Handbook of Integrated Risk Management for E-Business: Measuring, Modeling, and Managing Risk

Chapter 3: Human Factors Issues In Computer and E-Business Security

Pascale Carayon, Sara Kraemer, Vicki Bier

3.1 INTRODUCTION

The 2002 "Computer Crime and Security Survey," conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI), shows that 90% of the survey respondents (mainly large companies and government agencies) detected computer security breaches within the past year. A range of attacks and abuses was detected: system penetration from the outside (40%), denial of service attacks (40%), employee abuse of Internet access (78%), and computer viruses (85%). The CSI/FBI survey is a nonscientific, informal survey, and its results should therefore not be considered representative of computer security problems. However, the survey provides an interesting snapshot of security problems experienced by companies, in particular because it emphasizes the variety as well as the diverse sources of security problems.

As shown in the 2002 CSI/FBI survey, computer system vulnerabilities and security breaches are growing rapidly, maybe faster than our ability to respond (Computer Science and Telecommunications Board National Research Council, 2002). Why is this? Schneier (2000) describes four characteristics of computer systems that make computer security challenging: (1) computer systems are complex; (2) they interact with each other, forming even larger systems; (3) the resulting systems have "emergent" properties (i.e., they do things that are not anticipated by the users or designers); and (4) they suffer from bugs and failures. These characteristics have a major impact on the security of computer systems.

To ensure the security of computer systems, three activities are necessary: prevention, detection, and reaction (Schneier, 2000). Prevention...
