I've just received an early release of a security survey conducted by the RSA Conference where security professionals were polled about their attitudes and experiences around information security. There were two findings that caught my attention.
The first is that while 54% of the respondents have dealt with a security incident, only 11% of those disclosed the incident publicly or reported it to authorities. The second is that 86% of the respondents said the Storm worm had no impact on their organization. These two seemingly contradictory data points show under-reporting and over-reporting of threats. Let's take a look.
First, 54% said they were affected by a security incident. This percentage is similar to the numbers Nemertes Research has found, although the outcome depends on how the study defines "incident." If one counts malware infections, the number goes up quite a bit. Still, it seems that most companies are affected negatively by security incidents. What is not immediately obvious is that this represents only the small subset of companies that are aware a security incident has occurred.
My experience conducting forensic investigations is that security incidents very often go unnoticed for months or even years. Many probably are never noticed. So, if a lot of incidents go unnoticed, and of those that are noticed only a tiny minority are ever made public, then what we see in the media is only a pale shadow of a much larger threat.
Second, 86% of the respondents said they were not affected by the Storm worm. The analysis of this data seemed to suggest that Storm is overhyped in the media, because its real-world incidence reportedly is low. I read this to mean the exact opposite. The defining characteristic of Storm is that it operates silently and is hard to detect, even if you go looking for it. I bet that a fair number of that 86% have a Storm infection in their infrastructure and don't know about it.
Companies probably are getting better at the operational aspects of security: monitoring, correlating and alerting. They probably are noticing more of the bad things occurring on their systems. At the same time, however, attacks deliberately have become much more subtle, silent, discreet.
It's cynical to assume that the absence of an obvious threat could be evidence of more sophisticated silent attacks flying under the radar. Nevertheless, all the great security professionals I know are both a bit cynical and a bit paranoid. Not all the zombies and stolen identities come from consumer machines. Some of them may come from your systems. What you don't know about what's on your systems can hurt you.