How scared should you be about security statistics?

IT security pros skeptical, but do work numbers into overall plans

This is one in a collection of seven pieces on Burning Security Questions.

Did you know the number of Web sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, according to the APWG (formerly Anti-Phishing Working Group) coalition?

Or that data breach costs rose to $6.6 million per breach last year, up from $6.3 million in 2007, according to the Ponemon Institute? Or that 3% to 5% of enterprise desktops and servers, mainly Windows, are apt to be infected with botnet code, according to security firm Damballa, based on an analysis of its customers' network traffic?

News reports are filled with such disturbing statistics culled from a variety of sources, but do IT managers find themselves worrying about it all?

"We all pay a little bit of attention," says Jeff Keahey, CIO at Wardlaw Claims, the Waco, Texas, property and auto claims insurance adjuster. "But we try to evaluate their bias."

In general, it usually looks like someone is trying very hard to "get you to lean toward a certain product" and "a lot of statistics come with an advertisement in tow," he notes.

Though he does take it all with a grain of salt, Keahey says he may look at security statistics as a general guideline about trends, and they may have some influence in deciding directions to take in countering threats.

One vendor, Cloudmark, which makes e-mail security products, discounts the importance of security statistics that pop up in media reports.

"An organization should be focused far more on their own internal metrics for determining their security posture, rather than on outside statistics," says Adam O'Donnell, director of emerging technologies at Cloudmark.

However, Unisys, a systems integrator, begs to differ.

Unisys over the last two years has undertaken a semi-annual survey of about 14,000 individuals in 13 countries around the world, asking them eight questions about their perception of personal, financial and national safety online.

For businesses concerned about what consumers are thinking, the results are one factor to consider, Unisys contends, pointing to the value of statistics.

"It's fascinating to see how different the results are by country and demographics," says Tim Kelleher, vice president and general manager of managed security services at Unisys. "The world isn't homogenous. In France, no one is very worried about this stuff at all. But in Brazil and some of the Asian countries, people are feeling very insecure online. The U.S. is sort of in the middle."

In general, Kelleher thinks statistical trends are more significant than the numbers bandied about at the moment.
