10.07.2015 Views

2010/2011 Computer Crime and Security Survey - Gatton College ...


2010 / 2011 CSI Computer Crime and Security Survey

About the Respondents

As always, we note at the outset that this is an informal survey. All surveys of this sort have certain biases in their results. No exception here.

The survey was sent to 5412 security practitioners by post and by email, with a total of 351 surveys returned, yielding a 6.4 percent response rate. Assuming that the pool was properly representative of the larger pool of information security professionals and that those returning the form were in turn a random selection of the group, the number of returns would give us 95% confidence in our results with an approximately 5.25% margin of error. In other words, if we could magically find the right answer, then in 19 out of 20 cases it would be within 5.25 percent (either higher or lower) of the number you’ll find here in the survey.

It’s not quite that simple, of course. Remember that we began by assuming that the pool was representative and that the respondents were randomly chosen. Reality is seldom quite so well organized.

First and foremost, there is surely a skew among respondents towards individuals and organizations that have actively demonstrated an interest in security. This isn’t a random sample of all the people in the country who are ostensibly responsible for the security of their networks. It’s a sample of those with sufficient interest in security to be CSI members or to have attended a CSI paid event. CSI caters to security professionals on the front lines, so it goes without saying that the respondents to this survey come from a community that is actively working to improve security. This pool, in short, doesn’t stand in for the organizations in the United States that are simply not paying attention to security (and there are, unfortunately, all too many such organizations).

Second, respondents fill out the questionnaire voluntarily, without any help from us. So one must reckon with the possibility that the respondents are self-selected based on some salient quality. For example, are they more likely to respond to the survey if they have more data or more accurate data at hand; and if so, is that indicative of a better overall security program? Are they more likely to respond if they have or have not experienced a significant security incident?

All responses are submitted anonymously, which is done to encourage candor, but which also means that it is impossible to directly chase after those who have self-selected not to fill out the form. This anonymity furthermore introduces a limitation in comparing data year over year, because of the possibility that entirely different people are responding to the questions each time they are posed.

All these caveats notwithstanding, it seems reasonable to assume that these results do represent a view of what engaged security professionals are seeing in the field. And while there are certainly limits to what should be assumed from longitudinal comparisons of the annual
