Regulatory Resource / Metrics
Sarbanes-Oxley Budget Allocation
A Robert Frances Group survey in June 2003 indicated that more than 95 percent of the budget for SOX implementation came from outside the IT department.
Sarbox's Toll
Sarbanes-Oxley is having an inherent impact on organizations' information security, but it is doing little to raise awareness of information security throughout the organization.
Threat Intelligence / Metrics
Web Application Vulnerabilities
In the second half of 2007, 58% of all vulnerabilities affected Web applications. This is less than the 61% in the first half of 2007. This drop in the proportion of Web application vulnerabilities is a continuing trend. From an attacker's standpoint, rather than try to compromise numerous smaller sites, it is better to compromise a specific popular site with a single vulnerability, as this increases the chances of compromising a larger number of hosts.
Losing Money
For IT under attack, the greatest loss of dollars is felt in an attack by a virus.
Security Technologies
With all the security technologies available to them, CIOs deploy a combination, though almost all include antivirus software in the mix.
Security Check
A survey found that 82 percent of respondents indicated that their organizations conduct security audits.
Outsourcing Security
Outsourcing computer security work is not as common as one might suppose. Only 7 percent of respondents indicated that their organizations outsource more than 20 percent of the security function.
Spending on Security
Information security managers have become increasingly aware that the financial aspects of information security management demand an increasing portion of their time and effort. In a survey, 46 percent of respondents indicated that their organization allocated between 1 percent and 5 percent of the total IT budget to security.
Cybercrime Insurance
Fewer than 30 percent of private and public sector respondents in a survey indicated that their organizations used external insurance to help manage cybersecurity risks. "It's still early days," concluded the report.
Web Application Vulnerabilities
In the first half of 2007, 61% of all vulnerabilities affected Web applications. This is a drop from the 66% reported in the second half of 2006, and a further decrease from the 69% of all vulnerabilities that affected Web applications in the first half of 2006.
Patched Operating System Vulnerability by Type
Of the 59 patched vulnerabilities that affected Apple Mac OS X in the first half of 2007, eight affected browsers, 21 were client-side vulnerabilities, 17 were local, 11 affected servers and two vulnerabilities did not fit into any of these categories. There were 30 patched vulnerabilities disclosed during this period that affected HP-UX. Of these, 13 affected browsers, three were client-side, three were local, nine affected servers and two could not be categorized.
Chatting into the Network
Intruders penetrate various domains by various means. This chart indicates intrusions via Internet Relay Chat (IRC) by domain.
Vulnerability Trends
The number of total vulnerabilities reported peaked in 2002 at 4,129, but has not fallen to its 2000 low of 1,090.
Information Sharing
More companies do not participate in information sharing organizations.
Intrusion Response
The most common response to an intrusion is patching.
Resilient IT / Metrics
Security Defense Tools
In a survey, almost all respondents were found to use firewalls and antivirus software to secure enterprise systems. Fewer used intrusion detection, encrypted files, and biometrics to keep attackers and other threats at bay.
Computer Security Expenditure by Employee
In a recent study, the Computer Security Institute and the FBI found that the transportation industry invested the highest number of dollars per employee in IT in 2004.
The Cost of Clean-up
Increasing attacks are ratcheting up costs 12-fold. In fact, the cost for just the month of August in 2003 was nearly equal to the amount spent on clean-up in all of 2002.
Boardroom Strategies / Metrics
Measuring IT Value
Managers responsible for computer security are increasingly required to justify their budget requests in purely economic terms. A survey of IT executives found that 55 percent of respondents indicate their organizations use ROI as a metric, 28 percent use IRR, and 25 percent use NPV.
Keeping Costs in Line
One measure of security is the amount spent per employee. This chart shows companies err on the lower side.