1996 Information Systems Security Survey
Conducted by WarRoom Research, LLC
23 November 1996

Contact: Mark Gembicki, Executive Vice President, WarRoom Research, LLC.
410.437.1106 or 410.437.1110
info@warroomresearch.com

Notes:
   Sent (est.), starting 7/18/96                 500
   Received, through 10/18/96                    236   (47.2% of sent)
   Used (qualified responses)                    205   (86.9% of received)

   Questions are abbreviated; refer to the original survey questionnaire for the full questions.
   The Response column contains the actual number of organizations responding.
   The original General and Specific columns contained simple percentage calculations; in the
   tables below each percentage is calculated against the total shown at the bottom of its table
   (all 205 respondents for a general question, the number answering for a follow-up question,
   or the number of responses where more than one answer was permitted).
   'Developed response' means the row contains responses that were not on the survey form.
   'Developed table' means free-form responses were assembled into a simple table format.

I. General Information

1. Position in the organization? (n = 205)
   security/loss prevention mgmt.                102    49.8%
   executive mgmt.                                74    36.1%
   other mgmt. (specified)                        29    14.1%
   Total                                         205   100.0%

2. Security areas responsible for? (multiple answers; percentages of 795 responses)
   anti-terrorism/personnel protection             3     0.4%
   crime/loss prevention                          66     8.3%
   computer/information security                 127    16.0%
   disaster/emergency mgmt.                       57     7.2%
   facility mgmt.                                 19     2.4%
   human resources                                 0     0.0%
   investigations/auditing                        41     5.2%
   legal counsel                                   6     0.8%
   operations security                            88    11.1%
   physical security                              72     9.1%
   proprietary information                       112    14.1%
   safety                                         15     1.9%
   sales/service                                  36     4.5%
   security awareness/education                   74     9.3%
   security personnel                             48     6.0%
   strategic planning                             13     1.6%
   other (specified)                              18     2.3%
   Total responses                               795   100.0%

3. Able to respond adequately, based on understanding and insight? (n = 205)
   yes                                           205   100.0%
   no                                              0     0.0%
   Total                                         205   100.0%

   If 'yes', how much time is spent on security matters? (n = 205)
   none (developed response)                       2     1.0%
   <10%                                            7     3.4%
   10-20%                                         24    11.7%
   21-30%                                         38    18.5%
   31-50%                                         51    24.9%
   51-70%                                         46    22.4%
   71-90%                                         37    18.0%
   Total                                         205   100.0%

4. How many people supervised?

   a. Directly (n = 205)
   0                                               5     2.4%
   1-5                                            37    18.0%
   6-10                                           62    30.2%
   11-15                                          54    26.3%
   16-20                                          29    14.1%
   >20                                            18     8.8%
   Total                                         205   100.0%

   b. Indirectly (n = 205)
   0                                              21    10.2%
   1-5                                            65    31.7%
   6-10                                           39    19.0%
   11-15                                          37    18.0%
   16-20                                          26    12.7%
   >20                                            17     8.3%
   Total                                         205   100.0%

5. Type of industry?

   Primary business (n = 205)
   agriculture                                     0     0.0%
   architectural/engineering firm                  3     1.5%
   communication service                          17     8.3%
   distribution/warehousing                        2     1.0%
   educational inst.                               8     3.9%
   entertainment or sports                         2     1.0%
   environmental                                   7     3.4%
   food service                                    0     0.0%
   financial inst.                                12     5.9%
   health care                                     8     3.9%
   hotel/motel/resort                              3     1.5%
   industrial/manufacturing                       21    10.2%
   insurance                                      13     6.3%
   news media                                      2     1.0%
   oil, gas, or mining extraction                  4     2.0%
   pharmaceutical                                 17     8.3%
   public relations                                1     0.5%
   real estate                                     6     2.9%
   retail                                         15     7.3%
   R&D                                            11     5.4%
   security consulting firm                       16     7.8%
   security service, guards and a...               3     1.5%
   transportation/travel                          13     6.3%
   utilities                                       9     4.4%
   other (specified)                              12     5.9%
   Total                                         205   100.0%

   Secondary business
   * Not calculated; not as relevant.

II. Policy

6. Written policy on computer use and misuse? (n = 205)
   yes                                           171    83.4%
   no                                             34    16.6%
   Total                                         205   100.0%

7. Mandatory warning banner putting users on notice that they may be monitored online? (n = 205)
   yes                                           137    66.8%
   no                                             68    33.2%
   Total                                         205   100.0%

   a. If 'yes', has the banner ever been enforced? (n = 137)
   yes                                            51    37.2%
   no                                             86    62.8%
   Total                                         137   100.0%

8. Written policy on information use and misuse? (n = 205)
   yes                                           148    72.2%
   no                                             57    27.8%
   Total                                         205   100.0%

   If 'yes', does it include proprietary data and information classifications? (n = 148)
   yes                                            97    65.5%
   no                                             51    34.5%
   Total                                         148   100.0%

9. Written policy on communication use and misuse? (n = 205)
   yes                                           179    87.3%
   no                                             26    12.7%
   Total                                         205   100.0%

III. Intrusions

10. Would consider an outside security firm to safeguard systems and facility if [an intrusion
    was] suspected or witnessed? (n = 205)
   yes                                           194    94.6%
   no                                             11     5.4%
   Total                                         205   100.0%

   a. If 'yes', would you use a security firm or law enforcement to assist in the
      investigation? (n = 194)
   security firm                                 125    64.4%
   law enforcement                                42    21.6%
   both (developed response)                      27    13.9%
   Total                                         194   100.0%

11. Capability to detect unauthorized access to computer systems? (n = 205)
   yes                                           149    72.7%
   no                                             56    27.3%
   Total                                         205   100.0%
   * Descriptions vary -- firewall logs, physical access to network resources, etc.

12. Detected attempts from outsiders to gain computer access in the past 12 months? (n = 205)
   yes                                           119    58.0%
   no                                             25    12.2%
   don't know                                     61    29.8%
   Total                                         205   100.0%

   a. If 'yes', how many successful accesses were detected? (developed table; n = 98)
   1-10                                           41    41.8%
   11-20                                          24    24.5%
   21-30                                          16    16.3%
   31-40                                          10    10.2%
   41-50                                           5     5.1%
   >50                                             2     2.0%
   Total                                          98   100.0%

13. If intrusions by outsiders were experienced, what type of activity was performed?
    (multiple answers; percentages of 603 responses)
   manipulated data integrity                     41     6.8%
   installed a sniffer                            40     6.6%
   stole password files                           34     5.6%
   probing/scanning of system                     88    14.6%
   Trojan logons                                  35     5.8%
   IP spoofing                                    29     4.8%
   introduced virus                               64    10.6%
   denied use of services                         38     6.3%
   downloaded data                                49     8.1%
   compromised trade secrets                      59     9.8%
   stole/diverted money                            2     0.3%
   compromised e-mail/documents                   76    12.6%
   publicized intrusion                            3     0.5%
   harassed personnel                             27     4.5%
   other (specified)                              18     3.0%
   Total responses                               603   100.0%

14. How many insiders were caught misusing computer systems? (developed table; n = 205)
   unknown                                        20     9.8%
   0                                              56    27.3%
   1-5                                            24    11.7%
   6-10                                           46    22.4%
   11-15                                          32    15.6%
   16-20                                          13     6.3%
   21-25                                           9     4.4%
   >25                                             5     2.4%
   Total                                         205   100.0%

   a. If 'yes', what disciplinary action was taken? (n = 129, i.e. the respondents reporting
      at least one insider caught)
   oral admonishment                              70    54.3%
   written admonishment                           27    20.9%
   suspended                                       7     5.4%
   resigned                                        8     6.2%
   fired                                          11     8.5%
   referred to law enforcement                     2     1.6%
   out of court settlement                         0     0.0%
   no action                                       4     3.1%
   other (specified)                               0     0.0%
   Total                                         129   100.0%

IV. Damage & Reporting

15. Cost of each successful intrusion into computer systems?

   a. By insider (n = 205)
   unknown (developed response)                   26    12.7%
   $0                                              0     0.0%
   $1 - 1,000                                      0     0.0%
   $1,001 - 5,000                                  3     1.5%
   $5,001 - 10,000                                11     5.4%
   $10,001 - 50,000                               23    11.2%
   $50,001 - 200,000                              46    22.4%
   $200,001 - 500,000                             41    20.0%
   $500,001 - 1,000,000                           23    11.2%
   over $1,000,000                                32    15.6%
   Total                                         205   100.0%

   b. By outsider (n = 205)
   unknown (developed response)                   43    21.0%
   $0                                              0     0.0%
   $1 - 1,000                                      0     0.0%
   $1,001 - 5,000                                  0     0.0%
   $5,001 - 10,000                                 9     4.4%
   $10,001 - 50,000                               17     8.3%
   $50,001 - 200,000                              30    14.6%
   $200,001 - 500,000                             39    19.0%
   $500,001 - 1,000,000                           31    15.1%
   over $1,000,000                                36    17.6%
   Total                                         205   100.0%

16. How many intrusions were investigated internally? (developed table; n = 155)
   0                                              21    13.5%
   1-5                                            38    24.5%
   6-10                                           26    16.8%
   11-15                                          23    14.8%
   16-20                                          19    12.3%
   21-25                                          15     9.7%
   >25                                            13     8.4%
   Total                                         155   100.0%

   a. If 'yes', who conducted the inquiry? (n = 134)
   corporate security                             41    30.6%
   general counsel                                12     9.0%
   computer security                              22    16.4%
   systems administration                         31    23.1%
   executive mgmt.                                18    13.4%
   mid-level mgmt.                                 7     5.2%
   other (specified)                               3     2.2%
   Total                                         134   100.0%

17. How many intrusions were reported to security firms that investigated? (developed table;
    n = 42)
   1-5                                            23    54.8%
   6-10                                            9    21.4%
   11-15                                           4     9.5%
   16-20                                           4     9.5%
   >20                                             2     4.8%
   Total                                          42   100.0%

   a. Of these, how many were referred to law enforcement? (developed table; n = 4)
   1-5                                             3    75.0%
   6-10                                            1    25.0%
   Total                                           4   100.0%

   b. If not referred to law enforcement, what was the reason? (multiple answers; percentages
      of 91 responses)
   didn't get into system                          4     4.4%
   didn't want to get person in trouble            2     2.2%
   didn't know it was a crime                      1     1.1%
   didn't want law enforcement involved           13    14.3%
   would take over system, lose productivity      13    14.3%
   access to sensitive information                11    12.1%
   don't think they would be interested            0     0.0%
   don't think they would solve it                 2     2.2%
   crime would become public                      19    20.9%
   loss of client confidence                      18    19.8%
   loss of competitive status                      8     8.8%
   opted for civil remedy                          0     0.0%
   other (specified)                               0     0.0%
   Total responses                                91   100.0%

18. Under what circumstances would you be willing to report computer intrusions to law
    enforcement? (multiple answers; percentages of 484 responses)
   any time detected                              33     6.8%
   could report anonymously                      146    30.2%
   only if everyone else reported                105    21.7%
   only if mandatory by law                      181    37.4%
   other (specified)                              19     3.9%
   Total responses                               484   100.0%

V. Financial Institutions Only

19. Performing EFTs?
   * No feedback from ALL financial institutions.