16.2. CONSTANT RISKS

As I mentioned in the introduction, terrorism has redefined the way most of us view risk. We must never forget what happened on September 11, 2001, and we must implement controls that help our organizations and our government prevent such atrocities from happening again.

But we must not forget the traditional weaknesses and challenges that we face on a daily basis. In its widely quoted but nonscientific 2002 Computer Crime and Security Survey of practitioners at U.S. corporations, government agencies, financial institutions, and universities, the Computer Security Institute (CSI) found that 223 of the 503 respondents were willing and able to quantify their computer crime losses, which together totaled $456 million. The actual loss figure within the United States is almost certainly far larger, since most organizations are reluctant to share loss information and fewer than half of the respondents quantified their losses at all. The largest loss categories cited by CSI were theft of proprietary information ($171 million), financial fraud ($116 million), insider abuse of Internet access ($50 million), and viruses ($50 million).

While the CSI survey counts only insider abuse of Internet access, insider abuse is a far broader problem. There have been many incidents of insiders causing enormous harm, some even jeopardizing the security of the United States. The following cases are just a sampling of the many documented cases of insider abuse.

  • Robert Hanssen, an FBI agent with a high security clearance, was one of the ...
