number of professionals that
perform continuous research and analysis in order to try and keep ahead of those
wishing to do us harm, described above by NIST. As you can see the word information
is embedded in the definition of Cyber Security so we can conclude that it is in fact a
subset of this area of discipline. Therefore Information Security references all aspects of
information protection. Subsequently three primary objectives lie at the heart of
Information Security. These include the terms confidentiality, integrity and availability.
Confidentiality makes sure that information is not disclosed to any unauthorized entity
and that those who which to disclose that information can do so but at their request,
Integrity assures one that information is modified only with proper authorization and
finally availability assures that information is provided promptly to authorized entities
and only denied to those who are not authorized [Dunn 2005].
2.3 Brief History of Cyber Attacks
From a historical perspective have the number of attacks grown over the years or
been on the decline? Furthermore have costs for entities accrued?
Cyber Attacks have become depicted in the media for quite some time therefore
one must look at these attacks in their historical context. The precursor to the present
day Internet was created by the U.S. governments Advanced Research Projects
Agency (ARPA) and was known as the ARPANET which was developed in the late
1960’s. ARPANET eventually was replaced by the Internet or what is known to many as
the information highway which connects local area networks to wide area networks
used by individuals and organizations worldwide (White, 2011). Unfortunately upon first
9 | P a g e
initiating the deployment of this medium, safeguards where never implemented as
Cyber Attacks where not even forethought. Some of the earliest attacks involved “phone
phreaking” in the early 1970’s and then with the invention of personal computers in the
early 1980’s attacks on systems began to proliferate. A number of congressional laws
were passed due to these early compromises to offer better protection of unauthorized
access to government computers. Title 18 United States Code: § 1030. “Fraud and
related activity in connection with computers” is one such law that was implemented in
1986 and modified over the years to punish those wishing to target systems, whether for
political reasons or criminal activity (Cornell University Law School 1986). Finally in the
early 1990’s the Internet was now open to the general public for private and commercial
use but with increasing reliance on the Internet and its expansion of interconnectivity
attacks became even easier to perform. The Computer Security Institute (CSI)/Federal
Bureau of Investigation (FBI) Computer Crime and Security Survey conducted over the
last several decades provides invaluable data, helping to further ascertain additional
information on the amount of attacks on organizations who have participated in the
study over the years and detailing their networks and cost estimates by the type of
attack.
2.4 Economic Impacts Defined (inclusive Cost benefit Analysis)
This leads us to the next area of topic, that being the economic impacts of these
increasing number of attacks but what do we mean by economic impacts?
It must be stated that in order to grasp an understanding of the term economic
impacts its essential that we include in our description economic
advantages/disadvantages and productivity as they all are intertwined. Economic impact
10 | P a g e
sometimes is difficult to describe because it is made up of a complexity of subcategories
but on its face this is any modification in the passage of capital (income) in the economy
between industry sectors, population groups, or local areas of the world and although
metrics are usually measured in terms of growth in income, jobs or output such data is
not necessarily easy to extract and often more times than not difficult to quantify.
Economic advantages/disadvantages is a broader concept of welfare gain than
economic impacts, in that it can incorporate both monetary advantages/disadvantages
(tangible) and non-monetary advantages/disadvantages (intangible) with a willingness
to pay value or remove value The previous sentences concepts are most useful for
performing a cost-benefit analysis (CBA). In using a simple example, a CBA can be the
benefit of safeguarding ones systems against Cyber Attacks and the costs associated
with these protective measures. Finally productivity typically refers to the increasing
growth in value added per worker or per unit of investment which has the potential to
produce an actual acceleration in income and jobs (Weisbrod 2011).In looking further
into productivity it can be utilized not only as an gauge of efficiency but also indicative of
economic development.
The research paper titled “Private Sector Cyber Security Investment Strategies:
An Empirical Analysis” suggests a cost benefit analysis approach is generally
Straightforward but found organizations inability to construct a rigorous cost benefits
analysis (CBA) framework. Furthermore expected damage or cost functions and threat
probabilities needed to conduct a CBA is difficult to attain therefore most often
companies rely more on a qualitative approach (Rowe, Gallaher 2006). Note that CBA
will be further described in the economic impact section to follow. Although the
11 | P a g e
aforementioned research study is slightly predated as quantitative analysis has
appeared to have improved as you will soon see in the Ponemon Intitute, the study was
able to conclude that regulations was the most often cited drivers increasing
organizations’ investments in Cyber Security. This is important as it shows a correlation
between government initiatives and spending discussed in the Baltimore Sun
introductory paragraph above. However in the article “Economic Analysis of Cyber
Security” the authors point out that a CBA framework which focuses on quantitative
analysis is expensive, difficult and in most cases even impossible to garner. This in turn
has forced most organizations to perform qualitative assessments, which are then
compared to quantitative analyses. Although the research paper dates back to 2006 this
is still mostly true today. It must be noted that they due endorse The Computer Security
Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security
Survey considering this to be the best available source. In contrast and to be fair the
authors of “The Economic Impact of Cyber Attacks” state that this survey is lacking in
certain areas due to incomplete metrics (Cashell, Jackson, Jickling, Webel, 2004). This
once again goes to how difficult it is many times to come up with complete and accurate
data which is why a number of sources should be used to reach the appropriate
balance. “The Economic Analysis of Cyber Security” paper also discusses how
organizations decipher how to invest in security. This is significant because these
organizations decisions are based on the impacts or potential impacts of Cyber Attacks
and therefore you can see how these firms collect data to perform their analysis.
Furthermore as part of this data collection process these entities implement the current
costs associated with being hit by these attacks in their investment analysis which
12 | P a g e
allows you to get a better understanding on how they come up with these costs they are
supplying to those conducting research on the financial impacts of Cyber
Attacks(Gallaher, Rowe, Rogozhin, Link 2006).
2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment
Have Cyber Attacks spawned a new industry that has helped to garner a large
infusion of capital from the investment community?
It is essential that organizations implement Cyber Security controls either through
technological means or human analysis. Investments in the area of IT Security
organization and startups in the past have been slow due to a lack of understanding and
the inability to view security as an essential element that must be incorporated within
one’s business. However due to Cyber Attacks becoming more persistent an increasing
number of investments and the infusion of capital committed to this sector are starting to
take shape. One reason for this is the implementation of regulation but not so much as
to inhibit innovation. For instance federal and state statutes that penalize companies
that do not properly safeguard consumer information have forced these entities to
obtain the necessary financing and invest in the area of Cyber Security. United States
regulatory bodies such as the Federal Trade Commission (FTC), Department of Justice
(DOJ), Securities and Exchange Commission (SEC) [Department of Commerce Internet
Policy Task Force June 2011), Payment Credit Card regulatory agencies (PCI Security
Standards Council (2012) and many others has brought a number of legal enforcement
actions against entities that have been inept in protecting consumer data forcing them to
access additional capital. The capital is then used to pay for security.
13 | P a g e
In the wake of these legal actions and targeted attacks, Gartner Research in a
September 2012 release talks of the increasing amount of capital being deployed
throughout the Cyber Security Industry (Gartner 2012). In addition Certified Financial
Analyst for financial firm Citi Group conducted research whereby IT security budgets are
on the rise (Pritchard 2012) as well as a number of or other researching bodies.
3. Methodology:
In conducting our research the approach we have utilized and you will see whilst
continuing to view this document is one of a descriptive nature because although we
draw empirical data from prior research we focus primarily on the characteristics of
Cyber Attacks and its economic impacts on entities worldwide in the current day and
age. It should be also noted that due to the complex nature of Cyber Attacks and lack of
complete understanding data is vast and all over the map; therefore it is difficult to
acquire exact assessments and cost figures. The same also holds true for an
accurate account of the growth of the Cyber security industry although there have been
ongoing improvements to address these issues. Subsequently a compilation of primary,
secondary and general resources, those being from vetted educational research, public
companies such as Verizon, Certified Financial Analysts from investment houses,
leading information technology research and advisory firms, audited financial filings
from publicly traded companies and articles from newspapers/journals are utilized within
this paper. Again, the statistical data is fragmented as there has been no clear model
that has been adopted and many argue some numbers are skewed due to conflicts of
interest and in the ability to acquire the necessary resources (such as vetted papers
14 | P a g e
created by those that are in the educational arena) to conduct a proper study. The
figures comprised of various sample sizes among the population are compared and
contrasted so we can get a more accurate picture to determine whether the cost of
Cyber Attacks far outweighs the amount of money being generated by the Cyber
Security community or if the money being infused into the Cyber Security Industry has
economic benefits that exceed the costs generated by Cyber Attacks.
3.1 Cyber Attacks and Hypothesis on their Growth over the Years
We will begin our focus by asking the question once again from a historical
perspective have the number of attacks grown over the years and over the last several
decades have costs for entities accrued? This question is important because it lays the
ground work as to how the Internet and the technology that is embedded within it has
become a source utilized for nefarious purposes. Although some years have seen a
decline in the number of Cyber Attacks overall the trend one would think is likely to
show that these attacks are an everyday occurrence and ever increasing in numbers.
This is because the multitudes of devices that are connected to the Internet and make
use of its backbone are immense. In other words distributed systems have become
dominant as opposed to centralized systems which used to play more of a role among
entities but are in fact utilized less and less these days. Also due to complexity of the
network and programming code used in web applications worldwide, the vector of attack
has grown making it even more difficult to mitigate against and ripe for exploitation. For
example looking at web applications in particular, updates and patches are issued by
vendors who develop code for a number programs daily. The problem has become so
great that companies such as Microsoft and Oracle have a preset schedule for
15 | P a g e
distributing fixes on a monthly and quarterly basis. In fact firms like Red Hat employ
what is known as open source code, which is available to the general public for free and
offers the ability for any programmer to make modifications to the code when
necessary. Therefore vulnerabilities in open source software can be found more quickly
and what is also evident is the number of advisories for this type of code is deployed on
a daily basis. However there are still a number of programs that have vulnerabilities that
are not found for a number of months or even years. This is especially true in the way of
advanced persistent threats (APTs).In fact even when vendors issue advisories it takes
time for them to create patches for code therefore those wishing to do us harm have
plenty of time in between these fixes to propagate attacks by take advantage of these
vulnerable applications.
3.2 Cyber Attacks and Hypothesis on Financial Impacts of Entities targeted by Attacks
The next area we need to delve into once more is the economic impacts
that Cyber security has on society as a whole. More specifically, what are the financial
impacts on capital expenditures of private and public organizations targeted by Cyber
Attacks? As highlighted above, the Internet has become the primary backbone to
entities worldwide helping to create new innovations, increase collaboration and open
up new economies like we have never seen before. In addition with the simple click of a
browser, connectivity to this vast network has become so easy that even the average
laymen with no technological skills can access the information highway. Although it is
hard to dispute the advantages of the pervasive availability for anyone to connect online
16 | P a g e
it has also offered those seeking to do us harm a large vector that can be utilized to
attack and exploit individuals and organizations. The impact therefore of these attacks,
specifically Cyber Attacks, have come at a great cost to entities forcing them to outlay a
significant amount of capital and see a huge reduction in revenues . Inclusive are
entities going out of business, loss of jobs, the negative impact of productivity and the
vast amount of money or even identities being stolen from consumers. For example
organizational databases compromised or hit by a denial of service attacks, takes
enormous man power to recover from such attacks. This in turn negatively impacts
productivity.
3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital
Finally it is necessary to be redundant and ask whether Cyber Attacks spawned
a new industry that has helped to garner a large infusion of capital from the investment
community and increased organizational sales figures for Cyber Security firms? Despite
the adverse impacts Cyber Attacks have on the economy there is no doubt that it has
also created new opportunities as many subsectors such as cryptography, network
security, operating system security, database security, reverse engineering and
penetration testing just to name a few which have become essential components that
entities must make use of in order to safeguard systems. Therefore many venture
capital funds, private equity firms, individual investors and the overall capital markets
are continuing to pump money into the Cyber Security arena. These investments could
also have a positive effect on sales which is the exact opposite of entities who are
plagued by the current threat environment. The irony here is that the number
17 | P a g e
disciplines and income garnered by the Cyber Security Industry could possibly outweigh
the costs associated with Cyber Attacks.
The aforementioned questions and their hypotheses as stated in previous
paragraphs have been difficult to quantify however in the section to follow will attempt to
do just that!
4. Discussion
4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings
Cyber Attacks have evolved over time therefore one must look at these attacks in
their historical context. The precursor to the present day Internet was created by the
U.S. governments Advanced Research Projects Agency (ARPA) and was known as the
ARPANET which was developed in the late 1960’s. The government allowed access to
ARPANET to only a selected few military bases, government labs and research
universities. The ARPANET was one of the first wide area packet switched networks
which provided services like electronic mail, the transferring of files and remote logins.
In 1983 the Department of Defense (DOD) broke ARPANET into two similar networks
keeping the name ARPANET for one of the networks and calling the other network
MILNET which would be used for military purposes. ARPANET eventually was phased
out and around this time the National Science Foundation funded the development of a
new high speed network known as the NSFnet which connected major router sites
across the U.S .than acting as the telecommunication backbone in turn connecting to
smaller regional networks or statewide networks. The statewide networks were then
connected to a set of campus networks and eventually the collection of all these
18 | P a g e
networks would then be known as the Internet (White, 2011). The previous sentences
are significant primarily because when this architectural medium was developed there
were no countermeasures or safeguards implemented. In fact nobody had the foresight
to think that the Internet would become the primary backbone for communications
globally, so instrumental to the economies worldwide and especially conceive that it
would be utilized as a medium for nefarious purposes.
Some of the earliest hackers were involved in “phone phreaking” which were
attackers looking to break into telephone networks in an effort to make free long
distance calls. Joybubbles AKA Joe Engressia was one of the first phone phreaks. He
was a blind boy with perfect pitch who could whistle any tone. Circuit switching centers
at the phone company were apparently tricked by the tones that he produced. One tone,
used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited to
provide free long distance and international calling. Engressia could imitate this tone,
while other phreaks used what was called a “blue box”. According to the New York
Times article written in 2007, Steve Jobs and Steve Wozniak, founders of Apple, were
also successful phone phreaks (Martin 2007).
In the early 1980’s personal computers came into being manufactured by
companies such as the likes of Apple and in turn individuals who tried to exploit
networks for all sorts of reasons began to emerge. One of the first well known attacks
was performed by Kevin Mitnick one of the most infamous attackers of the 1980’s. It
was back in 1979 when Mitnick at the tender age of 16 years old illegally accessed
Digital Equipment Corporation’s (DEC) computer network and obtained a copy of their
operating system software. He also hacked into the networks of Nokia, Motorola, Sun
19 | P a g e
Micro, Pacific Bell and other companies. Just over a year ago Kevin was interviewed by
ZDnet claiming none of the companies he compromised sustained any damages
however the FBI estimated Kevin's hacks and code reading into the $300 million range
(Hess 2011). In addition to Kevin, the Legion of Doom founded by Vincent Louis
Gelormine (“Lex Luther”) in the 1980s were involved in unauthorized access to a
number of corporate networks, including BellSouth Corp.(Dr. Hayes 2012).
4.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective
In moving slightly ahead in time the Computer Security Institute which has been
a leading educational membership organization for information security professionals for
over 30 years, began its series of reports titled “CSI/FBI 2000 COMPUTER CRIME
AND SECURITY SURVEY”. The reports are advantageous as some of the others that
are produced are by those who may have ulterior motives such as the likes of many
vendors who produce and sell security tools. Thereby having a potential conflict of
interest. In contrast CSI security surveys are completely independent and collected
data is gathered from a team that is made up of security professionals spanning multiple
industries, separate from those who just work in organizations selling solely cyber
security tools and services. Having said that, sample size is not significant enough as it
only encompasses a small percentage of respondents solely within the United States.
However although participation has been on the decline we can focus on annual
financial impacts of major Malware attack data by CSI collected between the years 1995
to 1999. In 1995 the number totaled $500 million, in 1996 $1.8 billion, 1997 $3.3 billion,
1998 $6.1 billion and in 1999 $12.1 billion (Cashell, Jackson, Jickling, Webel 2004). The
20 | P a g e
percentage increases that can be denoted by these numbers are astonishing.
According to Kevin G. Colman of the Technolytics Institute back in November
2008 he acquired figures from several studies. One in particular conducted by Spy-Ops
stated that over a one year period from 2007 to 2008 information theft grew around 68
percent were every quarter of a second a file is stolen containing critical data in order to
steal a consumers identity. In 2008 it was also concluded that the United States
Pentagon was attacked 3 million times a day (Coleman 2011). Although not a precise
number in an article written by Voice of America Titled “Panetta Says US Boosting
Cyber Defense” Luis Ramirez who wrote the article backs up the 2008 document saying
thousands of enemy cyber-actors are targeting the Pentagon’s systems millions of times
a day (Ramirez 2012).
In 2012 Janet Napolitano US Secretary of Homeland Security, during her
opening keynote address at the ASIS/(ISC)² Congress 2012 conference in Philadelphia
stated that Cyber Attacks have increased “significantly over the past decade”, and that
number also includes the more than three years she has acted as US Secretary
of Homeland Security. To put this into context, Napolitano goes on to say “the United
States Computer Emergency Readiness Team (US-CERT) responded to more than
106,000 reports of Cyber Attacks during 2011 – releasing more than 5000 security
alerts to its public and private sector partner (Info Security Magazine 2012).”
Today attacks are no longer dominated by a few but many individuals and
entities. This is primarily due to the rise in distributed systems as opposed to the more
common centralized ones which were once dominant several decades back. According
21 | P a g e
to Information Week on February 1, 2012, “Cyber Attacks against government agencies
and businesses in the United States continue to rise, and cyber threats will one day
surpass the danger of terrorism to the United States, intelligence community officials
said in an open hearing of the Senate select intelligence community.” The article goes
on to mention countries such as China and Iran, to groups like Anonymous and LulzSec
targeting systems on a regular basis and it suggested it will only get worse (Hoover
2012). The historical trend certainly seems to indicate that there is a rise in attacks and
further proof of this can be seen in the paragraphs to follow.
4.3 Mckinsey Global GDP Growth Statistics
There is little doubt that the Internet has helped to create new innovations and
open up new areas of the economy leading to high areas of growth and prosperity for
many. This can be seen in the May 2011 Mckinsey Global Institute study which
explained that the Internet accounts for 3.4 percent of the GDP when examining thirteen
countries. The Internet for the developed nations among the 13 depicted in the previous
sentence over the last five years contributed to 21percent GDP growth. GDP is the
monetary value of all final goods and services produced within a nation in a particular
period of time, typically based on yearly estimates. It includes all of private and public
expenditures, government spending, investments and exports minus imports that are
representative of a certain region (Value Click). For the United States alone this
represents $440 billion to $580 billion of additional total output (Dowdy 2011).
Unfortunately along with GDP the information highway has also contributed to
adversely impacting these numbers because of the multitude of targeted attacks from a
22 | P a g e
variety of actors (hacktivists, cyber criminals and sovereign nations), on all
organizations and industries that add to GDP worldwide. Inclusive is Computer based
control systems that run much of the nation’s physical infrastructure. In other words no
public or private entity is immune from such threats.
4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics
Just before we present you with the findings from a number of different entities
once again it must be emphasized that there is no one study that should be taken
completely at face value. The research paper titled “Private Sector Cyber Security
Investment Strategies: An Empirical Analysis” suggests a cost benefit analysis
approach is generally straightforward but found organizations inability to construct a
rigorous cost benefits analysis (CBA) framework. Furthermore expected damage or cost
functions and threat probabilities needed to conduct a CBA is difficult to attain therefore
most often companies rely more on a qualitative approach (Rowe 2006). Although the
aforementioned research study is slightly predated and quantitative analysis has
appeared to have improved figures remain inconsistent.
Examining a compilation of data and taking the average of all these numbers is
most appropriate. This is talked about above in particular the two differing opinions on
the “CSI/FBI Computer Crime and Security Survey”. One being from the authors of the
article titled “the article “Economic Analysis of Cyber Security” who endorse the survey
(Gallaher, Rowe, Rogozhin, Link 2006) and the other coming from the authors of “The
Economic Impact of Cyber-Attacks” who cites several sources claiming the data is not
chosen randomly nor is a representative sample of entities that are exposed to cyber-
risk but only taken from self-selected security professionals which is considered in
23 | P a g e
research circles to be somewhat biased. The reports on the 530 individuals who were
utilized nationally to conduct the survey are not accurate enough to obtain sound
figures. Additionally, cost data reported can be considered inept. For example in its
2003 survey fifteen percent of the participants could not tell you if there was unapproved
use of their network and systems indicating that some measurable losses were obtained
but this could significantly underestimate the totality of all losses. Also out of the seventy
five percent of the participants that reported losses only forty seven percent of them
could put an actual figure to those losses. The authors of “The Economic Impact of
Cyber-Attacks” do state however that this study is accepted by many papers that
comprise of computer security literature. Yet again, there is no one sound method that
can be modeled to quantify the costs associated when it comes to Cyber Attacks which
is why it is useful to extract data from a variety of sources (Cashell, Jackson, Jickling,
Webel, 2004).
4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks
In its 15th annual 2010/2011 “CSI/FBI Computer Crime and Security Survey” The
Computer Security Institute sent 5412 security practitioners by regular snail mail and
email, whereby 351 people replied back with feedback indicating the number of returns
would make the institute ninety five percent confident that there numbers are accurate
with only just slightly over five percent margin of error. They do however admit that
these respondents are only those who have paid to be members of the institute or paid
to attend their event which can skew the numbers but they represent a vast array of
industries except for the financial sector whose participation dropped around five
percent with this last study. Furthermore as with many of these surveys they do not
24 | P a g e
include consumers being compromised and a majority of the organizational respondents
came from companies making over $100 million a year as opposed to smaller entities.
Forty seven percent claimed they were affected by regulatory laws but this could be due
to the fact that laws may not be so clearly defined and respondents that are a part of a
government entity may not feel these laws affect them. Finally not for profit firms or
educational institutions may not feel they have customers so they do not believe it
affects them..
The CSI report for the year 2010 shows the types of attacks experienced by the surveys participants which include 67.1 percent were attacked with some type of
Malware infection, insider abuse of Net access or email 24.8 percent, laptop mobile
device theft 33.5 percent, phishing 38.9 percent, Denial of service 16.8 percent, Bots on
the network 28.9 percent, financial fraud 8.7 percent, password sniffing 11.4 percent
and exploiting a wireless network 7.4 percent. As you can see Malware infection
continues to be the most commonly seen attack. The percentages depicted in the prior
sentence are the main reason we incorporated the CSI survey and also their
commentary on the Symantec study which you will see below. As for the financial
losses they could not be properly accessed due to the fact that only 77 respondents
provided information and the numbers are not worth mentioning as this is far too small
of a sample but this does offer some proof on monetary losses (Richardson 2010).
4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape
25 | P a g e
In January of 2012 PGP corporation a global player in safeguarding
organizational data and research firm The Ponemon Institute performed a
comprehensive study specifically aimed at data breaches primarily and one must
remember these are only confirmed data breaches. The survey revealed that data
breach incidents cost U.S. companies $204 per compromised customer record in 2009,
compared to $202 in 2008. There was an overall decline in the figures of reported
breaches in 2009 compared to 2008 but still significant. The average total per-incident
costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65
million in 2008. Recently Ponemon came out with additional statistical data for the year
2010 but the numbers were also exceeding high. The chart below is a good
representation of the data compiled by Ponemon (Ponemon 2012). Using data provided
by Ponemon Institute, the chart depicted below shows that U.S. firms are now losing
more money to operational costs of Cyber Attacks than they are spending on security.
26 | P a g e
Figure 1. Chart Depicts Organizational Costs Outpacing IT Security Spending For United States Companies by Ponemon Institute 2012
In a Follow up study that came out in October of this year, Ponemon along with Hewlett
Packard for the first time studied several countries in addition to the United States. The
Institute conducted their research on Fifty Six Organizations and they concluded
businesses on average suffered losses of $8.9 million per annum, an increase from
$8.4 million indicative of the 2011 period. This represents a 6 percent increase over the
average cost reported in 2011, and a 38 percent increase over 2010 (Ponemon Institute
2012). The 2012 study also revealed a 42 percent increase in the number of Cyber
Attacks, with organizations experiencing an average of 102 successful attacks per
week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010
27 | P a g e
(Ponemon Institute 2012).”
Morgan Stanley Research came out with a report titled “Secular Should Outpace
Macro in Q3” whereby the firm conducted research on some of the leading Cyber
Security companies noting that Chief Information Officers (CIO’s) have explicitly said
that spending on security countermeasures will remain one of the top three priories for
the year 2012 (Weiss, Holt, Gorham 2012).
Furthermore Verizon Corporation which has conducted a survey from the years 2004 to
2011 titled “Data Breach Investigations Report” just came out with more recent figures.
The report is made up of those who confirmed that they were breached as many entities
refuse to report their compromises for fear of reputational consequences that can lead
to loss of business and in some cases firms may have been exploited but are unaware
of the attack until a future time. Collected data was captured by evidence during paid
external forensic investigations and making use of Verizon Enterprise Risk and Incident
Sharing (VERIS) framework that depicts security incidents in a structured and
repeatable manner and garners additional information through anonymous participants
to allow those to participate without fear for loss of reputation described in the above
sentence. Take note though that as with the Ponemon study, Verizon dealt mostly with
organizations where a significant breach occurred. The VERIS approach also provides
us with a better methodology and helping us answer the questions, what we need to
know and measure? The diagram below is representative of the model that aids
organizations in order to provide companies like Verizon with effective metrics so
approaches are improving. As you can see the chart is broken down into four quadrants
28 | P a g e
labeled Threat, Asset, Impact, and Control.
Figure 2. Baker, Hutton, Porter. The Graph is a Model Showing How Companies Collect Data For the Verizon Data Breach Reports by Verizon Enterprise Risk and Incident Sharing (VERIS)
To add further credibility to the study is the participation of United States Secret Service
(USSS), the Dutch National HighTech Crime Unit (NHTCU), the Australian Federal
Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police
Central eCrimes Unit (PCeU) of the London Metropolitan Police as they contributed to
gathering data from 36 countries unlike The Computer Security Institute who only
gathered data from United States based entities. These countries include Australia,
Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany,
Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg,
Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian federation,
South Africa, Spain, Taiwan, Thailand, Turkey, United Arab emirates, Ukraine, United
29 | P a g e
Kingdom and the United states.
Results from participants comprised of 855 attacks considered sophisticated and
those less difficult to orchestrate with174 million compromised records for the year 2011
is coincidentally the second highest number since Verizon came out with these reports
in the beginning of 2004. Just taking Ponemons figures for 2009 (that are actually lower
than some more recent numbers) which references that each compromised record
costs $204, than spending becomes astronomical for many of these companies.
Multiplying $204 times Verizon’s 174 million compromised record cost you would garner
total costs coming in at $35.496 billion and those just are records breached from entities
who know they actually were compromised. The biggest change in this report as
opposed to previous research is that Cyber Attacks comprised of Malware and Hacking
against Servers and User Devices are growing substantially for large organizations but
even worse for smaller firms (Verizon 2012). These numbers are alarming as the
Verizon study for example does not take into account that compromises can weaken
product integrity, undermine software development and erode consumer confidence
leading to further future losses by organizations that are not depicted in the study.
Furthermore the survey focuses on organizations as opposed to effected individual
consumers and costs derived from those seeking legal action against these exploited
entities or negative effects on productivity such as downtime due to a system being
inoperable for a specified period of time also do not appear in the report. Remember,
productivity typically refers to the increasing growth or decline in value added/subtracted
per worker or per unit of investment which has the potential to produce an actual
acceleration in income and jobs or decline (Weisbrod 2011).
30 | P a g e
Finally in wrapping up this section we focus our attention on what even the
Computer Security Institute believes to be a highly accurate report, that being Symantec
Corporations’. The Institute believes the study covering the year 2010 is comprehensive
in nature because as they exclaim Symantec uses a “machine-generated approach to
obtain the data, using sensors of various types to capture information about the data
traversing networks and the configuration of all sorts of Internet-connected devices
(Richardson 2010). Symantec even says it acquires most of its data from more than 133
million client, server, and gateway system’s due to the worldwide deployment of its
antivirus products. Furthermore, Symantec has a distributed honeypot network which is
really just database decoys filled with false data. In addition to the vast resources the
multibillion dollar organization has at their disposal, they also had MessageLabs
intelligence, a respected source of data and analysis for messaging security issues,
trends and statistics provide excess aid. Before we move on with the company’s figures
it must again be stated that the reason there are not as many in depth reports coming
from academia and other sources is that unlike Symantec which is a publicly traded
company, with access to the capital markets unlimited amount of money, the other
entities are not able to gather the necessary resources to collect a significant amount of
data. Back to the survey the study was conducted in 24 countries among adults 18-64
specifically focusing on the cost of Cybercrime. Between February 6, 2011 and March
14, 2011, StrategyOne also interviewed 19,636 people and included 12,704 adults,
aged 18 and over 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from
24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan,
New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark,
31 | P a g e
Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United
Arab Emirates). The company came up with its numbers by multiplying the number of
victims which were 431 million over a twelve month period by the average financial cost
of cybercrime (per country in US currency) totaling $114 billion in losses. Within that
$114 billion number Symantec was able to attain that more than 1 million became
victims every day and fourteen adults suffered from a cybercrime incident every second.
The publicly traded company took it even one step further by doing what other studies
could not and that is calculating the value of time lost which is correlated with
productivity based on cybercrime experiences over the 12 month period. This number
came to an astonishing $274 billion. In taking the sum of the two figures depicted in the
former sentences you come up with a total cost of $388 billion. Subsequently the study
surmised that targeted attacks, the use of social networking attacks, zero-day
vulnerabilities and rootkits (a type of Malware), attack kits and mobile threats all rose
sharply (Symantec 2012). The accumulation of studies on the financial impacts on
capital expenditures of individual and private/ public organizations targeted by Cyber
Attacks is indisputable. Therefore our hypothesis is on target, as the data substantiates
that Cyber Attacks do indeed cost the economy to incur losses, adversely impact
productivity and causing a significant decline in sales that are in the billions upon billions
of dollars. .
32 | P a g e
4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained
It is essential that organizations implement Cyber Security controls either through
technological means or human analysis. Investments in the area of IT Security
organization and startups in the past have been slow due to a lack of understanding and
the inability to view security as an essential element that must be incorporated within
one’s business. However due to Cyber Attacks becoming more persistent an increasing
number of investments and the infusion of capital committed to this sector are starting to
take shape. One reason for this is the implementation of regulation but not so much as
to inhibit innovation. For instance federal and state statutes that penalize companies
who do not properly safeguard consumer information have forced these entities to
obtain the necessary financing and invest in the area of Cyber Security. The FTC has
brought a number of legal enforcement actions against entities that have been inept in
protecting consumer data. Sarbanes-Oxley which in particular pertains to public
companies require these firms to adhere with the Information Integrity provisions of this
law requiring executive management to make sure internal controls are implemented to
address a vast array of issues including data security. Another important law PCI
DSS, The Payment Card Industry Data Security Standard provides guidelines and
requirements for protecting cardholder data for those who accept credit/debit/prepaid
card payments which are transmitted, processed or stored. If these requirements are
not met entities can be penalized by the major credit card company brands at their
discretion by fining an acquiring bank $5,000 to $100,000 per month for PCI compliance
violations which would be passed down to the entity who accepts these transactions
33 | P a g e
and does not adhere to these requirements (PCI Security Standards Council 2012).
These regulatory initiatives in conjunction with the increasing number of attacks,
collaboration and awareness has all been helpful in garnering a large amount of capital
investment in the Cyber Security Industry further fueling innovation of new products and
services. In fact the United States Bureau of Labor Statistics (BLS) has not provided
any data over the years on the security industry in the way of job statistics however the
government fact finding agency has finally begun to recognize the importance of
collecting figures, albeit slowly. Although in its infancy the BLS began to implement a
category they coin “Security Analyst” which comprises of individuals that plan,
implement, upgrade, or monitor security measures for the protection of computer
networks and information. Embedded in the description of Security analysts and in
addition to the explanation of this group in the prior sentence, the BLS goes on to
expand upon their definition in saying “these workers may also ensure appropriate
security controls are in place that will safeguard digital files and vital electronic
infrastructure responding to computer security breaches and viruses.” Again this is
brought up to show that even the BLS has realized that investment in this area is
starting to have a direct impact on job growth, forcing their hand at having to come up
with figures to provide more accurate information on the economy as a whole. Numbers
garnered by the BLS to date are not yet a large enough sample that would allow one to
rely on such data but it is hopeful that this will soon change. One thing that does
resonate is that there was no unemployment among IT security professionals in the
U.S. and jobs grew dramatically while averaging four quarters of figures for the year
2011. Forty Four thousand Security Analysts were employed with the BLS seeing a rise
34 | P a g e
of more than one third in the fourth quarter of 2011to 51,000 from 37,000 in the first
quarter (Bureau of Labor Statistics 2012).
Gartner Research in a September 2012 release exclaimed that although a vast
sector of the world has been hit by the economic slowdown forcing many companies to
cut their Information Technology budgets this is not the case when it comes to the
global security infrastructure market. The research firm anticipates that security will
continue to be a top priority and therefore spending is slated to rise to $60 billion up
from $55 billion in the prior year and by 2016 reach $86 billion (Gartner 2012). In fact
Certified Financial Analyst for financial firm Citi Group came out with a 15 page report
titled “IT Security Survey Says…Network Security and Check Point Have Most
Favorable Trends” where he found IT security budgets in 2012 poised to grow faster
than overall IT spend, a reversal from last year positively impacting sales for several of
the major IT security vendors (Pritchard 2012). The bar graph below provided by Citi in
Figure 1, projects what was highlighted in the prior sentence
35 | P a g e
Figure 3. (Pritchard 2012)Graph Showing Security Spending Should Outpace Overall IT Budget Growth From Citi Investment Research & Analysis
Figure 4. (Pritchard 2012)Graph of Network Growth in the Network Security Market by Citi Investment Research & Analysis
36 | P a g e
The graph above indicates refresh growth in the Network Security appliance market
(unlike a single piece of security software network security appliances are security tools
typically bundled together), meaning CIO’s polled in the Citigroup survey will replace
their appliances more than in prior years. Although this includes a segment of the Cyber
Security Industry it can been incorporated as it provides further proof on the growth of
spending in security.
Morgan Stanley Research through their vast network and conversations with
several organizations who primarily conduct most of their business by partnering up with
manufacturer’s to market and sell manufacturer's products, services, or technologies is
where a significant amount of data was extracted. These are what the industry calls
channel partners and they cite that ongoing investments in data protection technologies,
multi-function network security solutions, and solutions to counter Advanced Persistent
Threats (APTs) will only continue to grow. They emphasize that these areas are
essential and is indicative of the large amount of negative publicity received over the
past 12 to18 months due to the growing number of Cyber Attacks. Breaking things down
a bit further Network security data points (the authorization of access to data on a
network including firewalls, antivirus, spam and content filtering through logs as well as
intrusion detection and prevention systems) (Weiss, Holt, Gorham 2012) are quite
robust as acquired data showed that 69% of CIOs plan to outlay capital on network
security in 2012 and very few entities, 8% to be precise, are planning to decrease
spending on security initiatives. Taking the last survey by Morgan Stanley that was
conducted in July of 2012 there was an overall improvement from 65%/20%
respectively. Separate from the number of CIO’s, the report solely focused on five of the
37 | P a g e
largest players in the IT security market, those being Fortinet Inc., Sourcefire,
Symantec, Websense and Checkpoint Software. The issue that arises with just
focusing on this small group is that it is not indicative of the overall Cyber Security
Industry unlike the Ponemon study. For example Symantec has appeared to plateau
compared too many of its rivals and this is because of increasing competition, the
substantial size of the company which impacts the rate of growth and internal controls
as opposed to lack of spending. To extrapolate on this a bit more back in March of
2012, Citigroup came out with a 15 page report titled “IT Security Survey
Says…Network Security and Check Point Have Most Favorable Trends” where the
analyst questioned via telephone 50 United States and European based Chief
Information Security Officers (CISO’s) detailing a lengthy series of in-depth questions on
the security market but here again it must be noted that the data just focused 90% on
firms with more than $1 billion in annual sales so although relevant the statistical
threshold falls slightly short due to sample size. Having said that Citi has conducted this
survey for the past three years which comprised of a broad spectrum of industries, the
most common were financial services (20%) and manufacturing (18%), while
government was underrepresented (just 4%) therefore the buying power should not be
ignored. They deciphered from the information that IT security budgets in 2012 are
poised to grow faster than overall IT spend, a reversal from last year positively
impacting sales for several of the major IT security vendors (Pritchard 2012).
There are internal and external factors that show the negative impact on bottom
line numbers (profit) such as litigation costs, employee overhead, taxes, Merger and
38 | P a g e
Acquisition activity, margins etc. but top line growth (revenues) remains strong again.
This is not indicative of internal cost controls and how well these security firms manage
their balance sheets but more in the way of cyclical trends (ie: effects of macroeconomic
conditions such as Europe’s debt crisis which can have an adverse impact on sales).
For example Sourcefire’s quarterly year over year (yoy) sales rose 30.10% with yearly
revenues of $ 208.94 million (Sourcefire 2012), Fortinet (yoy) sales grew 17.00% with
yearly revenues of $503.34 million (Fortinet 2012), Checkpoint (yoy) increased 7.80%
with yearly revenues of $1.33 billion (Checkpoint 2012), Symantec (yoy) rose 1.10%
with yearly revenues of $ 6.76 billion (Symantec 2012) and Websense rose slightly at
1%, with yearly revenues of $362.49 million to date (Websense). All data in the previous
sentence was compiled by the companies and audited by the world’s leading financial
advisory firms. This research has not taken into account what encompasses the bottom
line figures but rather just sales growth. Furthermore and to use an additional company
specific example NICE Systems which offers a wide array of security solutions is
labeled in another area of Cyber Security focusing primarily on management and
analysis. The Isreali firm saw quarterly revenue growth (yoy) rise 9.70% with $854.95
million in total sales this year thus far (NICE 2012). Quoted out of a Reuter’s article
written on October 31, 2012 of this year Tova Cohen exclaimed “Nice has benefited
from growing demand for tools to delve into data to improve business, spot fraud and
fend off security threats, and the company said compliance requirements in finance,
energy and other sectors had boosted business (Cohen 2012).” Therefore the Morgan
Stanley report should be taken with a grain of salt as it is only representative of five
companies which the Certified Financial Analysts (CFA’s) that performed the analysis
39 | P a g e
have admitted too. 451 Research a global analysis and data company solidifies
Ponemons results as you can see from the chart below and several number’s stick out,
in particular 45% of the security chiefs interviewed in their October 2012 research report
have expanded their company budget’s in 2012 compared to the 2011 year ago period
with a minimal amount of chiefs reducing their budgets this year compared to last year,,
that being 10% respectively. Subsequently, the outlay of capital goes towards security
becomes even more robust in 2013, with 47% of those surveyed planning on further
increases where in contrast only 8% believe their budgets will fall between 2012 and
2013.
Figure 5. (Kennedy 2012)Graph of Information Security Budget Trends From 451 Research
40 | P a g e
Some comments from those who participated in the 451 research study in reference to
expenditures on security include the following:
“It [budget] has increased, but percentage not disclosed. The increase is due to
voluntary projects to reduce complexity of meeting requirements.”
“Complicated — there was an increased [in budget allocation] allocation due to
regulations, but an overall budget decrease.”
“Half of the budget increase went to compliance issues.”
“The security budget is growing over time (Kennedy 2012)
We would be remised if we did not discuss one of the more astonishing statistical
financial data acquired to date by Advanced Technologies, Geographical Analysis &
Competitive Landscape, 280 page report. The firm that collected the data for the study
is a full service market research company and consulting firm, established in 2001 it
provides research on pharmaceuticals, energy and power, biotechnology, food and
beverage, chemicals, medical devices, advanced materials, semiconductor and
electronics, industrial automation, telecom and information Technology, consumer
goods, automotive and transportation, and banking & financial services sectors.
The report titled “Cyber-Security Market - Global Forecast & Trends (2012 –
2017) by Advanced Technologies, Geographical Analysis & Competitive Landscape”
acquires data from 24 large companies, and sub-segments/ micro-markets in North
America, Latin America, Western Europe, Eastern Europe, Middle East & Africa, and
APAC (Asia-Pacific) through analysis of a number of technology & solutions in particular
for the utilization of differing applications in the cyber security arena. This is all based on
41 | P a g e
functions and performance and the numbers are quite revealing. In 2011 the authors
state that the Cyber Security industry was calculated at being worth $63.7 billion and
that the figure in addition attributed to a larger number of entities focusing on a
comprehensive framework that covers the basis of network, end-point, application,
content, and wireless segments. Inclusive is Identity & Access Management, Risk &
Compliance Management, Data Encryption, DLPS, Data Recovery Solutions, UTM,
Anti-Virus, IPS/IDS, Web Filtering, Firewall, and Vulnerability management. To go off in
a tangent, just as with the Symantec study, Advanced technologies has the capability to
conduct such a detailed study because it’s a for profit research firm that on average
collects $4 650 for a single report, $ 7,150 for its corporate license and $9,000 for the
reportlinker.com site license. Therefore it has an unlimited amount of resources at their
beckoned call to conduct a study of this size unlike the vast majority of organizations or
individuals. In delving deeper into the numbers the company was able to model future
numbers based on historical data and past trends. Although these trends fluctuate a
sufficient average can be derived from an agreed upon and well established
mathematical formula among economic scholars. Extrapolating on this the research arm
was able to derive at an average compounded annual growth (CAGR) rate of 11.3
percent based on data collected by the firm from years past. In using a CAGR example
let’s say a company had just $10,000 on March 1, 2009 and by March 1, 2009, the
number grew to $13,000, then $14,000 by 2010, and finally ended up at $19,500 by
2011. The company’s CAGR would be the ratio of your ending value to beginning value
($19,500 / $10,000 = 1.95) raised to the power of 1/3 (since 1/# of years = 1/3), then
subtracting 1 from the resulting number: 1.95 raised to 1/3 power = 1.2493. (This could
42 | P a g e
be written as 1.95^0.3333). 1.2493 - 1 = 0.2493 another way of writing 0.2493 is
24.93% and there you would get your final CAGR figure (Value Click NA).
This figure, although pro forma was quite an eye opener, noting anticipated growth for
the Cyber Security market to be $120.1 billion by 2017. This number was also derived
based on security growth due to increased adoption of cloud computing, networks, data
centers, and wireless communication devices. Whereas, the service side is driven by
the need to service cyber security installations with security operations, managed
security services, and consulting services. In all participating global sovereign nations,
the private sector accounted for most of the outlaid capital expenditures for Cyber
Security countermeasures. The only anomaly was the United States, where government
expenditures were on par along with the private sector (MarketsandMarkets 2012) . In
2010 another interesting fact, which was issued by the Department of Commerce and
several other organizations. In their report they said that even though there has been
increased awareness in lewd of the risks of Cyber Attacks, a broad number of people
that contribute to the United States economy did not take advantage of available
technology and processes to secure their systems. Also countermeasures are not
evolving as rapidly in contrast to the threats (Department of Commerce 2011).If this is
the case we can make a slight assumption that Cyber Security market penetration could
grow even more substantially if more entities invested in the safety of their systems.
However even more evident on a change in this way of thinking can be seen over the
last year whereby the initial public offerings of IT security start-ups have outperformed
offerings that are not a part of this industry. Facebook is just one example. Imperva, a
data security company that went public last year saw its stock price rise nearly 30
43 | P a g e
percent on their first day of trading, and at the time if this report has it remains at 37
percent above the offering price. The stock price of Splunk, a data security company,
jumped nearly 65 percent from its offering in April of this year and in addition raised
$331 million in a secondary offering. “People are starting to realize that the billions of
dollars that have been invested into traditional network security are not working for them
anymore,” said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture
capital firm. Merger and Acquisition activity is also seeing a pickup. Apple recently had
become a suitor of AuthenTec, paying $356 million last month which is reported as
being one of Apple’s largest acquisitions. These are just a few of the many deals that
are growing in number (PERLROTH and RUSLI 2012).
As you can see this last study is quite telling and provides support that Cyber
Attacks did develop a new market and subsectors within this industry helping to garner
a vast amount of money from the investment community in turn increasing
organizational revenue figures for Cyber Security firms. In addition the people and
organizations participating in the security infrastructure perform a wide array of
functions. These include education and training, research, publication, product
development and marketing, network security administration, security support services,
policy and standards making, law enforcement, and research funding.
44 | P a g e
5. Conclusion
As we have seen throughout this paper and especially in looking at the data
results incorporated in the discussion section, Cyber Attacks have cost the economies
of the world a substantial amount of money however it also helped to fuel investment
and the growth of the Cyber Security Industry at a rapid rate. It is unfortunate that the
numbers associated with both the overall negative economic impact on entities around
the world as well as the figures that can be derived from the Cyber Security industry in
reference to growth are not absolute or rigorous enough. However unlike individual
studies we have the ability to access information from a slew of research reports to help
obtain a more accurate evaluation. As for right now, one could certainly see that the
numbers effecting costs outweigh the capital being infused into the Cyber Security
Industry. Subsequently this year, we did see a change in increased collaboration and
awareness. Therefore it has forced organizations like the BLS to finally lay the
foundation to come up with an improved model in order to better acquire a closer
estimate on the growth of the Cyber Security realm. We than hopefully can effectively
come closer to finding out whether the Cyber Security Industry and the money that it
garners will surpass the cost figures associated with Cyber Attacks. It will be interesting
to see over the next several years if the BLS will help to bring this about. One other
thing to note is that although various research coming from organizations such as
Symantec are very comprehensive in nature, there is still a problem of gathering
information from organizations of all sizes that refuse to tell us whether they have been
breached for fear of loss of business due to reputational consequences. When it comes
to publicly traded corporations divulging such information can cause a decline in the
45 | P a g e
market capitalization for these companies, stock price declines and unwillingness for
those to invest in companies that can be infiltrated easily. The Securities and Exchange
Commission (SEC) guidelines are beginning to have an impact on publicly traded firms.
The SEC has now forced companies like Amazon, Google, Hartford Financial Services
Group Inc, Eastman Kodak and others to provide public information on any
compromises and costs that occur within their organizations. In an article written in
Business Week they exclaim the SEC sent out a number of letters to public companies,
asking about Cyber Security disclosures and later pushing companies to disclose.
Although this is not a law as of yet it paves the way for one. The reason this is brought
up is that it will be interesting to see if such a law finally passes, requiring companies to
report this information in their financial statements perhaps we can obtain even more
accurate figures on economic costs. Until than we have to rely on research offered by
multiple sources and take the average of all the compiled figures so we can come closer
in establishing whether the costs of Cyber Attacks far outweigh the capital being
accumulated by the Cyber Security industry or vice versa.
46 | P a g e
6. References
1. The Bureau of Labor Statistics (2012) “15-1122 Information Security Analysts” Retrieved 3 December 2012 from The Bureau of Labor Statistics http://www.bls.gov/soc/2010/soc151122.htm
2. Cashell, B., Jackson,W., Jickling,M., and Webel, B. (2004). “The Economic Impact of Cyber Attacks” published by Congressional Research Service, Library of Congress. Retrieved 23 November 2012 from Cisco Corporation
3. Checkpoint Software (2012). Form 6K filing period 10/17/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1015922/000117891312002883/0001178913-12-002883-index.htm
4. Cohen, T. Oct 31, 2012 “UPDATE 1-Nice raises 2012 profit forecast as Q3 beats estimates” published by Reuters http://www.reuters.com/article/2012/10/31/nice-results-idUSL3E8LV69Y20121031?feedType=RSS&feedName=marketsNews&rpc=43
5. Colman, K. (January 2011) “THE GROWING RISK OF CYBER ATTACK AND OTHER SECURITY THREATS” published by The Technolytics Institute. Retrieved 1 December 2012 from HWP Insurance http://www.hwphillips.com/wp-content/uploads/2012/09/The-Growing-Risk-of-Cyber-Attack-and-Other-Security-Threats.pdf
6. Cornell University Law School (1986). Fraud and related activity in connection with computers. Published by United States Congress, Retrieved 23 November 2012 from Cornell University Law School. http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
7. THE DEPARTMENT OF COMMERCE INTERNET POLICY TASK FORCE (June 2011). CYBERSECURITY,INNOVATION AND THE INTERNET ECONOMY. Retrieved 1 November 2012 from The National Institute of Security Standards. http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf
8. Dowdy, J. (2012).Chapter 5: The Cybersecurity Threat to U.S. Growth and Prosperity. Published by Aspen Institute bookstore and Brookings Press. Retrieved 22 November 2012 from McKinsey & Co. www.mckinsey.com
9. Dunn, Myriam (2005). A COMPARATIVE ANALYSIS OF CYBERSECURITY INITIATIVES WORLDWIDE. Retrieved 6 December 2012 from International Telecommunications Union: http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_Cybersecurity_Initiatives_Worldwide.pdf
47 | P a g e
10.Fortinet (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1262039/000126203912000051/fortinet2012093010-q.htm
11.Gartner Research (2012). Gartner Says Worldwide Security Infrastructure Market Will Grow 8.4 Percent. Retrieved 1 December 2012. http://www.gartner.com/it/page.jsp?id=2156915
12.Gallaher, M., Rowe,B. Rogozhin, A., Link, A. (July 2006). ECONOMIC ANALYSIS OF CYBER SECURITY. Published by Research Triangle Institute. Retrieved 23 November 2012 from Defense Technical Information Center. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA455398
13.Hess, Ken (2011). Ghost in The Wires "The Keven Mitnick Interview. Retrieved 27, November 2012 from ZDNet: http://www.zdnet.com/blog/security/ghost-in-the-wires-the-kevin-mitnick-interview/9357
14.Hoover, N. (2012). Cyber Attacks Becoming Top Terror Threat, FBI Says Published by UBM Tech Retrieved 7 December 2012 from Information Week http://www.informationweek.com/government/security/cyber-attacks-becoming-top-terror-threat/232600046
15.HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles. PALO ALTO, Calif., Oct. 8, 2012. http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html
16. Info Security Magazine (September 2012) “Cyber attacks “one of the most serious” threats facing the US, says Janet Napolitano published by Reed Exhibitions Retrieved 7 December 2012 from Info Security Magazine http://www.infosecurity-magazine.com/view/28145/cyber-attacks-one-of-the-most-serious-threats-facing-the-us-says-janet-napolitano/
17.Keely, David Lt. (April 13, 2011). “CYBER ATTACK! CRIME OR ACT OF WAR?” United States Air Force U.S. Army War College CARLISLE BARRACKS, PENNSYLVANIA 17013.
18.Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/
19.MarketsandMarkets (June 2012) Cyber-Security Market - Global Forecast & Trends (2012 - 2017) Retrieved 27, November 2012 from reportlinker. http://www.reportlinker.com/p0923304-summary/Cyber-Security-Market-Global-Forecast-Trends--by-Advanced-Technologies-Geographical-Analysis-Competitive-Landscape.html
20.Martin, D. (2007) Joybubbles, 58, Peter Pan of Phone Hackers, Dies. Retrieved 1 December 2012 from The New York Times
48 | P a g e
http://www.nytimes.com/2007/08/20/us/20engressia.html?_r=3&ref=obituaries&oref=slogin&oref=slogin&
21.National Institute of Standards and Technology (NA). The National Cyber Security Workforce Framework. Retrieved 1 December 2012 from National Institute of Standards and Technology: http://csrc.nist.gov/nice/framework/documents/national_cybersecurity_workforce_framework_printable.pdf
22.NICE Systems (2012). Form 6K filing period 12/6/2012 Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1003935/000117891312003378/0001178913-12-003378-index.htm
23.Oona, H., Crootof, R., Levitz, P.,Nix, H,,Nowlan,A., Perdue, W. & Spiegal, J. (2012). The law of cyber-attack . California: California Law Review.
24.PCI Security Standards Council (2012). PCI SSC Data Security Standards Overviews. Retrieved 26 November 2o12 from PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/
25.PERLROTH, NICOLE and RUSLI, EVELYN M. (2012). Security Start-Ups Catch Fancy of Investors. Retrieved 1 December 2012 from The New York Times: http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups-catch-venture-capitalists-eyes.html?_r=0
26.Pindar, J., Rigelsford, Dr. J. (July 2011).Cyber Security and Information Assurance. Mr. Joseph Published by The University of Sheffield.
27.Ponemon Institute (February 2012). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved 1 December 2012 from PR Newswire: http://www.ponemon.org/news-2/
28.Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
29.Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis.
30.Ramirez, L. (October 2012) “Panetta Says US Boosting Cyber Defense” published by Voice of America Retrieved 6 December 2012 http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber-security/1525450.html
31.Richardson, R., CSI Director (2010). 2010/2011 CSI Computer Crime and Security Survey. Retrieved 27, November 2012 from The Computer Security Institute. https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf
49 | P a g e
32.Rowe, B., Gallaher, M. (2006). Private Sector Cyber Security Investment Strategies: An Empirical Analysis Published by Technology Economics and Policy RTI International Retrieved 21 November 2012 from The Ninth Workshop on the Economics of Information Security http://www.weis2006.econinfosec.org/docs/18.pdf
33.Securing Cyberspace: A New Domain for National Securing Cyberspace: A New Domain for National Security Nicholas Burns and Jonathon Price
34.Sentementes, Gus G. (2012). Cybersecurity business, jobs expected to grow through 2016. Retrieved 5 December 2012 from The Baltimore Sun: http://www.baltimoresun.com/business/bs-bz-cybersecurity-maryland-forecast-20121018,0,6945767.
35.Sourcefire (2012) Form 10Q filing report period. Retrieved 1 December 2012 from the Securities and Exchange Commission 9/30/2012 http://www.sec.gov/Archives/edgar/data/1168195/000116819512000007/0001168195-12-000007-index.htm
36.Symantec Corporation (2012) Norton Cybercrime Report, September 2012. Retrieved 22 November 2012 from Symantec. http://www.norton.com/2012cybercrimereport
37.Symantec Corp. (2012) Form 10Q filing report period 9/28/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi-bin/viewer?action=view&cik=849399&accession_number=0001193125-12-441366&xbrl_type=v
38.Value Click (Date NA) Compounded Annual Growth Definition. Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/c/cagr.asp#ixzz2FEDxVIqH
39.Value Click (Date NA) GDP Definition. Published by Value Click Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/g/gdp.asp#ixzz2Eark1U7v
40.Verizon RISK Team(2012). 2012 Data Breach Investigations Report. Retrieved 7 December 2012 from Verizon Corporation: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
41.Websense (2012) Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi-bin/viewer?action=view&cik=1098277&accession_number=0001098277-12-000004&xbrl_type=v
42.Weisbrod, Glen (2011). DEFINING ECONOMIC IMPACT AND BENEFIT METRICS FROM MULTIPLE PERSPECTIVES: LESSONS TO BE LEARNED FROM BOTH SIDES OF THE ATLANTIC. Retrieved 6 December 2012 from
50 | P a g e
Economic Development Research Group, Boston, Massachusetts, USA: http://www.edrgroup.com/pdf/Weisbrod-Simmonds-ETC-Oct2011R.pdf
43.Weiss, Holt, Gorham (October 2012). Security Preview: Secular Should Outpace Macro in Q3 published by Morgan Stanley Research of North America
44.White, C. (2011). Data communications and computer networks “a business users approach” . (6th ed., Vol. ISBN-10: 0538452617 , p. 17, 17, 297, 308 & 330). Course Technology, Cengage Learning
7. List of Figures
a. Figure 1: Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
b. Figure 2: Baker, Hutton, Porter (Date NA). A Framework for Gathering Risk Management Information From Security Incidents. Published by Verizon Risk Management Retrieved 6 December 2012 from Security Metrics Organization http://www.securitymetrics.org/content/attach/MetriCon4.5/mm_VZ.pdf
c. Figure 3: 29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis
d. Figure 4: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis
e. Figure 5: Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/
51 | P a g e