Stats

They say that 83% of all statistics are lies. Think about that for a second.

One of the main things media outlets use to back their claims is statistics. It is absolutely incredible how many times a media outlet will quote a statistic and not credit where it came from. Further, they are fond of taking creative liberty with how they quote the article to suit their needs.

These statistics cover damage to systems, percentage of intrusions, virus infections and everything else related to security. There are simply too many instances of suspect statistics as they relate to the computer security industry to read, match and provide analysis of them all. Most of the statistics here are simply referenced and left to the keen reader to draw their own conclusions. Analysis may be provided for articles and reports that are widely quoted or otherwise interesting. Use the feedback link at the bottom of the page if you wish to recommend an article or report for analysis; please include why you feel this article is important.

Due to the number of articles with statistics and the time drain in trying to analyze them, this page only serves as a very primitive repository for quotes and statistics about security. It is intended to be searched with the 'find' feature in your web browser while viewing the Statistics or Archive pages. As time permits, we will try to lump similar statistics together.


[10-19-09] - Ridding the Web of the XSS Scourge [local] - [remote]

* ""This wouldn't be such an issue if software developers did a better job of securing their code. About 66 percent of all Web sites are infected with XSS code. There is no real industry push to solve this problem," Michael Sutton, vice president of security research at Web security firm Zscaler, told TechNewsWorld."

* ""Cross-site scripting is the No. 1 threat on the Internet. As many as 80 to 90 percent of all Web sites have the infection," said Khera."

* Attrition Staff notes: "Why bother checking stats when you can just have two people make them up in the same article?"

[12-03-08] - Secunia Survey Finds 98% of PCs Have Vulnerable Program [local] - [remote]

* "According to data gathered from 20,000 users of Secunia PSI (Personal Software Inspector) 1.0 during the past seven days, roughly 98 percent were running unpatched programs. Roughly 30 percent had one to five insecure programs running on their Windows PCs; 25 percent had six to 10. The rest - about 45 percent - had 11 or more out-of-date programs."

* Attrition Staff notes: "What's the definition of insecure? Simply out of date? Not every software update is security related..."

[6-13-08] - British hacker faces extradition hearing next week [local] - [remote]

* "However, the U.S. said that the intrusions disrupted computer networks used by the military that were critical to operations conducted after the Sept. 11, 2001, terrorist attacks. The U.S. estimates the damage caused by McKinnon at US$700,000."

* Attrition Staff wonders: "Are critical military systems vulnerable to script kids using RemotelyAnywhere? Does it cost $700,000 to close that vulnerability?"

[11-14-07] - Researcher: Half a million database servers have no firewall [local] - [remote]

* "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet"

* Attrition Staff notes: "Did he really "find half a million database servers"? No, he found about 200 and extrapolated the figure up to 492K. Scan 1.16 million IP addresses, sure, sounds hot and heavy... but out of 3.7 BILLION possible IP addresses?"

* Additionally - "If you target a range you know is full of .com people versus a network full of mixed or end-user/home IP space and the results dramatically change again."

[10-05-07] - Hacker Attacks On Some U.S. Utilities Up 90% [local] - [remote]

*"SecureWorks, a managed security services company that serves 100 American utilities, reported Friday that it has tracked a 90% increase in the number of hackers trying to attack its utility clients this year."

*"Between January and April, SecureWorks blocked an average of 49 attackers per utility client per day. However, between May and September, the company's researchers saw an average of 93 hackers attempt attacks on each of its utility clients every day."

[09-21-07] - Canadian coppers admit making up piracy figures [local] - [remote]

*"For months, Canadian coppers have been claiming that software piracy costs the country $30 billion."

*"The letter came back from red-faced coppers confessing that they made up the figure based on what they had read on the Internet. The RCMP did not conduct any independent research on the scope or impact of counterfeiting in Canada, but rather merely searched a couple news stories."

[09-21-07] - Fewer Companies Suffer Security Breaches, But They're Much More Severe [local] - [remote]

*"The Computing Technology Industry Association (CompTIA) released a study showing that 66% of the 1,070 organizations surveyed said they did not have a security breach in the previous 12 months. That's a slight improvement from the 61.8% who said the same thing last year and the 42% who said it two years ago."

*"As for the financial damage caused by all kinds of breaches, the average cost across all companies surveyed is $369,388, reported CompTIA. That cost, however, is driven upwards by a handful of companies that estimated security breach costs to be in excess of $10 million. This, noted the report, reflects the higher risk that larger companies face."

*Lyger noted, "1070 surveyed / 34% breached = 363 breaches. average cost = $369,388. $134,383,354.40 in total cost? Hrm."

[09-17-07] - Report: MS, Apple, Oracle Are Top Vulnerable Vendors [local] - [remote]

*"IBM Internet Security Systems' X-Force R&D team released its 2007 report on cyber attacks on Sept. 17, revealing that the top five vulnerable vendors accounted for 12.6 of all disclosed vulnerabilities in the first half of the year - or 411 of 3,272 vulnerabilities disclosed."

*"The report also says that 21 percent of vulnerabilities disclosed by the top 5 vendors remain unpatched - up from a year ago, when only 14 percent of the top vendors' vulnerabilities stayed open in the same timeframe."

[09-17-07] - Beware of Zombies [local] - [remote]

*"As of the morning of Sept. 14, there were exactly (remember, Strassmann is an engineer and likes precision) 735,598 computers in the United States infested by Chinese zombies, he said."

*Richard Forno noted, "Anyone care to tell me how Strassmann can say with such "engineering precision" that there were "exactly" 735,598 zombified computers in the US on a given day, and that ALL those systems were zombified exclusively by Chinese activity?"

[07-05-07] - Security exchange trades zero-day flaws [local] - [remote]

*"Zampariolo added that, although researchers had analysed around 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 a year."

*Attrition staff noted, "You know, because 139,362 vulnerabilities, sounds *WAY* more official and less made up than 'approximately 140,000'".

[04-24-07] - Companies Say Security Breach Could Destroy Their Business [local] - [remote]

*"A McAfee Datagate study showed 33% surveyed think they are at risk and that 60% of IT managers said they had suffered a data breach in the past year."

* "33% of respondents said they believe a major data-loss incident involving accidental or malicious distribution of confidential data could put them out of business."

From Emergent Chaos: The number of companies that have gone under because of a breach is statistically indistinguishable from zero. That's the case if you express it as a percentage of companies breached, or as a percentage of companies going out of business. McAfee should do better than spread this sort of FUD, especially when we can measure what's really happening.

[04-01-07] - Renee Millman - Most websites can be "easily hacked" [local] - [remote]

*"Most websites have vulnerabilities that could allow hackers to access systems or to launch Denial of Service (DoS) attacks, according to new findings."

*"The research carried out by security consultants NTA Monitor, found that 90 per cent of organisations' websites contain at least one or more flaws that could allow external users to gain unauthorised system access or disrupt service availability. A further 33 per cent of websites were found to have widely known critical vulnerabilities that are actively exploited by hackers."

[03-26-07] - Mark A. Kellner - USMC Networks 'Attacked Every Millisecond' [local] - [remote]

*"Brig. Gen. George Allen, Marine Corps C4 director and chief information officer (CIO), said the service's networks "are being attacked every millisecond of every day. During the time I'm speaking, we will have had 100,000 attacks.""

Do the math. At least one thousand attacks per second, all day, every day. In one day, that's 1000 x 60 x 60 x 24 = 86,400,000 "attacks" per day. Wonder if they consider a simple ping or a 404 web page an "attack"...

[03-20-07] - J. Micah Grunert - Hacking, the new American hobby. [local] - [remote]

*As a part of their bi-yearly report on malicious computer activity, Symantec reported that about a third of all the computer attacks recorded worldwide originated within the United States

Jericho noted: So if 1/3 of all 'cyber attacks' are initiated in the US, that means 2/3 are not? Ignoring of course the whole 'hacker' term being used for virus/worm writers, criminals conducting phishing attacks, spammers, etc.

*Snarky comments inside!

[03-18-07] - Jose Nazario - Infosec OPML 1.0 [remote]

Jose Nazario has released a 200+ site OPML file for all your security news aggregation needs. The list is sorted alphabetically for now but updates to reflect the organization of Infosec Daily are said to be coming. This list is perfect for browsing while you have down time at work and feel too guilty to goof off.

[03-17-07] - Jaikumar Vijayan - Forget hackers; companies responsible for most data breaches, study says [local] - [remote]

*In the five minutes it might take to read this article, about 672 electronic records containing confidential information will be compromised. By year's end, more than 72 million records with Social Security numbers, credit card numbers, birth dates and other personal data will have been exposed. That rate is about 200,000 more records per month than last year.

*In contrast, just 31% of the incidents were perpetrated by external hackers; 9% had unspecified causes.

*A report released last week by the IT Policy Compliance Group showed that human error is the overwhelming cause of losses of sensitive data -- contributing to 75% of all occurrences, while malicious hacking activity contributed to just 20%

*When it comes to just the volume of compromised records, though, external hackers accounted for some 45% of breached records, while 27% came from internal errors and 28% remained unattributed, Howard said. A total of about 1.9 billion records were compromised in the incidents that were studied

*The university study also showed that there were more reported incidents in 2005 and 2006 -- 424 -- than the previous 25 years combined, when there were 126.

[03-17-07] - Brian Krebs - Cyber-Criminals and Their Tools Getting Bolder, More Sophisticated [local] - [remote]

* "More than 1,000 fraudulent sites known as "phishing" sites are erected each day, according to the Anti-Phishing Working Group, an industry organization. Scammers can net 20 to 100 victims per case, according to CastleCops, a volunteer group of security experts that analyzes malicious software and phishing sites and provides information to police, Internet service providers and affected companies."

[03-10-07] - Bradley Olson, The Baltimore Sun - Computer remedy to be complete Monday [local] - [remote]

* "There are thousands of viruses written every day, and someone has to notify [Symantec] about the newer ones"

[03-06-07] - Jana Cranmer, GCN Staff - FBI unsure if missing notebook PCs contain sensitive data [local] - [remote]

* "The FBI has reduced notebook PC losses by 312 percent since 2002, but the bureau has failed to adequately report whether stolen computers contain classified or sensitive data, the Justice Department Office of the Inspector General said in an audit report last week."

[03-06-07] - Michael Fitzgerald, CSO Online - How to Stop a Laptop Thief [local] - [remote]

* "The CSI/FBI survey pegs losses by U.S. companies from laptop theft in 2003 at $6.8 million, but that doesn't necessarily include the value of the data lost. Gartner estimates that a single stolen laptop can cost a company more than $6,000 for hardware, software, restoring data (assuming it was backed up in the first place) and user downtime. Gartner analyst Leslie Fiering notes that this number doesn't account for the cost of any data lost or exposed."

[02-13-07] - Paul McNamara, NetworkWorld Buzzblog - Survey says 70 percent of Web sites are begging to be hacked: My expert's $1,000 says that percentage is a crock. [local] - [remote]

* "Let's get their list of 3,200 sites, pick 10 at random, and see if they can 'steal sensitive data' from those sites. They say they'll be able to hack into seven of them. I'll bet $1,000 they can't steal personal data from three of them."

* Acunetix sidesteps the challenge

[02-06-07] - Chris Reidy, Globe staff - Survey: Data security worries bankers [local] - [remote]

* 70 percent said their bank had to reissue credit or debit cards three times or more in the past 24 months.

* Seven out of ten... three or MORE times... in the last two years? Not saying this is false, but if true... wow?

[10-11-06] - Joris Evers - A banner year for security bugs [local] - [remote]

* 41%? In the world of vulnerabilities, tracking, databases and disclosure, numbers are far from exact. While one database may have 5,195 vulns, another may have 3,832 and a third may have 9,452. Just depends on how each tracks vulns. That said, since it isn't an exact science, how does a company *predict* a *41%* increase? Easy.. the real number is "about 40%, give or take 5%" but with the standard "oh shit, if we're not more specific we don't seem like experts" which turns into "we think it's 40% but we need something that isn't rounded..."

[08-09-06] - Robert McMillan - Defcon: Cybercriminals taking cues from Mafia, says FBI [local] - [remote]

.. the costs of cybercrime are steep. The FBI estimates that it cost the U.S. more than $67 billion last year.

[08-08-06] - AOL offers free antivirus software [local] - [remote]

* 56% of participants either had no antivirus protection or had not updated it within the previous week, which exposed them to serious security threats.

[08-07-06] - Speed boost for file-sharing nets [local] - [remote]

* 60% of peer-to-peer traffic is video, average file size is 1GB

* BitTorrent and RawFlow are seen as commercially viable technologies.

[04-19-06] - Web App Vulnerabilities ... [local] - [remote]

* The number of websites with applications vulnerable to these attacks appears to be small (as reported to the WASC): 58 in 2005, 16 in 2004, 9 in 2003, 20 thus far in 2006.

* Note: The above statistic is incredibly misleading; how many business-oriented sites would be willing to admit they were vulnerable? Contrast the number of sites reported vulnerable with OSVDB reports on how many web applications were vulnerable to an attack that could be leveraged into information disclosure.

* A survey of more than 700 people with online accounts at TD Canada Trust ... found that fewer than 30% knew the terms phishing and website spoofing.

[04-18-06] - Rootkit numbers rocketing up, McAfee says [local] - [remote]

* In the first quarter [06?] the number of rootkits seen by McAfee's Avert Labs grew by 700%

* In the first quarter alone, the Avert Labs found more than 827 stealth techniques. That contrasts with about 70 found in the same period in 2005 and with approximately 769 for the whole of that year.

* We can predict that, in the coming two or three years, the growth of rootkits for the current Windows architecture will reach an annual rate of at least 650%.

[04-18-06] - What's the next security threat? [local] - [remote]

* Ancheta admitted the scam had netted him $60,000

* He [Ancheta] controlled some 400,000 computers around the world, which he could manipulate remotely to ... generate advertisement traffic

* According to security company CipherTrust, more than 180,000 PCs are turned into zombies every day

[04-17-06] - Bug Bounties Exterminate Holes [local] - [remote]

* iDefense pays between a few hundred dollars and $10,000 for a vulnerability. (ED - Depending on l33tness)

* Mozilla's Bug Bounty Program pays $500 and a T-shirt

[03-15-06] - APACS - UK Card fraud losses in 2005 fall by £65m [local] - [remote]

* Figures released today (7 March 2006) by APACS, the UK payments association, show total card fraud losses fell by 13% compared to 2004 (£439.4m in 2005 compared to £504.8m in 2004).

* Fraud caused by either account takeover or fraudulent applications fell by 17% to £30.5m (£36.9m in 2004).

* Due to formatting issues we've got a screen cap of a useful table

[03-10-06] - MAAWG - Global Email Spam Report [local] - [remote]

* The MAAWG email metrics program includes over 100 million mailboxes, providing a statistically significant sample.

* Metrics derived from the report for the fourth quarter of 2005 concluded that:

* ...approximately 80 percent of Internet traffic today is abusive email.

* There were more than 1,000 blocked or tagged inbound emails per mailbox.

* With more than 1.5 dropped connections for every unaffected email delivered, there were approximately 500 dropped connections for each mailbox.

[03-10-06] - Matthew Broersma - Test shows how vulnerable unpatched Windows is [local] - [remote]

*A test has revealed that a Linux server is far less likely to be compromised. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours.

*An unpatched Windows 2000 Server was the quickest to be compromised, at an hour and 17 minutes

*Windows XP Professional, unpatched, lasted one hour and 12 seconds.

*Meanwhile, unpatched Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop weren't compromised during the month and a half they were exposed to the Internet.

*However, patching does make a difference. Patched versions of Windows fared far better, remaining untouched throughout the test, as did the Red Hat and Suse deployments.

*The results of the test were confirmed by Symantec's other finding, Companies were at risk from unpatched software bugs for an average of 42 days per bug during the second half of last year

*The report highlights the fact that even quick patching isn't enough to keep software secure, since exploit code began to circulate an average of 6.8 days after the disclosure of a vulnerability, while a vendor-supplied patch wasn't available until an average of 49 days after disclosure, Symantec said.

[03-09-06] - John Leyden - AOL sues mystery phishers for $18m [local] - [remote]

*The ISP is seeking damages of $18m against unnamed groups who targeted AOL and CompuServe members with fraudulent emails that attempted to trick them into handing over confidential personal information

*According to the Anti-Phishing Working Group almost 50,000 phishing websites were created last year, with more than 7,000 appearing in December alone.

*[AOL] said it blocks an average 1.5bn spam emails a day, approximately 80 per cent of the email traffic sent to users' in-boxes.

[03-09-06] - John Leyden - Cybercrooks spur anti-virus market growth [local] - [remote]

*Last year [2005], the [anti-virus] market was worth $3.27bn.

*The anti-virus market will grow to reach $7.49bn by 2012, according to market analyst Frost & Sullivan (F&S).

[03-09-06] - Tom Espiner - More brands targeted as phishing attacks soar [local] - [remote]

*The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report, published by the Anti-Phishing Working Group, an industry consortium that provides information on phishing trends.

*The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November.

*Attacks are becoming increasingly sophisticated, with a quarter of all phishing Web sites hosting keylogging malicious software. Users can become infected just by visiting the sites, Murtagh warned.

[03-08-06] - IT-Observer - Patching window is getting shorter [local] - [remote]

*The X-Force Threat Insight Quarterly highlights that the number of vulnerabilities in 2005 has increased by over 33% over 2004.

*From the public announcement of the vulnerability on the internet, the report highlights that 3.13% of threats discovered had malicious code that surfaced within 24 hours, whereas 9.38% had code that surfaced within 48 hours.

*Worryingly, 12.5% of the threats had code included in disclosure.

*In addition, 50% of vulnerabilities had either an exploit and/or proof-of-concept code surface within one week.

*"We are seeing an increase in "zero-day exploits" from hackers appearing at the same time the vulnerability is published," said Gunter Ollmann, Director of X-Force at Internet Security Systems.

[03-08-06] - Staff Writers, CRN - Top 50 malicious code samples reveals secrets [local] - [remote]

*While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said.

*Malicious code threats that could reveal confidential information rose from 74 percent of the top 50 malicious code samples last period to 80 percent this period.

[03-08-06] - Paul Meadocroft - Combating Identity Theft [local] - [remote]

*In a recent survey of security budget holders and influencers of UK banks, 73% of respondents cited identity management as the top transaction security concern.

*ID theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.

*In addition, the number of UK banks assigning separate budgets for identity management has risen from 22% to 60% since 2003.

[03-07-06] - Robert McMillan - After flap, Symantec adjusts browser bug count [local] - [remote]

*In its latest Internet Security Threat Report, covering the last six months of 2005, the company now features two different ways of counting browser bugs: one that finds that Internet Explorer has the most vulnerabilities, and a second that reveals Firefox as the bug leader

*Firefox had the highest number of "vendor-confirmed" vulnerabilities, with 13 bugs reported during the six months covered by the report, compared with Internet Explorer's 12, said Dave Cole, a director of Symantec Security Response.

*However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla Corp. By that count, Internet Explorer had the most security issues: 24, compared with Firefox's 17.

*DOS attacks were up 51% from the first half of the year, Cole said.

[03-06-06] - Ryan Naraine - SiteAdvisor Finds Billions of Unsafe Web Visits [local] - [remote]

*...slapped a red "X" warning label on approximately 5% of all web traffic and warned that there are one billion monthly visits to Web pages that aren't safe for surfing.

*The idea is to use the color-coded (red, yellow or green) system to mark every Web site and to help Web surfers determine if a site's content includes spyware, spam, viruses, browser-based exploits or online scams.

*About 2% of all Web traffic was given the "yellow" caution rating.

*For example, on the first page of Google search results for "screensavers," 10 of the 18 sites shown have "red" ratings.

*More than 475,000 downloads have been analyzed for adware, spyware and viruses.

[02-19-06] - Commtouch - January Virus and Spam Statistics [local] - [Remote]

*The average response time to new viruses among tested AV engines was 8.12 hours

*43.18% of global spam is sent from the US, China 12.89%, Korea and Germany 4%

*From a 256m message sample, 4.7m pieces of spam came from Hotmail, 4.2 from Yahoo, 2.1 from MSN, 1.9 from cisco (?) and 1.5 from gmail.

*52.46% of spam dealt with medical offerings

[01-27-06] - William Sturgeon - Could your laptop be worth millions? [local] - [remote]

*A report released Friday by security-software company Symantec suggests that an ordinary notebook holds content valued at 550,000 pounds ($972,000)

*Past research in the U.K. suggests that as many as 10,000 laptops are left in the backs of British taxis each year and civil servants are among the worst offenders.

*The question here is how did Symantec convert bits to dollars, and how could you profit from that specific data? -MrZ

[10-24-05] - The Measurement Factory - DNS Survey [local] - [remote]

*Results are for public DNS servers

*Over 75% of DNS (of 1.3 mil.) allow recursive name service to arbitrary queriers

*Over 40% allow zone transfers from arbitrary queriers

*57% run the most recent, secure versions of bind

[10-11-05] - Unknown - 26.7 Million Americans ... [local] - [remote]

*26.7 million Americans are transmitting their identity to international hackers and criminals.

*15% of spyware is actually stealing all the information typed on an infected computer

*[Key logging] ... was the cause for 5% of the identity theft cases last year.

*Last year there were approximately 10 million cases of identity theft.

*Props to Alex over at Sunbelt Blog for this one.

[10-04-05] - Joris Evers - Worms Biting harder into IM, P2P [local] - [remote]

*The number of threats detected for IM and peer-to-peer networks rose a whopping 3,295 percent ... IMlogic said

*The numbers echo data reported by Akonix Systems ... who identified a record 25 IM pests in September.

*MSN Messenger received 62% of all attacks, 31% to AIM/ICQ and 7% to Yahoo Messenger

*Captain's log, supplemental.

[08-22-05] - Pat Regnier - The ID Theft Protection Racket [local] - [remote]

*An American Express telemarketer might tell you that one in four U.S. households has been a victim of ID theft.

*The Web site for Equifax puts the number at around 10 million Americans a year, which works out to more than 4 percent of adults.

*This article in particular points out just how wildly some stats can vary. After doing some independent research, two studies stand out:

  1. A study by Javelin Strategy and Research (U.S. Based) showed that approximately 4.25% of Americans are ID victims on a regular basis. (sounds like the one quoted by Equifax)

  2. The Consumers' Association (U.K. Based) published a report that stated one in four people had been a victim of identity theft, or knew someone who had been a victim. (sounds like the one misquoted and placed out of context by American Express telemarketers)

[08-12-05] - Associated Press (via MSNBC) - Man Convicted in massive database theft [local] - [remote]

*Prosecutors said Levine and his company stole 1.6 billion customer records - the equivalent of 550 telephone books filled with names, e-mail and postal addresses. The government did not charge anyone with identity theft.

*"So, would that be LA phonebooks or Bozeman, Montana phonebooks..." - Lyger

[07-20-05] - Robert McMillan - Attackers turning to fake online greeting cards [local] - [remote]

*The amount of malicious e-mail being disguised as e-mail greeting cards is up 90% from last year and now makes up more than half of all malicious e-mail being sent.

[07-13-05] - Colin Barker - Alleged hacker: U.S. defense sites poorly secured [local] - [remote]

*5,000 computers with blank administrator passwords

[07-13-05] - Curt Feldman - Rockstar Games blames Hot Coffee on Hackers [local] - [remote]

*So, now mod creators are hackers? While the use of this term may be closer to the accepted meaning of the term in the security community I don't think Gamespot is using it in that sense.

*"Hackers created the 'Hot Coffee' modification by disassembling and then combining, recompiling and altering the game's source code."

*This isn't a statistic, but I believe it belongs in Errata

[07-12-05] - Joe Fantuzzi - Document Security? It's a Joke [local] - [remote]

*75% of all corporate documents may contain legally sensitive information

*Insider attacks against a large company cost an average of $2.7 million

*An average outsider attack $57,000

[07-11-05] - Robert Jaques - Microsoft claims Windows more secure than Linux [local] - [remote]

*Customers without SP2 are up to 15 times more likely to fall victim to viruses, the software giant has warned

[07-07-05] - Dave Newbart - Computer Snooping a Growing Problem [local] - [remote]

*Spyware has disrupted the computer lives of 43% of surfers

*80% of users actually had ... spyware or adware on their computers

*90% of users want better notice of adware

[07-07-05] - Robert MacMillan - Thanks for Listening [local] - [remote]

*81% of Internet users don't open e-mail attachments without knowing that they are safe

*48% stopped visiting suspect Web sites

*25% don't use music-swapping networks anymore

*18% have switched Internet browsers

[07-08-02] - John Leyden - Show us the bugs - users want full disclosure [local] - [Remote]

*Based on interviews with more than 300 software security professionals

*Points of contention: questionnaires are not interviews, 300 'software security professionals' are not representative of the 'user' population, the interviewees are themselves not representative of a population of 'software security professionals.'

*A response from Jericho link

[01-16-02] - John Leyden - Lies, damned lies, and anti-virus statistics [local] - [Remote]

*The research firm has totted up the damage wreaked by viruses each year since 1995, but the results are controversial.

*Good article, required reading

Copyright 2002-2011 by Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.
