B susser researchpaper (2)

  • 718 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
718
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
4
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Cyber Attacks and the economic impacton Entities worldwide Cyber Attacks Ahead Bradley Sean Susser December 17, 2012 1|Page
  • 2. AbstractThis research report studies the economic impact that Cyber Security attacks have onsociety as a whole. The aim of this analysis is to examine the negative and positiveimpact of these compromises on multiple entities. Our descriptive analysisfocusesonindividuals, private and public organizations, costs, revenues, innovations, and jobs todetermine if proliferations of these attacks are either, negative or positive. Although thispaper draws upon the economic factors as result of cyber-attacks, it looks at the outlayin its historical context of capital expenditures to private and public organizations due tothe increased number of compromisesand factors of this paradigm helping to fuel thegrowth of innovations or spawn a new industry as a whole. 2|Page
  • 3. Table of Contents PageAbstract21. Introduction 4-52. Literature Review 62.1 Cyber Attack defined 6-82.2 Cyber Security defined 8-92.3 Brief History of Cyber Attacks 9-102.4 Economic Impacts Defined (inclusive Cost benefit Analysis) 10-132.5 Cyber Attacks Spawning New industry and Garnering Capital Investment13-143. Methodology 14-153.1 Cyber Attacks and Hypothesis on their Growth over the Years 15-163.2 Cyber Attacks &Hypothesis on Financial Impacts of Entities Targeted 16-173.3 Cyber Attacks and Hypothesis on whether they spawned a New Industry Helping toInfuse Significant Capital 17-184. Discussion 184.1 Cyber Attacks Growth from a Historical Perspective & Beginnings 18-204.2 CSI/FBI/Technolytics Institute/ Janet Napolitano Statistics on Growth of CyberAttacks through Historical Perspective 20-224.3 Mckinsey Global GDP Growth Statistics 22-234.4 Cost benefit Analysis & Difficulty in Obtaining Metrics 23-244.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks 24-254.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises & Costs Due to CyberContemporary Threat Landscape 26-324.7 Growth of Cyber Security Industry Statistics (Gartner Research, Citi Group, MorganStanley, 451 Research & MarketsandMarkets) & Government Role Explained 33-445. Conclusion 45-466. References 47-517. List of Figures 51 3|Page
  • 4. 1. Introduction: Since the mid 1980’s as personal computers started becoming more prevalent sotoo did a small group of people that chose to wreak havoc by exploiting andcompromising these devices for nefarious purposes or just pure curiosity. These eventswere even depicted in movies such as War Games, which was introduced to the publicin 1983. The movie is based on a teenage boy who breaches the United StatesPentagons computer system and locates a game within the system known as ―GlobalThermo Nuclear War‖. Although he believes this is just a game in reality heinadvertently causes the system to begin the process of launching a nuclear attack on anumber of sovereign nations. This was the first time that such a scenario was brought to the forefront of thegeneral public and although this was just a movie in reality systems althoughin itsinfancy, where becoming attractive targets for individuals and entities to manipulate andunethically exploit. Then in the early 1990’s the Internet was introduced to thecommercial sector allowing for both private and public entities to leap frog off of thismedium and create whole new economies based on this technological innovation.However as the internet, systems, personal computers and a plethora ofhardware/software devices are utilized more and more for routine activities the numberof people wishing to do harm to individuals and organizations that make use of thesetechnologies continues to grow at an alarming rate. In fact, according to Verizon’s 2012 Data Breach Investigations Report, 2011 wasthe year that organizations systems came under attack by a slew of groups withdifferent forms of motivation but the numbers are unprecedented. The report focused on 4|Page
  • 5. 855 incidents that saw 174 million data records get compromised. This includedprotesting entities such as the likes of Anonymous, cybercriminals performing attacks toacquire trade secrets, classified information and other intellectual property, stealpersonal credit card information, identity theft, take down organizational servers and thelist goes on and on. Verizon is quoted as saying ―Doubly concerning for manyorganizations and executives was that target selection by these groups didn’t follow thelogical lines of who has money and/or valuable information. Enemies are even scarierwhen you can’t predict their behavior(Verizon 2012).‖ In another scathing report released to the public in October of 2012 by HewlettPackard working with the Ponemon Institute indicated an exponential increase of CyberCrimefrom 2010 to 2011. In contrast to the Ponemon and Verizon, reports an articlewritten in the Baltimore Sun on October 21, 2012 quoted Cyber Security analysts assaying that this sector of the market is anticipated to grow over 50 percent up until theend of 2016 which will open up new opportunities for business and individuals. Thearticle goes on to say that Cyber Security spending by the Defense Department, evenwith the absence of certain legislation will rise from $4.4 billion in 2011 to $6.7 billion in2016, spending in civilian agencies will increase from $2.6 billion in the 2011 period to$3.8 billion by 2016 and capital expenditures to be outlaid by U.S. Intelligence agenciesare expected to increase from $2.3 billion last year to $3.6 billion over the next fouryears (Sentementes 2012). The statistics incorporated above show a dichotomywhereby the economic impacts of Cyber Attacks can be both disadvantageous andadvantageous. The point at issue is, is one more predominant over the other or do they balance 5|Page
  • 6. each other out? The question posed in the prior sentence is what this papers primaryobjective seeks to ascertain, although other questions must be implemented andinvestigated to garner an appropriate answer. So as you continue to migrate through thesections to follow,we will look through an assortment of research to try and come upwith a valid answer to the aforementioned question. 2. Literature Review: In reviewing the literature there is an abundance of material ongrowing numberof Cyber Attacks which has negative ramifications as well as helped to spur the growthof a variety of disciplines and innovations within the IT Security arena. Therefore thereare a multitude of factors and questions one needs to take into account by means ofeconomic analysis.2.1 Cyber Attack defined Some of the essential questions that must be addressed include do the overalleconomic impacts of these attacks way on the side of being more adverse oradvantageous? The aforementioned question should be broken down even further toinclude the following. What is a cyber-attack? There are a variety of ways to define and describe acyber-attack.Although, the term may appear simplistic on the surface, cyber-attacks arecomprised of a multitude of factors. The Ponemon Institute exclaims that this is anycriminal activity conducted over the Internet (Ponemon 2012) but is this not toosimplistic of a definition?According to the research paper ―The Law of Cyber-Attack‖ theauthors explain that a Cyber Attack is ―any action taken to undermine the functions of a 6|Page
  • 7. computer network for a political or national security purpose.‖ This group of writers thanfurther explains that the reason for lack of clarity among the community on what CyberAttacks are, is due to the inability to make a distinction between Cyber Crime, CyberAttack, and Cyber War. For example in their paper ―a Cyber Attacks Objective must beto undermine the function of a computer network‖ and ―Must have a political or nationalsecurity purpose.‖ (Oona, Crootof, Levitz, Nix,Nowlan, Perdue, Spiegal, 2012). The terms Cyber Crime and Cyber War discussed in the sentencesabove arewhat makes up Cyber Attacks and therefore in addition further extrapolation on the truemeaning must be incorporated. Lt. Colonel David M. Keely hits the nail on the head instating that many of the definitions he came across where to narrow in scope. Heconcluded that ―A good definition of Cyber Attack can be found in discussions of theCritical Infrastructures Protection Act (CIPA) of 2001: ―All intentional attacks on acomputer or computer network involving actions that are meant to disrupt, destroy, ordeny information. ― In addition he exclaims you must also incorporate the why aspect.Inclusive should be the motivation of the attacker. ―If the motivation of the attacker ismonetary gain, destruction of property, or espionage, then a crime has beencommitted.‖ ―If the desired result is ―to cause death or seriously bodily harm to civiliansor non-combatants, with the purpose of intimidating a population or compelling aGovernment or an international organization to do or abstain from doing any act then anact of terrorism has occurred.‖ ―If the motivation is to wage or to assist in waging a―armed hostile conflict between States or nations then an act of war has occurred.‖Lieutenant Keely’s assessment covers all the essential elements of Cyber Attacks thatimpact sovereign nations, public and private entities and finally individuals therefore his 7|Page
  • 8. interpretation is quite effective for the purpose of our research endeavor (Keely, 2011).Finally it is necessary to breakdown the types of exploits propagated by these CyberAttacks. Cyber Attacks are comprised of Malware, Web based attacks, stolen devices,malicious code implementation, malicious insiders, phishing and social engineering anddenial of service attacks (DoS). Malware is defined as evil software and is made up ofsubcategories which include viruses, Trojans, worms, rootkits, keyloggers etc howeverin the chart provided by2.2 Cyber Security defined As with Cyber Attacks we need to try and come up with a concrete definition forCyber Security as it varies among Information and Communications Technology (ICT)professionals. This is because the area of specialties could be substantial according toThe National Institute of Standards and Technology (NIST), aU.S. federal agency andone of the leading organizations in charge of implementing security standard’s globally.Although NIST’s numbers may be slightly overarching it provides additional affirmationthat the term Cyber Security cannot be so easily defined (National Institute of Standardsand Technology). Some believe the term to be interchangeable with InformationSecurity while others state that Information Security is a subset of Cyber Security. Adefinition that we found to be most appropriate is Cyber Security refers to the protectionof any asset from being exploited by Cyber Attacks which we defined above, viaInformation and Communication Technologies. Inclusive is additional components suchas countermeasures and activities that can either be technical in nature or non-technicalfor the purpose of safeguarding computer networks, digital devices, hardware, softwareand all the information that they contain and communicate from anyone that has malice 8|Page
  • 9. of intent. In addition Cyber Security encompasses a number of professionals thatperform continuous research and analysis in order to try and keep ahead of thosewishing to do us harm, described above by NIST. As you can see the word informationis embedded in the definition of Cyber Security so we can conclude that it is in fact asubset of this area of discipline. Therefore Information Security references all aspects ofinformation protection. Subsequently three primary objectives lie at the heart ofInformation Security. These include the terms confidentiality, integrity and availability.Confidentiality makes sure that information is not disclosed to any unauthorized entityand that those who which to disclose that information can do so but at their request,Integrity assures one that information is modified only with proper authorization andfinally availability assures that information is provided promptly to authorized entitiesand only denied to those who are not authorized [Dunn 2005].2.3 Brief History of Cyber Attacks From a historical perspective have the number of attacks grown over the years orbeen on the decline?Furthermore have costs for entities accrued?Cyber Attacks have become depicted in the media for quite some time thereforeone must look at these attacks in their historical context. The precursor to the presentday Internet was created by the U.S. governments Advanced Research ProjectsAgency (ARPA) and was known as the ARPANET which was developed in the late1960’s. ARPANET eventually was replaced by the Internet or what is known to many asthe information highway which connects local area networks to wide area networksused by individuals and organizations worldwide (White, 2011). Unfortunatelyupon first 9|Page
  • 10. initiating the deployment of this medium, safeguards where never implemented asCyber Attacks where not even forethought. Some of the earliest attacks involved ―phonephreaking‖ in the early 1970’s and then with the invention of personal computers in theearly 1980’s attacks on systems began to proliferate. A number of congressional lawswere passed due to these early compromises to offer better protection of unauthorizedaccess to government computers. Title 18 United States Code: § 1030. ―Fraud andrelated activity in connection with computers‖ is one such law that was implemented in1986 and modified over the years to punish those wishing to target systems, whether forpolitical reasons or criminal activity(Cornell University Law School 1986). Finally in theearly 1990’s the Internet was now open to the general public for private and commercialuse but with increasing reliance on the Internet and its expansion of interconnectivityattacks became even easier to perform. The Computer Security Institute (CSI)/FederalBureau of Investigation (FBI) Computer Crime and Security Survey conducted over thelast several decades provides invaluable data, helping to further ascertain additionalinformation on the amount of attacks on organizations who have participated in thestudy over the years and detailing their networks and cost estimates by the type ofattack.2.4 Economic Impacts Defined (inclusive Cost benefit Analysis) This leads us to the next area of topic, that being the economic impacts of theseincreasing number of attacks but what do we mean by economic impacts?It must be stated that in order to grasp an understanding of the term economicimpacts its essential that we include in our description economic 10 | P a g e
  • 11. advantages/disadvantages and productivity as they all are intertwined. Economic impactsometimes is difficult to describe because it is made up of a complexity of subcategoriesbut on its face this is any modification in the passage of capital (income) in the economybetween industry sectors, population groups, or local areas of the world and althoughmetrics are usually measured in terms of growth in income, jobs or output such data isnot necessarily easy to extract and often more times than not difficult to quantify.Economic advantages/disadvantages is a broader concept of welfare gain thaneconomic impacts, in that it can incorporate both monetary advantages/disadvantages(tangible) and non-monetary advantages/disadvantages (intangible) with a willingnessto pay value or remove value The previous sentences concepts are most useful forperforming a cost-benefit analysis (CBA). In using a simple example, a CBA can be thebenefit of safeguarding ones systems against Cyber Attacks and the costs associatedwith these protective measures. Finally productivity typically refers to the increasinggrowth in value added per worker or per unit of investment which has the potential toproduce an actual acceleration in income and jobs (Weisbrod 2011).In looking furtherinto productivity it can be utilized not only as an gauge of efficiency but also indicative ofeconomic development. The research paper titled ―Private Sector Cyber Security Investment Strategies:An Empirical Analysis‖ suggests a cost benefit analysis approach is generallyStraightforward but found organizations inability to construct a rigorous cost benefitsanalysis (CBA) framework. Furthermore expected damage or cost functions and threatprobabilities needed to conduct a CBA is difficult to attain therefore most oftencompanies rely more on a qualitative approach(Rowe, Gallaher 2006).Note that CBA 11 | P a g e
  • 12. will be further described in the economic impact section to follow. Although theaforementioned research study is slightly predated as quantitative analysis hasappeared to have improved as you will soon see in the Ponemon Intitute, the study wasable to conclude that regulations was the most often cited drivers increasingorganizations’ investments in Cyber Security. This is important as it shows a correlationbetween government initiatives and spending discussed in the Baltimore Sunintroductory paragraph above. However in the article ―Economic Analysis of CyberSecurity‖ the authors point out that a CBA framework which focuses on quantitativeanalysis is expensive, difficult and in most cases even impossible to garner. This in turnhas forced most organizations to perform qualitative assessments, which are thencompared to quantitative analyses. Although the research paper dates back to 2006 thisis still mostly true today. It must be noted that they due endorse The Computer SecurityInstitute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and SecuritySurvey considering this to be the best available source. In contrast and to be fair theauthors of ―The Economic Impact of Cyber Attacks‖ state that this survey is lacking incertain areas due to incomplete metrics (Cashell, Jackson, Jickling, Webel, 2004). Thisonce again goes to how difficult it is many times to come up with complete and accuratedata which is why a number of sources should be used to reach the appropriatebalance. ―The Economic Analysis of Cyber Security‖ paper also discusses howorganizations decipher how to invest in security. This is significant because theseorganizations decisions are based on the impacts or potential impacts of Cyber Attacksand therefore you can see how these firms collect data to perform their analysis.Furthermore as part of this data collection process these entities implement the current 12 | P a g e
  • 13. costs associated with being hit by these attacks in their investment analysis whichallows you to get a better understanding on how they come up with these costs they aresupplying to those conducting research on the financial impacts of CyberAttacks(Gallaher, Rowe, Rogozhin, Link 2006).2.5 Cyber Attacks Spawning New industry and Garnering Capital Investment Have Cyber Attacks spawned a new industry that has helped to garner a largeinfusion of capital from the investment community?It is essential that organizations implement Cyber Security controls either throughtechnological means or human analysis. Investments in the area of IT Securityorganization and startups in the past have been slow due to a lack of understanding andthe inability to view security as an essential element that must be incorporated withinone’s business. However due to Cyber Attacks becoming more persistent an increasingnumber of investments and the infusion of capital committed to this sector are starting totake shape. One reason for this is the implementation of regulation but not so much asto inhibit innovation. For instance federal and state statutes that penalize companiesthat do not properly safeguard consumer information have forced these entities toobtain the necessary financing and invest in the area of Cyber Security. United Statesregulatory bodies such as theFederal Trade Commission (FTC), Department of Justice(DOJ), Securities and Exchange Commission (SEC)[Department of Commerce InternetPolicy Task Force June 2011), Payment Credit Card regulatory agencies(PCI SecurityStandards Council (2012) and many others has brought a number of legal enforcementactions against entities that have been inept in protecting consumer data forcing them to 13 | P a g e
  • 14. access additional capital. The capital is then used to pay for security. In the wake of these legal actions and targeted attacks, Gartner Research in aSeptember 2012 release talks of the increasing amount of capital being deployedthroughout the Cyber Security Industry (Gartner 2012). In addition Certified FinancialAnalyst for financial firm Citi Group conducted research whereby IT security budgets areon the rise (Pritchard 2012) as well as a number of or other researching bodies. 3. Methodology: In conducting our research the approach we have utilized and you will see whilstcontinuing to view this document is one of a descriptive nature because although wedraw empirical data from prior research we focus primarily on the characteristics ofCyber Attacks and its economic impacts on entities worldwide in the current day andage. It should be also noted that due to the complex nature of Cyber Attacks and lack ofcomplete understanding data is vast and all over the map;therefore it is difficult toacquire exact assessments and cost figures.The same also holds true for anaccurate account of the growth of the Cyber security industry although there have beenongoing improvements to address these issues. Subsequently a compilation of primary,secondary and general resources, those being from vetted educational research, publiccompanies such as Verizon, Certified Financial Analysts from investment houses,leading information technology research and advisory firms, audited financial filingsfrom publicly traded companies and articles from newspapers/journals are utilized withinthis paper. Again, the statistical data is fragmented as there has been no clear modelthat has been adopted and many argue some numbers are skewed due to conflicts ofinterest and in the ability to acquire the necessary resources (such as vetted papers 14 | P a g e
  • 15. created by those that are in the educational arena) to conduct a proper study. Thefigures comprised of various sample sizes among the population are compared andcontrasted so we can get a more accurate picture to determine whether the cost ofCyber Attacks far outweighs the amount of money being generated by the CyberSecurity communityor if the money being infused into the Cyber Security Industry haseconomic benefits that exceed the costs generated by Cyber Attacks.3.1 Cyber Attacks and Hypothesis on their Growth over the Years We will begin our focus by asking the question once again from a historicalperspective have the number of attacks grown over the years and over the last severaldecades have costs for entities accrued?This question is important because it lays theground work as to how the Internet and the technology that is embedded within it hasbecome a source utilized for nefarious purposes. Although some years have seen adecline in the number of Cyber Attacks overall the trend one would think is likely toshow that these attacks are an everyday occurrence and ever increasing in numbers.This is because the multitudes of devices that are connected to the Internet and makeuse of its backbone are immense. In other words distributed systems have becomedominant as opposed to centralized systems which used to play more of a role amongentities but are in fact utilized less and less these days. Also due to complexity of thenetwork and programming code used in web applications worldwide, the vector of attackhas grown making it even more difficult to mitigate against and ripe for exploitation. Forexample looking at web applications in particular, updates and patches are issued byvendors who develop code for a number programs daily. The problem has become so 15 | P a g e
  • 16. great that companies such as Microsoft and Oracle have a preset schedule fordistributing fixes on a monthly and quarterly basis. In fact firms like Red Hat employwhat is known as open source code, which is available to the general public for free andoffers the ability for any programmer to make modifications to the code whennecessary. Therefore vulnerabilities in open source software can be found more quicklyand what is also evident is the number of advisories for this type of code is deployed ona daily basis. However there are still a number of programs that have vulnerabilities thatare not found for a number of months or even years. This is especially true in the way ofadvanced persistent threats (APTs).In fact even when vendors issue advisories it takestime for them to create patches for code therefore those wishing to do us harm haveplenty of time in between these fixes to propagate attacks by take advantage of thesevulnerable applications.3.2 Cyber Attacks and Hypothesis on Financial Impacts of Entities targeted byAttacks The next area we need to delve into once more is the economic impactsthat Cyber security has on society as a whole. More specifically, what are the financialimpacts on capital expenditures of private and public organizations targeted by CyberAttacks?As highlighted above, the Internet has become the primary backbone toentities worldwide helping to create new innovations, increase collaboration and openup new economies like we have never seen before. In addition with the simple click of abrowser, connectivity to this vast network has become so easy that even the averagelaymen with no technological skills can access the information highway. Although it ishard to dispute the advantages of the pervasive availability for anyone to connect online 16 | P a g e
  • 17. it has also offered those seeking to do us harm a large vector that can be utilized toattack and exploit individuals and organizations. The impact therefore of these attacks,specifically Cyber Attacks, have come at a great cost to entities forcing them to outlay asignificant amount of capital and see a huge reduction in revenues . Inclusive areentities going out of business, loss of jobs, the negative impact of productivity and thevast amount of money or even identities being stolen from consumers. For exampleorganizational databases compromised or hit by a denial of service attacks, takesenormous man power to recover from such attacks. This in turn negatively impactsproductivity.3.3 Cyber Attacks and Hypothesis on whether they spawned a New IndustryHelping to Infuse Significant Capital Finally it is necessary to be redundant and ask whether Cyber Attacks spawneda new industry that has helped to garner a large infusion of capital from the investmentcommunity and increased organizational salesfiguresfor Cyber Security firms?Despitethe adverse impacts Cyber Attacks have on the economy there is no doubt that it hasalso created new opportunities as many subsectors such as cryptography, networksecurity, operating system security, database security, reverse engineering andpenetration testing just to name a few which have become essential components thatentities must make use of in order to safeguard systems. Therefore many venturecapital funds, private equity firms, individual investors and the overall capital marketsare continuing to pump money into the Cyber Security arena. These investments couldalso have a positive effect on sales which is the exact opposite of entities who areplagued by the current threat environment. The irony here is that the number 17 | P a g e
  • 18. disciplines and income garnered by the Cyber Security Industry could possibly outweighthe costs associated with Cyber Attacks. The aforementioned questions and their hypotheses as stated in previousparagraphs have been difficult to quantify however in the section to follow will attempt todo just that! 4. Discussion4.1 Cyber Attacks Growth from a Historical Perspective& Beginnings Cyber Attacks have evolved over time therefore one must look at these attacks intheir historical context. The precursor to the present day Internet was created by theU.S. governments Advanced Research Projects Agency (ARPA) and was known as theARPANET which was developed in the late 1960’s. The government allowed access toARPANET to only a selected few military bases, government labs and researchuniversities. The ARPANET was one of the first wide area packet switched networkswhich provided services like electronic mail, the transferring of files and remote logins.In 1983 the Department of Defense (DOD) broke ARPANET into two similar networkskeeping the name ARPANET for one of the networks and calling the other networkMILNET which would be used for military purposes. ARPANET eventually was phasedout and around this time the National Science Foundation funded the development of anew high speed network known as the NSFnet which connected major router sitesacross the U.S .than acting as the telecommunication backbone in turn connecting tosmaller regional networks or statewide networks. The statewide networks were then 18 | P a g e
  • 19. connected to a set of campus networks and eventually the collection of all thesenetworks would then be known as the Internet (White, 2011). The previous sentencesare significant primarily because when this architectural medium was developed therewere no countermeasures or safeguards implemented. In fact nobody had the foresightto think that the Internet would become the primary backbone for communicationsglobally, so instrumental to the economies worldwide and especially conceive that itwould be utilized as a medium for nefarious purposes. Some of the earliest hackers were involved in ―phone phreaking‖ which wereattackers looking to break into telephone networks in an effort to make free longdistance calls. Joybubbles AKA Joe Engressia was one of the first phone phreaks. Hewas a blind boy with perfect pitch who could whistle any tone. Circuit switching centersat the phone company were apparently tricked by the tones that he produced. One tone,used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited toprovide free long distance and international calling. Engressia could imitate this tone,while other phreaks used what was called a ―blue box‖. According to the New YorkTimes article written in 2007, Steve Jobs and Steve Wozniak, founders of Apple, werealso successful phone phreaks (Martin 2007). In the early 1980’s personal computers came into being manufactured bycompanies such as the likes of Apple and in turn individuals who tried to exploitnetworks for all sorts of reasons began to emerge. One of the first well known attackswas performed by Kevin Mitnick one of the most infamous attackers of the 1980’s. Itwas back in 1979 when Mitnick at the tender age of 16 years old illegally accessedDigital Equipment Corporation’s (DEC) computer network and obtained a copy of their 19 | P a g e
  • 20. operating system software. He also hacked into the networks of Nokia, Motorola, SunMicro, Pacific Bell and other companies. Just over a year ago Kevin was interviewed byZDnet claiming none of the companies he compromised sustained any damageshowever the FBI estimated Kevins hacks and code reading into the $300 million range(Hess 2011). In addition to Kevin, the Legion of Doom founded by Vincent LouisGelormine (―Lex Luther‖) in the 1980s were involved in unauthorized access to anumber of corporate networks, including BellSouth Corp.(Dr. Hayes 2012).4.2 CSI/FBI/Technolytics Institute/Janet Napolitano Statistics on Growth of CyberAttacks through Historical Perspective In moving slightly ahead in time the Computer Security Institute which has beena leading educational membership organization for information security professionals forover 30 years, began its series of reports titled ―CSI/FBI 2000 COMPUTER CRIMEAND SECURITY SURVEY‖. The reports are advantageous as some of the others thatare produced are by those who may have ulterior motives such as the likes of manyvendors who produce and sell security tools. Thereby having a potential conflict ofinterest. In contrast CSI security surveys are completely independent and collecteddata is gathered from a team that is made up of security professionals spanning multipleindustries, separate from those who just work in organizations selling solely cybersecurity tools and services. Having said that, sample size is not significant enough as itonly encompasses a small percentage of respondents solely within the United States.However although participation has been on the decline we can focus on annualfinancial impacts of major Malware attack data by CSI collected between the years 1995to 1999. In 1995 the number totaled $500 million, in 1996 $1.8 billion, 1997 $3.3 billion, 20 | P a g e
  • 21. 1998 $6.1 billion and in 1999 $12.1 billion (Cashell, Jackson, Jickling, Webel 2004). Thepercentage increases that can be denoted by these numbers are astonishing. According to Kevin G. Colman of the Technolytics Institute back in November2008 he acquired figures from several studies. One in particular conducted by Spy-Opsstated that over a one year period from 2007 to 2008 information theft grew around 68percent were every quarter of a second a file is stolen containing critical data in order tosteal a consumers identity. In 2008 it was also concluded that the United StatesPentagon was attacked 3 million times a day (Coleman 2011). Although not a precisenumber in an article written by Voice of America Titled ―Panetta Says US BoostingCyber Defense‖ Luis Ramirez who wrote the article backs up the 2008 document sayingthousands of enemy cyber-actors are targeting the Pentagon’s systems millions of timesa day (Ramirez 2012). In 2012 Janet Napolitano US Secretary of Homeland Security, during heropening keynote address at the ASIS/(ISC)² Congress 2012 conference in Philadelphiastated that Cyber Attacks have increased ―significantly over the past decade‖, and thatnumber also includes the more than three years she has acted as US Secretaryof Homeland Security. To put this into context, Napolitano goes on to say ―the UnitedStates Computer Emergency Readiness Team (US-CERT) responded to more than106,000 reports of Cyber Attacks during 2011 – releasing more than 5000 securityalerts to its public and private sector partner (Info Security Magazine 2012).‖ Today attacks are no longer dominated by a few but many individuals andentities. This is primarily due to the rise in distributed systems as opposed to the more 21 | P a g e
  • 22. common centralized ones which were once dominant several decades back. Accordingto Information Week on February 1, 2012, ―Cyber Attacks against government agenciesand businesses in the United States continue to rise, and cyber threats will one daysurpass the danger of terrorism to the United States, intelligence community officialssaid in an open hearing of the Senate select intelligence community.‖ The article goeson to mention countries such as China and Iran, to groups like Anonymous and LulzSectargeting systems on a regular basis and it suggested it will only get worse (Hoover2012). The historical trend certainly seems to indicate that there is a rise in attacks andfurther proof of this can be seen in the paragraphs to follow.4.3 Mckinsey Global GDP Growth Statistics There is little doubt that the Internet has helped to create new innovations andopen up new areas of the economy leading to high areas of growth and prosperity formany. This can be seen in the May 2011 Mckinsey Global Institute study whichexplained that the Internet accounts for 3.4 percent of the GDP when examining thirteencountries. The Internet for the developed nations among the 13 depicted in the previoussentence over the last five years contributed to 21percent GDP growth. GDP is themonetary value of all final goods and services produced within a nation in a particularperiod of time, typically based on yearly estimates. It includes all of private and publicexpenditures, government spending, investments and exports minus imports that arerepresentative of a certain region(Value Click). For the United States alone thisrepresents$440 billion to $580 billion of additional total output(Dowdy 2011). Unfortunately along with GDP the information highway has also contributed toadversely impacting these numbers because of the multitude of targeted attacks from a 22 | P a g e
  • 23. variety of actors (hacktivists, cyber criminals and sovereign nations), on allorganizations and industries that add to GDP worldwide.Inclusive is Computer basedcontrol systems that run much of the nation’s physical infrastructure. In other words nopublic or private entity is immune from such threats.4.4Cost benefit Analysis &Difficulty in Obtaining Metrics Just before we present you with the findings from a number of different entitiesonce again it must be emphasized that there is no one study that should be takencompletely at face value. The research paper titled ―Private Sector Cyber SecurityInvestment Strategies: An Empirical Analysis‖ suggests a cost benefit analysisapproach is generally straightforward but found organizations inability to construct arigorous cost benefits analysis (CBA) framework. Furthermore expected damage or costfunctions and threat probabilities needed to conduct a CBA is difficult to attain thereforemost often companies rely more on a qualitative approach (Rowe 2006). Although theaforementioned research study is slightly predated and quantitative analysis hasappeared to have improved figures remain inconsistent. Examining a compilation of data and taking the average of all these numbers ismost appropriate. This is talked about above in particular the two differing opinions onthe ―CSI/FBI Computer Crime and Security Survey‖. One being from the authors of thearticle titled ―the article ―Economic Analysis of Cyber Security‖ who endorse the survey(Gallaher, Rowe, Rogozhin, Link 2006) and the other coming from the authors of ―TheEconomic Impact of Cyber-Attacks‖ who cites several sources claiming the data is notchosen randomly nor is a representative sample of entities that are exposed to cyber- 23 | P a g e
  • 24. risk but only taken from self-selected security professionals which is considered inresearch circles to be somewhat biased. The reports on the 530 individuals who wereutilized nationally to conduct the survey are not accurateenough to obtain soundfigures. Additionally, cost data reported can be considered inept. For example in its2003 survey fifteen percent of the participants could not tell you if there was unapproveduse of their network and systems indicating that some measurable losses were obtainedbut this could significantly underestimate the totality of all losses. Also out of the seventyfive percent of the participants that reported losses only forty seven percent of themcould put an actual figure to those losses. The authors of ―The Economic Impact ofCyber-Attacks‖ do state however that this study is accepted by many papers thatcomprise of computer security literature. Yet again,thereis no one sound method thatcan be modeled to quantify the costs associated when it comes to Cyber Attacks whichis why it is useful to extract data from a variety of sources(Cashell, Jackson, Jickling,Webel, 2004).4.5 CSI/FBI Statistics on Financial Impact of Cyber Attacks In its 15th annual 2010/2011 ―CSI/FBI Computer Crime and Security Survey‖ TheComputer Security Institute sent 5412 security practitioners by regular snail mail andemail, whereby 351 people replied back with feedback indicating the number of returnswould make the institute ninety five percent confident that there numbers are accuratewith only just slightly over five percent margin of error. They do however admit thatthese respondents are only those who have paid to be members of the institute or paidto attend their event which can skew the numbers but they represent a vast array ofindustries except for the financial sector whose participation dropped around five 24 | P a g e
  • 25. percent with this last study. Furthermore as with many of these surveys they do notinclude consumers being compromised and a majority of the organizational respondentscame from companies making over $100 million a year as opposed to smaller entities.Forty seven percentclaimed they were affected by regulatory laws but this could be dueto the fact that laws may not be so clearly defined and respondents that are a part of agovernment entity may not feel these laws affect them. Finally not for profit firms oreducational institutions may not feel they have customers so they do not believe itaffects them.. The CSI report for the year 2010 shows the types of attacks experienced by thesurveys participants which include 67.1 percent were attacked with some type ofMalware infection, insider abuse of Net access or email 24.8 percent, laptop mobiledevice theft 33.5 percent, phishing 38.9 percent, Denial of service 16.8 percent, Bots onthe network 28.9 percent, financial fraud 8.7 percent, password sniffing 11.4 percentand exploiting a wireless network 7.4 percent. As you can see Malware infectioncontinues to be the most commonly seen attack. The percentages depicted in the priorsentence are the main reason we incorporated the CSI survey and also theircommentary on the Symantec study which you will see below. As for the financiallosses they could not be properly accessed due to the fact that only 77 respondentsprovided information and the numbers are not worth mentioning as this is far too smallof a sample but this does offer some proof on monetary losses (Richardson 2010). 25 | P a g e
  • 26. 4.6 Ponemon/Verizon/Morgan Stanley Statistics on Compromises& Costs Due toCyber Contemporary Threat Landscape In January of 2012 PGP corporation a global player in safeguardingorganizational data and research firm The Ponemon Institute performed acomprehensive study specifically aimed at data breaches primarily and one mustremember these are only confirmed data breaches. The survey revealed that databreach incidents cost U.S. companies $204 per compromised customer record in 2009,compared to $202 in 2008. There was an overall decline in the figures of reportedbreaches in 2009 compared to 2008 but still significant. The average total per-incidentcosts in 2009 were $6.75 million, compared to an average per-incident cost of $6.65million in 2008. Recently Ponemon came out with additional statistical data for the year2010 but the numbers were also exceeding high.The chart below is a goodrepresentation of the data compiled by Ponemon (Ponemon 2012). Using data providedby Ponemon Institute, the chart depicted below shows that U.S. firms are now losingmore money to operational costs of Cyber Attacks than they are spending on security. 26 | P a g e
  • 27. Figure 1. Chart Depicts Organizational Costs Outpacing IT SecuritySpending For United States Companies by Ponemon Institute 2012In a Follow up study that came out in October of this year, Ponemon along with HewlettPackard for the first time studied several countries in addition to the United States. TheInstitute conducted their research on Fifty Six Organizations and they concludedbusinesses on average suffered losses of $8.9 million per annum, an increase from$8.4 million indicative of the 2011 period.This represents a 6 percent increase over theaverage cost reported in 2011, and a 38 percent increase over 2010 (Ponemon Institute2012). The 2012 study also revealed a 42 percent increase in the number of CyberAttacks, with organizations experiencing an average of 102 successful attacks perweek, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010 27 | P a g e
  • 28. (Ponemon Institute 2012).‖ Morgan Stanley Research came out with a report titled ―Secular Should OutpaceMacro in Q3‖ whereby the firm conducted research on some of the leading CyberSecurity companies noting that Chief Information Officers (CIO’s) have explicitly saidthat spending on security countermeasures will remain one of the top three priories forthe year 2012 (Weiss, Holt, Gorham 2012).Furthermore Verizon Corporation which has conducted a survey from the years 2004 to2011 titled ―Data Breach Investigations Report‖ just came out with more recent figures.The report is made up of those who confirmed that they were breached as many entitiesrefuse to report their compromises for fear of reputational consequences that can leadto loss of business and in some cases firms may have been exploited but are unawareof the attack until a future time.Collected data was captured by evidence during paidexternal forensic investigations and making use of Verizon Enterprise Risk and IncidentSharing (VERIS) framework that depicts security incidents in a structured andrepeatable manner and garners additional information through anonymous participantsto allow those to participate without fear for loss of reputation described in the abovesentence. Take note though that as with the Ponemon study, Verizon dealt mostly withorganizations where a significant breach occurred. The VERIS approach also providesus with a better methodology and helping us answer the questions, what we need toknow and measure? The diagram below is representative of the model that aidsorganizations in order to provide companies like Verizon with effective metrics soapproaches are improving. As you can see the chart is broken down into four quadrants 28 | P a g e
  • 29. labeled Threat, Asset, Impact, and Control.Figure 2. Baker, Hutton, Porter. The Graph is a Model Showing How CompaniesCollect Data For the Verizon Data Breach Reports by Verizon Enterprise Risk andIncident Sharing (VERIS)To add further credibility to the study is the participation of United States Secret Service(USSS), the Dutch National HighTech Crime Unit (NHTCU), the Australian FederalPolice (AFP), the Irish Reporting & Information Security Service (IRISS), and the PoliceCentral eCrimes Unit (PCeU) of the London Metropolitan Police as they contributed togathering data from 36 countries unlike The Computer Security Institute who onlygathered data from United States based entities. These countries include Australia,Austria, Bahamas, Belgium, Brazil, Bulgaria,Canada, Denmark, France, Germany,Ghana, Greece, India, Ireland, Israel, Japan, Jordan, Kuwait, Lebanon, Luxembourg,Mexico, Netherlands, New Zealand, Philippines, Poland, Romania, Russian federation,South Africa, Spain, Taiwan, Thailand, Turkey, United Arab emirates, Ukraine, United 29 | P a g e
  • 30. Kingdom and the United states. Results from participants comprised of855 attacks considered sophisticated andthose less difficult to orchestrate with174 million compromised records for the year 2011is coincidentally the second highest number since Verizon came out with these reportsin the beginning of 2004. Justtaking Ponemons figures for 2009 (that are actually lowerthan some more recent numbers) which references that each compromised recordcosts $204, than spending becomes astronomical for many of these companies.Multiplying $204 times Verizon’s 174 million compromised record cost you would garnertotal costs coming in at $35.496 billion and those just are records breached from entitieswho know they actually were compromised. The biggest change in this report asopposed to previous research is that Cyber Attacks comprised of Malware and Hackingagainst Servers and User Devices are growing substantially for large organizations buteven worse for smaller firms (Verizon 2012). These numbers are alarming as theVerizon study for example does not take into account that compromises can weakenproduct integrity, undermine software development and erode consumer confidenceleading to further future losses by organizations that are not depicted in the study.Furthermore the survey focuses on organizations as opposed to effected individualconsumers and costs derived from those seeking legal action against these exploitedentities or negative effects on productivity such as downtime due to a system beinginoperable for a specified period of time also do not appear in the report. Remember,productivity typically refers to the increasing growth or decline in value added/subtractedper worker or per unit of investment which has the potential to produce an actualacceleration in income and jobs or decline(Weisbrod 2011). 30 | P a g e
  • 31. Finally in wrapping up this section we focus our attention on what even theComputer Security Institute believes to be a highly accurate report, that being SymantecCorporations’. The Institute believes the study covering the year 2010 is comprehensivein nature because as they exclaim Symantec uses a ―machine-generated approach toobtain the data, using sensors of various types to capture information about the datatraversing networks and the configuration of all sorts of Internet-connected devices(Richardson 2010). Symantec even says it acquires most of its data from more than 133million client, server, and gateway system’s due to the worldwide deployment of itsantivirus products. Furthermore, Symantec has a distributed honeypot network which isreally just database decoys filled with false data. In addition to the vast resources themultibillion dollar organization has at their disposal, they also had MessageLabsintelligence, a respected source of data and analysis for messaging security issues,trends and statistics provide excess aid. Before we move on with the company’s figuresit must again be stated that the reason there are not as many in depth reports comingfrom academia and other sources is that unlike Symantec which is a publicly tradedcompany, with access to the capital markets unlimited amount of money, the otherentities are not able to gather the necessary resources to collect a significant amount ofdata. Back to the survey the study was conducted in 24 countries among adults 18-64specifically focusing on the cost of Cybercrime. Between February 6, 2011 and March14, 2011, StrategyOne also interviewed 19,636 people and included 12,704 adults,aged 18 and over 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan,New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, 31 | P a g e
  • 32. Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, UnitedArab Emirates). The company came up with its numbers by multiplying the number ofvictims which were 431 million over a twelve month period by the average financial costof cybercrime (per country in US currency) totaling $114 billion in losses. Within that$114 billion number Symantec was able to attain that more than 1 million becamevictims every day and fourteen adults suffered from a cybercrime incident every second.The publicly traded company took it even one step further by doing what other studiescould not and that is calculating the value of time lost which is correlated withproductivity basedon cybercrime experiences over the 12 month period. This numbercame to an astonishing $274 billion. In taking the sum of the two figures depicted in theformer sentences you come up with a total cost of $388 billion. Subsequently the studysurmised that targeted attacks, the use of social networking attacks, zero-dayvulnerabilities and rootkits (a type of Malware), attack kits and mobile threats all rosesharply (Symantec 2012). The accumulation of studies on the financial impacts oncapital expenditures of individual and private/ public organizations targeted by CyberAttacks is indisputable. Therefore our hypothesis is on target, as the data substantiatesthat Cyber Attacks do indeed cost the economy to incur losses, adversely impactproductivity and causing a significant decline in sales that are in the billions upon billionsof dollars.. 32 | P a g e
  • 33. 4.7 Growth of Cyber Security Industry Statistics (Gartner Research, CitiGroup,Morgan Stanley, 451 Research & MarketsandMarkets) & Government RoleExplained It is essential that organizations implement Cyber Security controls either throughtechnological means or human analysis. Investments in the area of IT Securityorganization and startups in the past have been slow due to a lack of understanding andthe inability to view security as an essential element that must be incorporated withinone’s business. However due to Cyber Attacks becoming more persistent an increasingnumber of investments and the infusion of capital committed to this sector are starting totake shape. One reason for this is the implementation of regulation but not so much asto inhibit innovation. For instance federal and state statutes that penalize companieswho do not properly safeguard consumer information have forced these entities toobtain the necessary financing and invest in the area of Cyber Security. The FTC hasbrought a number of legal enforcement actions against entities that have been inept inprotecting consumer data. Sarbanes-Oxley which in particular pertains to publiccompanies require these firms to adhere with the Information Integrity provisions of thislaw requiring executive management to make sure internal controls are implemented toaddress a vast array of issues including data security. Another important law PCIDSS, The Payment Card Industry Data Security Standard provides guidelines andrequirements for protecting cardholder data for those who accept credit/debit/prepaidcard payments which are transmitted, processed or stored. If these requirements arenot met entities can be penalized by the major credit card company brands at theirdiscretion by fining an acquiring bank $5,000 to $100,000 per month for PCI complianceviolations which would be passed down to the entity who accepts these transactions 33 | P a g e
  • 34. and does not adhere to these requirements (PCI Security Standards Council 2012).These regulatory initiatives in conjunction with the increasing number of attacks,collaboration and awareness has all been helpful in garnering a large amount of capitalinvestment in the Cyber Security Industry further fueling innovation of new products andservices. In fact the United States Bureau of Labor Statistics (BLS)has not providedany data over the years on the security industryin the way of job statistics however thegovernment fact finding agency has finally begun to recognize the importance ofcollecting figures, albeit slowly. Although in its infancy the BLS began to implement acategory they coin ―Security Analyst‖ which comprises of individuals that plan,implement, upgrade, or monitor security measures for the protection of computernetworks and information. Embedded in the description of Security analysts and inaddition to the explanation of this group in the prior sentence, the BLS goes on toexpand upon their definition in saying ―these workers may also ensure appropriatesecurity controls are in place that will safeguard digital files and vital electronicinfrastructure responding to computer security breaches and viruses.‖ Again this isbrought up to show that even the BLS has realized that investment in this area isstarting to have a direct impact on job growth, forcing their hand at having to come upwith figures to provide more accurate information on the economy as a whole. Numbersgarnered by the BLS to date are not yet a large enough sample that would allow one torely on such data but it is hopeful that this will soon change. One thing that doesresonate is that there was no unemployment among IT security professionals in theU.S. and jobs grew dramatically while averaging four quarters of figures for the year2011. Forty Four thousand Security Analysts were employed with the BLS seeing a rise 34 | P a g e
  • 35. of more than one third in the fourth quarter of 2011to 51,000 from 37,000 in the firstquarter (Bureau of Labor Statistics 2012). Gartner Research in a September 2012 release exclaimed that although a vastsector of the world has been hit by the economic slowdown forcing many companies tocut their Information Technology budgets this is not the case when it comes to theglobal security infrastructure market. The research firm anticipates that security willcontinue to be a top priority and therefore spending is slated to rise to $60 billion upfrom $55 billion in the prior year and by 2016 reach $86 billion (Gartner 2012). In factCertified Financial Analyst for financial firm Citi Group came out with a 15 page reporttitled ―IT Security Survey Says…Network Security and Check Point Have MostFavorable Trends‖ where he found IT security budgets in 2012 poised to grow fasterthan overall IT spend, a reversal from last year positively impacting sales for several ofthe major IT security vendors (Pritchard 2012). The bar graph below provided by Citi inFigure 1, projects what was highlighted in the prior sentence 35 | P a g e
  • 36. Figure 3. (Pritchard 2012)Graph Showing Security Spending Should OutpaceOverall IT Budget Growth FromCiti Investment Research& AnalysisFigure 4. (Pritchard 2012)Graph of Network Growth in the Network SecurityMarket by Citi Investment Research & Analysis 36 | P a g e
  • 37. The graph above indicates refresh growth in the Network Security appliance market(unlike a single piece of security software network security appliances are security toolstypically bundled together), meaning CIO’s polled in the Citigroup survey will replacetheir appliances more than in prior years. Although this includes a segment of the CyberSecurity Industry it can been incorporated as it provides further proof on the growth ofspending in security. Morgan Stanley Research through their vast network and conversations withseveral organizations who primarily conduct most of their business by partnering up withmanufacturer’s to market and sell manufacturers products, services, or technologies iswhere a significant amount of data was extracted.These are what the industry callschannel partners and they cite that ongoing investments in data protection technologies,multi-function network security solutions, and solutions to counter Advanced PersistentThreats (APTs) will only continue to grow. They emphasize that these areas areessential and is indicative of the large amount of negative publicity received over thepast 12 to18 months due to the growing number of Cyber Attacks. Breaking things downa bit further Network security data points (the authorization of access to data on anetworkincludingfirewalls, antivirus, spam and content filtering through logs as well asintrusion detection and prevention systems)(Weiss, Holt, Gorham 2012)are quiterobust as acquired data showed that 69% of CIOs plan to outlay capital on networksecurity in 2012 and very few entities,8% to be precise, are planning to decreasespending on security initiatives. Taking the last survey by Morgan Stanley that wasconducted in July of 2012 there was an overall improvement from 65%/20%respectively.Separate from the number of CIO’s, the report solely focused on five of the 37 | P a g e
  • 38. largest players in the IT security market, those being Fortinet Inc., Sourcefire,Symantec, Websense and Checkpoint Software. The issue that arises with justfocusing on this small group is that it is not indicative of the overall Cyber SecurityIndustry unlike the Ponemon study. For example Symantec has appeared to plateaucompared too many of its rivals and this is because of increasing competition, thesubstantial size of the company which impacts the rate of growth and internal controlsas opposed to lack of spending. To extrapolate on this a bit more back in March of2012, Citigroup came out with a 15 page report titled ―IT Security SurveySays…Network Security and Check Point Have Most Favorable Trends‖ where theanalyst questioned via telephone 50 United States and European based ChiefInformation Security Officers (CISO’s) detailing a lengthy series of in-depth questions onthe security market but here again it must be noted that the data just focused 90% onfirms with more than $1 billion in annual sales so although relevant the statisticalthreshold falls slightly short due to sample size. Having said that Citi has conducted thissurvey for the past three years which comprised of a broad spectrum of industries, themost common were financial services (20%) and manufacturing (18%), whilegovernment was underrepresented (just 4%) therefore the buying power should not beignored. They deciphered from the information that IT security budgets in 2012 arepoised to grow faster than overall IT spend, a reversal from last year positivelyimpacting sales for several of the major IT security vendors (Pritchard 2012). There are internal and external factors that show the negative impact on bottomline numbers (profit) such as litigation costs, employee overhead, taxes, Merger and 38 | P a g e
  • 39. Acquisition activity, margins etc. but top line growth (revenues) remains strong again.This isnot indicative of internal cost controls and how well these security firms managetheir balance sheets but more in the way of cyclical trends (ie: effects of macroeconomicconditions such as Europe’s debt crisis which can have an adverse impact on sales).For example Sourcefire’s quarterly year over year (yoy) sales rose 30.10%with yearlyrevenues of$208.94 million (Sourcefire 2012), Fortinet (yoy) sales grew 17.00%withyearly revenues of $503.34 million (Fortinet 2012), Checkpoint (yoy) increased 7.80%with yearly revenues of $1.33 billion (Checkpoint 2012), Symantec (yoy) rose 1.10%with yearly revenues of $ 6.76 billion (Symantec 2012)and Websense rose slightly at1%,with yearly revenues of$362.49 million to date (Websense). All data in the previoussentence was compiled by the companies and audited by the world’s leading financialadvisory firms. This research has not taken into account what encompasses the bottomline figures but rather just sales growth. Furthermore and to use an additional companyspecific example NICE Systems which offers a wide array of security solutions islabeled in another area of Cyber Security focusing primarily on management andanalysis. The Isreali firm saw quarterly revenue growth (yoy) rise 9.70% with $854.95million in total sales this year thus far (NICE 2012). Quoted out of a Reuter’s articlewritten on October 31, 2012 of this year Tova Cohen exclaimed ―Nice has benefitedfrom growing demand for tools to delve into data to improve business, spot fraud andfend off security threats, and the company said compliance requirements in finance,energy and other sectors had boosted business (Cohen 2012).‖Therefore the MorganStanley report should be taken with a grain of salt as it is only representative of fivecompanies which the Certified Financial Analysts (CFA’s) that performed the analysis 39 | P a g e
  • 40. have admitted too. 451 Research a global analysis and data company solidifiesPonemons results as you can see from the chart below and several number’s stick out,in particular 45% of the security chiefs interviewed in their October 2012 research reporthave expandedtheir company budget’sin 2012 compared to the 2011 year ago periodwith a minimal amount of chiefs reducing their budgets this year compared to last year,,that being 10% respectively. Subsequently, the outlay of capital goes towards securitybecomes even more robust in 2013, with 47% of those surveyed planning on furtherincreaseswhere in contrast only 8% believe their budgets will fall between 2012 and2013.Figure 5. (Kennedy 2012)Graph of Information Security Budget Trends From451Research 40 | P a g e
  • 41. Some comments from those who participated in the 451 research study in reference toexpenditures on security include the following:―It [budget] has increased, but percentage not disclosed. The increase is due tovoluntary projects to reduce complexity of meeting requirements.‖―Complicated — there was an increased [in budget allocation] allocation due toregulations, but an overall budget decrease.‖―Half of the budget increase went to compliance issues.‖―The security budget is growing over time (Kennedy 2012) We would be remised if we did not discuss one of the more astonishing statisticalfinancial data acquired to date by Advanced Technologies, Geographical Analysis &Competitive Landscape,280 page report. The firm that collected the data for the studyis a full service market research company and consulting firm, established in 2001 itprovides research on pharmaceuticals, energy and power, biotechnology, food andbeverage, chemicals, medical devices, advanced materials, semiconductor andelectronics, industrial automation, telecom and information Technology, consumergoods, automotive and transportation, and banking & financial services sectors. The report titled ―Cyber-Security Market - Global Forecast & Trends (2012 –2017) by Advanced Technologies, Geographical Analysis & Competitive Landscape‖acquires data from 24 large companies, and sub-segments/ micro-markets in NorthAmerica, Latin America, Western Europe, Eastern Europe, Middle East & Africa, andAPAC (Asia-Pacific) through analysis of a number of technology & solutions in particularfor the utilization of differing applications in the cyber security arena. This is all based on 41 | P a g e
  • 42. functions and performance and the numbers are quite revealing. In 2011 the authorsstate that the Cyber Security industry was calculated at being worth $63.7 billion andthat the figure in addition attributed to a larger number of entities focusing on acomprehensive framework that covers the basis of network, end-point, application,content, and wireless segments. Inclusive is Identity & Access Management, Risk &Compliance Management, Data Encryption, DLPS, Data Recovery Solutions, UTM,Anti-Virus, IPS/IDS, Web Filtering, Firewall, and Vulnerability management. To go off ina tangent, just as with the Symantec study, Advanced technologies has the capability toconduct such a detailed study because it’s a for profit research firm that on averagecollects $4 650 for a single report, $ 7,150 for its corporate license and $9,000 for thereportlinker.com site license. Therefore it has an unlimited amount of resources at theirbeckoned call to conduct a study of this size unlike the vast majority of organizations orindividuals. In delving deeper into the numbers the company was able to model futurenumbers based on historical data and past trends. Although these trends fluctuate asufficient average can be derived from an agreed upon and well establishedmathematical formula among economic scholars. Extrapolating on this the research armwas able to derive at an average compounded annual growth (CAGR) rate of 11.3percent based on data collected by the firm from years past. In using a CAGR examplelet’s say a company had just $10,000 on March 1, 2009 and by March 1, 2009, thenumber grewto $13,000, then $14,000 by 2010, and finally ended up at $19,500 by2011. The company’s CAGR would be the ratio of your ending value to beginning value($19,500 / $10,000 = 1.95) raised to the power of 1/3 (since 1/# of years = 1/3), thensubtracting 1 from the resulting number: 1.95 raised to 1/3 power = 1.2493. (This could 42 | P a g e
  • 43. be written as 1.95^0.3333). 1.2493 - 1 = 0.2493 another way of writing 0.2493 is24.93% and there you would get your final CAGR figure (Value Click NA).This figure, although pro forma was quite an eye opener, noting anticipated growth forthe Cyber Security market to be $120.1 billion by 2017. This number was also derivedbased on security growth due to increased adoption of cloud computing, networks, datacenters, and wireless communication devices. Whereas, the service side is driven bythe need to service cyber security installations with security operations, managedsecurity services, and consulting services. In all participating global sovereign nations,the private sector accounted for most of the outlaid capital expenditures for CyberSecurity countermeasures. The only anomaly was the United States, where governmentexpenditures were on par along with the private sector(MarketsandMarkets 2012) .In2010 another interesting fact, which was issued by the Department of Commerce andseveral other organizations. In their report they said that even though there has beenincreased awareness in lewd of the risks of Cyber Attacks, a broad number of peoplethat contribute to the United States economy did not take advantage of availabletechnology and processes to secure their systems. Also countermeasures are notevolving as rapidly in contrast to the threats (Department of Commerce 2011).If this isthe case we can make a slight assumption that Cyber Security market penetration couldgrow even more substantially if more entities invested in the safety of their systems.However even more evident on a change in this way of thinking can be seen over thelast year whereby the initial public offerings of IT security start-ups have outperformedofferings that are not a part of this industry. Facebook is just one example. Imperva, adata security company that went public last year saw its stock price rise nearly 30 43 | P a g e
  • 44. percent on their first day of trading, and at the time if this report has it remains at 37percent above the offering price. The stock price of Splunk, a data security company,jumped nearly 65 percent from its offering in April of this year and in addition raised$331 million in a secondary offering. ―People are starting to realize that the billions ofdollars that have been invested into traditional network security are not working for themanymore,‖ said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venturecapital firm. Merger and Acquisition activity is also seeing a pickup. Applerecently hadbecome a suitor of AuthenTec, paying $356 million last month which is reported asbeing one of Apple’s largest acquisitions. These are just a few of the many deals thatare growing in number (PERLROTH and RUSLI 2012). As you can see this last study is quite telling and provides support that CyberAttacks did develop a new market and subsectors within this industry helping to garnera vast amount of money from the investment community in turn increasingorganizational revenue figures for Cyber Security firms. In addition the people andorganizations participating in the security infrastructure perform a wide array offunctions. These include education and training, research, publication, productdevelopment and marketing, network security administration, security support services,policy and standards making, law enforcement, and research funding. 44 | P a g e
  • 45. 5. Conclusion As we have seen throughout this paper and especially in looking at the dataresults incorporated in the discussion section, Cyber Attacks have cost the economiesof the world a substantial amount of money however it also helped to fuel investmentand the growth of the Cyber Security Industry at a rapid rate. It is unfortunate that thenumbers associated with both the overall negative economic impact on entities aroundthe world as well as the figures that can be derived from the Cyber Security industry inreference to growth are not absolute or rigorous enough. However unlike individualstudies we have the ability to access information from a slew of research reports to helpobtain a more accurate evaluation. As for right now, one could certainly see that thenumbers effecting costs outweigh the capital being infused into the Cyber SecurityIndustry. Subsequently this year, we did see a change in increased collaboration andawareness. Therefore it has forced organizations like the BLS to finally lay thefoundation to come up with an improved model in order to better acquire a closerestimate on the growth of the Cyber Security realm. We than hopefully can effectivelycome closer to finding out whether the Cyber Security Industry and the money that itgarners will surpass the cost figures associated with Cyber Attacks. It will be interestingto see over the next several years if the BLS will help to bring this about. One otherthing to note is that although various research coming from organizations such asSymantec are very comprehensive in nature, there is still a problem of gatheringinformation from organizations of all sizes that refuse to tell us whether they have beenbreached for fear of loss of business due to reputational consequences. When it comesto publicly traded corporations divulging such information can cause a decline in the 45 | P a g e
  • 46. market capitalization for these companies, stock price declines and unwillingness forthose to invest in companies that can be infiltrated easily. The Securities and ExchangeCommission (SEC) guidelines are beginning to have an impact on publicly traded firms.The SEC has now forced companies like Amazon, Google, Hartford Financial ServicesGroup Inc, Eastman Kodak and others to provide public information on anycompromises and costs that occur within their organizations. In an article written inBusiness Week they exclaim the SEC sent out a number of letters to public companies,asking about Cyber Security disclosures and later pushing companies to disclose.Although this is not a law as of yet it paves the way for one. The reason this is broughtup is that it will be interesting to see if such a law finally passes, requiring companies toreport this information in their financial statements perhaps we can obtain even moreaccurate figures on economic costs. Until than we have to rely on research offered bymultiple sources and take the average of all the compiled figures so we can come closerin establishing whether the costs of Cyber Attacks far outweigh the capital beingaccumulated by the Cyber Security industry or vice versa. 46 | P a g e
  • 47. 6. References1. The Bureau of Labor Statistics (2012) ―15-1122 Information Security Analysts‖ Retrieved 3 December 2012 from The Bureau of Labor Statistics http://www.bls.gov/soc/2010/soc151122.htm2. Cashell, B., Jackson,W., Jickling,M., and Webel, B. (2004). ―The Economic Impact of Cyber Attacks‖ published by Congressional Research Service, Library of Congress. Retrieved 23 November 2012 from Cisco Corporation3. Checkpoint Software (2012). Form 6K filing period 10/17/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1015922/000117891312002883/000117 8913-12-002883-index.htm4. Cohen, T. Oct 31, 2012 ―UPDATE 1-Nice raises 2012 profit forecast as Q3 beats estimates‖ published by Reuters http://www.reuters.com/article/2012/10/31/nice- results- idUSL3E8LV69Y20121031?feedType=RSS&feedName=marketsNews&rpc=435. Colman, K. (January 2011) ―THE GROWING RISK OF CYBER ATTACK AND OTHER SECURITY THREATS‖ published by The Technolytics Institute. Retrieved 1 December 2012 from HWP Insurance http://www.hwphillips.com/wp- content/uploads/2012/09/The-Growing-Risk-of-Cyber-Attack-and-Other-Security- Threats.pdf6. Cornell University Law School (1986). Fraud and related activity in connection with computers. Published by United States Congress, Retrieved 23 November 2012 from Cornell University Law School. http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000- .html7. THE DEPARTMENT OF COMMERCE INTERNET POLICY TASK FORCE (June 2011). CYBERSECURITY,INNOVATION AND THE INTERNET ECONOMY. Retrieved 1 November 2012 from The National Institute of Security Standards. http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf8. Dowdy, J. (2012).Chapter 5: The Cybersecurity Threat to U.S. Growth and Prosperity. Published by Aspen Institute bookstore and Brookings Press. Retrieved 22 November 2012 from McKinsey & Co. www.mckinsey.com9. Dunn, Myriam (2005). A COMPARATIVE ANALYSIS OF CYBERSECURITY INITIATIVES WORLDWIDE. Retrieved 6 December 2012 from International Telecommunications Union: http://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_A nalysis_Cybersecurity_Initiatives_Worldwide.pdf 47 | P a g e
  • 48. 10. Fortinet (2012). Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1262039/000126203912000051/fortinet2 012093010-q.htm11. Gartner Research (2012). Gartner Says Worldwide Security Infrastructure Market Will Grow 8.4 Percent. Retrieved 1 December 2012. http://www.gartner.com/it/page.jsp?id=215691512. Gallaher, M., Rowe,B. Rogozhin, A., Link, A. (July 2006). ECONOMIC ANALYSIS OF CYBER SECURITY. Published by Research Triangle Institute. Retrieved 23 November 2012 from Defense Technical Information Center. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA45539813. Hess, Ken (2011). Ghost in The Wires "The Keven Mitnick Interview. Retrieved 27, November 2012 from ZDNet: http://www.zdnet.com/blog/security/ghost-in- the-wires-the-kevin-mitnick-interview/935714. Hoover, N. (2012). Cyber Attacks Becoming Top Terror Threat, FBI Says Published by UBM Tech Retrieved 7 December 2012 from Information Week http://www.informationweek.com/government/security/cyber-attacks-becoming- top-terror-threat/23260004615. HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles. PALO ALTO, Calif., Oct. 8, 2012. http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html16. Info Security Magazine (September 2012) ―Cyber attacks ―one of the most serious‖ threats facing the US, says Janet Napolitano published by Reed Exhibitions Retrieved 7 December 2012 from Info Security Magazine http://www.infosecurity-magazine.com/view/28145/cyber-attacks-one-of-the- most-serious-threats-facing-the-us-says-janet-napolitano/17. Keely, David Lt. (April 13, 2011). ―CYBER ATTACK! CRIME OR ACT OF WAR?‖ United States Air Force U.S. Army War College CARLISLE BARRACKS, PENNSYLVANIA 17013.18. Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information- security-budgets-to-increase-in-2013/19. MarketsandMarkets (June 2012) Cyber-Security Market - Global Forecast & Trends (2012 - 2017) Retrieved 27, November 2012 from reportlinker. http://www.reportlinker.com/p0923304-summary/Cyber-Security-Market-Global- Forecast-Trends--by-Advanced-Technologies-Geographical-Analysis- Competitive-Landscape.html20. Martin, D. (2007) Joybubbles, 58, Peter Pan of Phone Hackers, Dies. Retrieved 1 December 2012 from The New York Times 48 | P a g e
  • 49. http://www.nytimes.com/2007/08/20/us/20engressia.html?_r=3&ref=obituaries&or ef=slogin&oref=slogin&21. National Institute of Standards and Technology (NA). The National Cyber Security Workforce Framework. Retrieved 1 December 2012 from National Institute of Standards and Technology: http://csrc.nist.gov/nice/framework/documents/national_cybersecurity_workforce_ framework_printable.pdf22. NICE Systems (2012). Form 6K filing period 12/6/2012 Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/Archives/edgar/data/1003935/000117891312003378/000117 8913-12-003378-index.htm23. Oona, H., Crootof, R., Levitz, P.,Nix, H,,Nowlan,A., Perdue, W. & Spiegal, J. (2012). The law of cyber-attack . California: California Law Review.24. PCI Security Standards Council (2012). PCI SSC Data Security Standards Overviews. Retrieved 26 November 2o12 from PCI Security Standards Council https://www.pcisecuritystandards.org/security_standards/25. PERLROTH, NICOLE and RUSLI, EVELYN M. (2012). Security Start-Ups Catch Fancy of Investors. Retrieved 1 December 2012 from The New York Times: http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups- catch-venture-capitalists-eyes.html?_r=026. Pindar, J., Rigelsford, Dr. J. (July 2011).Cyber Security and Information Assurance. Mr. Joseph Published by The University of Sheffield.27. Ponemon Institute (February 2012). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved 1 December 2012 from PR Newswire: http://www.ponemon.org/news-2/28. Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cos t_of_Cyber_Crime_Study_FINAL6%20.pdf29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysis.30. Ramirez, L. (October 2012) ―Panetta Says US Boosting Cyber Defense‖ published by Voice of America Retrieved 6 December 2012 http://www.voanews.com/content/panetta-appeals-for-stepped-up-cyber- security/1525450.html31. Richardson, R., CSI Director (2010). 2010/2011 CSI Computer Crime and Security Survey. Retrieved 27, November 2012 from The Computer Security Institute. https://cours.etsmtl.ca/log619/documents/divers/CSIsurvey2010.pdf 49 | P a g e
  • 50. 32. Rowe, B., Gallaher, M. (2006). Private Sector Cyber Security Investment Strategies: An Empirical Analysis Published by Technology Economics and Policy RTI International Retrieved 21 November 2012 from The Ninth Workshop on the Economics of Information Security http://www.weis2006.econinfosec.org/docs/18.pdf33. Securing Cyberspace: A New Domain for National Securing Cyberspace: A New Domain for National Security Nicholas Burns and Jonathon Price34. Sentementes, Gus G. (2012). Cybersecurity business, jobs expected to grow through 2016. Retrieved 5 December 2012 from The Baltimore Sun: http://www.baltimoresun.com/business/bs-bz-cybersecurity-maryland-forecast- 20121018,0,6945767.35. Sourcefire (2012) Form 10Q filing report period. Retrieved 1 December 2012 from the Securities and Exchange Commission 9/30/2012 http://www.sec.gov/Archives/edgar/data/1168195/000116819512000007/000116 8195-12-000007-index.htm36. Symantec Corporation (2012) Norton Cybercrime Report, September 2012. Retrieved 22 November 2012 from Symantec. http://www.norton.com/2012cybercrimereport37. Symantec Corp. (2012) Form 10Q filing report period 9/28/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi- bin/viewer?action=view&cik=849399&accession_number=0001193125-12- 441366&xbrl_type=v38. Value Click (Date NA) Compounded Annual Growth Definition. Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/c/cagr.asp#ixzz2FEDxVIqH39. Value Click (Date NA) GDP Definition. Published by Value Click Retrieved 1 December 2012 from Investopedia. http://www.investopedia.com/terms/g/gdp.asp#ixzz2Eark1U7v40. Verizon RISK Team(2012). 2012 Data Breach Investigations Report. Retrieved 7 December 2012 from Verizon Corporation: http://www.verizonbusiness.com/resources/reports/rp_data-breach- investigations-report-2012_en_xg.pdf41. Websense (2012) Form 10Q filing report period 9/30/2012. Retrieved 1 December 2012 from the Securities and Exchange Commission http://www.sec.gov/cgi- bin/viewer?action=view&cik=1098277&accession_number=0001098277-12- 000004&xbrl_type=v42. Weisbrod, Glen (2011). DEFINING ECONOMIC IMPACT AND BENEFIT METRICS FROM MULTIPLE PERSPECTIVES: LESSONS TO BE LEARNED 50 | P a g e
  • 51. FROM BOTH SIDES OF THE ATLANTIC. Retrieved 6 December 2012 from Economic Development Research Group, Boston, Massachusetts, USA: http://www.edrgroup.com/pdf/Weisbrod-Simmonds-ETC-Oct2011R.pdf43. Weiss, Holt, Gorham (October 2012). Security Preview: Secular Should Outpace Macro in Q3 published by Morgan Stanley Research of North America44. White, C. (2011). Data communications and computer networks ―a business users approach‖ . (6th ed., Vol. ISBN-10: 0538452617 , p. 17, 17, 297, 308 & 330). Course Technology, Cengage Learning7. List of Figuresa. Figure 1: Ponemon Institute (October 2012). 2012 Cost of Cyber Crime Study: United States Benchmark Study of U.S. Companies. Retrieved 1 December 2012 from Ponemon Institute: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2012_US_Cos t_of_Cyber_Crime_Study_FINAL6%20.pdfb. Figure 2: Baker, Hutton, Porter (Date NA). A Framework for Gathering Risk Management Information From Security Incidents. Published by Verizon Risk Management Retrieved 6 December 2012 from Security Metrics Organization http://www.securitymetrics.org/content/attach/MetriCon4.5/mm_VZ.pdfc. Figure 3: 29. Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research& Analysisd. Figure 4: Pritchard, W., CFA (March 2012). IT Security Survey Says…Network Security and Check Point Have Most Favorable Trends. Citi Investment Research & Analysise. Figure 5: Kennedy, D. (October 2012). Information Security Budgets to Increase in 2013. Published by 451 Research Retrieved 27 November 2012 from 451 research Blog http://theinfopro.blogs.451research.com/index.php/2012/10/information-security- budgets-to-increase-in-2013/ 51 | P a g e