Trust is essential for many economic activities in the digital age, for instance in digital signatures, remote contracts, e-cash and e-commerce. Sufficiently high levels of trust (among citizens and companies) are needed to profit from the economic advantages (improved efficiency, higher volumes, more customers) of such new techniques.
Trust is most hampered by security holes in ICT systems (which often receive ample attention in the press). It is precisely to the prevention and detection of such security holes that the research proposed in SENTINELS aims to contribute. High-quality security research, and the products resulting from it, will give the Netherlands a strong position not only in the international knowledge economy but also in international trade.
The economic importance of secure computers and networks is tremendous, since most organizations are victims of attacks. The costs are difficult to estimate, as organizations are reluctant to disclose how much damage is done by inadequate security. The following four sections report the available statistics.
The Deloitte, Touche & Tohmatsu 2003 Global Security Survey among 80 senior IT executives representing global companies with a combined annual turnover of over 200 B$ reported that:
nearly 40% of respondents experienced a security breach during the past year, and more attacks came from external than from internal sources;
fragmented security products contributed to the lack of unified security programs;
within the next 18 months most companies will have strong authentication in place: 45% will start deploying PKI, 42% smart cards and 18% biometrics.
It can be concluded that the economic value of integrated security is significant, and that research in this area is badly needed. Furthermore, the research proposed by SENTINELS into smart cards and biometrics is particularly timely and topical.
The Ernst & Young 2003 Global Information Security Survey among 1400 companies from 66 countries reported that ``a holistic approach is needed'' [15]:
Senior management and boards of directors are under greater scrutiny for risk management oversight. Yet, the overall responses we gathered in this year's survey seem to suggest that many organizations are continuing to take a piecemeal approach to information security. As we saw in the survey, most organizations continue to have major gaps in risk coverage, while the impact of information security failures on market value has grown exponentially.
Information security, availability and confidentiality only address some of the components of an organization's digital risk. Therefore, we are moving beyond the concept of just information security. For organizations to successfully manage their digital risk in the future, they need to develop an enterprise-wide Digital Risk Framework.
Again this points to the need for an integrated approach to security, such as that advocated by SENTINELS in its quest for a secure systems engineering discipline.
In the U.S., the Computer Security Institute and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad conducted their eighth annual Computer Crime and Security Survey [22]. This survey is based on the responses of 530 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Fifty-six percent of respondents reported unauthorized use. The total annual losses reported were 202 M$ (in the 2002 survey this was 455 M$). The authors do not explain the difference, but note that it is important to remember that this figure is simply the total of the losses reported by a specific number of organizations (251 of them) and is not any kind of more broadly extrapolated total.
Other key findings are that theft of proprietary information caused the greatest financial loss (70 M$ was lost, with the average reported loss being approximately 2.7 M$) and that the second most expensive computer crime was denial of service, with a cost of 66 M$. Virus incidents (82%) and insider abuse of network access (80%) were the most cited forms of attack or abuse.
Economic importance in the Netherlands
The research described in this proposal is very important for Dutch industry. This can be seen from the letters of intent written by major companies that are appended to the end of this proposal (see appendix -).
A survey [9] held by the Free University and KPMG EDP auditors in 1997 among 878 organizations in the Netherlands that use the Internet revealed results similar to those discussed in the previous section (and with better accuracy: the Dutch study had a response rate of 17%, the US study only 9%). Over 45% of Dutch organizations are under attack from unauthorized access, malicious code, Word viruses, etc. While a number of standard measures, such as timely installation of security fixes and proper configuration and maintenance of firewalls, could have prevented some attacks, the sheer complexity of systems makes it hard to achieve a satisfactory level of overall security. Again this emphasizes the need for the development of the discipline of secure systems engineering.
On Saturday July 26, 2003, the Dutch newspaper de Volkskrant published an article called ``Het verborgen prijskaartje van Internet'' (``The hidden price tag of the Internet''). Among other things, this article reports on an ``investor'' who claimed (in a chat room) that important things were about to happen at a certain company. In doing so, he was able to influence the share price of this company considerably (and to make huge profits himself).
A U.S. company called comScore Media Metrix found that for every dollar spent on the Internet in the U.S., almost one dollar is spent illegally. Numbers for the Netherlands are not easily available because there is no registration of fraud and theft. De Volkskrant cites a report by Ernst & Young from July 2003 stating that half of the companies in the Netherlands had cases of cybercrime. Of the companies with more than 500 employees, about 61% complained about hackers and viruses. Only one-fifth reported this, which is nevertheless a large increase, because previously companies preferred not to report such incidents.
A report by KPMG, published in April 2003, concluded that approximately 1.2 B had been spent on repairing security incidents; the authors admit that this number is only an estimate, since about 23% of the respondents did not know the costs of repair.
Spam is also causing substantial losses. Internet provider Xs4all employs five people full-time on anti-spam measures, which amounts to a total of 0.5 M per year.
Serious ICT security incidents are not only increasing in number, but attack methods are also becoming more sophisticated and the impact of security incidents more significant. For example, the Monitor Internetbeveiliging 2003 [28] showed that 17% of respondents had to cope with one or two serious security incidents in 2002. According to the PwC Global Economic Crime Survey 2003 [20], financial institutions suffer most from attacks on their ICT infrastructure, followed closely by telecommunications and IT companies.
The financial impact of ICT security incidents is significant but very difficult to quantify: the Monitor Internetbeveiliging 2003 estimates the financial impact of security incidents on Dutch companies and institutions at more than 1 B per annum. The cost of a single security incident is usually between 5 and 50 K, but can be as high as 500 K. 47% of the respondents say that non-availability of the Internet connection results in a direct loss of productivity.
Most other ICT security surveys show similar figures, but the problem is that these figures are reported by the respondents themselves and are therefore not reliable. Respondents are mostly unwilling to admit that they have been hit hard, and therefore downplay the seriousness of the attacks they suffered. For example, the Monitor Internetbeveiliging 2003 showed that 9% of respondents know how many security incidents took place but are not willing to disclose this figure.
As a result, despite the many (self-reported) ICT security surveys performed every year, few studies exist that satisfactorily quantify the economic impact of ICT security events on the breached companies. Ernst & Young has performed one of the few independent quantitative studies of security events that occurred in recent years [16]. They conclude that security events can cost companies between 17 and 28 M$ per incident for the average publicly listed company. This is an order of magnitude greater than indicated by most ICT security surveys.
Disclosed ICT security incidents are only the tip of the iceberg, since many security incidents are never observed and/or reported. For example, the Monitor Internetbeveiliging 2003 showed that more than 33% of respondents do not know whether or not all security incidents have been observed/reported. Also, most observed and reported security incidents are not disclosed. Further evidence from the UK, the DTI/PwC Information Security Breaches Survey 2002 [31], showed that while 63% of the respondents believe it is important to report attacks to the police and/or regulators, most respondents do not, in order to avoid bad press and/or attention from the regulators. It is also well known that financial institutions are a top target for attacks by hackers, but most of them do not disclose security incidents.
The (perceived) lack of security for electronic transactions is a hindrance to the widespread acceptance of electronic business. For example, a NOP/Mintel survey (Branding - UK - February 2002) in the UK showed that 31% of respondents (retail customers) said they would worry about using the Internet for financial services because of security.
Security is often viewed purely as a cost factor, in the sense that better security should reduce the number of security incidents and consequently the damages. Of course, security is not free, and therefore costs and benefits must be balanced. However, security can also be an important enabler for new business. Two examples follow.
First, if the Internet had been designed with security firmly in focus, then micro-payment would not have been the problem it is now. Pay-per-click is virtually impossible to retrofit effectively onto the current Internet, since the necessary transaction steps alone cost more than what could reasonably be charged for a click. Pay-per-click may open up numerous new business opportunities for small payments on a huge scale.
Second, worldwide one in every three music CDs is pirated. The IFPI estimates that the costs exceed 4.6 B$ each year (see http://www.ifpi.org/sitecontent/press/20030710.html). Also, of the total cost of a music CD (on average 15 $ in the US), 9 $ is spent on production, casing and transport [29]. With a secure Internet-based music delivery system, more than half the cost of a CD could be saved and, additionally, the pirates would be put out of business. Other content (film, software, education) could use the same technology. A consortium consisting of the three Dutch technical universities, the Free University and Philips Research is already working on this technology.
Security as an enabler of new business could provide a very significant boost to the world economy; with SENTINELS we position the Netherlands among the frontrunners.
This section lists some recent security-related headlines from Dutch newspapers. This is just a very crude selection indicating the importance of good security.
August 14, 2003, NRC: ``Gates zei het al: virus is kat-en-muisspel'' (``Gates already said it: viruses are a cat-and-mouse game'').
July 26, 2003, de Volkskrant: ``Het verborgen prijskaartje van Internet'' (``The hidden price tag of the Internet'').
July 24, 2003, de Volkskrant: ``Spanje vist 4000 `muziekdieven' op'' (``Spain picks up 4000 `music thieves' '').
July 22, 2003, de Volkskrant: ``Ruim 900 `dieven' in het vizier van muziekindustrie'' (``Over 900 `thieves' in the sights of the music industry'').
June 25, 2003, NRC: ``Paus heeft last van hackers'' (``Pope troubled by hackers'').
June 7, 2003, de Volkskrant: ``Computervirus neemt banken op de korrel'' (``Computer virus takes aim at banks'').
May 19, 2003, NRC: ``Veilig en democratisch'' (``Secure and democratic'').
April 10, 2003, de Volkskrant: ``Opnieuw poging tot incassofraude'' (``Another attempt at direct-debit fraud'').
February 24, 2003, NRC: ``Onveilig bankieren'' (``Unsafe banking'').
February 11, 2003, NRC: ``Centrum EU voor veilig Internet'' (``EU centre for a secure Internet'').
October 29, 2002, de Volkskrant: ``Bankieren via Internet is niet goed beveiligd'' (``Banking via the Internet is not well secured'').
August 22, 2002, de Volkskrant: ``Providers gaan justitie handje helpen'' (``Providers to lend the justice authorities a hand'').
February 7, 2003, NRC: ``Virtuele wereld eist zelfde veiligheid als echte wereld'' (``Virtual world demands the same security as the real world'').