Computer Crime Research Center


2004 CSI/FBI Computer Crime and Security Survey

Date: June 11, 2004
Source: Source: Computer Security Institute

Press Release

SAN FRANCISCO, June 10 /PRNewswire-FirstCall/ -- The Computer Security Institute (CSI) announced today the results of its ninth annual Computer Crime and Security Survey. The Computer Crime and Security Survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. The survey is available for free download from the Institute's Web site at
Highlights of the 2004 Computer Crime and Security Survey include the following:

-- Overall financial losses totaled from 494 survey respondents were
$141,496,560. This is down significantly from 530 respondents reporting
$201,797,340 last year.
-- In a shift from previous years, the most expensive computer crime was
denial of service. Theft of intellectual property, the prior leading
category, was the second most expensive last year.
-- Organizations are using metrics from economics to evaluate their
security decisions. Fifty-five percent use Return on Investment (ROI),
28 percent use Internal Rate of Return (IRR), and 25 percent use Net
Present Value (NPV).
-- The vast majority of organizations in the survey do not outsource
computer security activities. Among those organizations that do
outsource some computer security activities, the percentage of security
activities outsourced is quite low.

Based on responses from 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2004 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches is real. Chris Keating, CSI Director, believes that the Computer Crime and Security Survey, now in its ninth year, suggests that organizations that raise their level of security awareness have reason to hope for measurable returns on their investments.

"Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security. Their average dollar losses per year have dropped in each survey for four straight years. Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage. We don't believe that all organizations maintain the same defenses as our members -- financial damages for less protected organizations are almost certainly worse. And hackers won't become complacent anytime soon -- new attacks are devised every day. So we still have our work cut out for us. The message here is that it makes sense to continue our focus on adherence to sound practices, deployment of sophisticated technologies, and adequate staffing and training."

New to the survey this year was CSI's collaboration with an academic team from the Robert H. Smith School of Business at the University of Maryland. The three-person team, led by Lawrence A. Gordon, Ernst &Young Alumni Professor of Managerial Accounting and Information Assurance, specializes in research on the economics of information security. CSI Director Keating says bringing academics into the survey process improved both the survey itself and the subsequent analysis of the results.

Computer Security Institute (CSI) is the world's premier membership association and education provider serving the information security community. For over 31 years CSI has helped thousands of security professionals protect their organizations' valuable information assets through conferences, seminars, publications and membership benefits.

The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established Regional Computer Intrusion Squads located in selected offices throughout the United States. The mission of Regional Computer Intrusion Squads is to investigate violations of Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes. Additionally, the FBI sponsors InfraGard, an information sharing and analysis effort between the FBI and the private sector. InfraGard is designed to assist in protecting the infrastructure of the United States. To learn more about InfraGard, your local chapter and how you can become a member, please go to

Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107. Telephone: 415-947-6320, Fax: 415-947-6023, email [email protected]

For complete survey, go to

CONTACT: Robert Richardson, +1-610-604-4604, or [email protected], for Computer Security Institute.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo