SecurityStats.Com - InfoSec Spending Statistics

Computer Security Spending Statistics:


Figure 1:  From Information Security Magazine July 1999 - "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"

From TruSecure / ICSA Labs, 29 Aug, 2003: a recent survey including 882 respondents determined the following about the MS Blaster worm:

  • Remediation cost $475,000 per company (median average - including hard, soft and productivity costs) with larger node-count companies reporting losses up to $4,228,000 
  • Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers.

From Deloitte Touche Tohmatsu, 20 May, 2003,  http://www.deloitte.com/dtt/cda/doc/content/Global%20Security%20Survey%202003.pdf

  • Financial services companies are spending approximately 6% of their IT budgets on information security
  • 47% hired extra security staff compared with 2001. 
  • Only 19% of respondents said they had reduced the number of IT security staff, despite the slowdown in the economy.

From Internet Fraud Complaint Center (IFCC), 11 April, 2003, http://www1.ifccfbi.gov/strategy/2002_IFCCReport.pdf

  • Instances of Internet fraud increased drastically in 2002 as compared to 2001
  • Losses reported by victims totaled $54 million, versus $17 million the year before, and complaints referred to law enforcement totaled 48,252, compared to 16,755 in 2001
  • Auction fraud and non-delivery of merchandise were the top two reported crimes, with credit and debit card fraud following them at 12%

From MSN, March 27, 2003, http://www.msnbc.com/news/891186.asp?cp1=1

  • "ID theft costs banks $1 billion a year. Nearly 10,000 victims had home loans - totaling about $300 million - taken out in their name in 2002 and another 68,000 had new credit cards issued in their name"
  • "While the FTC received 161,000 identity theft complaints last year, the FBI estimates the actual number of victims is probably closer to 500,000"

From Information Security Magazine, 1 March 2003,  http://www.infosecuritymag.com/2003/mar/cisosurvey.shtml

According to an Information Security survey of 518 senior security managers:

  • Just over half (53%) of those surveyed said their information security budgets would increase in 2003
  • 16% said their budgets would increase by over 20%
  • 30% said their budgets would remain flat in 2003
  • 17% said their budgets would decrease

From IDC, 18 July 2002,  http://www.idc.com/getdoc.jhtml?containerId=pr2002_06_25_210953

The market for web intrusion protection services and products is expected to increase to nearly US $700,000,000 by 2006.

From UK Dept. of Trade and Industry, June 2002, https://www.security-survey.gov.uk/View2002SurveyResults.htm

In their bi-annual report on information security breaches in the UK, Price Waterhouse Coopers and the UK DTI found some astonishing trends:

  • Average cost of a serious security incident was £30,000 (appr. US $50,000) and several of those surveyed had single incident costs which were greater than £500,000 (appr. US $825,000)
  • 78% of companies surveyed had experienced at least one malicious security incident, with 44% experiencing them within the last year.
  • 56% of those surveyed were not covered by cyber insurance, or weren't sure if their current insurance policies covered cyber incidents

From Computer Economics, 2 January 2002, http://www.computereconomics.com/page.cfm?name=pressreleases

It is estimated that the worldwide impact of malicious code was 13.2 Billion Dollars in the year 2001 alone, with the largest contributors being SirCam at $1.15 Billion, Code Red (all variants) at $2.62 Billion, and NIMDA at $635 Million.

From The Register, 11 April, 2001, http://www.theregister.co.uk/content/5/18252.html

A 41 year old, Radomir Lukic, was arrested in the UK after defrauding BT Cellnet and Telewest of an estimated £3,000,000.  For quite some time, Lukic had been selling "hacks" for popular UK based cellular phones and cable TV services.  In addition to confiscating several computer systems, when police searched Lukic's residence, they found 200 cellular phones, 400 devices used to "turn-on" cable TV channels, and nearly £22,000 in cash.

From the AHA, 30 March 2001, http://www.aha.org/ar/Comment/PrivacyDetailB0330.asp

It is estimated that implementing IT and management solutions to ensure minimum compliance with HIPAA regulations could cost hospitals up to US $22.5 billion over the next 5 years.

From C|Net, 22 March 2001, http://news.cnet.com/news/0-1005-200-5217277.html?tag=ch_mh

A recent "digital sleuthing" challenge has helped researchers to uncover costs associated with investigating attacks on systems.  According to the C|Net article:

  • "It took the intruder less than a minute to break into the university's computer via the Internet, and he stayed less than a half an hour. Yet finding out what he did in that time took researchers, on average, more than 34 hours each."
  • "those 34 hours would cost a company about $2,000 if the investigation was handled internally and more than $22,000 if a consultant was called in."
  • "The contest also helps illuminate why securing a computer is more cost effective than hiring consultants to come in and do the detective work afterward, said Fred Cohen, director of the online investigations program for the University of New Haven, Conn."

From The Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, 12 March 2001, http://www.gocsi.com/prelea_000321.htm , out of 538 respondents (directly quoted):

  • 85% (primarily large corporations and government agencies) detected computer security breaches within the last twelve months
  • 64% acknowledged financial losses due to computer breaches
  • 35% (186 respondents) were willing and/or able to quantify their financial losses. These 186 respondents reported $377,828,700 in financial losses. (In contrast, the losses from 249 respondents in 2000 totaled only $265,589,940. The average annual total over the three years prior to 2000 was $120,240,180.)
  • The most serious financial losses occurred through theft of proprietary information (34 respondents reported $151,230,100) and financial fraud (21 respondents reported $92,935,500).

From Independent Newspapers Ltd., 26 February 2001, http://www.stuff.co.nz/inl/index/0,1008,665885a1897,FF.html

A recent study conducted by the Omni Consulting Group, of Davis, California, showed that out of "3000 businesses [surveyed,] security gaps cost the companies between 5.7 and 7 per cent of [their] annual revenue in what [they refer to as] 'economic leakage'".

From ZDNet, 24 January 2001, http://www.zdnet.com/zdnn/stories/news/0,4586,2677878,00.html

"Fortune 1,000 companies lost more than $45 billion from the theft of proprietary information in 1999, according to a study released by the American Society for Industrial Security and consulting firm PricewaterhouseCoopers. The majority of those hacking incidents hit tech companies, with nearly 67 individual attacks and the average theft ringing up about $15 million in losses."

From IDC, 23 January 2001, http://emea.idc.com/press/20010123.htm

In a recent press release entitled "Europe's eSecurity Services Market Tops $1.5 Billion in 2000", IDC states that "the esecurity services market will exceed $4 billion dollars in Western Europe by 2004 - making it one of the fastest-growing segments in the European IT services space"

From Business2.Com, 22 January 2001, http://www.business2.com/content/channels/technology/2001/01/19/24969

A report by Meridien Research was released on the 18th of January, 2001.  The report found that protective technologies currently being deployed by e-businesses are helping to reduce potential fraud related losses:

  • In 2000, fraud-related losses from online transactions were approximately 1.6 billion US dollars.
  • Without investments in anti-fraud technology, the loss figure for 2000 is estimated to be more than $2 billion
  • "By 2005 [that figure] would have jumped to $15.5 billion. Meridien estimates that due to advances in online credit card fraud technology, losses will be cut to about $5.7 billion. Overall, the firm estimates that online credit card purchases worldwide will jump from $45 billion in 2000 to more than $310 billion by 2005."

From Datamonitor, 18 January 2001, http://www.datamonitor.com/viewnewsstory.asp?id=1375

On November 15, 2000, Datamonitor released a paper entitled "eSecurity – removing the roadblock to eBusiness"

  • Regardless of the fact that "eSecurity breaches cause over US $15 billion damage worldwide annually", according to the white paper, more than 50% of businesses worldwide spend 5% or less of their IT budget on security.
  • The paper also predicts that global business-to-business and business-to-consumer eCommerce revenues will reach US $5.9 trillion and US $663 billion by 2005 respectively. It notes, however, that this growth cannot happen without correcting security expenditures.

From ICSA.Net, 23 October 2000, http://www.securitystats.com/reports.asp , "2000 Computer Virus Prevalence Survey":

  • The reported damage estimate from the "LoveLetter" virus is as much as $10 Billion.
  • The reported damage estimate from the "Melissa" virus was $385 Million
  • Including hard and soft dollar figures, the true cost of virus disasters is between $100,000 and $1 Million per company

From IDC, 14 August 2000, http://www.idc.com/Internet/press/PR/NET081400pr.stm

"Web spending on IT products and services [is expected] to more than double from $119.1 billion in 2000 to $282.5 billion in 2003." 

From Wired News, 29 March 2000, http://www.wired.com/news/politics/0,1283,35264,00.html 

 A 19-year-old Houston cracker agreed to plead guilty to one count of conspiracy for teleconferencing fraud and computer cracking in one of the government's most notorious cybercrime cases, court documents show. GlobalHell, the hacker group that the teen belonged to, is said to have caused at least $1.5 million in damages to various U.S. corporations and government entities, including the White House and the U.S. Army. 

From The Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, 22 March 2000, http://www.gocsi.com/prelea_000321.htm , out of 643 respondents: 

  • 25% of respondents detected system penetration from the outside. 
  • 27% of respondents detected denial of service attacks. 
  • 79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems). 
  • 85% detected computer viruses 
  • 93% of respondents have WWW sites. 
  • 43% conduct electronic commerce on their sites (in 1999, it was only 30%). 
  • 19% suffered unauthorized access or misuse within the last twelve months. 
  • 32% said that they didn't know if there had been unauthorized access or misuse. 
  • 35% of those acknowledging attack, reported from two to five incidents. 
  • 19% reported ten or more incidents. 
  • 64% of those acknowledging an attack reported Web-site vandalism. 
  • 60% reported denial of service. 
  • 8% reported theft of transaction information. 
  • 3% reported financial fraud. 
  • 273 organizations that were able to quantify their losses reported a total of $265,589,940

From Computer World Online News, 7 January 2000, http://www.computerworld.com/home/print.nsf/all/000107DB3A

President Clinton will seek $2.03 billion next year for computer security and critical infrastructure programs, an approximately 17% increase over this fiscal year's budget of $1.75 billion. 

From Security Management Magazine, January 2000, "Underground Web Sites"

"Fueled by web sites that provide instructions on how to crack systems and commit technology-related frauds, it is estimated to have cost businesses more than $1 trillion in 1999 in preventative maintenance, recovery, theft, and unrealized revenue." 

NOTE: "Critics of [this] report have said the findings are alarmist and overstate the damage that can be specifically attributed to these Web sites. Harriss says the report was simply an alert to corporations about what type of information is being shared."

From Information Security Magazine, December 1999, 1999 Infosecurity Year-in-Review

  • On April 22nd, 1999, a computer technician at the Seattle-area "Blarg! Online" ISP, discovered that improperly installed shopping-cart software, used widely on the Internet to simplify online purchasing, allowed anyone to see confidential data, such as credit card numbers, affecting at least several hundred, and possibly many thousands, of e-commerce sites where the software was improperly installed. 
  • On April 22nd, 1999, according to newswire reports, the Chernobyl computer virus struck hundreds of thousands of computers in Asia and the Middle East, with Turkey and South Korea each reporting 300,000 damaged computers.

From Information Security Magazine, July 1999, http://www.infosecuritymag.com/july99/cover.htm , out of 745 surveyed:

  • 50% of the companies conduct e-commerce over the Internet
  • 65% said infosecurity has "high visibility" in their organization
  • There was a 91.5% increase in the number of surveyed companies suffering unauthorized access (hacking/cracking) intrusions from 1998 to 1999.
  • From 91 companies that were able to quantify their losses, the cost of security breaches totaled $23.3 million USD
  • 77% experienced virus outbreaks
  • 52% had employee access breaches of some variety
  • 44% spent less than $50,000 on their organizational security budget
  • 11% spent more than $1,000,000 on their organizational security budget
  • Only 33.33% said their infosecurity budget was sufficient
  • Average (mean) salary of all respondents was $69,000
  • 99% held a security awareness/training program for staff during 1999

From Information Week, 12 July 1999, Global Security Survey: Virus Attack

Based on responses from 2,700 executives, security professionals, and technology managers from 49 countries:

  • "Globally, about 64% of companies were hit by at least one virus in the past 12 months, up from 53% the year before. In the United States, viruses stung 69% of companies. Those figures are about four times as high as the next highest category of security breaches: unauthorized network entry."
  • Viruses and computer hacking will cost U.S. businesses an estimated $266 billion this year--more than 2.5 percent of America's Gross Domestic Product (GDP)
  • "The percentage of companies suffering security breaches increased slightly. Last year, 27% of companies responding said they had not suffered a security breach. This year, only 24% could make that claim. In the United States, just 22% reported no security breaches."

Other Related 3rd Party Articles:

"Survey Sound Bites", ISM*, Sept. 2000

"Got Security?", ISM*, July 1999

"Enough Is (Never) Enough", ISM*, July 1999

"The Seven Worst Security Mistakes Senior Executives Make", SANS, May 1999

 

 

*Information Security Magazine

© Copyright Security Stats.Com, Inc 2000