The goal of NCSS is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. It is cosponsored by the Bureau of Justice Statistics and the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The RAND Corporation is the data collection agent. The NCSS collects data on
- the nature and extent of computer security incidents
- monetary costs and other consequences of these incidents
- incident details such as types of offenders and reporting to authorities
- computer security measures used by companies.
The National Computer Security Survey sample was a stratified, random sample of businesses designed to produce national and industry-level estimates. The sample was stratified by industry, risk level, and size of business. Thirty-six industries, as determined by the North American Industrial Classification System (NAICS), were within the scope of the survey. (See appendix table 1 for a complete list and definition of industries.) Risk level comprised four groups: critical infrastructure, high risk, moderate risk, and low risk. Critical infrastructure consisted of businesses operating in the industries with which the Department of Homeland Security formed Information Sharing and Analysis Centers (ISACs). Each of the remaining businesses was designated as high, moderate, or low risk depending on its industry of operation's risk of incidents, loss, and downtime. Business size was determined by the number of employees and was divided into nine size categories. The sampling frame, Dun & Bradstreet, contained records for nearly 7.3 million in-scope businesses. Businesses without employees on their payroll (such as family owned and operated businesses) were out of scope.
Sampling was done at the enterprise level, except in cases of businesses with large subsidiaries operating in different economic sectors. To preserve the ability to provide industry-level findings, these businesses were sampled at the highest level of subsidiary with distinct lines of business.
A sample of 35,596 businesses was drawn to produce national and industry-level estimates and to track changes of more than 2.5% over time. (See appendix table 2 for a summary of the sample by risk level and industry.) Businesses with more than 5,000 employees and Fortune 500 businesses were drawn with certainty to ensure the representation of all industries. Because some industries typically do not have large businesses, the largest 50 businesses were also included with certainty. Due to the particular importance of the nation's critical infrastructure, businesses in these strata were over-sampled. High risk industries such as manufacturing, retail, and wholesale were also over-sampled.
Denominators reflect the number of businesses that responded to the questions relevant to a given table. For example, in table 5 the denominator represents the number of businesses that responded to questions on networks used by the business, whether computer security incidents were detected, and networks that were affected in those incidents (if any). Unless otherwise noted, missing items or responses of "don't know" have been omitted. Totals and medians are based on positive responses and exclude zeroes.
Incident percentages are based on 7,636 businesses that had a computer and responded to at least 1 incident question; 7,626 businesses responded to at least 1 question on cyber attacks, 7,561 to at least 1 question on cyber theft, and 7,492 to at least 1 question on other computer security incidents.
For theft of intellectual property, 29% of 198 businesses provided multiple types; for personal or financial data, 60% of 235 businesses specified more than 1 type; and for other computer security incidents, 59% of 1,762 businesses identified multiple types.
Missing and excluded data
Of the 8,079 businesses providing information on whether or not they had computer systems, 14 businesses reported contradictory information. Because the responses from these 14 businesses could not be reconciled, they were excluded from all analyses.
Each table underwent a detailed disclosure analysis to ensure the confidentiality of responses given by individual businesses. As a result, some responses were excluded from totals and medians. Table 8 and appendix table 6 were affected. Six responses were excluded from the number of computer security incidents; six responses were excluded from monetary loss; and three responses were excluded from system downtime. The disclosure analysis also resulted in the suppression of values for some cells in table 10, appendix table 6, and appendix table 7.
Publications & Products
- Socio-emotional Impact of Violent Crime: Examines victims' socio-emotional problems resulting from violent crime, including moderate to severe distress, problems with family or friend relationships, or problems at work or school.
- Cybercrime against Businesses, 2005: Presents the nature and prevalence of computer security incidents among 7,818 businesses in 2005. This is the first report to provide data on monetary loss and system downtime resulting from cyber incidents. Part of the Cybercrime against Businesses Series.
- Cybercrime against Businesses: Pilot Test Results, 2001 Computer Security Survey: Describes the history, development, and implementation of the pilot Computer Security Survey conducted during the last half of 2002. Part of the Cybercrime against Businesses Series.