Home page logo

basics logo Security Basics mailing list archives

Re: Statistics
From: Alessandro Bottonelli <abottonelli () libero it>
Date: Tue, 25 Nov 2003 13:22:08 +0100

On Monday 24 November 2003 16:57, Jack Solomon wrote:
I often hear statistics bandied around like 85% of attacks are internal.
Can anyone point to a reliable/quotable source of stats?  

82% Internal (of which 55% accidental) are quoted from a research (not 
public) of either Ernst&Young or Datapro--can't remember right now which one.

I'd like to prove
to my cynical managment that we are not safe behind the corporate

Beware! You are right, but this issue is highly political, management 
don't like to be told they cannot trust their employees. Make sure YOU know 
how to state this.

Also, I'd be interested in stats on amout of money lost

Hmmm. When it comes to money things are even worse. Insiders have more 
opportunity, means and motive to hit you hard. In a research paper of mine (I 
found no one here in Italy available to pubblish it... wonder why) I made 
this consideration (which is not by far a statistics):

-1- SQLWORM hits the Italian Post Office. Zero insiders, a unaccounted number 
of outsiders: estimated damage 150,000 Euros

-2- CREDIT CARD CLONING in an Italian (Tuscany) Bank. One insider, five 
outsiders: measured damage 1,000,000 Euros

-3- INS OUTSOURCER DESTROYS (willingly) some thousands documents (in order to 
look good on their SLA...). Three insiders, zero outsiders: assessed damage 
250,000,000 dollars (the value of the 5-year contract with INS).

Be careful when (if) using this with your management, as we say in Italy: 
"wrap it with plenty of vaseline grease ..." <grin>

Alessandro Bottonelli
CISSP, BS7799 Lead Auditor


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]