B susser researchpaper (3)

Cyber Attacks and the economic impact on Entities worldwide

Cyber Attacks Ahead

Bradley Sean Susser Pace University

IS692 Research Project Seminar Jennifer D E Thomas December 17, 2012

Abstract

1 | P a g e

This research report studies the economic impact that Cyber Security attacks have on

society as a whole. The aim of this analysis is to examine the negative and positive

impact of these compromises on multiple entities. Our descriptive analysis focuses on

individuals, private and public organizations, costs, revenues, innovations, and jobs to

determine if proliferations of these attacks are either, negative or positive. Although this

paper draws upon the economic factors as result of cyber-attacks, it looks at the outlay

in its historical context of capital expenditures to private and public organizations due to

the increased number of compromises and factors of this paradigm helping to fuel the

growth of innovations or spawn a new industry as a whole.

Table of Contents Page

2 | P a g e

Abstract 2

1. Introduction 4-5

2. Literature Review 62.1 Cyber Attack defined 6-82.2 Cyber Security defined 8-92.3 Brief History of Cyber Attacks 9-102.4 Economic Impacts Defined (inclusive Cost benefit Analysis) 10-132.5 Cyber Attacks Spawning New industry and Garnering Capital Investment 13-14

3. Methodology 14-153.1 Cyber Attacks and Hypothesis on their Growth over the Years 15-163.2 Cyber Attacks & Hypothesis on Financial Impacts of Entities Targeted 16-17 3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital 17-18

4. Discussion 18 4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings 18-204.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective 20-224.3 Mckinsey Global GDP Growth Statistics 22-234.4 Cost benefit Analysis & Difficulty in Obtaining Metrics 23-244.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks 24-254.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape 26-324.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained 33-44

5. Conclusion 45-46

6. References 47-51

7. List of Figures 51

1. Introduction:

3 | P a g e

Since the mid 1980’s as personal computers started becoming more prevalent so

too did a small group of people that chose to wreak havoc by exploiting and

compromising these devices for nefarious purposes or just pure curiosity. These events

were even depicted in movies such as War Games, which was introduced to the public

in 1983. The movie is based on a teenage boy who breaches the United States

Pentagons computer system and locates a game within the system known as “Global

Thermo Nuclear War”. Although he believes this is just a game in reality he

inadvertently causes the system to begin the process of launching a nuclear attack on a

number of sovereign nations.

This was the first time that such a scenario was brought to the forefront of the

general public and although this was just a movie in reality systems although in its

infancy, where becoming attractive targets for individuals and entities to manipulate and

unethically exploit. Then in the early 1990’s the Internet was introduced to the

commercial sector allowing for both private and public entities to leap frog off of this

medium and create whole new economies based on this technological innovation.

However as the internet, systems, personal computers and a plethora of

hardware/software devices are utilized more and more for routine activities the number

of people wishing to do harm to individuals and organizations that make use of these

technologies continues to grow at an alarming rate.

In fact, according to Verizon’s 2012 Data Breach Investigations Report, 2011 was

the year that organizations systems came under attack by a slew of groups with

different forms of motivation but the numbers are unprecedented. The report focused on

855 incidents that saw 174 million data records get compromised. This included

4 | P a g e

protesting entities such as the likes of Anonymous, cybercriminals performing attacks to

acquire trade secrets, classified information and other intellectual property, steal

personal credit card information, identity theft, take down organizational servers and the

list goes on and on. Verizon is quoted as saying “Doubly concerning for many

organizations and executives was that target selection by these groups didn’t follow the

logical lines of who has money and/or valuable information. Enemies are even scarier

when you can’t predict their behavior (Verizon 2012).”

In another scathing report released to the public in October of 2012 by Hewlett

Packard working with the Ponemon Institute indicated an exponential increase of Cyber

Crime from 2010 to 2011. In contrast to the Ponemon and Verizon, reports an article

written in the Baltimore Sun on October 21, 2012 quoted Cyber Security analysts as

saying that this sector of the market is anticipated to grow over 50 percent up until the

end of 2016 which will open up new opportunities for business and individuals. The

article goes on to say that Cyber Security spending by the Defense Department, even

with the absence of certain legislation will rise from $4.4 billion in 2011 to $6.7 billion in

2016, spending in civilian agencies will increase from $2.6 billion in the 2011 period to

$3.8 billion by 2016 and capital expenditures to be outlaid by U.S. Intelligence agencies

are expected to increase from $2.3 billion last year to $3.6 billion over the next four

years (Sentementes 2012). The statistics incorporated above show a dichotomy

whereby the economic impacts of Cyber Attacks can be both disadvantageous and

advantageous.

The point at issue is, is one more predominant over the other or do they balance

each other out? The question posed in the prior sentence is what this papers primary

5 | P a g e

objective seeks to ascertain, although other questions must be implemented and

investigated to garner an appropriate answer. So as you continue to migrate through the

sections to follow, we will look through an assortment of research to try and come up

with a valid answer to the aforementioned question.

2. Literature Review:

In reviewing the literature there is an abundance of material on growing number

of Cyber Attacks which has negative ramifications as well as helped to spur the growth

of a variety of disciplines and innovations within the IT Security arena. Therefore there

are a multitude of factors and questions one needs to take into account by means of

economic analysis.

2.1 Cyber Attack defined

Some of the essential questions that must be addressed include do the overall

economic impacts of these attacks way on the side of being more adverse or

advantageous? The aforementioned question should be broken down even further to

include the following.

What is a cyber-attack? There are a variety of ways to define and describe a

cyber-attack. Although, the term may appear simplistic on the surface, cyber-attacks are

comprised of a multitude of factors. The Ponemon Institute exclaims that this is any

criminal activity conducted over the Internet (Ponemon 2012) but is this not too

simplistic of a definition? According to the research paper “The Law of Cyber-Attack” the

authors explain that a Cyber Attack is “any action taken to undermine the functions of a

computer network for a political or national security purpose.” This group of writers than

6 | P a g e

further explains that the reason for lack of clarity among the community on what Cyber

Attacks are, is due to the inability to make a distinction between Cyber Crime, Cyber

Attack, and Cyber War. For example in their paper “a Cyber Attacks Objective must be

to undermine the function of a computer network” and “Must have a political or national

security purpose.” (Oona, Crootof, Levitz, Nix, Nowlan, Perdue, Spiegal, 2012).

The terms Cyber Crime and Cyber War discussed in the sentences above are

what makes up Cyber Attacks and therefore in addition further extrapolation on the true

meaning must be incorporated. Lt. Colonel David M. Keely hits the nail on the head in

stating that many of the definitions he came across where to narrow in scope. He

concluded that “A good definition of Cyber Attack can be found in discussions of the

Critical Infrastructures Protection Act (CIPA) of 2001: ―All intentional attacks on a

computer or computer network involving actions that are meant to disrupt, destroy, or

deny information. “ In addition he exclaims you must also incorporate the why aspect.

Inclusive should be the motivation of the attacker. “If the motivation of the attacker is

monetary gain, destruction of property, or espionage, then a crime has been

committed.” “If the desired result is ―to cause death or seriously bodily harm to civilians

or non-combatants, with the purpose of intimidating a population or compelling a

Government or an international organization to do or abstain from doing any act then an

act of terrorism has occurred.” “If the motivation is to wage or to assist in waging a

―armed hostile conflict between States or nations then an act of war has occurred.”

Lieutenant Keely’s assessment covers all the essential elements of Cyber Attacks that

impact sovereign nations, public and private entities and finally individuals therefore his

interpretation is quite effective for the purpose of our research endeavor (Keely, 2011).

7 | P a g e

Finally it is necessary to breakdown the types of exploits propagated by these Cyber

Attacks. Cyber Attacks are comprised of Malware, Web based attacks, stolen devices,

malicious code implementation, malicious insiders, phishing and social engineering and

denial of service attacks (DoS). Malware is defined as evil software and is made up of

subcategories which include viruses, Trojans, worms, rootkits, keyloggers etc however

in the chart provided by

2.2 Cyber Security defined

As with Cyber Attacks we need to try and come up with a concrete definition for

Cyber Security as it varies among Information and Communications Technology (ICT)

professionals. This is because the area of specialties could be substantial according to

The National Institute of Standards and Technology (NIST), a U.S. federal agency and

one of the leading organizations in charge of implementing security standard’s globally.

Although NIST’s numbers may be slightly overarching it provides additional affirmation

that the term Cyber Security cannot be so easily defined (National Institute of Standards

and Technology). Some believe the term to be interchangeable with Information

Security while others state that Information Security is a subset of Cyber Security. A

definition that we found to be most appropriate is Cyber Security refers to the protection

of any asset from being exploited by Cyber Attacks which we defined above, via

Information and Communication Technologies. Inclusive is additional components such

as countermeasures and activities that can either be technical in nature or non-technical

for the purpose of safeguarding computer networks, digital devices, hardware, software

and all the information that they contain and communicate from anyone that has malice

8 | P a g e

of intent. In addition Cyber Security encompasses a number of professionals that

perform continuous research and analysis in order to try and keep ahead of those

wishing to do us harm, described above by NIST. As you can see the word information

is embedded in the definition of Cyber Security so we can conclude that it is in fact a

subset of this area of discipline. Therefore Information Security references all aspects of

information protection. Subsequently three primary objectives lie at the heart of

Information Security. These include the terms confidentiality, integrity and availability.

Confidentiality makes sure that information is not disclosed to any unauthorized entity

and that those who which to disclose that information can do so but at their request,

Integrity assures one that information is modified only with proper authorization and

finally availability assures that information is provided promptly to authorized entities

and only denied to those who are not authorized [Dunn 2005].

2.3 Brief History of Cyber Attacks

From a historical perspective have the number of attacks grown over the years or

been on the decline? Furthermore have costs for entities accrued?

Cyber Attacks have become depicted in the media for quite some time therefore

one must look at these attacks in their historical context. The precursor to the present

day Internet was created by the U.S. governments Advanced Research Projects

Agency (ARPA) and was known as the ARPANET which was developed in the late

1960’s. ARPANET eventually was replaced by the Internet or what is known to many as

the information highway which connects local area networks to wide area networks

used by individuals and organizations worldwide (White, 2011). Unfortunately upon first

9 | P a g e

initiating the deployment of this medium, safeguards where never implemented as

Cyber Attacks where not even forethought. Some of the earliest attacks involved “phone

phreaking” in the early 1970’s and then with the invention of personal computers in the

early 1980’s attacks on systems began to proliferate. A number of congressional laws

were passed due to these early compromises to offer better protection of unauthorized

access to government computers. Title 18 United States Code: § 1030. “Fraud and

related activity in connection with computers” is one such law that was implemented in

1986 and modified over the years to punish those wishing to target systems, whether for

political reasons or criminal activity (Cornell University Law School 1986). Finally in the

early 1990’s the Internet was now open to the general public for private and commercial

use but with increasing reliance on the Internet and its expansion of interconnectivity

attacks became even easier to perform. The Computer Security Institute (CSI)/Federal

Bureau of Investigation (FBI) Computer Crime and Security Survey conducted over the

last several decades provides invaluable data, helping to further ascertain additional

information on the amount of attacks on organizations who have participated in the

study over the years and detailing their networks and cost estimates by the type of

attack.

2.4 Economic Impacts Defined (inclusive Cost benefit Analysis)

This leads us to the next area of topic, that being the economic impacts of these

increasing number of attacks but what do we mean by economic impacts?

It must be stated that in order to grasp an understanding of the term economic

impacts its essential that we include in our description economic

advantages/disadvantages and productivity as they all are intertwined. Economic impact

10 | P a g e

sometimes is difficult to describe because it is made up of a complexity of subcategories

but on its face this is any modification in the passage of capital (income) in the economy

between industry sectors, population groups, or local areas of the world and although

metrics are usually measured in terms of growth in income, jobs or output such data is

not necessarily easy to extract and often more times than not difficult to quantify.

Economic advantages/disadvantages is a broader concept of welfare gain than

economic impacts, in that it can incorporate both monetary advantages/disadvantages

(tangible) and non-monetary advantages/disadvantages (intangible) with a willingness

to pay value or remove value The previous sentences concepts are most useful for

performing a cost-benefit analysis (CBA). In using a simple example, a CBA can be the

benefit of safeguarding ones systems against Cyber Attacks and the costs associated

with these protective measures. Finally productivity typically refers to the increasing

growth in value added per worker or per unit of investment which has the potential to

produce an actual acceleration in income and jobs (Weisbrod 2011).In looking further

into productivity it can be utilized not only as an gauge of efficiency but also indicative of

economic development.

The research paper titled “Private Sector Cyber Security Investment Strategies:

An Empirical Analysis” suggests a cost benefit analysis approach is generally

Straightforward but found organizations inability to construct a rigorous cost benefits

analysis (CBA) framework. Furthermore expected damage or cost functions and threat

probabilities needed to conduct a CBA is difficult to attain therefore most often

companies rely more on a qualitative approach (Rowe, Gallaher 2006). Note that CBA

will be further described in the economic impact section to follow. Although the

11 | P a g e

aforementioned research study is slightly predated as quantitative analysis has

appeared to have improved as you will soon see in the Ponemon Intitute, the study was

able to conclude that regulations was the most often cited drivers increasing

organizations’ investments in Cyber Security. This is important as it shows a correlation

between government initiatives and spending discussed in the Baltimore Sun

introductory paragraph above. However in the article “Economic Analysis of Cyber

Security” the authors point out that a CBA framework which focuses on quantitative

analysis is expensive, difficult and in most cases even impossible to garner. This in turn

has forced most organizations to perform qualitative assessments, which are then

compared to quantitative analyses. Although the research paper dates back to 2006 this

is still mostly true today. It must be noted that they due endorse The Computer Security

Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security

Survey considering this to be the best available source. In contrast and to be fair the

authors of “The Economic Impact of Cyber Attacks” state that this survey is lacking in

certain areas due to incomplete metrics (Cashell, Jackson, Jickling, Webel, 2004). This

once again goes to how difficult it is many times to come up with complete and accurate

data which is why a number of sources should be used to reach the appropriate

balance. “The Economic Analysis of Cyber Security” paper also discusses how

organizations decipher how to invest in security. This is significant because these

organizations decisions are based on the impacts or potential impacts of Cyber Attacks

and therefore you can see how these firms collect data to perform their analysis.

Furthermore as part of this data collection process these entities implement the current

costs associated with being hit by these attacks in their investment analysis which

12 | P a g e

allows you to get a better understanding on how they come up with these costs they are

supplying to those conducting research on the financial impacts of Cyber

Attacks(Gallaher, Rowe, Rogozhin, Link 2006).

2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment

Have Cyber Attacks spawned a new industry that has helped to garner a large

infusion of capital from the investment community?

It is essential that organizations implement Cyber Security controls either through

technological means or human analysis. Investments in the area of IT Security

organization and startups in the past have been slow due to a lack of understanding and

the inability to view security as an essential element that must be incorporated within

one’s business. However due to Cyber Attacks becoming more persistent an increasing

number of investments and the infusion of capital committed to this sector are starting to

take shape. One reason for this is the implementation of regulation but not so much as

to inhibit innovation. For instance federal and state statutes that penalize companies

that do not properly safeguard consumer information have forced these entities to

obtain the necessary financing and invest in the area of Cyber Security. United States

regulatory bodies such as the Federal Trade Commission (FTC), Department of Justice

(DOJ), Securities and Exchange Commission (SEC) [Department of Commerce Internet

Policy Task Force June 2011), Payment Credit Card regulatory agencies (PCI Security

Standards Council (2012) and many others has brought a number of legal enforcement

actions against entities that have been inept in protecting consumer data forcing them to

access additional capital. The capital is then used to pay for security.

13 | P a g e

In the wake of these legal actions and targeted attacks, Gartner Research in a

September 2012 release talks of the increasing amount of capital being deployed

throughout the Cyber Security Industry (Gartner 2012). In addition Certified Financial

Analyst for financial firm Citi Group conducted research whereby IT security budgets are

on the rise (Pritchard 2012) as well as a number of or other researching bodies.

3. Methodology:

In conducting our research the approach we have utilized and you will see whilst

continuing to view this document is one of a descriptive nature because although we

draw empirical data from prior research we focus primarily on the characteristics of

Cyber Attacks and its economic impacts on entities worldwide in the current day and

age. It should be also noted that due to the complex nature of Cyber Attacks and lack of

complete understanding data is vast and all over the map; therefore it is difficult to

acquire exact assessments and cost figures. The same also holds true for an

accurate account of the growth of the Cyber security industry although there have been

ongoing improvements to address these issues. Subsequently a compilation of primary,

secondary and general resources, those being from vetted educational research, public

companies such as Verizon, Certified Financial Analysts from investment houses,

leading information technology research and advisory firms, audited financial filings

from publicly traded companies and articles from newspapers/journals are utilized within

this paper. Again, the statistical data is fragmented as there has been no clear model

that has been adopted and many argue some numbers are skewed due to conflicts of

interest and in the ability to acquire the necessary resources (such as vetted papers

14 | P a g e

created by those that are in the educational arena) to conduct a proper study. The

figures comprised of various sample sizes among the population are compared and

contrasted so we can get a more accurate picture to determine whether the cost of

Cyber Attacks far outweighs the amount of money being generated by the Cyber

Security community or if the money being infused into the Cyber Security Industry has

economic benefits that exceed the costs generated by Cyber Attacks.

3.1 Cyber Attacks and Hypothesis on their Growth over the Years

We will begin our focus by asking the question once again from a historical

perspective have the number of attacks grown over the years and over the last several

decades have costs for entities accrued? This question is important because it lays the

ground work as to how the Internet and the technology that is embedded within it has

become a source utilized for nefarious purposes. Although some years have seen a

decline in the number of Cyber Attacks overall the trend one would think is likely to

show that these attacks are an everyday occurrence and ever increasing in numbers.

This is because the multitudes of devices that are connected to the Internet and make

use of its backbone are immense. In other words distributed systems have become

dominant as opposed to centralized systems which used to play more of a role among

entities but are in fact utilized less and less these days. Also due to complexity of the

network and programming code used in web applications worldwide, the vector of attack

has grown making it even more difficult to mitigate against and ripe for exploitation. For

example looking at web applications in particular, updates and patches are issued by

vendors who develop code for a number programs daily. The problem has become so

great that companies such as Microsoft and Oracle have a preset schedule for

15 | P a g e

distributing fixes on a monthly and quarterly basis. In fact firms like Red Hat employ

what is known as open source code, which is available to the general public for free and

offers the ability for any programmer to make modifications to the code when

necessary. Therefore vulnerabilities in open source software can be found more quickly

and what is also evident is the number of advisories for this type of code is deployed on

a daily basis. However there are still a number of programs that have vulnerabilities that

are not found for a number of months or even years. This is especially true in the way of

advanced persistent threats (APTs).In fact even when vendors issue advisories it takes

time for them to create patches for code therefore those wishing to do us harm have

plenty of time in between these fixes to propagate attacks by take advantage of these

vulnerable applications.

3.2 Cyber Attacks and Hypothesis on Financial Impacts of Entities targeted by Attacks

The next area we need to delve into once more is the economic impacts

that Cyber security has on society as a whole. More specifically, what are the financial

impacts on capital expenditures of private and public organizations targeted by Cyber

Attacks? As highlighted above, the Internet has become the primary backbone to

entities worldwide helping to create new innovations, increase collaboration and open

up new economies like we have never seen before. In addition with the simple click of a

browser, connectivity to this vast network has become so easy that even the average

laymen with no technological skills can access the information highway. Although it is

hard to dispute the advantages of the pervasive availability for anyone to connect online

16 | P a g e

it has also offered those seeking to do us harm a large vector that can be utilized to

attack and exploit individuals and organizations. The impact therefore of these attacks,

specifically Cyber Attacks, have come at a great cost to entities forcing them to outlay a

significant amount of capital and see a huge reduction in revenues . Inclusive are

entities going out of business, loss of jobs, the negative impact of productivity and the

vast amount of money or even identities being stolen from consumers. For example

organizational databases compromised or hit by a denial of service attacks, takes

enormous man power to recover from such attacks. This in turn negatively impacts

productivity.

3.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping to Infuse Significant Capital

Finally it is necessary to be redundant and ask whether Cyber Attacks spawned

a new industry that has helped to garner a large infusion of capital from the investment

community and increased organizational sales figures for Cyber Security firms? Despite

the adverse impacts Cyber Attacks have on the economy there is no doubt that it has

also created new opportunities as many subsectors such as cryptography, network

security, operating system security, database security, reverse engineering and

penetration testing just to name a few which have become essential components that

entities must make use of in order to safeguard systems. Therefore many venture

capital funds, private equity firms, individual investors and the overall capital markets

are continuing to pump money into the Cyber Security arena. These investments could

also have a positive effect on sales which is the exact opposite of entities who are

plagued by the current threat environment. The irony here is that the number

17 | P a g e

disciplines and income garnered by the Cyber Security Industry could possibly outweigh

the costs associated with Cyber Attacks.

The aforementioned questions and their hypotheses as stated in previous

paragraphs have been difficult to quantify however in the section to follow will attempt to

do just that!

4. Discussion

4.1 Cyber Attacks Growth from a Historical Perspective & Beginnings

Cyber Attacks have evolved over time therefore one must look at these attacks in

their historical context. The precursor to the present day Internet was created by the

U.S. governments Advanced Research Projects Agency (ARPA) and was known as the

ARPANET which was developed in the late 1960’s. The government allowed access to

ARPANET to only a selected few military bases, government labs and research

universities. The ARPANET was one of the first wide area packet switched networks

which provided services like electronic mail, the transferring of files and remote logins.

In 1983 the Department of Defense (DOD) broke ARPANET into two similar networks

keeping the name ARPANET for one of the networks and calling the other network

MILNET which would be used for military purposes. ARPANET eventually was phased

out and around this time the National Science Foundation funded the development of a

new high speed network known as the NSFnet which connected major router sites

across the U.S .than acting as the telecommunication backbone in turn connecting to

smaller regional networks or statewide networks. The statewide networks were then

connected to a set of campus networks and eventually the collection of all these

18 | P a g e

networks would then be known as the Internet (White, 2011). The previous sentences

are significant primarily because when this architectural medium was developed there

were no countermeasures or safeguards implemented. In fact nobody had the foresight

to think that the Internet would become the primary backbone for communications

globally, so instrumental to the economies worldwide and especially conceive that it

would be utilized as a medium for nefarious purposes.

Some of the earliest hackers were involved in “phone phreaking” which were

attackers looking to break into telephone networks in an effort to make free long

distance calls. Joybubbles AKA Joe Engressia was one of the first phone phreaks. He

was a blind boy with perfect pitch who could whistle any tone. Circuit switching centers

at the phone company were apparently tricked by the tones that he produced. One tone,

used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited to

provide free long distance and international calling. Engressia could imitate this tone,

while other phreaks used what was called a “blue box”. According to the New York

Times article written in 2007, Steve Jobs and Steve Wozniak, founders of Apple, were

also successful phone phreaks (Martin 2007).

In the early 1980’s personal computers came into being manufactured by

companies such as the likes of Apple and in turn individuals who tried to exploit

networks for all sorts of reasons began to emerge. One of the first well known attacks

was performed by Kevin Mitnick one of the most infamous attackers of the 1980’s. It

was back in 1979 when Mitnick at the tender age of 16 years old illegally accessed

Digital Equipment Corporation’s (DEC) computer network and obtained a copy of their

operating system software. He also hacked into the networks of Nokia, Motorola, Sun

19 | P a g e

Micro, Pacific Bell and other companies. Just over a year ago Kevin was interviewed by

ZDnet claiming none of the companies he compromised sustained any damages

however the FBI estimated Kevin's hacks and code reading into the $300 million range

(Hess 2011). In addition to Kevin, the Legion of Doom founded by Vincent Louis

Gelormine (“Lex Luther”) in the 1980s were involved in unauthorized access to a

number of corporate networks, including BellSouth Corp.(Dr. Hayes 2012).

4.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of Cyber Attacks through Historical Perspective

In moving slightly ahead in time the Computer Security Institute which has been

a leading educational membership organization for information security professionals for

over 30 years, began its series of reports titled “CSI/FBI 2000 COMPUTER CRIME

AND SECURITY SURVEY”. The reports are advantageous as some of the others that

are produced are by those who may have ulterior motives such as the likes of many

vendors who produce and sell security tools. Thereby having a potential conflict of

interest. In contrast CSI security surveys are completely independent and collected

data is gathered from a team that is made up of security professionals spanning multiple

industries, separate from those who just work in organizations selling solely cyber

security tools and services. Having said that, sample size is not significant enough as it

only encompasses a small percentage of respondents solely within the United States.

However although participation has been on the decline we can focus on annual

financial impacts of major Malware attack data by CSI collected between the years 1995

to 1999. In 1995 the number totaled $500 million, in 1996 $1.8 billion, 1997 $3.3 billion,

1998 $6.1 billion and in 1999 $12.1 billion (Cashell, Jackson, Jickling, Webel 2004). The

20 | P a g e

percentage increases that can be denoted by these numbers are astonishing.

According to Kevin G. Colman of the Technolytics Institute back in November

2008 he acquired figures from several studies. One in particular conducted by Spy-Ops

stated that over a one year period from 2007 to 2008 information theft grew around 68

percent were every quarter of a second a file is stolen containing critical data in order to

steal a consumers identity. In 2008 it was also concluded that the United States

Pentagon was attacked 3 million times a day (Coleman 2011). Although not a precise

number in an article written by Voice of America Titled “Panetta Says US Boosting

Cyber Defense” Luis Ramirez who wrote the article backs up the 2008 document saying

thousands of enemy cyber-actors are targeting the Pentagon’s systems millions of times

a day (Ramirez 2012).

In 2012 Janet Napolitano US Secretary of Homeland Security, during her

opening keynote address at the ASIS/(ISC)² Congress 2012 conference in Philadelphia

stated that Cyber Attacks have increased “significantly over the past decade”, and that

number also includes the more than three years she has acted as US Secretary

of Homeland Security. To put this into context, Napolitano goes on to say “the United

States Computer Emergency Readiness Team (US-CERT) responded to more than

106,000 reports of Cyber Attacks during 2011 – releasing more than 5000 security

alerts to its public and private sector partner (Info Security Magazine 2012).”

Today attacks are no longer dominated by a few but many individuals and

entities. This is primarily due to the rise in distributed systems as opposed to the more

common centralized ones which were once dominant several decades back. According

21 | P a g e

to Information Week on February 1, 2012, “Cyber Attacks against government agencies

and businesses in the United States continue to rise, and cyber threats will one day

surpass the danger of terrorism to the United States, intelligence community officials

said in an open hearing of the Senate select intelligence community.” The article goes

on to mention countries such as China and Iran, to groups like Anonymous and LulzSec

targeting systems on a regular basis and it suggested it will only get worse (Hoover

2012). The historical trend certainly seems to indicate that there is a rise in attacks and

further proof of this can be seen in the paragraphs to follow.

4.3 Mckinsey Global GDP Growth Statistics

There is little doubt that the Internet has helped to create new innovations and

open up new areas of the economy leading to high areas of growth and prosperity for

many. This can be seen in the May 2011 Mckinsey Global Institute study which

explained that the Internet accounts for 3.4 percent of the GDP when examining thirteen

countries. The Internet for the developed nations among the 13 depicted in the previous

sentence over the last five years contributed to 21percent GDP growth. GDP is the

monetary value of all final goods and services produced within a nation in a particular

period of time, typically based on yearly estimates. It includes all of private and public

expenditures, government spending, investments and exports minus imports that are

representative of a certain region (Value Click). For the United States alone this

represents $440 billion to $580 billion of additional total output (Dowdy 2011).

Unfortunately along with GDP the information highway has also contributed to

adversely impacting these numbers because of the multitude of targeted attacks from a

22 | P a g e

variety of actors (hacktivists, cyber criminals and sovereign nations), on all

organizations and industries that add to GDP worldwide. Inclusive is Computer based

control systems that run much of the nation’s physical infrastructure. In other words no

public or private entity is immune from such threats.

4.4 Cost benefit Analysis & Difficulty in Obtaining Metrics

Just before we present you with the findings from a number of different entities

once again it must be emphasized that there is no one study that should be taken

completely at face value. The research paper titled “Private Sector Cyber Security

Investment Strategies: An Empirical Analysis” suggests a cost benefit analysis

approach is generally straightforward but found organizations inability to construct a

rigorous cost benefits analysis (CBA) framework. Furthermore expected damage or cost

functions and threat probabilities needed to conduct a CBA is difficult to attain therefore

most often companies rely more on a qualitative approach (Rowe 2006). Although the

aforementioned research study is slightly predated and quantitative analysis has

appeared to have improved figures remain inconsistent.

Examining a compilation of data and taking the average of all these numbers is

most appropriate. This is talked about above in particular the two differing opinions on

the “CSI/FBI Computer Crime and Security Survey”. One being from the authors of the

article titled “the article “Economic Analysis of Cyber Security” who endorse the survey

(Gallaher, Rowe, Rogozhin, Link 2006) and the other coming from the authors of “The

Economic Impact of Cyber-Attacks” who cites several sources claiming the data is not

chosen randomly nor is a representative sample of entities that are exposed to cyber-

risk but only taken from self-selected security professionals which is considered in

23 | P a g e

research circles to be somewhat biased. The reports on the 530 individuals who were

utilized nationally to conduct the survey are not accurate enough to obtain sound

figures. Additionally, cost data reported can be considered inept. For example in its

2003 survey fifteen percent of the participants could not tell you if there was unapproved

use of their network and systems indicating that some measurable losses were obtained

but this could significantly underestimate the totality of all losses. Also out of the seventy

five percent of the participants that reported losses only forty seven percent of them

could put an actual figure to those losses. The authors of “The Economic Impact of

Cyber-Attacks” do state however that this study is accepted by many papers that

comprise of computer security literature. Yet again, there is no one sound method that

can be modeled to quantify the costs associated when it comes to Cyber Attacks which

is why it is useful to extract data from a variety of sources (Cashell, Jackson, Jickling,

Webel, 2004).

4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks

In its 15th annual 2010/2011 “CSI/FBI Computer Crime and Security Survey” The

Computer Security Institute sent 5412 security practitioners by regular snail mail and

email, whereby 351 people replied back with feedback indicating the number of returns

would make the institute ninety five percent confident that there numbers are accurate

with only just slightly over five percent margin of error. They do however admit that

these respondents are only those who have paid to be members of the institute or paid

to attend their event which can skew the numbers but they represent a vast array of

industries except for the financial sector whose participation dropped around five

percent with this last study. Furthermore as with many of these surveys they do not

24 | P a g e

include consumers being compromised and a majority of the organizational respondents

came from companies making over $100 million a year as opposed to smaller entities.

Forty seven percent claimed they were affected by regulatory laws but this could be due

to the fact that laws may not be so clearly defined and respondents that are a part of a

government entity may not feel these laws affect them. Finally not for profit firms or

educational institutions may not feel they have customers so they do not believe it

affects them..

The CSI report for the year 2010 shows the types of attacks experienced by the surveys participants which include 67.1 percent were attacked with some type of

Malware infection, insider abuse of Net access or email 24.8 percent, laptop mobile

device theft 33.5 percent, phishing 38.9 percent, Denial of service 16.8 percent, Bots on

the network 28.9 percent, financial fraud 8.7 percent, password sniffing 11.4 percent

and exploiting a wireless network 7.4 percent. As you can see Malware infection

continues to be the most commonly seen attack. The percentages depicted in the prior

sentence are the main reason we incorporated the CSI survey and also their

commentary on the Symantec study which you will see below. As for the financial

losses they could not be properly accessed due to the fact that only 77 respondents

provided information and the numbers are not worth mentioning as this is far too small

of a sample but this does offer some proof on monetary losses (Richardson 2010).

4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to Cyber Contemporary Threat Landscape

25 | P a g e

In January of 2012 PGP corporation a global player in safeguarding

organizational data and research firm The Ponemon Institute performed a

comprehensive study specifically aimed at data breaches primarily and one must

remember these are only confirmed data breaches. The survey revealed that data

breach incidents cost U.S. companies $204 per compromised customer record in 2009,

compared to $202 in 2008. There was an overall decline in the figures of reported

breaches in 2009 compared to 2008 but still significant. The average total per-incident

costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65

million in 2008. Recently Ponemon came out with additional statistical data for the year

2010 but the numbers were also exceeding high. The chart below is a good

representation of the data compiled by Ponemon (Ponemon 2012). Using data provided

by Ponemon Institute, the chart depicted below shows that U.S. firms are now losing

more money to operational costs of Cyber Attacks than they are spending on security.

26 | P a g e

Figure 1. Chart Depicts Organizational Costs Outpacing IT Security Spending For United States Companies by Ponemon Institute 2012

In a Follow up study that came out in October of this year, Ponemon along with Hewlett

Packard for the first time studied several countries in addition to the United States. The

Institute conducted their research on Fifty Six Organizations and they concluded

businesses on average suffered losses of $8.9 million per annum, an increase from

$8.4 million indicative of the 2011 period. This represents a 6 percent increase over the

average cost reported in 2011, and a 38 percent increase over 2010 (Ponemon Institute

2012). The 2012 study also revealed a 42 percent increase in the number of Cyber

Attacks, with organizations experiencing an average of 102 successful attacks per

week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010

27 | P a g e

(Ponemon Institute 2012).”

Morgan Stanley Research came out with a report titled “Secular Should Outpace

Macro in Q3” whereby the firm conducted research on some of the leading Cyber

Security companies noting that Chief Information Officers (CIO’s) have explicitly said

that spending on security countermeasures will remain one of the top three priories for

the year 2012 (Weiss, Holt, Gorham 2012).

Furthermore Verizon Corporation which has conducted a survey from the years 2004 to

2011 titled “Data Breach Investigations Report” just came out with more recent figures.

The report is made up of those who confirmed that they were breached as many entities

refuse to report their compromises for fear of reputational consequences that can lead

to loss of business and in some cases firms may have been exploited but are unaware

of the attack until a future time. Collected data was captured by evidence during paid

external forensic investigations and making use of Verizon Enterprise Risk and Incident

Sharing (VERIS) framework that depicts security incidents in a structured and

repeatable manner and garners additional information through anonymous participants

to allow those to participate without fear for loss of reputation described in the above

sentence. Take note though that as with the Ponemon study, Verizon dealt mostly with

organizations where a significant breach occurred. The VERIS approach also provides

us with a better methodology and helping us answer the questions, what we need to

know and measure? The diagram below is representative of the model that aids

organizations in order to provide companies like Verizon with effective metrics so

approaches are improving. As you can see the chart is broken down into four quadrants

28 | P a g e

labeled Threat, Asset, Impact, and Control.

Figure 2. Baker, Hutton, Porter. The Graph is a Model Showing How Companies Collect Data For the Verizon Data Breach Reports by Verizon Enterprise Risk and Incident Sharing (VERIS)

To add further credibility to the study is the participation of United States Secret Service

(USSS), the Dutch National HighTech Crime Unit (NHTCU), the Australian Federal

Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police

Central eCrimes Unit (PCeU) of the London Metropolitan Police as they contributed to

gathering data from 36 countries unlike The Computer Security Institute who only

gathered data from United States based entities. These countries include Australia,

Austria, Bahamas, Belgium, Brazil, Bulgaria, Canada, Denmark, France, Germany,

Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg,

Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian federation,

South Africa, Spain, Taiwan, Thailand, Turkey, United Arab emirates, Ukraine, United

29 | P a g e

Kingdom and the United states.

Results from participants comprised of 855 attacks considered sophisticated and

those less difficult to orchestrate with174 million compromised records for the year 2011

is coincidentally the second highest number since Verizon came out with these reports

in the beginning of 2004. Just taking Ponemons figures for 2009 (that are actually lower

than some more recent numbers) which references that each compromised record

costs $204, than spending becomes astronomical for many of these companies.

Multiplying $204 times Verizon’s 174 million compromised record cost you would garner

total costs coming in at $35.496 billion and those just are records breached from entities

who know they actually were compromised. The biggest change in this report as

opposed to previous research is that Cyber Attacks comprised of Malware and Hacking

against Servers and User Devices are growing substantially for large organizations but

even worse for smaller firms (Verizon 2012). These numbers are alarming as the

Verizon study for example does not take into account that compromises can weaken

product integrity, undermine software development and erode consumer confidence

leading to further future losses by organizations that are not depicted in the study.

Furthermore the survey focuses on organizations as opposed to effected individual

consumers and costs derived from those seeking legal action against these exploited

entities or negative effects on productivity such as downtime due to a system being

inoperable for a specified period of time also do not appear in the report. Remember,

productivity typically refers to the increasing growth or decline in value added/subtracted

per worker or per unit of investment which has the potential to produce an actual

acceleration in income and jobs or decline (Weisbrod 2011).

30 | P a g e

Finally in wrapping up this section we focus our attention on what even the

Computer Security Institute believes to be a highly accurate report, that being Symantec

Corporations’. The Institute believes the study covering the year 2010 is comprehensive

in nature because as they exclaim Symantec uses a “machine-generated approach to

obtain the data, using sensors of various types to capture information about the data

traversing networks and the configuration of all sorts of Internet-connected devices

(Richardson 2010). Symantec even says it acquires most of its data from more than 133

million client, server, and gateway system’s due to the worldwide deployment of its

antivirus products. Furthermore, Symantec has a distributed honeypot network which is

really just database decoys filled with false data. In addition to the vast resources the

multibillion dollar organization has at their disposal, they also had MessageLabs

intelligence, a respected source of data and analysis for messaging security issues,

trends and statistics provide excess aid. Before we move on with the company’s figures

it must again be stated that the reason there are not as many in depth reports coming

from academia and other sources is that unlike Symantec which is a publicly traded

company, with access to the capital markets unlimited amount of money, the other

entities are not able to gather the necessary resources to collect a significant amount of

data. Back to the survey the study was conducted in 24 countries among adults 18-64

specifically focusing on the cost of Cybercrime. Between February 6, 2011 and March

14, 2011, StrategyOne also interviewed 19,636 people and included 12,704 adults,

aged 18 and over 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from

24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan,

New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark,

31 | P a g e

Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United

Arab Emirates). The company came up with its numbers by multiplying the number of

victims which were 431 million over a twelve month period by the average financial cost

of cybercrime (per country in US currency) totaling $114 billion in losses. Within that

$114 billion number Symantec was able to attain that more than 1 million became

victims every day and fourteen adults suffered from a cybercrime incident every second.

The publicly traded company took it even one step further by doing what other studies

could not and that is calculating the value of time lost which is correlated with

productivity based on cybercrime experiences over the 12 month period. This number

came to an astonishing $274 billion. In taking the sum of the two figures depicted in the

former sentences you come up with a total cost of $388 billion. Subsequently the study

surmised that targeted attacks, the use of social networking attacks, zero-day

vulnerabilities and rootkits (a type of Malware), attack kits and mobile threats all rose

sharply (Symantec 2012). The accumulation of studies on the financial impacts on

capital expenditures of individual and private/ public organizations targeted by Cyber

Attacks is indisputable. Therefore our hypothesis is on target, as the data substantiates

that Cyber Attacks do indeed cost the economy to incur losses, adversely impact

productivity and causing a significant decline in sales that are in the billions upon billions

of dollars. .

32 | P a g e

4.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, Morgan Stanley, 451 Research & MarketsandMarkets) & Government Role Explained

It is essential that organizations implement Cyber Security controls either through

technological means or human analysis. Investments in the area of IT Security

organization and startups in the past have been slow due to a lack of understanding and

the inability to view security as an essential element that must be incorporated within

one’s business. However due to Cyber Attacks becoming more persistent an increasing

number of investments and the infusion of capital committed to this sector are starting to

take shape. One reason for this is the implementation of regulation but not so much as

to inhibit innovation. For instance federal and state statutes that penalize companies

who do not properly safeguard consumer information have forced these entities to

obtain the necessary financing and invest in the area of Cyber Security. The FTC has

brought a number of legal enforcement actions against entities that have been inept in

protecting consumer data. Sarbanes-Oxley which in particular pertains to public

companies require these firms to adhere with the Information Integrity provisions of this

law requiring executive management to make sure internal controls are implemented to

address a vast array of issues including data security. Another important law PCI

DSS, The Payment Card Industry Data Security Standard provides guidelines and

requirements for protecting cardholder data for those who accept credit/debit/prepaid

card payments which are transmitted, processed or stored. If these requirements are

not met entities can be penalized by the major credit card company brands at their

discretion by fining an acquiring bank $5,000 to $100,000 per month for PCI compliance

violations which would be passed down to the entity who accepts these transactions

33 | P a g e

and does not adhere to these requirements (PCI Security Standards Council 2012).

These regulatory initiatives in conjunction with the increasing number of attacks,

collaboration and awareness has all been helpful in garnering a large amount of capital

investment in the Cyber Security Industry further fueling innovation of new products and

services. In fact the United States Bureau of Labor Statistics (BLS) has not provided

any data over the years on the security industry in the way of job statistics however the

government fact finding agency has finally begun to recognize the importance of

collecting figures, albeit slowly. Although in its infancy the BLS began to implement a

category they coin “Security Analyst” which comprises of individuals that plan,

implement, upgrade, or monitor security measures for the protection of computer

networks and information. Embedded in the description of Security analysts and in

addition to the explanation of this group in the prior sentence, the BLS goes on to

expand upon their definition in saying “these workers may also ensure appropriate

security controls are in place that will safeguard digital files and vital electronic

infrastructure responding to computer security breaches and viruses.” Again this is

brought up to show that even the BLS has realized that investment in this area is

starting to have a direct impact on job growth, forcing their hand at having to come up

with figures to provide more accurate information on the economy as a whole. Numbers

garnered by the BLS to date are not yet a large enough sample that would allow one to

rely on such data but it is hopeful that this will soon change. One thing that does

resonate is that there was no unemployment among IT security professionals in the

U.S. and jobs grew dramatically while averaging four quarters of figures for the year

2011. Forty Four thousand Security Analysts were employed with the BLS seeing a rise

34 | P a g e

of more than one third in the fourth quarter of 2011to 51,000 from 37,000 in the first

quarter (Bureau of Labor Statistics 2012).

Gartner Research in a September 2012 release exclaimed that although a vast

sector of the world has been hit by the economic slowdown forcing many companies to

cut their Information Technology budgets this is not the case when it comes to the

global security infrastructure market. The research firm anticipates that security will

continue to be a top priority and therefore spending is slated to rise to $60 billion up

from $55 billion in the prior year and by 2016 reach $86 billion (Gartner 2012). In fact

Certified Financial Analyst for financial firm Citi Group came out with a 15 page report

titled “IT Security Survey Says…Network Security and Check Point Have Most

Favorable Trends” where he found IT security budgets in 2012 poised to grow faster

than overall IT spend, a reversal from last year positively impacting sales for several of

the major IT security vendors (Pritchard 2012). The bar graph below provided by Citi in

Figure 1, projects what was highlighted in the prior sentence

35 | P a g e

Figure 3. (Pritchard 2012)Graph Showing Security Spending Should Outpace Overall IT Budget Growth From Citi Investment Research & Analysis

Figure 4. (Pritchard 2012)Graph of Network Growth in the Network Security Market by Citi Investment Research & Analysis

36 | P a g e

The graph above indicates refresh growth in the Network Security appliance market

(unlike a single piece of security software network security appliances are security tools

typically bundled together), meaning CIO’s polled in the Citigroup survey will replace

their appliances more than in prior years. Although this includes a segment of the Cyber

Security Industry it can been incorporated as it provides further proof on the growth of

spending in security.

Morgan Stanley Research through their vast network and conversations with

several organizations who primarily conduct most of their business by partnering up with

manufacturer’s to market and sell manufacturer's products, services, or technologies is

where a significant amount of data was extracted. These are what the industry calls

channel partners and they cite that ongoing investments in data protection technologies,

multi-function network security solutions, and solutions to counter Advanced Persistent

Threats (APTs) will only continue to grow. They emphasize that these areas are

essential and is indicative of the large amount of negative publicity received over the

past 12 to18 months due to the growing number of Cyber Attacks. Breaking things down

a bit further Network security data points (the authorization of access to data on a

network including firewalls, antivirus, spam and content filtering through logs as well as

intrusion detection and prevention systems) (Weiss, Holt, Gorham 2012) are quite

robust as acquired data showed that 69% of CIOs plan to outlay capital on network

security in 2012 and very few entities, 8% to be precise, are planning to decrease

spending on security initiatives. Taking the last survey by Morgan Stanley that was

conducted in July of 2012 there was an overall improvement from 65%/20%

respectively. Separate from the number of CIO’s, the report solely focused on five of the

37 | P a g e

largest players in the IT security market, those being Fortinet Inc., Sourcefire,

Symantec, Websense and Checkpoint Software. The issue that arises with just

focusing on this small group is that it is not indicative of the overall Cyber Security

Industry unlike the Ponemon study. For example Symantec has appeared to plateau

compared too many of its rivals and this is because of increasing competition, the

substantial size of the company which impacts the rate of growth and internal controls

as opposed to lack of spending. To extrapolate on this a bit more back in March of

2012, Citigroup came out with a 15 page report titled “IT Security Survey

Says…Network Security and Check Point Have Most Favorable Trends” where the

analyst questioned via telephone 50 United States and European based Chief

Information Security Officers (CISO’s) detailing a lengthy series of in-depth questions on

the security market but here again it must be noted that the data just focused 90% on

firms with more than $1 billion in annual sales so although relevant the statistical

threshold falls slightly short due to sample size. Having said that Citi has conducted this

survey for the past three years which comprised of a broad spectrum of industries, the

most common were financial services (20%) and manufacturing (18%), while

government was underrepresented (just 4%) therefore the buying power should not be

ignored. They deciphered from the information that IT security budgets in 2012 are

poised to grow faster than overall IT spend, a reversal from last year positively

impacting sales for several of the major IT security vendors (Pritchard 2012).

There are internal and external factors that show the negative impact on bottom

line numbers (profit) such as litigation costs, employee overhead, taxes, Merger and

38 | P a g e

Acquisition activity, margins etc. but top line growth (revenues) remains strong again.

This is not indicative of internal cost controls and how well these security firms manage

their balance sheets but more in the way of cyclical trends (ie: effects of macroeconomic

conditions such as Europe’s debt crisis which can have an adverse impact on sales).

For example Sourcefire’s quarterly year over year (yoy) sales rose 30.10% with yearly

revenues of $ 208.94 million (Sourcefire 2012), Fortinet (yoy) sales grew 17.00% with

yearly revenues of $503.34 million (Fortinet 2012), Checkpoint (yoy) increased 7.80%

with yearly revenues of $1.33 billion (Checkpoint 2012), Symantec (yoy) rose 1.10%

with yearly revenues of $ 6.76 billion (Symantec 2012) and Websense rose slightly at

1%, with yearly revenues of $362.49 million to date (Websense). All data in the previous

sentence was compiled by the companies and audited by the world’s leading financial

advisory firms. This research has not taken into account what encompasses the bottom

line figures but rather just sales growth. Furthermore and to use an additional company

specific example NICE Systems which offers a wide array of security solutions is

labeled in another area of Cyber Security focusing primarily on management and

analysis. The Isreali firm saw quarterly revenue growth (yoy) rise 9.70% with $854.95

million in total sales this year thus far (NICE 2012). Quoted out of a Reuter’s article

written on October 31, 2012 of this year Tova Cohen exclaimed “Nice has benefited

from growing demand for tools to delve into data to improve business, spot fraud and

fend off security threats, and the company said compliance requirements in finance,

energy and other sectors had boosted business (Cohen 2012).” Therefore the Morgan

Stanley report should be taken with a grain of salt as it is only representative of five

companies which the Certified Financial Analysts (CFA’s) that performed the analysis

39 | P a g e

have admitted too. 451 Research a global analysis and data company solidifies

Ponemons results as you can see from the chart below and several number’s stick out,

in particular 45% of the security chiefs interviewed in their October 2012 research report

have expanded their company budget’s in 2012 compared to the 2011 year ago period

with a minimal amount of chiefs reducing their budgets this year compared to last year,,

that being 10% respectively. Subsequently, the outlay of capital goes towards security

becomes even more robust in 2013, with 47% of those surveyed planning on further

increases where in contrast only 8% believe their budgets will fall between 2012 and

2013.

Figure 5. (Kennedy 2012)Graph of Information Security Budget Trends From 451 Research

40 | P a g e

Some comments from those who participated in the 451 research study in reference to

expenditures on security include the following:

“It [budget] has increased, but percentage not disclosed. The increase is due to

voluntary projects to reduce complexity of meeting requirements.”

“Complicated — there was an increased [in budget allocation] allocation due to

regulations, but an overall budget decrease.”

“Half of the budget increase went to compliance issues.”

“The security budget is growing over time (Kennedy 2012)

We would be remised if we did not discuss one of the more astonishing statistical

financial data acquired to date by Advanced Technologies, Geographical Analysis &

Competitive Landscape, 280 page report. The firm that collected the data for the study

is a full service market research company and consulting firm, established in 2001 it

provides research on pharmaceuticals, energy and power, biotechnology, food and

beverage, chemicals, medical devices, advanced materials, semiconductor and

electronics, industrial automation, telecom and information Technology, consumer

goods, automotive and transportation, and banking & financial services sectors.

The report titled “Cyber-Security Market - Global Forecast & Trends (2012 –

2017) by Advanced Technologies, Geographical Analysis & Competitive Landscape”

acquires data from 24 large companies, and sub-segments/ micro-markets in North

America, Latin America, Western Europe, Eastern Europe, Middle East & Africa, and

APAC (Asia-Pacific) through analysis of a number of technology & solutions in particular

for the utilization of differing applications in the cyber security arena. This is all based on

41 | P a g e

functions and performance and the numbers are quite revealing. In 2011 the authors

state that the Cyber Security industry was calculated at being worth $63.7 billion and

that the figure in addition attributed to a larger number of entities focusing on a

comprehensive framework that covers the basis of network, end-point, application,

content, and wireless segments. Inclusive is Identity & Access Management, Risk &

Compliance Management, Data Encryption, DLPS, Data Recovery Solutions, UTM,

Anti-Virus, IPS/IDS, Web Filtering, Firewall, and Vulnerability management. To go off in

a tangent, just as with the Symantec study, Advanced technologies has the capability to

conduct such a detailed study because it’s a for profit research firm that on average

collects $4 650 for a single report, $ 7,150 for its corporate license and $9,000 for the

reportlinker.com site license. Therefore it has an unlimited amount of resources at their

beckoned call to conduct a study of this size unlike the vast majority of organizations or

individuals. In delving deeper into the numbers the company was able to model future

numbers based on historical data and past trends. Although these trends fluctuate a

sufficient average can be derived from an agreed upon and well established

mathematical formula among economic scholars. Extrapolating on this the research arm

was able to derive at an average compounded annual growth (CAGR) rate of 11.3

percent based on data collected by the firm from years past. In using a CAGR example

let’s say a company had just $10,000 on March 1, 2009 and by March 1, 2009, the

number grew to $13,000, then $14,000 by 2010, and finally ended up at $19,500 by

2011. The company’s CAGR would be the ratio of your ending value to beginning value

($19,500 / $10,000 = 1.95) raised to the power of 1/3 (since 1/# of years = 1/3), then

subtracting 1 from the resulting number: 1.95 raised to 1/3 power = 1.2493. (This could

42 | P a g e

be written as 1.95^0.3333). 1.2493 - 1 = 0.2493 another way of writing 0.2493 is

24.93% and there you would get your final CAGR figure (Value Click NA).

This figure, although pro forma was quite an eye opener, noting anticipated growth for

the Cyber Security market to be $120.1 billion by 2017. This number was also derived

based on security growth due to increased adoption of cloud computing, networks, data

centers, and wireless communication devices. Whereas, the service side is driven by

the need to service cyber security installations with security operations, managed

security services, and consulting services. In all participating global sovereign nations,

the private sector accounted for most of the outlaid capital expenditures for Cyber

Security countermeasures. The only anomaly was the United States, where government

expenditures were on par along with the private sector (MarketsandMarkets 2012) . In

2010 another interesting fact, which was issued by the Department of Commerce and

several other organizations. In their report they said that even though there has been

increased awareness in lewd of the risks of Cyber Attacks, a broad number of people

that contribute to the United States economy did not take advantage of available

technology and processes to secure their systems. Also countermeasures are not

evolving as rapidly in contrast to the threats (Department of Commerce 2011).If this is

the case we can make a slight assumption that Cyber Security market penetration could

grow even more substantially if more entities invested in the safety of their systems.

However even more evident on a change in this way of thinking can be seen over the

last year whereby the initial public offerings of IT security start-ups have outperformed

offerings that are not a part of this industry. Facebook is just one example. Imperva, a

data security company that went public last year saw its stock price rise nearly 30

43 | P a g e

percent on their first day of trading, and at the time if this report has it remains at 37

percent above the offering price. The stock price of Splunk, a data security company,

jumped nearly 65 percent from its offering in April of this year and in addition raised

$331 million in a secondary offering. “People are starting to realize that the billions of

dollars that have been invested into traditional network security are not working for them

anymore,” said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture

capital firm. Merger and Acquisition activity is also seeing a pickup. Apple recently had

become a suitor of AuthenTec, paying $356 million last month which is reported as

being one of Apple’s largest acquisitions. These are just a few of the many deals that

are growing in number (PERLROTH and RUSLI 2012).

As you can see this last study is quite telling and provides support that Cyber

Attacks did develop a new market and subsectors within this industry helping to garner

a vast amount of money from the investment community in turn increasing

organizational revenue figures for Cyber Security firms. In addition the people and

organizations participating in the security infrastructure perform a wide array of

functions. These include education and training, research, publication, product

development and marketing, network security administration, security support services,

policy and standards making, law enforcement, and research funding.

44 | P a g e

5. Conclusion

As we have seen throughout this paper and especially in looking at the data

results incorporated in the discussion section, Cyber Attacks have cost the economies

of the world a substantial amount of money however it also helped to fuel investment

and the growth of the Cyber Security Industry at a rapid rate. It is unfortunate that the

numbers associated with both the overall negative economic impact on entities around

the world as well as the figures that can be derived from the Cyber Security industry in

reference to growth are not absolute or rigorous enough. However unlike individual

studies we have the ability to access information from a slew of research reports to help

obtain a more accurate evaluation. As for right now, one could certainly see that the

numbers effecting costs outweigh the capital being infused into the Cyber Security

Industry. Subsequently this year, we did see a change in increased collaboration and

awareness. Therefore it has forced organizations like the BLS to finally lay the

foundation to come up with an improved model in order to better acquire a closer

estimate on the growth of the Cyber Security realm. We than hopefully can effectively

come closer to finding out whether the Cyber Security Industry and the money that it

garners will surpass the cost figures associated with Cyber Attacks. It will be interesting

to see over the next several years if the BLS will help to bring this about. One other

thing to note is that although various research coming from organizations such as

Symantec are very comprehensive in nature, there is still a problem of gathering

information from organizations of all sizes that refuse to tell us whether they have been

breached for fear of loss of business due to reputational consequences. When it comes

to publicly traded corporations divulging such information can cause a decline in the

45 | P a g e

market capitalization for these companies, stock price declines and unwillingness for

those to invest in companies that can be infiltrated easily. The Securities and Exchange

Commission (SEC) guidelines are beginning to have an impact on publicly traded firms.

The SEC has now forced companies like Amazon, Google, Hartford Financial Services

Group Inc, Eastman Kodak and others to provide public information on any

compromises and costs that occur within their organizations. In an article written in

Business Week they exclaim the SEC sent out a number of letters to public companies,

asking about Cyber Security disclosures and later pushing companies to disclose.

Although this is not a law as of yet it paves the way for one. The reason this is brought

up is that it will be interesting to see if such a law finally passes, requiring companies to

report this information in their financial statements perhaps we can obtain even more

accurate figures on economic costs. Until than we have to rely on research offered by

multiple sources and take the average of all the compiled figures so we can come closer

in establishing whether the costs of Cyber Attacks far outweigh the capital being

accumulated by the Cyber Security industry or vice versa.

46 | P a g e

6. References

1. The Bureau of Labor Statistics (2012) “15-1122 Information Security Analysts” Retrieved 3 December 2012 from The Bureau of Labor Statistics http://www.bls.gov/soc/2010/soc151122.htm

2. Cashell, B., Jackson,W., Jickling,M., and Webel, B. (2004). “The Economic Impact of Cyber Attacks” published by Congressional Research Service, Library of Congress. Retrieved 23 November 2012 from Cisco Corporation

3. Checkpoint Software (2012). Form 6K filing period 10/17/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1015922/000117891312002883/0001178913-12-002883-index.htm

4. Cohen, T. Oct 31, 2012 “UPDATE 1-Nice raises 2012 profit forecast as Q3 beats estimates” published by Reuters http://www.reuters.com/article/2012/10/31/nice-results-idUSL3E8LV69Y20121031?feedType=RSS&feedName=marketsNews&rpc=43

5. Colman, K. (January 2011) “THE GROWING RISK OF CYBER ATTACK AND OTHER SECURITY THREATS” published by The Technolytics Institute. Retrieved 1 December 2012 from HWP Insurance http://www.hwphillips.com/wp-content/uploads/2012/09/The-Growing-Risk-of-Cyber-Attack-and-Other-Security-Threats.pdf

6. Cornell University Law School (1986). Fraud and related activity in connection with computers. Published by United States Congress, Retrieved 23 November 2012 from Cornell University Law School. http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

7. THE DEPARTMENT OF COMMERCE INTERNET POLICY TASK FORCE (June 2011). CYBERSECURITY,INNOVATION AND THE INTERNET ECONOMY. Retrieved 1 November 2012 from The National Institute of Security Standards. http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf

8. Dowdy, J. (2012).Chapter 5: The Cybersecurity Threat to U.S. Growth and Prosperity. Published by Aspen Institute bookstore and Brookings Press. Retrieved 22 November 2012 from McKinsey & Co. www.mckinsey.com

9. Dunn, Myriam (2005). A COMPARATIVE ANALYSIS OF CYBERSECURITY INITIATIVES WORLDWIDE. Retrieved 6 December 2012 from International Telecommunications Union: http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_Cybersecurity_Initiatives_Worldwide.pdf

47 | P a g e

10.Fortinet (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1262039/000126203912000051/fortinet2012093010-q.htm

11.Gartner Research (2012). Gartner Says Worldwide Security Infrastructure Market Will Grow 8.4 Percent. Retrieved 1 December 2012. http://www.gartner.com/it/page.jsp?id=2156915

12.Gallaher, M., Rowe,B. Rogozhin, A., Link, A. (July 2006). ECONOMIC ANALYSIS OF CYBER SECURITY. Published by Research Triangle Institute. Retrieved 23 November 2012 from Defense Technical Information Center. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA455398

13.Hess, Ken (2011). Ghost in The Wires "The Keven Mitnick Interview. Retrieved 27, November 2012 from ZDNet: http://www.zdnet.com/blog/security/ghost-in-the-wires-the-kevin-mitnick-interview/9357

14.Hoover, N. (2012). Cyber Attacks Becoming Top Terror Threat, FBI Says Published by UBM Tech Retrieved 7 December 2012 from Information Week http://www.informationweek.com/government/security/cyber-attacks-becoming-top-terror-threat/232600046

15.HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles. PALO ALTO, Calif., Oct. 8, 2012. http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html

16. Info Security Magazine (September 2012) “Cyber attacks “one of the most serious” threats facing the US, says Janet Napolitano published by Reed Exhibitions Retrieved 7 December 2012 from Info Security Magazine http://www.infosecurity-magazine.com/view/28145/cyber-attacks-one-of-the-most-serious-threats-facing-the-us-says-janet-napolitano/

17.Keely, David Lt. (April 13, 2011). “CYBER ATTACK! CRIME OR ACT OF WAR?” United States Air Force U.S. Army War College CARLISLE BARRACKS, PENNSYLVANIA 17013.

18.Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/

19.MarketsandMarkets (June 2012) Cyber-Security Market - Global Forecast & Trends (2012 - 2017) Retrieved 27, November 2012 from reportlinker. http://www.reportlinker.com/p0923304-summary/Cyber-Security-Market-Global-Forecast-Trends--by-Advanced-Technologies-Geographical-Analysis-Competitive-Landscape.html

20.Martin, D. (2007) Joybubbles, 58, Peter Pan of Phone Hackers, Dies. Retrieved 1 December 2012 from The New York Times

48 | P a g e

http://www.nytimes.com/2007/08/20/us/20engressia.html?_r=3&ref=obituaries&oref=slogin&oref=slogin&

21.National Institute of Standards and Technology (NA). The National Cyber Security Workforce Framework. Retrieved 1 December 2012 from National Institute of Standards and Technology: http://csrc.nist.gov/nice/framework/documents/national_cybersecurity_workforce_framework_printable.pdf

22.NICE Systems (2012). Form 6K filing period 12/6/2012 Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1003935/000117891312003378/0001178913-12-003378-index.htm

23.Oona, H., Crootof, R., Levitz, P.,Nix, H,,Nowlan,A., Perdue, W. & Spiegal, J. (2012). The law of cyber-attack . California: California Law Review.

24.PCI Security Standards Council (2012). PCI SSC Data Security Standards Overviews. Retrieved 26 November 2o12 from PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/

25.PERLROTH, NICOLE and RUSLI, EVELYN M. (2012). Security Start-Ups Catch Fancy of Investors. Retrieved 1 December 2012 from The New York Times: http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups-catch-venture-capitalists-eyes.html?_r=0

26.Pindar, J., Rigelsford, Dr. J. (July 2011).Cyber Security and Information Assurance. Mr. Joseph Published by The University of Sheffield.

27.Ponemon Institute (February 2012). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved 1 December 2012 from PR Newswire: http://www.ponemon.org/news-2/

28.Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf

29.Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis.

30.Ramirez, L. (October 2012) “Panetta Says US Boosting Cyber Defense” published by Voice of America Retrieved 6 December 2012 http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber-security/1525450.html

31.Richardson, R., CSI Director (2010). 2010/2011 CSI Computer Crime and Security Survey. Retrieved 27, November 2012 from The Computer Security Institute. https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf

49 | P a g e

32.Rowe, B., Gallaher, M. (2006). Private Sector Cyber Security Investment Strategies: An Empirical Analysis Published by Technology Economics and Policy RTI International Retrieved 21 November 2012 from The Ninth Workshop on the Economics of Information Security http://www.weis2006.econinfosec.org/docs/18.pdf

33.Securing Cyberspace: A New Domain for National Securing Cyberspace: A New Domain for National Security Nicholas Burns and Jonathon Price

34.Sentementes, Gus G. (2012). Cybersecurity business, jobs expected to grow through 2016. Retrieved 5 December 2012 from The Baltimore Sun: http://www.baltimoresun.com/business/bs-bz-cybersecurity-maryland-forecast-20121018,0,6945767.

35.Sourcefire (2012) Form 10Q filing report period. Retrieved 1 December 2012 from the Securities and Exchange Commission 9/30/2012 http://www.sec.gov/Archives/edgar/data/1168195/000116819512000007/0001168195-12-000007-index.htm

36.Symantec Corporation (2012) Norton Cybercrime Report, September 2012. Retrieved 22 November 2012 from Symantec. http://www.norton.com/2012cybercrimereport

37.Symantec Corp. (2012) Form 10Q filing report period 9/28/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi-bin/viewer?action=view&cik=849399&accession_number=0001193125-12-441366&xbrl_type=v

38.Value Click (Date NA) Compounded Annual Growth Definition. Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/c/cagr.asp#ixzz2FEDxVIqH

39.Value Click (Date NA) GDP Definition. Published by Value Click Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/g/gdp.asp#ixzz2Eark1U7v

40.Verizon RISK Team(2012). 2012 Data Breach Investigations Report. Retrieved 7 December 2012 from Verizon Corporation: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

41.Websense (2012) Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi-bin/viewer?action=view&cik=1098277&accession_number=0001098277-12-000004&xbrl_type=v

42.Weisbrod, Glen (2011). DEFINING ECONOMIC IMPACT AND BENEFIT METRICS FROM MULTIPLE PERSPECTIVES: LESSONS TO BE LEARNED FROM BOTH SIDES OF THE ATLANTIC. Retrieved 6 December 2012 from

50 | P a g e

Economic Development Research Group, Boston, Massachusetts, USA: http://www.edrgroup.com/pdf/Weisbrod-Simmonds-ETC-Oct2011R.pdf

43.Weiss, Holt, Gorham (October 2012). Security Preview: Secular Should Outpace Macro in Q3 published by Morgan Stanley Research of North America

44.White, C. (2011). Data communications and computer networks “a business users approach” . (6th ed., Vol. ISBN-10: 0538452617 , p. 17, 17, 297, 308 & 330). Course Technology, Cengage Learning

7. List of Figures

a. Figure 1: Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf

b. Figure 2: Baker, Hutton, Porter (Date NA). A Framework for Gathering Risk Management Information From Security Incidents. Published by Verizon Risk Management Retrieved 6 December 2012 from Security Metrics Organization http://www.securitymetrics.org/content/attach/MetriCon4.5/mm_VZ.pdf

c. Figure 3: 29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis

d. Figure 4: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis

e. Figure 5: Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security-budgets-to-increase-in-2013/

51 | P a g e