2007 CSI Computer Crime Survey

The 2007 CSI Computer Crime Survey is available for public consumption. Further, an Oct 9, 2007 Webcast is available for viewing.
Points of interest in this year's survey:
1. The gradual decline of reported incidents (page 14). All of the usual threat metrics are either trending downward or holding stable (virus attacks, phishing, IM abuse, telecom fraud, etc.). The one category of reported incidents that rose this year, and rose sharply, is insider (employee) abuse of Internet access.
2. The fact that 74 percent of respondents spent only 0-5% of their annual IT budgets on IT security this last year (page 8). This number is surprising to me. It suggests that the security problem has either become a non-issue or has dropped far down the priority list. If the metrics are any indicator, it would seem that, in terms of reported incidents, technical vulnerabilities are being contained in corporate America better than ever before, and that this places less emphasis on the security function. Good news for consumers and businesses; bad news for information security consultants and technology professionals. Automation and better-designed products and services are fixing the glaring problems.
3. The effects of SOX on IT security (page 26). This was actually spotted by one of my students - credit where credit is due. The survey would suggest that many respondents do not feel that increased IT governance has improved the IT security problem, nor do they feel that the emphasis has moved away from security toward governance. So the transparency offered by SOX and better IT governance isn't making much of a difference in information security for the bulk of respondents? Eh? That seems contradictory to an academic, but maybe the techheads in the field feel that the frontline battles are still fought tooth and nail and have nothing to do with better oversight or management. This one is a little hard to read and is counter-intuitive, but it is interesting nonetheless.