The goal of NCSS is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. It is cosponsored by the Bureau of Justice Statistics and the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. The RAND Corporation is the data collection agent. The NCSS collects data on:
- the nature and extent of computer security incidents
- monetary costs and other consequences of these incidents
- incident details such as types of offenders and reporting to authorities
- computer security measures used by companies.
The National Computer Security Survey sample was a stratified, random sample of businesses designed to produce national and industry-level estimates. The sample was stratified by industry, risk level, and size of business. Thirty-six industries, as determined by the North American Industrial Classification System (NAICS), were within the scope of the survey. (See appendix table 1 for a complete list and definition of industries.) Risk level comprised four groups: critical infrastructure, high risk, moderate risk, and low risk. Critical infrastructure consisted of businesses operating in the industries with which the Department of Homeland Security formed Information Sharing and Analysis Centers (ISACs). Each of the remaining businesses was designated as high, moderate, or low risk depending on its industry of operation's risk of incidents, loss, and downtime. Business size was determined by the number of employees and was divided into nine size categories. The sampling frame, Dun & Bradstreet, contained records for nearly 7.3 million in-scope businesses. Businesses without employees on their payroll, such as family owned and operated businesses, were out of scope.
Sampling was done at the enterprise level, except in cases of businesses with large subsidiaries operating in different economic sectors. To preserve the ability to provide industry-level findings, these businesses were sampled at the highest level of subsidiary with distinct lines of business.
A sample of 35,596 businesses was drawn to produce national and industry-level estimates and to track changes of more than 2.5% over time. (See appendix table 2 for a summary of the sample by risk level and industry.) Businesses with more than 5,000 employees and Fortune 500 businesses were drawn with certainty to ensure the representation of all industries. Because some industries typically do not have large businesses, the largest 50 businesses in each industry were also included with certainty. Due to the particular importance of the nation's critical infrastructure, businesses in these strata were over-sampled. High-risk industries such as manufacturing, retail, and wholesale were also over-sampled.
Denominators reflect the number of businesses that responded to the questions relevant to a given table. For example, in table 5 the denominator represents the number of businesses that responded to questions on networks used by the business, whether computer security incidents were detected, and networks that were affected in those incidents (if any). Unless otherwise noted, missing items or responses of "don't know" have been omitted. Totals and medians are based on positive responses and exclude zeroes.
Incident percentages are based on 7,636 businesses that had a computer and responded to at least 1 incident question; 7,626 businesses responded to at least 1 question on cyber attacks, 7,561 to at least 1 question on cyber theft, and 7,492 to at least 1 question on other computer security incidents.
For theft of intellectual property, 29% of 198 businesses provided multiple types; for personal or financial data, 60% of 235 businesses specified more than 1 type; and for other computer security incidents, 59% of 1,762 businesses identified multiple types.
Missing and excluded data
Of the 8,079 businesses providing information on whether or not they had computer systems, 14 businesses reported contradictory information. Because the responses from these 14 businesses could not be reconciled, they were excluded from all analyses.
Each table underwent a detailed disclosure analysis to ensure the confidentiality of responses given by individual businesses. As a result, some responses were excluded from totals and medians. Table 8 and appendix table 6 were affected. Six responses were excluded from the number of computer security incidents; six responses were excluded from monetary loss; and three responses were excluded from system downtime. The disclosure analysis also resulted in the suppression of values for some cells in table 10, appendix table 6, and appendix table 7.