Automated Retrieval of Security Statistics from the World Wide Web

Many statistics pertaining to information security are cited with little supporting evidence. Consider the fraction of cyber-attacks due to insiders. The U.S. Secret Service in 1996 estimated 60%, Network World in 2000 estimated 70% to 90% for "corporate networks" (and said only 1 in 50 attacks is detected), Deloitte and Touche gave it as 35% in 2004 in a study of the financial industry, a CERT briefing in 2005 gave it as 20%, a Carnegie-Mellon report in 2004 gave it as 39%, and the CSI/FBI annual survey for 2006 estimated that 26% of financial losses anyway came from insiders. Which should we believe? The figures are based on different data collection methods and some are more reliable than others. Most do not adequately identify their sources. To explore this, we have developed a Java data-mining program that collects statements of security-related statistics from the World Wide Web. Besides providing a single source for scattered data, our program permits comparing the sources and influences of statistics.