acm-header
Sign In

Communications of the ACM

Home/Magazine Archive/March 2013 (Vol. 56, No. 3)/Cybercrime: It's Serious, But Exactly How Serious?/Abstract
News

Cybercrime: It's Serious, But Exactly How Serious?

By Paul Hyman
Communications of the ACM, March 2013, Vol. 56 No. 3, Pages 18-20
10.1145/2428556.2428563
Comments (1)
View as: Print Mobile App ACM Digital Library In the Digital Edition Share:
U.S. $100 bills

Credit: Vladimir Zhuravlev ?/ Shutterstock.com

Symantec says $110 billion annually while McAfee says $1 trillion. Why can't anyone agree?

The full text of this article is premium content

Comments

CACM Administrator
March 17, 2014 03:49

The following letter was published in the Letters to the Editor in the May 2013 CACM (http://cacm.acm.org/magazines/2013/5/163765).
--CACM Administrator

Paul Hyman's complaint about the lack of adequate reporting of cybercrime statistics was well justified in his news story "Cybercrime: It's Serious, But Exactly How Serious?" (Mar. 2013). All we have, he acknowledged, are lower-bound data, writing, "This much but how much more is there?" Information security is open-ended, with real but unreported losses, vulnerabilities, and threats.

Trade and professional journals tell us how to achieve security solutions, but such advice is not supported by experience because experience itself must be kept confidential. The confidentiality needed to achieve security of security greatly inhibits valid research and adequate preparation. I have for 40 years advised victim enterprises to carefully evaluate the pros and cons of publicly reporting specifics of their security experience, as revealing them would be a violation of the very concept of security; they could lose more from reporting than from keeping the information confidential. Yet they have a moral, social, and possibly legal obligation to publicly report it. An SEC advisory letter to public corporations (SEC Disclosure Guidance: Topic No. 2, Oct. 13, 2011, http://www.sec.gov/divisions/corp-fin/guidance/cfguidance-topic2.htm) requires publicly reporting cybersecurity risks to shareholders but also advised not to reveal information helpful to potential adversaries. How can they carry out such a contradictory dual mandate?

Security-information-sharing organizations (such as Infraguard, http://www.infraguard.net) in cooperation with the FBI and the inter-industry Information Sharing and Analysis Centers (http://www.isaccouncil.org) are helpful to a point. I suggest also using what I call the "old boys network" of informally sharing the most sensitive security information by developing mutual trust with fellow security practitioners in other enterprises, as has been the practice for a long time in industrial security.

Donn B. Parker
Los Altos, CA

Displaying 1 comment

Log in to Read the Full Article

Sign In

Sign in using your ACM Web Account username and password to access premium content if you are an ACM member, Communications subscriber or Digital Library subscriber.

Need Access?

Please select one of the options below for access to premium content and features.

Create a Web Account

If you are already an ACM member, Communications subscriber, or Digital Library subscriber, please set up a web account to access premium content on this site.

Join the ACM

Become a member to take full advantage of ACM's outstanding computing information resources, networking opportunities, and other benefits.
  

Subscribe to Communications of the ACM Magazine

Get full access to 50+ years of CACM content and receive the print version of the magazine monthly.

Purchase the Article

Non-members can purchase this article or a copy of the magazine in which it appears.
Sign In for Full Access
» Forgot Password? » Create an ACM Web Account