The 70 Percenter Hall of Shame


Dedicated to exposing journalists, trade mag hacks, marketeers, and other scumbags who don't check their "facts" 

70 Percenters EXPOSED

July 18, 2008 - Calum Macleod, ITWORLD

July 16th, 2008 - Deb Perelman, ZDnet blogger



 

The Big Lie

"The FBI estimates that about 70 percent of all computer security breaches are perpetrated by insiders."

For over five years this lie, and variations on the same theme, have been spreading through the Internet and the industry press.

Year after year, journalists, security marketers, bloggers, and other media types continue to publish this nonsense as though it were the Gospel Truth, when the truth is that the FBI has never published any survey, study, or statistical analysis that supports this claim.

The 2003 CSI/FBI Computer Crime and Security Survey

Where did this nonsense come from?

For eleven years, the Computer Security Institute, in partnership with the FBI, published an annual security survey titled the "CSI/FBI Computer Crime and Security Survey". The cover of the 2003 edition is shown at right.

In 2007 the FBI dropped out of this partnership and the publication has since been known as the "CSI Computer Crime and Security Survey". Why the FBI chose to dissociate itself from the Computer Security Institute has never been completely explained. Perhaps the reason has something to do with the total lack of understanding the survey has generated over the years.

On page 9 of the 2003 survey was a chart labeled "Likely Sources of Attack". This chart is shown in black & white on the right.

The chart shows that, in 2003, 77% of the survey's respondents believed that "Disgruntled Employees" were "Likely Sources of Attack". This is not data. This is not a conclusion. This is the perception of the survey's respondents.

Supporting the chart was this bulleted "Key Finding" (page 4):

"... virus incidents (82 percent) and insider abuse of network access (80 percent) were the most cited forms of attack or abuse."

The phrase "most cited" supports the perception perspective and the survey also noted (page 8):

"... it is still the case that many respondents simply do not know what’s going on within their networks."

In other words, the survey simply showed that 70% of people with no clue in the first place concluded that insider abuse was the most likely form of attack.

As for "hard data", the Survey reported that, across the board, "insider" incidents had nearly the same frequency as "outsider" incidents, a finding that was duplicated independently by the FBI itself two years later (table at right).

The next chart from the 2003 survey shows the reported losses from insider abuse:

As you can see, "Unauthorized Insider Access" was second to last in actual dollar losses, with "Telecom Eavesdropping" holding the bottom spot.

2003 was the last time the "Likely Sources of Attack" chart was included in the survey. It has since disappeared and the overall format of the survey has changed somewhat.

2005 CSI/FBI Survey

The FBI had little to say officially about the 2003 study. However, in 2005 the FBI had this comment about the 2005 CSI / FBI Computer Crime and Security Survey:

4. "Inside jobs" occur about as often as external attacks.

Obviously this is not equal to "70% of all breaches are perpetrated by insiders" by any stretch of the imagination.

Far from it.

In fact, the FBI, in their own survey for 2005 (cover shown at right), published without any partnership with CSI, reported this finding:

"Over 44% of respondents to this question had experienced intrusions from within their organization."

Again, not even close to 70%. In fact, over 55% of respondents to this question reported ZERO unauthorized "insider" access incidents.

And, oddly enough, at the time the FBI reported these results, the usual suspects had already been spewing the 70% Lie, often bumping it up to 80-85%, unchallenged, for at least a year. And they continue doing so to this day.


It's Time For This Nonsense To STOP!

The people reporting this cruft must be stopped. When you see the 70% Lie in print, challenge it. If comments are allowed, demand a link to fbi.gov - not the CSI Report, not a link to another blogger or journalist parroting the same nonsense - demonstrating the FBI actually stated this as a finding.

"I heard it at an InfraGard meeting" doesn't count.

If comments are not allowed, send a link to TheSecurityCommunity-AT-gmail-DOT-com and it will be added to the Hall of Shame.

Congratulations to Deb Perelman, the inspiration for this rant.
