Symantec says $110 billion annually while McAfee says $1 trillion. Why can't anyone agree?
The following letter was published in the Letters to the Editor in the May 2013 CACM (http://cacm.acm.org/magazines/2013/5/163765).
Paul Hyman's complaint about the lack of adequate reporting of cybercrime statistics was well justified in his news story "Cybercrime: It's Serious, But Exactly How Serious?" (Mar. 2013). All we have, he acknowledged, are lower-bound data, writing, "This much but how much more is there?" Information security is open-ended, with real but unreported losses, vulnerabilities, and threats.
Trade and professional journals tell us how to achieve security solutions, but such advice is not supported by experience because experience itself must be kept confidential. The confidentiality needed to achieve security of security greatly inhibits valid research and adequate preparation. I have for 40 years advised victim enterprises to carefully evaluate the pros and cons of publicly reporting specifics of their security experience, as revealing them would be a violation of the very concept of security; they could lose more from reporting than from keeping the information confidential. Yet they have a moral, social, and possibly legal obligation to publicly report it. An SEC advisory letter to public corporations (SEC Disclosure Guidance: Topic No. 2, Oct. 13, 2011, http://www.sec.gov/divisions/corp-fin/guidance/cfguidance-topic2.htm) requires publicly reporting cybersecurity risks to shareholders but also advised not to reveal information helpful to potential adversaries. How can they carry out such a contradictory dual mandate?
Security-information-sharing organizations (such as Infraguard, http://www.infraguard.net) in cooperation with the FBI and the inter-industry Information Sharing and Analysis Centers (http://www.isaccouncil.org) are helpful to a point. I suggest also using what I call the "old boys network" of informally sharing the most sensitive security information by developing mutual trust with fellow security practitioners in other enterprises, as has been the practice for a long time in industrial security.
Donn B. Parker
Los Altos, CA
Displaying 1 comment