Evaluating applied information security measures - an analysis of the data from the Norwegian Computer Crime Survey 2006

FFI-Report 2007

About the publication

ISBN

9788246412825

Size

481.4 KB

Language

English

Janne Merete Hagen
The author was engaged in the work with the Norwegian Computer Crime Survey from January 2006 and participated in the design of the survey and the subsequent data analysis. The report gives a brief overview of the work.

How vulnerable are Norwegian enterprises to outages in Internet services, and how serious are the consequences of the reported computer crime incidents? The analysis confirms that Norwegian enterprises strongly depend on IT and the Internet, but when they experience computer crime the respondents report the real consequences to be small or hardly notable. This result is in line with the marginal reporting of incidents to the police and the reported low/minor losses.

Which security measures have Norwegian enterprises implemented to mitigate computer crime, and how does this practice correspond with good security principles? Taxonomies based on good security principles have been developed to answer this question. The survey addresses many security measures, and it is worth noting two important tendencies: first, the use of mature preventive measures is more widespread than the use of measures intended to detect and react if incidents occur; second, when IT operations are outsourced, liability and sanctions are rarely included in outsourcing contracts. These findings can also be connected with the low percentage of enterprises that have routines for calculating the economic losses of computer crime. Moreover, a few organizational measures are examined in the survey. These measures are less used than preventive security technologies. User education and exercises are rarely used. Compared with good security principles, the results reveal several holes in enterprises’ security strategies, particularly behind the perimeter security.

Do enterprises that have implemented many security measures report fewer incidents and fewer losses, or higher financial returns, compared with those that have invested less in security measures? The answer to the first part of the question is clearly “no”. Correlation analysis shows that those that have implemented more security measures more often report some kinds of security incidents, in contrast to those that have not implemented measures. Also, the analysis shows a statistically significant but weak (low absolute value) correlation between security measures and return of investment. One explanation may be that return of investment is due to management factors rather than security. Security is a bi-factor input. Correlation analysis of security measures and economic losses reveals no significant relationships.

What are the strengths and weaknesses of the Norwegian Computer Crime Survey Questionnaire 2006 and process, and how could the survey become a security measurement tool for the government? A SWOT analysis shows that the survey can come to hold a significant position, since statistics on computer crime are lacking. This requires, however, an analytical framework and an improvement of the quality of the survey questions.
