General Information Security Statistics:


Figure 1: From SecurityFocus.Com : BUGTRAQ Vulnerability Database Statistics, through Aug 2001

From SecurityStats.Com, 22 Feb, 2004.  See Microsoft Technet for more information.

  • Across all products, Microsoft released 51 security advisories in 2003.  That represents an average of nearly one new security patch per week.
  • 30 of the MS Security Bulletins released in 2003 affected Microsoft's Windows XP Operating System.

From NYT Magazine, 9 February 2003,  http://query.nytimes.com/gst/abstract.html?res=F20813FE3B5C0C7A8CDDAB0894DB404482

In December of 2002, one online SPAM prevention service measured upwards of 5,000,000 unique SPAM attacks - nearly 3 times more than what was measured in the same month in 1999.

From ZDNet, 29 January 2003, http://zdnet.com.com/2100-1105-982554.html

PSINet Europe purposely built an unprotected server and connected it to the Internet to determine how quickly it would be compromised.  Their findings were astonishing:

  • The server was maliciously attacked 467 times in the first 24 hours
  • Most of the attacks originated in the US or Western Europe
  • After 3 weeks, a total of 626 attacks were detected against the server

From CERT, 16 January 2002, http://www.cert.org/stats/cert_stats.html

Publicly released computer security vulnerabilities more than doubled in the last year, with 1,090 separate holes reported in 2000 and 2,437 reported in 2001.  Following the same trend, the number of reported incidents also increased drastically, with 21,756 documented in 2000 and 52,658 in 2002.

From GCN, 28 April 2001, http://www.gcn.com/vol1_no1/daily-updates/4028-1.html

According to Major General Dave Bryan, there were 25,000 attempted intrusions into defense systems last year.  Bryan stated that 245 of those attacks were successful, and also that officials found that 96% of the successful attacks could have been prevented if users had followed protocols.

From The Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, 12 March 2001, http://www.gocsi.com/prelea_000321.htm , out of 538 respondents (directly quoted):

  • 85% (primarily large corporations and government agencies) detected computer security breaches within the last twelve months
  • 64% acknowledged financial losses due to computer breaches
  • 35% (186 respondents) were willing and/or able to quantify their financial losses. These 186 respondents reported $377,828,700 in financial losses. (In contrast, the losses from 249 respondents in 2000 totaled only $265,589,940. The average annual total over the three years prior to 2000 was $120,240,180.)
  • The most serious financial losses occurred through theft of proprietary information (34 respondents reported $151,230,100) and financial fraud (21 respondents reported $92,935,500).
  • More respondents (70%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (31%).
  • The share citing their Internet connections as a frequent point of attack rose from 59% in 2000 to 70% in 2001.
  • 36% reported the intrusions to law enforcement; a significant increase from 2000, when only 25% reported them. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
  • 40% detected system penetration from the outside (only 25% reported system penetration in 2000).
  • 38% detected denial of service attacks (only 27% reported denial of service in 2000).
  • 91% detected employee abuse of Internet access privileges (79% detected net abuse in 2000)
  • 95% detected computer viruses (only 85% detected them in 2000).

Related to e-Commerce:

  • 97% have WWW sites.
  • 47% conduct electronic commerce on their sites.
  • 23% suffered unauthorized access or misuse within the last twelve months.
  • 27% said that they didn't know if there had been unauthorized access or misuse.
  • 21% of those acknowledging attacks reported from two to five incidents.
  • 58% reported ten or more incidents.
  • 90% of those attacked reported [web site] vandalism (only 64% in 2000).
  • 78% reported denial of service (only 60% in 2000).
  • 13% reported theft of transaction information (only 8% in 2000).
  • 8% reported financial fraud (only 3% in 2000).

From SecurityFocus.Com, 15 October 2000,  http://www.securityfocus.com/frames/?content=/vdb/stats.html , so far in the year 2000 there have been 457 new reported operating system vulnerabilities.  The breakdown by OS is as follows:

  • 85 new vulnerabilities in Windows NT/2000
  • 82 new vulnerabilities total for all of the aggregate Linux variants
  • 42 on Mandrake Linux
  • 40 on RedHat Linux
  • 32 on Windows 3.x/95/98
  • 20 on Debian
  • 19 on FreeBSD
  • 14 on NetBSD
  • 12 on IRIX and 12 on HP/UX
  • 6 on AIX
  • more ....

From CERT/CC, 17 August 2000, http://www.cert.org/present/cert-overview-trends/index.htm

Carnegie Mellon University estimates that 99% of all reported intrusions "result through exploitation of known vulnerabilities or configuration errors, [for which] countermeasures were available."  This directly shows how truly important it is to regularly patch systems, as well as keep current with network and system countermeasures.

In a test to see how fast an unpublicized, unpatched system would be discovered, the San Diego Supercomputer Center placed a default-installation Red Hat Linux 5.2 machine on the Internet.

  • 8 hours after installation, the system was probed for RPC vulnerabilities.
  • 21 days after installation, there had been 20 targeted, unsuccessful exploit attempts.
  • Approximately 40 days after installation, a vulnerable POP service was compromised, and the intruder installed a sniffer, several backdoors, and wiped out the system logs.

From IDC, 14 August 2000, http://www.idc.com/Internet/press/PR/NET081400pr.stm

"Web spending on IT products and services [is expected] to more than double from $119.1 billion in 2000 to $282.5 billion in 2003."

From The Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, 22 March 2000, http://www.gocsi.com/prelea_000321.htm , out of 643 respondents:

  • 25% of respondents detected system penetration from the outside.
  • 27% of respondents detected denial of service attacks.
  • 79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
  • 85% detected computer viruses
  • 93% of respondents have WWW sites.
  • 43% conduct electronic commerce on their sites (in 1999, it was only 30%).
  • 19% suffered unauthorized access or misuse within the last twelve months.
  • 32% said that they didn't know if there had been unauthorized access or misuse.
  • 35% of those acknowledging an attack reported from two to five incidents.
  • 19% reported ten or more incidents.
  • 64% of those acknowledging an attack reported Web-site vandalism.
  • 60% reported denial of service.
  • 8% reported theft of transaction information.
  • 3% reported financial fraud.
  • 273 organizations that were able to quantify their losses reported a total of $265,589,940

From Information Security Magazine, July 1999, http://www.infosecuritymag.com/july99/cover.htm , out of 745 surveyed:

  • 50% of the companies conduct e-commerce over the Internet
  • 65% said infosecurity has "high visibility" in their organization
  • There was a 91.5% increase in the number of surveyed companies suffering unauthorized access (hacking/cracking) intrusions from 1998 to 1999.
  • Among the 91 companies that were able to quantify their losses, the total cost of security breaches was $23.3 million USD
  • 77% experienced virus outbreaks
  • 52% had employee access breaches of some variety
  • 44% spent less than $50,000 on their organizational security budget
  • 11% spent more than $1,000,000 on their organizational security budget
  • Only 33.33% said their infosecurity budget was sufficient
  • Average (mean) salary of all respondents was $69,000
  • 99% held a security awareness/training program for staff during 1999

From Information Security Magazine, December 1999, 1999 Infosecurity Year-in-Review

  • On April 22nd, 1999, a computer technician at the Seattle-area "Blarg! Online" ISP discovered that improperly installed shopping-cart software, used widely on the Internet to simplify online purchasing, allowed anyone to see confidential data such as credit card numbers, affecting at least several hundred, and possibly many thousands, of e-commerce sites where the software was improperly installed.
  • On April 22nd, 1999, according to newswire reports, the Chernobyl computer virus struck hundreds of thousands of computers in Asia and the Middle East, with Turkey and South Korea each reporting 300,000 damaged computers.

Other Related 3rd Party Articles:

"Top Ten Most Critical Internet Security Threats" , SANS, Sept. 2000

"Mistakes People Make that Lead to Security Breaches", SANS, 2000

"Got Security?", ISM*, July 1999

"The Seven Worst Security Mistakes Senior Executives Make", SANS, May 1999

*Information Security Magazine

© Copyright Security Stats.Com, Inc 2000