 |
|
|
|
 |
U.S.
Department of Justice · Office of Justice Programs Bureau of Justice Statistics |
 |
|
|
|
|
|
U.S.
Department of Justice · Office of Justice Programs Bureau of Justice Statistics |
|
|
Relevant topic: |
NCSS Frequently Asked QuestionsAbout the DOJ/DHS National Computer Security Survey (NCSS)
About the DOJ/DHS National Computer Security Survey (NCSS)What is the purpose of the survey?The purpose of the NCSS is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses operating within the U.S., and the resulting losses incurred by businesses. The survey will collect information across a wide range of industry sectors on:
Results from the NCSS will enable the Department of Justice and Department of Homeland Security, as well as industry as a whole, to make more informed decisions and to develop policies that more effectively target resources in the area of cyber security. Why is this survey important?Cyber-threats are a national issue that can be adequately addressed only through collaborative efforts between industry, law enforcement, and the Federal government. The President's National Strategy for Securing Cyberspace calls for the U.S. Department of Justice (DOJ) to develop better data about victims of cybercrime and intrusions in order to understand the scope of the problem and to be able to track changes over time. It also tasks the U.S. Department of Homeland Security (DHS) with implementing priority protective measures to reduce the cyber vulnerabilities of America’s critical infrastructures. The President's National Strategy to Secure Cyberspace, industry experts, trade associations, and other groups — including the President's Council of Advisors on Science and Technology, the National Coordination Office for Networking and Information Technology Research and Development, InfraGard, the Cyber Security Industry Alliance, the Economic Security Working Group (sponsored by the National Telecommunication and Information Administration), the IT-Information Sharing and Analysis Center, and the Business Software Alliance — have all expressed a great need for such nationally representative data. This survey is a special opportunity to help the Federal government and U.S. industry understand the nature of computer security threats facing businesses, and the effectiveness of mitigation strategies currently in use across the nation. The NCSS will yield information that will enable DOJ, DHS, and industry as a whole to make more informed decisions and to develop policies to effectively target resources in the area of cyber security. Will my survey responses be kept confidential?Yes. These survey data are protected by specific Federal legislation. All the information collected in this voluntary survey is confidential by law (P.L. 107-347, Title V and 44 U.S.C. § 3501 note). It may be seen only by persons certified to uphold the confidentiality of information, and used only for statistical purposes from which no company can be identified. For example, in reporting the results data will be aggregated in such a way that individual companies cannot be identified. The law also prohibits the sharing of your data with other agencies, exempts the information you provide from requests made under the Freedom of Information Act (FOIA), and ensures that your responses are immune from legal process. The Freedom of Information Act (FOIA) protects from disclosure any confidential "trade secrets and commercial or financial" information provided to the Federal government by a corporation. This means that information voluntarily provided by companies about their security practices and experience with computer security incidents as part of the survey is not subject to subpoena under the FOIA. Moreover, only select project staff at RAND will know the identity of participating companies. And, as a private, non-governmental organization, RAND is not subject to the FOIA. The experience of RAND in conducting surveys is noteworthy. Despite multiple legal efforts over the years to compel RAND to disclose confidential survey information, no such effort or court subpoena has ever succeeded. RAND has never been compelled to release such information in all of its 58 year history. For this project, RAND has submitted a "Privacy Certificate". As with all surveys RAND conducts, we will keep your organization’s responses and your identity confidential. Again, only select project staff at RAND will know the identity of businesses participating in the study. Neither the U.S. Department of Justice nor the U.S. Department of Homeland Security will have access to company identities. And, again, no data about your company will be shared with other agencies or businesses. How will the results be used?The survey results will help U.S. businesses and the Federal government to build better strategies for responding to cyber attacks. Data from the NCSS will help the Department of Homeland Security and industry as a whole to better protect our nation’s critical infrastructure. For example, the study results will inform which sectors are most exposed to economic risk from computer security incidents, how effective current Homeland Security initiatives are in protecting the business sector, and what improvements may be needed. The survey results will also help inform the Department of Justice as to what types of incidents the department should focus its resources on, and what strategies and tools may be needed for investigating and prosecuting computer security incidents. How is this survey different from others?The DOJ/DHS National Computer Security Survey is the first and only survey to provide official national statistics on the extent and consequences of computer security incidents within businesses across all industry sectors. Other surveys have typically used a much smaller sample representing only a narrow band of industry sectors. Consequently, their results are not representative at the national or industry levels. For these reasons, the NCSS can make unique contributions to the national understanding of cyber security threats facing businesses operating in the United States, and will inform what strategies and policies are needed to counter those threats. How often will this survey be repeated?To measure changes over time, the NCSS will be a recurring data collection effort to be repeated every 1-2 years. By being conducted on a regular basis, this survey will become a valuable tool for tracking computer security trends as they evolve, and will serve as the new benchmark for understanding the impact of cyber security on U.S. businesses and potential improvements in countering these threats. Will this survey put a stop to SPAM?While this survey will not have a direct effect on incoming SPAM mail, the results from the study may provide new information that can help inform legislation and business practices related to preventing SPAM in the future. Who is funding this survey?The survey is funded by the U.S. Department of Justice and the U.S. Department of Homeland Security and is part of the National Strategy to Secure Cyberspace (2003). The Department of Justice is charged with collecting statistics on cybercrime and the costs of such crime; the Bureau of Justice Statistics, the statistics arm of the Justice Department, is implementing the survey. The National Cyber Security Division of the Department of Homeland Security is charged with coordinating the implementation of the National Strategy to Secure Cyberspace; identifying, analyzing, and reducing cyber threats and vulnerabilities; disseminating threat warning information; coordinating incident response; and providing technical assistance in continuity of operations and recovery planning. Who is the data collection agent?The RAND Corporation is a non-partisan, private nonprofit research institution established in 1948. RAND is performing this work under a cooperative agreement with the Bureau of Justice Statistics. Who can I contact if I have questions?If you have questions regarding the NCSS, e-mail askbjs@usdoj.gov or the data collection agent at ncss@rand.org. Back to TopAbout the ParticipantsWho is taking part in the study?Businesses operating within the United States across 37 different industry sectors have been scientifically selected to participate in the survey. This sample of businesses has been chosen to be statistically representative of different sizes and types of businesses across the nation. The different industry sectors represented in the study include finance, utilities, transportation, health care, telecommunications, mining, manufacturing and technology, to name just a few. Why should I participate?Recent studies suggest that cyber attacks (and particularly denial of service and theft of intellectual property incidents) are costing U.S. businesses a great deal of money, time, and headache. These attacks can hamper or cripple not only an individual business, but also the nation. Techniques and tools to prevent cyber attacks are available, but they are expensive to implement, monitor, and maintain. It is not clear to what degree these preventive measures are working. It is important to get a better understanding of what is currently working and what isn't. Your input will help ensure that these survey results accurately reflect what is going on in the private sector, and will help inform both policy and resource allocation decisions that the Federal government and industry as a whole make in the future. The baseline data of this survey will also help your company better manage its computer security resources. The survey results can help your business to:
What will my company get in return for participating?At the end of the study participating companies will be offered information that will allow them to compare themselves to the rest of their industry sector. This information can be used to see how your company stands on issues such as types of computer security measures used, proportion of information technology budget dedicated to computer security, types and prevalence of computer security incidents, and losses incurred from those incidents. Why was my company selected?Your company has been scientifically selected to represent similar organizations within your industry sector throughout the country. Your participation is crucial to ensure that the snapshot taken of U.S. computer security incidents accurately reflects what is happening within your industry sector as well as across the nation. Am I required to participate in the survey?Participation in the survey is voluntary, but the importance of having your business represented as a part of this study cannot be stressed enough. Your participation is crucial to ensure that the snapshot taken of U.S. computer security incidents accurately reflects what is happening within your industry sector as well as across the nation. What other companies are taking part?The sample consists of thousands of companies from 37 industry sectors. They range in size from small companies with just a few employees to large, nationally recognized conglomerates. The identity of all sampled companies is confidential and will not be made public. Will non-participants have access to the results?The Department of Justice and Department of Homeland Security will produce a joint report describing the key findings of this study. This report will be publicly available. Data will be aggregated at the industry level so that individual companies cannot be identified. An earlier BJS report, Cybercrime against Businesses, illustrates what type of report will be written. In addition, a restricted-use data file will be made available for research purposes only. It will be carefully scrubbed of all identifying information so that the individual companies' identities and responses will be protected. Back to Top |
| BJS home page | Top of this page |
 |
|
|
