Infrastructure Security Stats


There were a number of interesting statistics cited at the Critical Infrastructure Protection Conference in Calgary, Sept 8th/9th, 2008:

  • 5.5 – the percentage of an average enterprise IT budget that should be spent on information security. (Yogen Appalraju, VP, Telus Security Solutions)
  • 26 – the percentage of identity data breaches that occur in the Education sector, highest among all industry sectors. (Dean Turner, Sr. Editor, Symantec Internet Security Threat Report)
  • 46 – average length of time, in days, it takes to patch an enterprise business application after a security vulnerability is discovered. (Dean Turner, Symantec)
  • 52 – percent of problems in SCADA systems caused by lack of operating system hardening. (Michael James Martin, Senior Managing Consultant, IBM)
  • 75 – percent of oil and gas pipelines controlled by SCADA systems. (Brian Phillips, Director, Bell Canada)
  • 99.9999 – common availability expectation, in percent, of a SCADA control system. (Venkat Pothamsetty, Industrial Security Architect, Cisco Systems)
  • 245 – number of police offices in Canada dedicated to e-crime, out of a total police population of 62,000… (Brian Phillips, Bell)
  • 679 – number of US reported data breaches so far in 2008. (Patrick Gray, Senior Security Strategist, Cisco Systems)
  • 321,429 – the average cost, in US dollars, of a security breach for a government organization. (Yogen Appalraju, Telus)
  • 500,000 – number of miles of pipelines in North America. (Brian Phillips, Bell)
  • 15,000,000 – amount, in US dollars, that Choicepoint was fined for failing to report data breaches. (Patrick Gray, Cisco)
  • 348,000,000 – number of attacks on utilities, January to June, 2008. (Dean Turner, Symantec)

(For general IT statistics on Canadian organizations, click here.)


5 Responses to Infrastructure Security Stats

  1. I would like to know the EXACT source for this information, and not just relating to the CIPC conference. This is VERY useful stuff…

    BTW, I’ve included this in today’s posting on the SCADASEC-L mailing list. Right now, we are the ONLY mailing list (and now blog) that goes into discussion over SCADA and control systems security … in the ENTIRE World! (Yes, I can make that statement…)

    If interested, come and join our list. It’s *FREE*, and everyone is welcome to participate.

    Questions or comments, send me an email and/or call. Thanks! 8))

    Bob Radvanovsky
    SCADASEC-L Owner/Moderator
    Infracritical, Inc. – “Your Infrastructure, Their Future”
    (630) 673-7740

  2. DOH! Forgot to put the web site URLs up for the SCADASEC-L mailing list, which is:

    SCADASEC-L search engine:

    Again….it’s *FREE*

  3. Kevin McGrath says:

    [i]# 46 – average length of time it takes to patch an enterprise business application after a security vulnerability is discovered.[/i]

    Is that days, weeks, hours?… not years I hope! 🙂

    [i]# 99.9999 – common availability expectation, in percent, of a SCADA control system.[/i]

    When did we move from 5 nines to 6 nines?

  4. 46 days! Thanks for catching that, fixed now.

  5. I’ve added the source (at least the speaker and company) – hope this helps.

