Problem of Ascertainment

Difficulties obtaining accurate information. Applies to surveys distributed to system administrators inquiring about the suspected identity of crack attackers, the methods they employed, the frequency of system intrusions, the systems affected, and the dollar amount lost as a result of the intrusions. These vital pieces of information, though often difficult to get from companies because they fear misuse of such information by competitors, are used as a basis for determining a given organization’s system risk management strategies. When system administrators try to project the right level of investment in computer security that their company should make, they tend to compare their company’s risk level of “crack attack,” or intrusion, by assessing the reports of organizations having similar computer systems and business characteristics.

Because of the problem of ascertainment, precautions should be taken in interpreting such data. First, one needs to accept that it is impossible for survey respondents to give completely reliable answers to such security breach questions. One reason is that an unknown number of crimes go undetected and therefore cannot be reported. Another reason is that even when the crack attacks are detected, few of these incidents are actually reported to authorities. For example, according to the CSI/FBI 2003 Survey, the number of reported incidents is only about 30%. In fact, a commonly held view in the information security community is that only about one-tenth of all cyber crimes are detected.

See Also: CSI/FBI Survey; Intrusion Detection System (IDS).