Computer crime has also become a major threat to business. According to the Federal Bureau of Investigation, computer crime is the most expensive form of commercial crime. In 2003, theft of information cost over $70 million, with an average cost of $2.6 million per theft. Also in 2003, denial of service attacks, which deprived companies of revenue and idled IT investments, cost over $66 million, with an average loss of $1.4 million. Estimates of the dollar figure for theft by computer intrusion and attack total $201 million.
Even though there has been substantial publicity in recent years about computer system risks and attacks, it turns out that many organizations are unwilling to report system intrusions. Doing so can result in adverse publicity, the loss of public confidence, and the possible charge of managerial incompetence. Many organizations fear lawsuits based on the emerging "standard of due care."
In fact, there are reports that in the days before regulations such as Sarbanes-Oxley, which requires increased justification of the figures used in business accounting, some businesses paid hush money to intruders. In London, a number of firms have reportedly signed agreements with computer criminals offering them amnesty for returning part of the money stolen and, more importantly, for keeping quiet about their thefts. In one case, an assistant programmer at a merchant bank diverted eight million pounds to a Swiss account. In an agreement that protected him from prosecution, the programmer promised not to disclose the system penetration, and he got to keep one million pounds!
Recent statistics indicate that payment of hush money is decreasing, often due to the increasingly automated nature of the attacks. Most attacks today are run by unsophisticated youth who learn a few tricks and gather a few scripts from true gurus, and then do what amounts to vandalism for the thrill of it. However, the thrill of penetration and creating havoc is increasingly offset by the penalties. The legal fate of some big-time virus writers has been widely reported on TV and in the newspapers. Some murderers and rapists have gotten away with lighter sentences.
More recently, skillful intruders are attacking computers with criminal or military goals in mind. These attackers may outwit even sophisticated security systems, and can leave dormant sleeper programs that will lie low to avoid detection until their owners summon them to action.