Fast responders

Some companies prepare for security incidents the way they conduct fire drills

By Florence Olsen
Published on September 26, 2005


No one likes to talk about it, but criminals are using the Internet to extort money from companies, particularly those whose survival depends on processing financial transactions online. First, a company notices that its servers are under attack and online transactions with the public are blocked. Then an e-mail arrives explaining that the attack will stop only if the company pays an extortion fee.

Such attacks are an example of the growing sophistication and targeted nature of computer security incidents that afflict some businesses and government agencies. Reporting and responding to such incidents demand significant attention and resources. Companies that are models for dealing with security vulnerabilities provide training to make their employees security-aware. But increasingly, they rely on the quick response of automated detection and remediation systems to protect information on their networks.

Security officials at some of the largest companies say incident reporting is still more of an art than a science. But security officials at three corporations -- AT&T, Booz Allen Hamilton and Northrop Grumman -- agreed to discuss a topic that others said they would rather not talk about. Several experts in the information security business also offered their advice on incident reporting. Those officials and other experts said their experience might be helpful to federal officials who must not only protect government information but also comply with the Federal Information Security Management Act.

FISMA requires federal agencies to report incident data to two agencies with different reporting needs: the Office of Management and Budget and the Homeland Security Department. That is a tall order for many agencies, said Kenneth Ammon, president of MCI NetSec Global Security Services, an MCI company.

"You have two different audiences that you're trying to please here, and you probably need two different approaches to satisfy the requirements," he said.

OMB, which monitors FISMA compliance, asks agencies to report the number and type of security incidents they had in the previous year. Critics say the requirement fails to recognize that some agencies detect thousands of security incidents because they have rigorous security monitoring programs, whereas other agencies do not.

"A department that isn't looking can say we have zero incidents to report, and a department that is looking has a lot," Ammon said.


