Home | | Information Management | Are the Data Representative?

Chapter: Security in Computing : The Economics of Cybersecurity

Are the Data Representative?

How representative are these data? Pfleeger et al. have evaluated the available data, which collectively paint a mixed picture of the security landscape.

Are the Data Representative?

 

How representative are these data? Pfleeger et al. have evaluated the available data, which collectively paint a mixed picture of the security landscape.

 

Classification of Attack Types

 

Understandably, the surveys measure different things. One would hope to be able to extract similar data items from several surveys, but unfortunately that is not often the case.

 

 

For example, the Australian Computer Crime and Security Survey reported a decrease in attacks of all types, but 43 percent of CSI member organizations reported increases from 2003 to 2004. The Deloitte survey found the rate of breaches to have been the same for several years. The variation may derive from the differences in the populations surveyed: different countries, sectors, and degrees of sophistication about security matters.

 

Types of Respondents

 

Most of these surveys are convenience surveys, meaning that the respondents are self-selected and do not form a representative sample of a larger population. For convenience surveys, it is usually difficult or impossible to determine which population the results represent, making it difficult to generalize the findings. For example, how can we tell if the CSI/FBI survey respondents represent the more general population of security practitioners or users? Similarly, if, in a given survey, 500 respondents reported having experienced attacks, what does that tell us? If the 500 respondents represent 73 percent of all those who completed the survey, does the result mean that 73 percent of companies can expect to be attacked in the future? Or, since completing the questionnaire is voluntary, can we conclude only that respondents in the attacked 500 sites were more likely to respond than the thousands of others who might not have been attacked? When done properly, good surveys sample from the population so that not only can results be generalized to the larger group but also the results can be compared from year to year (because the sample represents the same population).

 

Comparability of Categories

 

There are no standards in defining, tracking, and reporting security incidents and attacks. For example, information is solicited about

 

"electronic attacks" (Australian Computer Crime and Security Survey)

 

"total number of electronic crimes or network, system, or data intrusions" and "unauthorized use of computer systems" (CSI/FBI)

 

"security incidents," "accidental security incidents," "malicious security incidents," and "serious security incidents" (Information Security Breaches Survey)

 

"any form of security breach" (Deloitte Global Security Survey)

 

"incidents that resulted in an unexpected or unscheduled outage of critical business systems" (Ernst and Young Global Information Security Survey)

 

Indeed, it is difficult to find two surveys whose results are strictly comparable. Not only are the data characterized differently, but the answers to many questions are based on opinion, interpretation, or perception, not on consistent capture and analysis of solid data.

 

Study Material, Lecturing Notes, Assignment, Reference, Wiki description explanation, brief detail
Security in Computing : The Economics of Cybersecurity : Are the Data Representative? |


Privacy Policy, Terms and Conditions, DMCA Policy and Compliant

Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.