C.1. 2004 CSI/FBI Computer Crime and Security Survey

Annually, the Computer Security Institute (CSI) and the FBI release the results of a survey they perform on the prevalence and character of computer crime. The 2004 survey data was gathered voluntarily from over 486 participants in the United States of America, covering business, government, educational, and medical facilities. Some respondents have only a few employees, while others have tens of thousands. The survey queries the respondents on many issues concerning computer security and cybercrime, of which DDoS is only one. Responses are voluntary, and not all responders answer all questions. Based on these facts about the source of the data, an important caveat for the following discussion is that there is no evidence to show that the respondents were representative of the kinds of Internet sites that suffer DDoS attacks most frequently, or of those that see the most powerful DDoS attacks.

One element of the survey is a question about the kinds of attacks that the institution has observed being perpetrated on its computers. DDoS attacks are one of the classes of attacks in the survey. Page 9 of this report contains a chart describing this data. Table C.1 extracts information from this chart describing the percentage of respondents who were targeted by a DDoS attack for the last five years.

Although this data shows that DDoS incidence has declined from the previous years, a significant percentage of all respondents (17%) suffered at least one DDoS attack in the past year. In some other cases, the respondent might not have recognized that an attack took place, though generally the participating institutions are both technically adept and aware of the nature and characteristics of different kinds of attacks, so they are likely to have noticed all but the most trivial attacks.

One further table from this report offers more depressing news. Each respondent provided an estimate of the loss suffered due to various forms of attacks on his institution over the course of the year. The report adds up the costs for each attack type over all institutions. The total reported cost of DDoS attacks by reporting institutions (total 269) was $26,064,050. DoS was the most costly kind of cyberattack this year, followed by theft of proprietary information, which was responsible for the loss of $11,460,000, less than half of the DDoS-inflicted loss.

Table C.1. Percentage of CSI/FBI cybersecurity survey responders who observed a DDoS attack during 1999-2004

Year    Percentage of Respondents Observing DDoS Attack
2000    27
2001    36
2002    40
2003    38
2004    17


This data shows that the potential cost of being unable to handle a DDoS attack is quite high, suggesting the value of taking the steps to protect your network that were outlined in Chapter 6.

The annual CSI/FBI Computer Crime and Security Survey can be obtained from the Computer Security Institute's Web site, http://www.gocsi.org/.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126