[ISN] Deloitte security survey has some puzzling figures

InfoSec News isn at c4i.org
Fri May 28 08:48:12 EDT 2004


By Sam Varghese
May 28, 2004

A research brief about a global security survey measuring the state
of IT security at leading financial institutions claims that 83
percent of the top 100 companies worldwide experienced some
compromise of their systems in 2003.

However, the conclusion, drawn by consulting company Deloitte Touche
Tohmatsu, is puzzling as the survey itself (which can be downloaded
from the company's website) says that only 31 of the top 100 global
financial services institutions ranked by 2002 assets were involved in
the survey.

The release accompanying the survey has it differently.

"Practitioners from Deloitte's Global Financial Services Industry
practice conducted face-to-face interviews with senior information
technology executives of the top 100 global financial services
organizations (sic)," it says.

The survey claims that the results, published this month, "provide a
global benchmark for the state of security in the financial sector."

Did the company actually speak to representatives from the top 100?  
Kevin Shaw, Leader Security Services Group - Asia Pacific for the
company's Enterprise Risk Services, said: "What we can say is that
interviews with senior information technology executives of top 100
global financial services organizations (sic) were conducted and that
the sample includes 31 of the top 100 global financial services

He said four Australian banks were among those interviewed but refused
to name them.

"I am sure that you will understand that respecting the
confidentiality of those who were so kind as to participate is very
important to us, and so unfortunately, we cannot denote the true
number of organizations (sic) that have participated in the survey,"  
Shaw said.

"If we indicate the number of organizations, (sic) people may start to
reverse engineer the number and make assumptions about who
participated. This could have impact on two levels, one being that
unfair assumptions are made leading to potentially erroneous
conclusions, and the other in that they circumvent our intent and
promise of allowing organizations (sic) to remain anonymous."

Last year's survey had some question marks over it as well. The
company claimed the participants represented 35 percent of the top 500
global financial services organisations, which would have meant that
175 companies of the top 500 had been interviewed.

However, when asked about it, Deloitte admitted that the facts were
that 35 percent of the top 50 global financial services organisations
- meaning 17 or 18 - had been involved.
