Academic journal article Trends & Issues in Crime and Criminal Justice

Computer Security Incidents against Australian Businesses: Predictors of Victimisation

Article excerpt

Foreword | Drawing on data from the Australian Business Assessment of Computer User Security (ABACUS) survey, this paper examines a range of factors that may influence businesses' likelihood of being victimised by a computer security incident. It has been suggested that factors including business size, industry sector, level of outsourcing, expenditure on computer security functions and types of computer security tools and/or policies used may influence the probability of particular businesses experiencing such incidents. This paper uses probability modelling to test whether this is the case for the 4,000 businesses that responded to the ABACUS survey. It was found that the industry sector that a business belonged to, and business expenditure on computer security, were not related to businesses' likelihood of detecting computer security incidents. Instead, the number of employees that a business has and whether computer security functions were outsourced were found to be key indicators of businesses' likelihood of detecting incidents. Some of the implications of these findings are considered in this paper.

The Australian Institute of Criminology (AIC) recently commissioned a nationwide survey of businesses called the Australian Business Assessment of Computer User Security (ABACUS) survey (see Richards 2009). This study aimed to identify the prevalence, nature, costs and impacts of computer security incidents against Australian businesses during 2006-07. Computer security incidents were defined in the survey as any unauthorised use, damage, monitoring, attack or theft of business information technology. Common computer security incidents include viruses and other malicious code, spyware, phishing, sabotage of network or data and denial of service attacks.

The ABACUS survey used a random, weighted sample of Australian businesses, stratified by industry sector and business size, to enable generalisations to be made about the entire population of Australian businesses. In total, 4,000 ABACUS questionnaires were completed by Australian businesses, representing a response rate of 29 percent (for a detailed discussion of the methodology of the ABACUS study see Challice (2009)).

The ABACUS study found that a majority of businesses (80%; n=2,881) that used information technology reported experiencing no computer security incidents during the 12-month period ending 30 June 2007. In the study, 'experiencing a computer security incident' meant that a business detected an incident. By definition, the survey was not able to capture incidents that businesses did not detect; it captured only detected or identified computer security incidents. As a proportion of the overall sample, 12 percent (n=435) of businesses experienced one to five computer security incidents, one percent experienced six to 10 incidents (n=44) and one percent experienced more than 10 incidents (n=48). Six percent (n=212) of respondents were unable to quantify the number of computer security incidents their business had experienced.

Research has shown that businesses are concerned about the risks associated with computer security incidents and believe that victimisation is widespread (Nykodym, Taylor & Vilela 2005; Smith, Grabosky & Urbas 2004). A survey commissioned by IBM (Ho 2006) found that about half of Australian businesses perceive computer security incidents as a greater threat and more costly to their organisation than physical crime.

The literature on computer security incidents posits a range of factors as potential predictors of whether businesses experience computer security incidents. Industry sector, for example, is widely held to be a key determinant, with financial organisations deemed most likely to be targeted (IBM Global Technology Services 2008). Business size is also commonly proposed as a factor that may determine businesses' likelihood of experiencing computer security incidents. For example, the Department of Trade and Industry (2006) found that in the United Kingdom, a higher proportion of large businesses reported experiencing malicious computer security incidents than businesses overall. …
