Advanced Threats in Financial Services: A Study of North America & EMEA
Sponsored by Arbor Networks
Independently conducted by Ponemon Institute LLC
Publication Date: May 2015
Ponemon Institute© Research Report

Part 1. Introduction

Ponemon Institute is pleased to present the results of Advanced Threats in Financial Services: A Study of North American & EMEA (1), sponsored by Arbor Networks. In the wake of mega breaches, how are financial services companies preventing or stopping advanced threats (ATs)? Are they able to evaluate and measure the effectiveness of their cybersecurity posture to make informed decisions about their security strategy? Are they making the appropriate investments in technologies and expertise to avoid an AT or DDoS attack?

In this research, we define ATs as a type of cyber attack designed to evade an organization’s present technical and process countermeasures. For example, ATs are those that are specifically designed to bypass firewalls, intrusion detection systems and anti-malware programs.

We surveyed 844 IT and IT security practitioners in North America and in 14 countries in Europe, Middle East & Africa (EMEA). To ensure a knowledgeable and quality response, only IT practitioners who are both familiar with their companies’ defense against cybersecurity attacks and responsible for directing cybersecurity activities within their company participated in this study.

As shown in Figure 1, respondents worry much more about ATs than DDoS attacks. ATs are considered to occur more frequently than DDoS attacks and to be more difficult to detect.

Key takeaways from this research include the following:

§ Financial service companies have almost one serious cyber attack per month. Seventy-nine percent of respondents say these cyber attacks were considered an AT and 55 percent say they were DDoS attacks.
§ The use of shared threat intelligence was more likely to identify DDoS attacks than ATs. Known signatures are more likely to identify ATs.
§ To deal with ATs and DDoS attacks, companies are most likely to install controls that prevent infiltration, followed by incident response procedures.
§ Financial service companies are faster at detecting and containing DDoS attacks than ATs. To improve time to detect and contain, most companies are integrating threat intelligence into the IR function and implementing new forensic security tools.

(1) North America includes Canada and the United States. EMEA countries include Denmark, France, Germany, Italy, Netherlands, Poland, Saudi Arabia, South Africa, Spain, Sweden, Switzerland, Turkey, United Arab Emirates and United Kingdom.

Part 2. Key findings

The complete audited findings are presented in the appendix of this report. We have organized the report according to the following topics:

§ The state of ATs and DDoS attacks in financial services
§ How companies deal with advanced threats and denial of service attacks
§ Cyber Kill Chain and advanced threats
§ Budget for advanced threats
§ Industry differences: financial services vs. retail companies

The state of ATs and DDoS attacks in financial services

Companies have an average of almost one serious cyber attack per month. In the context of this research, cyber attacks refer to all computer-based assaults on an organization’s IT infrastructure, applications, databases and source data. Cyber attacks typically involve malicious software or code that seeks to infiltrate networks or infect endpoint devices. Attack methods may also involve malicious or criminal insiders. Based on the definition above, respondents believe their organization experienced almost seven cyber attacks in the past 12 months. Seventy-nine percent of respondents say they were considered an AT and 55 percent of respondents say it was a denial of service (DDoS) attack.
Forensic evidence informed by degradation of application or system performance most often revealed the attack was an AT or DDoS, as shown in Figure 2. Shared intelligence by a customer or partner, due to lack of available in-house expertise, most often determined the attack to be a DDoS.

Figure 2. How did you know the attack was an AT or DDoS? (percentage of respondents)
Forensic evidence informed by degradation of application or system performance: AT 34%, DDoS 35%
Shared threat intelligence by customer or partner due to lack of available internal resources: AT 25%, DDoS 36%
Known signature of the attacker: AT 23%, DDoS 13%
Gut feel: AT 20%, DDoS 17%

Companies need to improve their effectiveness in containing ATs and DDoS attacks. While the majority of respondents (58 percent) consider their companies’ IT security function effective in quickly detecting ATs, they are lagging behind in the ability to contain both ATs and DDoS attacks, as shown in Figure 3.

Figure 3. Perceptions about ATs and DDoS (strongly agree and agree responses combined)
Security technologies and personnel are effective in quickly detecting advanced threats: 58%
Security technologies and personnel are effective in containing advanced threats: 49%
Security technologies and personnel are effective in quickly detecting denial of service attacks: 49%
Security technologies and personnel are effective in containing denial of service attacks: 48%

To deal with both types of attacks, most companies installed controls to prevent infiltration. As shown in Figure 4, when asked what steps their companies took to minimize or contain the impact of the AT and DDoS attacks, the most common were to install controls to prevent infiltration and to implement incident response procedures (48 percent and 45 percent of respondents, respectively).
In the case of reducing the consequences of a DDoS attack, respondents say their company was more likely to install controls to quickly detect and block infiltration (51 percent of respondents).

Figure 4. Steps taken to minimize or contain the impact of ATs and DDoS attacks (more than one response permitted)
Installed controls to prevent infiltration: AT 48%, DDoS 46%
Implemented incident response procedures: AT 45%, DDoS 47%
Installed controls to quickly detect and block infiltration: AT 44%, DDoS 51%
Established threat sharing with other companies or government entities: AT 43%, DDoS 45%
Conducted specialized training for IT security team: AT 21%, DDoS 19%
Other: AT 0%, DDoS 1%

How companies deal with cyber attack incidents

How security incidents are investigated. In the context of this study, a security incident is an event that potentially results in adverse consequences to an organization’s network or enterprise system. It also includes events that constitute violations of security policies, standardized procedures, or acceptable use policies by employees and other insiders. On average, SecOps and/or CSIRT teams in the companies represented in this study investigate 226 security incidents each month. The average number of employees in a company responsible for cybersecurity incidents is 19.

The events most often considered a security incident are denial of service attacks (99 percent of respondents), targeted attacks that result in the theft of customer data (99 percent of respondents), reported wrongdoing by employees (95 percent of respondents), and lost or stolen devices (90 percent). These incidents are followed by targeted attacks that result in the theft of high-value intellectual properties (88 percent of respondents) and reported wrongdoing by third parties (81 percent of respondents).

Figure 5. What is considered a security incident?
(More than one response permitted)
Denial of service attack: 99%
Targeted attack that results in the theft of customer data: 99%
Reported wrongdoing by employee: 95%
Lost or stolen device: 90%
Targeted attack that results in the theft of high-value intellectual properties: 88%
Reported wrongdoing by third party: 81%
Other: 3%

Companies are faster at detecting denial of service attacks. The majority of organizations use Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics to determine the effectiveness of their organization’s incident response and containment processes. Sixty-two percent of respondents use the MTTI metric to understand the time it takes to detect that an incident has occurred, and 66 percent of respondents say they use the MTTC metric to measure the time it takes for a responder to resolve a situation and ultimately restore service.

As shown in Figure 6, the average time to detect an AT attack is almost 98 days. In contrast, the average time to detect a denial of service attack is approximately 27 days. Once the incident has been detected, the average time to contain an AT attack is approximately 26 days. In contrast, the average time to contain a denial of service attack is approximately 13 days.

Figure 6. The average time to detect and resolve an AT and DDoS (extrapolated value, days)
MTTI for advanced threats: 98
MTTI for denial of service: 27
MTTC for advanced threats: 26
MTTC for denial of service: 13

Steps to improve the time to detect and contain an attack are similar. Forty-two percent of respondents anticipate that the time to detect an incident will improve in the next 12 months. As shown in Figure 7, to achieve this improvement, 74 percent of respondents are integrating threat intelligence into the incident response process and 60 percent are implementing new forensic security tools.
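The MTTI and MTTC figures above are survey estimates; a SOC that wants to report the same metrics from its own tickets needs the two durations per incident plus a sanity check on timestamp order. The following Python is an added illustration, not code from the report or from Arbor Networks or Ponemon Institute: it computes MTTI and MTTC per attack type from constructed incident records and buckets each incident into the response categories used in Q16/Q18 of the questionnaire. The category labels come from the questionnaire; the numeric bucket boundaries in days and all incident records are assumptions made here.

```python
"""Added example: MTTI / MTTC per attack type, plus survey-style time buckets.
The incident records below are constructed, not data from the Ponemon survey."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List, Tuple

SECONDS_PER_DAY = 86400.0


@dataclass(frozen=True)
class Incident:
    ident: str
    kind: str                 # "AT" (advanced threat) or "DDoS"
    first_activity: datetime  # earliest attacker activity found in the evidence
    detected: datetime        # when the incident was identified
    contained: datetime       # when the attack was contained / service restored

    def __post_init__(self) -> None:
        # Out-of-order timestamps are a data-quality defect; averaging them in
        # would silently distort the metric, so reject the record instead.
        if not (self.first_activity <= self.detected <= self.contained):
            raise ValueError(f"{self.ident}: timestamps out of order")


def time_to_identify_days(inc: Incident) -> float:
    """Time to identify: first attacker activity -> detection, in days."""
    return (inc.detected - inc.first_activity).total_seconds() / SECONDS_PER_DAY


def time_to_contain_days(inc: Incident) -> float:
    """Time to contain: detection -> containment / service restored, in days."""
    return (inc.contained - inc.detected).total_seconds() / SECONDS_PER_DAY


def mean_times(incidents: List[Incident], kind: str) -> Tuple[float, float]:
    """(MTTI, MTTC) in days over the incidents of the given kind."""
    selected = [i for i in incidents if i.kind == kind]
    if not selected:
        raise ValueError(f"no incidents of kind {kind!r}")
    return (mean(time_to_identify_days(i) for i in selected),
            mean(time_to_contain_days(i) for i in selected))


# Response categories from Q16/Q18 of the questionnaire. The upper bound of
# each category, expressed in days, is an assumption made for this example.
BUCKETS: List[Tuple[str, float]] = [
    ("Less than 30 minutes", 30 / 1440),
    ("31 to 60 minutes", 60 / 1440),
    ("1 to 4 hours", 4 / 24),
    ("5 to 8 hours", 8 / 24),
    ("1 to 2 days", 2.0),
    ("3 to 7 days", 7.0),
    ("1 to 4 weeks", 28.0),
    ("1 to 3 months", 91.0),
    ("4 to 6 months", 182.0),
    ("7 to 12 months", 365.0),
    ("1 to 2 years", 730.0),
    ("More than two years", float("inf")),
]


def bucket_label(days: float) -> str:
    """Map a duration in days to the first survey category that holds it."""
    for label, upper in BUCKETS:
        if days <= upper:
            return label
    return BUCKETS[-1][0]


def distribution(incidents: List[Incident], kind: str,
                 metric: Callable[[Incident], float]) -> Dict[str, float]:
    """Percentage of incidents of `kind` falling in each survey category."""
    selected = [i for i in incidents if i.kind == kind]
    if not selected:
        raise ValueError(f"no incidents of kind {kind!r}")
    counts = {label: 0 for label, _ in BUCKETS}
    for inc in selected:
        counts[bucket_label(metric(inc))] += 1
    return {label: 100.0 * n / len(selected) for label, n in counts.items()}


def _make(ident: str, kind: str, tti_days: float, ttc_days: float) -> Incident:
    start = datetime(2015, 2, 1)  # constructed reference date
    detected = start + timedelta(days=tti_days)
    return Incident(ident, kind, start, detected, detected + timedelta(days=ttc_days))


# Constructed sample: four advanced threats and three DDoS incidents.
SAMPLE: List[Incident] = [
    _make("AT-1", "AT", 60, 20), _make("AT-2", "AT", 30, 10),
    _make("AT-3", "AT", 100, 40), _make("AT-4", "AT", 10, 10),
    _make("DDoS-1", "DDoS", 1, 0.5), _make("DDoS-2", "DDoS", 3, 1.5),
    _make("DDoS-3", "DDoS", 2, 1.0),
]

if __name__ == "__main__":
    for kind in ("AT", "DDoS"):
        mtti, mttc = mean_times(SAMPLE, kind)
        print(f"{kind}: MTTI {mtti:.1f} days, MTTC {mttc:.1f} days")
    for label, pct in distribution(SAMPLE, "AT", time_to_identify_days).items():
        if pct:
            print(f"  AT time to identify, {label}: {pct:.0f}%")
```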
Forty percent of respondents anticipate they will improve their effectiveness in containing attacks in the next 12 months. To achieve this improvement, 73 percent are integrating threat intelligence into the incident response function and 60 percent of respondents are implementing new forensic security tools. Other popular steps are to increase security operations staff and to improve the triage process.

Figure 7. Steps to improve MTTI & MTTC
Integrate threat intelligence into IR function: MTTI 74%, MTTC 73%
Implement new forensic security tools: MTTI 60%, MTTC 60%
Increase security operations staff: MTTI 56%, MTTC 53%
Improve triage process: MTTI 55%, MTTC 53%
Introduce hunting team to look for attacks: MTTI 40%, MTTC 41%
Other: MTTI 1%, MTTC 2%

Cyber Kill Chain and dealing with advanced threats

The majority of respondents are familiar with the term Cyber Kill Chain. Seventy-eight percent of respondents are familiar with the term and were asked questions regarding their companies’ experience and allocation of resources to this strategy. The term Cyber Kill Chain refers to a life cycle approach that allows information security professionals to proactively remediate and mitigate ATs as part of the organization’s intelligence-driven defense process. This process is organized into the following seven phases:

1. Reconnaissance - Research, identification and selection of targets.
2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).
3. Delivery - Transmission of the weapon to the targeted environment.
4. Exploitation - After the weapon is delivered to a victim’s host, exploitation triggers the nefarious code.
5. Installation - Installation of a remote access trojan or backdoor on the victim system allowing the adversary to maintain persistence inside the environment.
6. Command & control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. Once the C2 channel is established, intruders have “hands on the keyboard” access inside the target environment.
7. Actions on objectives - After progressing through the first six phases, the intruders take actions to achieve their original objectives such as data exfiltration.

Reconnaissance is the phase in which it is most difficult to stop or minimize ATs. While the majority of respondents believe it is impossible, very difficult or difficult to deal with ATs in every phase of the kill chain, reconnaissance, the research, identification and selection of targets, is the most challenging according to 92 percent of respondents (Figure 8). Installation of a remote access trojan or backdoor on the victim system, allowing the adversary to maintain persistence inside the environment, is the next most difficult phase.

Figure 8. Ability to stop or minimize ATs in the seven phases of the Cyber Kill Chain (impossible, very difficult and difficult responses combined)
Reconnaissance: 92%
Installation: 81%
Actions on Objectives: 74%
Exploitation: 73%
Weaponization: 70%
Delivery: 70%
Command & Control (C2): 66%

How much money is allocated for each phase of the Cyber Kill Chain? As shown in Figure 9, while the reconnaissance phase is rated the most impossible or difficult phase in dealing with ATs, it is also the phase that receives the least amount of resources. Twenty percent of total IT security resources are applied to the exploitation phase, when, after the weapon is delivered to a victim’s host, exploitation triggers the nefarious code. Eighteen percent of respondents say resources go to actions on objectives, when intruders take actions to achieve their original objectives such as data exfiltration.

Figure 9.
Percentage of total IT security resources allocated to each phase (extrapolated value)
Exploitation: 20%
Actions on Objectives: 18%
Installation: 16%
Command & Control (C2): 14%
Weaponization: 13%
Delivery: 13%
Reconnaissance: 2%

How capable are companies in stopping or minimizing each phase of the Cyber Kill Chain? As described above, the most difficult or impossible phase in which to stop ATs is the reconnaissance phase. The result is that only 10 percent of respondents rate their ability to stop or minimize ATs in this phase as high (7+ on a scale of 1 = lowest ability and 10 = the highest ability). In contrast, 71 percent of respondents say their ability is highest in the exploitation phase, which receives the most resources. However, 69 percent rate their ability as high in the delivery phase, which does not receive as much of the available resources.

Figure 10. Ability to stop or minimize ATs in each phase (on a scale of 1 = lowest ability to 10 = highest ability, percentage of respondents who rated their ability 7+)
Exploitation: 71%
Delivery: 69%
Actions on Objectives: 66%
Installation: 60%
Command & Control (C2): 60%
Weaponization: 58%
Reconnaissance: 10%

The most promising technology to stop ATs in the Cyber Kill Chain is intelligence about network traffic, according to 71 percent of respondents. Sixty-three percent select technologies that isolate or sandbox malware infections and 49 percent pick technologies that secure information assets as most promising. Considered the least effective in the Cyber Kill Chain are the technologies that simplify the reporting of threats and those that minimize insider threats (including negligence), according to 5 percent of respondents.

Figure 11.
Most promising technologies in the Cyber Kill Chain (three responses permitted)
Technologies that provide intelligence about networks and traffic: 71%
Technologies that isolate or sandbox malware infections: 63%
Technologies that secure information assets: 49%
Technologies that provide intelligence about attackers’ motivation and weak spots: 41%
Technologies that secure the perimeter: 36%
Technologies that secure endpoints including mobile-connected devices: 22%
Technologies that simplify the reporting of threats: 13%
Technologies that minimize insider threats (including negligence): 5%

Budget for advanced threats defense

Personnel and technologies receive the most budget. Respondents were asked to allocate 100 points to indicate the relative proportion of each area of spending in the 2015 IT security budget for their organization, as shown in Figure 12. Forty points were allocated to technologies, followed by 37 points for in-house personnel, 20 points for managed (third party) services and 3 points for other cash outlays.

Figure 12. Allocation of resources to defend against ATs (points out of 100)
Technologies: 40
In-house personnel: 37
Managed (third party) services: 20
Other cash outlays: 3

According to Table 1, the average total IT budget is approximately $145 million. Eleven percent, or approximately $16 million, is allocated to IT security activities and investments. For those companies planning to use the Cyber Kill Chain, respondents say approximately $3.5 million will be spent.

Table 1. The average budget for IT, IT security and Cyber Kill Chain (extrapolated value)
2015 IT budget: $144,900,000
2015 IT security activities and investments (11 percent of the IT budget): $15,939,000
2015 Cyber Kill Chain activities (22 percent of the IT security budget): $3,506,580

Industry differences: financial services vs. retail

This research was conducted in both the financial and retail industry sectors. In the retail sector, 675 IT and IT security practitioners participated. Those findings are presented in a companion report, Advanced Threats in the Retail Industry: A Study of North America & EMEA IT Security Practitioners. Industry differences emerged that reveal how much more effective financial services companies are in managing and reducing the impact of ATs and DDoS attacks.

Financial services are more confident in their ability to contain ATs and DDoS attacks. As shown in Figure 13, financial services are more confident than retail companies in containing both ATs and DDoS attacks. Retail is more confident in containing ATs than DDoS attacks.

Figure 13. Effectiveness in containing ATs and DDoS attacks (on a scale of 1 = lowest ability to 10 = highest ability, percentage of respondents who rated their ability 7+)
Effectiveness in containing ATs: Retail 44%, Financial services 63%
Effectiveness in containing DDoS attacks: Retail 31%, Financial services 64%

Financial services are more likely to measure the time it takes to detect and contain an AT. As shown in Figure 14, 62 percent of respondents say their organizations use MTTI and 66 percent use MTTC metrics. In contrast, 40 percent of retail companies are not using MTTI and MTTC metrics to determine their effectiveness in responding to incidents. If they do use these measures, they are most likely to measure the time it takes to contain an attack.

Figure 14. Time-dependent metrics used to determine incident response effectiveness
MTTI: Retail 53%, Financial services 62%
MTTC: Retail 58%, Financial services 66%
Other: Retail 5%, Financial services 5%
We don’t utilize time-dependent operational metrics: Retail 40%, Financial services 28%

Financial services are faster to detect and contain an incident. It takes almost twice as long for retail companies to detect if an incident has occurred (196.5 days for retail companies vs.
98.1 for financial services), according to Figure 15. Financial services companies in this study are also faster to contain ATs and DDoS attacks.

Figure 15. Time it takes to detect and contain an AT (extrapolated value, days)
Average MTTI experienced for advanced threats: Retail 196.5, Financial services 98.1
Average MTTI experienced for denial of service: Retail 39.2, Financial services 27.2
Average MTTC experienced for advanced threats: Retail 38.5, Financial services 26.1
Average MTTC experienced for denial of service: Retail 18.0, Financial services 12.7

Financial services are more optimistic they can reduce the time to detect and contain attacks. According to Figure 16, in the next 12 months respondents in financial services are far more optimistic that they will improve their ability to detect and contain incidents.

Figure 16. Will MTTI and MTTC improve in the next 12 months? (yes responses)
Do you expect MTTI to decrease (improve) over the next 12 months? Retail 32%, Financial services 42%
Do you expect MTTC to decrease (improve) over the next 12 months? Retail 29%, Financial services 40%

Threat intelligence will be used to improve detection. To achieve a reduction in the time to detect an attack, both retail and financial services will integrate threat intelligence into the incident response function, as revealed in Figure 17. Financial services are more likely to hire security operations staff and introduce new forensic security tools.

Figure 17. Steps taken to reduce the time it takes to detect attacks
Integrate threat intelligence into IR function: Retail 60%, Financial services 74%
Improve triage process: Retail 50%, Financial services 55%
Increase security operations staff: Retail 41%, Financial services 56%
Implement new forensic security tools: Retail 40%, Financial services 60%
Introduce hunting team to look for attacks: Retail 33%, Financial services 40%
Other: Retail 1%, Financial services 1%

Threat intelligence is the number one step to reduce the time to contain attacks.
In general, according to Figures 17 and 18, financial services are more likely to take steps to detect and contain attacks. This could contribute to the optimism financial services have in their ability to reduce the time to detect and contain attacks. Specifically, 73 percent of respondents in financial services will integrate threat intelligence into the incident response function, while 57 percent of respondents in retail companies say they will do so. Again, financial services are more likely to implement new forensic security tools and hire more staff.

Figure 18. Steps taken to reduce the time to contain attacks
Integrate threat intelligence into IR function: Retail 57%, Financial services 73%
Improve triage process: Retail 49%, Financial services 53%
Implement new forensic security tools: Retail 41%, Financial services 60%
Increase security operations staff: Retail 41%, Financial services 53%
Introduce hunting team to look for attacks: Retail 35%, Financial services 41%
Other: Retail 0%, Financial services 2%

Part 3. Methods

The sampling frame is composed of 20,504 IT and IT security practitioners in North America and in 14 countries in EMEA who are familiar with their companies’ defense against cybersecurity attacks and have responsibility in directing cybersecurity activities within their company. As shown in Table 2, 931 respondents completed the survey. Screening removed 87 surveys. The final sample was 844 surveys (or a 4.1 percent response rate).

Table 2. Sample response
Total sampling frame: 20,504 (100.0%)
Total returns: 931 (4.5%)
Rejected or screened surveys: 87 (0.4%)
Final sample: 844 (4.1%)

Pie Chart 1 reports the current position or organizational level of the respondents. More than half of respondents (56 percent) reported their current position as supervisory or above.

Pie Chart 1. Current position or organizational level (categories: Executive/VP, Director, Manager, Supervisor, Technician, Associate/staff)

Pie Chart 2 identifies the primary person the respondent or their supervisor reports to.
Fifty-nine percent of respondents report to the chief information officer and 19 percent report to the chief information security officer.

Pie Chart 2. The primary person you or your supervisor reports to (categories: Chief Information Officer 59%, Chief Information Security Officer 19%, Compliance Officer, Chief Technology Officer, Chief Risk Officer, Other)

Pie Chart 3 reports the primary financial services industry focus of respondents’ organizations. This chart identifies banking (30 percent) as the largest segment, followed by insurance (20 percent) and brokerage (14 percent).

Pie Chart 3. Primary financial service industry focus (categories: Banking 30%, Insurance 20%, Brokerage 14%, Payments, General services, Investment management, Financial tech, Other)

According to Pie Chart 4, more than half of the respondents (69 percent) are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 4. Worldwide headcount of the organization (categories: < 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to 75,000, > 75,000)

Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in various organizations in North America and EMEA. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in February 2015. All values below are for the financial services (Finserv) sample.

Survey response
Sampling frame: 20,504
Total returns: 931
Rejected or screened surveys: 87
Final sample: 844 (Overall across the financial services and retail studies: n = 1,519; North America n = 808 and EMEA n = 711)
Response rate: 4.1%

Screening Questions

S1. How familiar are you with your organization’s defense against cyber security attacks?
Very familiar: 37%
Familiar: 29%
Somewhat familiar: 33%
No knowledge (Stop): 0%
Total: 100%

S2. Do you have any responsibility in directing cyber security activities within your organization?
Yes, full responsibility: 21%
Yes, some responsibility: 65%
Yes, minimum responsibility: 14%
No responsibility (Stop): 0%
Total: 100%

Part 1. Attributions: Please rate the following statements using the five-point scale provided below each item.

Q1a. My organization has security technologies and personnel that are effective in quickly detecting advanced threats.
Strongly agree: 27%
Agree: 31%
Unsure: 27%
Disagree: 10%
Strongly disagree: 6%
Total: 100%

Q1b.
My organization has security technologies and personnel that are effective in quickly detecting denial of service attacks.
Strongly agree: 23%
Agree: 26%
Unsure: 27%
Disagree: 14%
Strongly disagree: 10%
Total: 100%

Q1c. My organization has security technologies and personnel that are effective in containing advanced threats.
Strongly agree: 23%
Agree: 26%
Unsure: 28%
Disagree: 13%
Strongly disagree: 10%
Total: 100%

Q1d. My organization has security technologies and personnel that are effective in containing denial of service attacks.
Strongly agree: 23%
Agree: 25%
Unsure: 29%
Disagree: 13%
Strongly disagree: 10%
Total: 100%

Q1e. The greatest threats to my organization are targeted advanced attacks.
Strongly agree: 28%
Agree: 32%
Unsure: 23%
Disagree: 9%
Strongly disagree: 8%
Total: 100%

Q1f. The greatest threats to my organization are denial of service attacks.
Strongly agree: 25%
Agree: 28%
Unsure: 31%
Disagree: 10%
Strongly disagree: 5%
Total: 100%

Part 2. Incident Experience

Q2. How many cyber attacks (see definition) has your organization experienced over the past 12 months?
None (skip to Q11): 9%
1 to 2: 7%
3 to 4: 12%
5 to 6: 27%
7 to 8: 16%
9 to 10: 19%
More than 10: 10%
Total: 100%
Extrapolated value: 6.58

Q3. Do you consider any of the above attacks an advanced threat (AT)?
Yes: 79%
No (skip to Q7): 21%
Total: 100%

Q4. How did you know that the attack was an AT?
Forensic evidence: 34%
Shared threat intelligence: 25%
Known signature of the attacker: 23%
Gut feel: 20%
Other (please specify): 0%
Total: 102%

Q5. What steps did your organization take to minimize or contain the impact of the AT?
Implemented incident response procedures: 45%
Conducted specialized training for IT security team: 21%
Installed controls to prevent infiltration: 48%
Installed controls to quickly detect and block infiltration: 44%
Established threat sharing with other companies or government entities: 43%
Other (please specify): 0%
Total: 201%

Q6. Using the following 10-point scale from 1 = low to 10 = high, please rate your organization’s effectiveness in containing ATs.
1 or 2: 5%
3 or 4: 8%
5 or 6: 25%
7 or 8: 36%
9 or 10: 27%
Total: 100%
Extrapolated value: 6.97

Q7. Do you consider any of the cyber attacks (indicated in Q2) a denial of service (DDoS)?
Yes: 55%
No (skip to Q11): 45%
Total: 100%

Q8. How did you know that the attack was a DDoS?
Forensic evidence informed by degradation of application or system performance: 35%
Shared threat intelligence by customer or partner due to lack of available internal resources: 36%
Known signature of the attacker: 13%
Gut feel: 17%
Other (please specify): 0%
Total: 100%

Q9. What steps did your organization take to minimize or contain the impact of the DDoS attack?
Implemented incident response procedures: 47%
Conducted specialized training for IT security team: 19%
Installed controls to prevent infiltration: 46%
Installed controls to quickly detect and block infiltration: 51%
Established threat sharing with other companies or government entities: 45%
Other (please specify): 1%
Total: 209%

Q10. Using the following 10-point scale from 1 = low to 10 = high, please rate your organization’s effectiveness in containing DDoS attacks.
1 or 2: 8%
3 or 4: 9%
5 or 6: 20%
7 or 8: 35%
9 or 10: 29%
Total: 100%
Extrapolated value: 6.87

Q11. What is the full-time equivalent headcount of employees in your organization who are responsible for cyber security incident investigation, analysis and management?
Less than 5: 12%
5 to 10: 15%
11 to 15: 14%
16 to 20: 18%
21 to 25: 12%
26 to 30: 3%
More than 30: 26%
Total: 100%
Extrapolated value: 18.79

Q12. From the list below, please select all the events or issues that your organization would consider a security incident.
Lost or stolen device: 90%
Reported wrongdoing by employee: 95%
Reported wrongdoing by third party: 81%
Targeted attack that results in the theft of customer data: 99%
Targeted attack that results in the theft of high-value intellectual properties: 88%
Denial of service attack: 99%
Other (please specify): 3%
None of the above: 0%
Total: 554%

Q13. Approximately, how many security incidents are investigated by your organization’s SecOps and/or CSIRT team each month?
Less than 10: 0%
10 to 25: 1%
26 to 50: 16%
51 to 100: 27%
101 to 250: 21%
251 to 500: 18%
More than 500: 17%
Total: 100%
Extrapolated value: 225.75

Q14. What organizational group or “team” is responsible for incident investigation, analysis and management?
Security operations team (SecOps): 38%
Cyber security incident response team (CSIRT): 49%
Both (shared responsibility): 11%
Other (please specify): 2%
Total: 100%

Q15. What time-dependent metrics does your organization use to determine the effectiveness of your organization’s incident response process?
MTTI: 62%
MTTC: 66%
Other (please specify): 5%
We don’t utilize time-dependent operational metrics (skip to Q20): 28%

Q16. Approximately, what is an average MTTI experienced by your organization in recent incidents? Your best guess is welcome.

Q16a. For advanced threats:
Less than 30 minutes: 0%
31 to 60 minutes: 0%
1 to 4 hours: 1%
5 to 8 hours: 3%
1 to 2 days: 4%
3 to 7 days: 12%
1 to 4 weeks: 16%
1 to 3 months: 28%
4 to 6 months: 16%
7 to 12 months: 9%
1 to 2 years: 6%
More than two years: 0%
Total: 96%
Extrapolated days: 98.08

Q16b.
For denial of services: Less than 30 minutes 31 to 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks 1 to 3 months 4 to 6 months 7 to 12 months 1 to 2 years More than two years Total Extrapolated days Finserv 7% 5% 10% 19% 13% 15% 16% 8% 8% 1% 1% 0% 102% 27.24 Q17a. Do you expect MTTI to decrease (improve) over the next 12 months? Yes No Total Finserv 42% 58% 100% Q17b. If yes, in percentage terms, how much of a decrease in MTTI do you anticipate? Less than 5% 5% to 10% 11% to 25% 26% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 7% 33% 40% 14% 6% 0% 100% 19% Q17c. If yes, what steps is your organization taking to reduce MTTI? Increase security operations staff Improve triage process Introduce hunting team to look for attacks Integrate threat intelligence into IR function Implement new forensic security tools Other (please specify) Total Finserv 56% 55% 40% 74% 60% 1% 285% Ponemon Institute© Research Report Page 25 Q18. Approximately, what is an average MTTC experienced by your organization in recent incidents? Your best guess is welcome. Q18a. For advanced threats: Less than 30 minutes 31 to 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks 1 to 3 months 4 to 6 months 7 to 12 months 1 to 2 years More than two years Total Extrapolated value Finserv 4% 10% 9% 15% 17% 16% 12% 8% 8% 1% 1% 0% 101% 26.06 Q18b. For denial of services: Less than 30 minutes 31 to 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks 1 to 3 months 4 to 6 months 7 to 12 months 1 to 2 years More than two years Total Extrapolated value Finserv 6% 10% 14% 25% 16% 11% 9% 7% 3% 0% 0% 0% 100% 12.75 Q19a. Do you expect MTTC to decrease (improve) over the next 12 months? Yes No Total Finserv 40% 60% 100% Q19b. If yes, in percentage terms, how much of a decrease in MTTC do you anticipate? 
Less than 5% 5% to 10% 11% to 25% 26% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 28% 40% 26% 5% 1% 0% 100% 11% Ponemon Institute© Research Report Page 26 Q19c. If yes, what steps is your organization taking to reduce MTTC? Increase security operations staff Improve triage process Introduce hunting team to look for attacks Integrate threat intelligence into IR function Implement new forensic security tools Other (please specify) Total Finserv 53% 53% 41% 73% 60% 2% 281% Part 3. Cyber Kill Chain Q20. How familiar are you with the term Cyber Kill Chain? Very familiar Familiar Not familiar No knowledge (skip to Q29) Total Finserv 37% 29% 12% 23% 100% Q21a. In your opinion, how difficult is it to stop or minimize advanced threats during the Reconnaissance phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 41% 29% 22% 6% 3% 100% Q21b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Reconnaissance phase of the cyber kill chain? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 60% 18% 17% 2% 1% 0% 0% 0% 99% 2% Q21c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Reconnaissance phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 61% 21% 9% 5% 5% 100% 2.92 Ponemon Institute© Research Report Page 27 Q22a. In your opinion, how difficult is it to stop or minimize advance threats during the Weaponization phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 13% 30% 27% 25% 5% 100% Q22b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Weaponization phase of the cyber kill chain? 
0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 5% 15% 29% 35% 12% 4% 1% 0% 100% 13% Q22c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Weaponization phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 7% 12% 23% 25% 33% 100% 6.80 Q23a. In your opinion, how difficult is it to stop or minimize advance threats during the Delivery phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 5% 28% 37% 25% 5% 100% Ponemon Institute© Research Report Page 28 Q23b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Delivery phase of the cyber kill chain? 0% 2% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 5% 15% 29% 35% 12% 4% 1% 0% 100% 13% Q23c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Delivery phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 0% 9% 22% 25% 44% 100% 7.55 Q24a. In your opinion, how difficult is it to stop or minimize advance threats during the Exploitation phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 9% 30% 34% 25% 2% 100% Q24b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Exploitation phase of the cyber kill chain? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 1% 8% 14% 32% 30% 15% 0% 0% 100% 20% Ponemon Institute© Research Report Page 29 Q24c. 
Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Exploitation phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 0% 8% 20% 29% 42% 100% 7.60 Q25a. In your opinion, how difficult is it to stop or minimize advance threats during the Installation phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 12% 34% 35% 18% 0% 100% Q25b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Installation phase of the cyber kill chain? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 5% 23% 13% 27% 21% 11% 0% 0% 100% 16% Q25c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Installation phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 2% 10% 29% 40% 20% 100% 6.78 Q26a. In your opinion, how difficult is it to stop or minimize advance threats during the Command & Control (C2) phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 2% 25% 39% 31% 3% 100% Ponemon Institute© Research Report Page 30 Q26b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Command & Control (C2) phase of the cyber kill chain? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 4% 18% 33% 18% 17% 10% 0% 0% 100% 14% Q26c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Command & Control (C2) phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Finserv 2% 10% 29% 40% 20% 100% 6.78 Q27a. 
In your opinion, how difficult is it to stop or minimize advance threats during the Actions on Objectives phase of the kill chain? Impossible Very difficult Difficult Not difficult Easy Total Finserv 0% 35% 39% 23% 3% 100% Q27b. Approximately, what percent of your organization’s total security resources will go to stopping or minimizing advanced threats during the Actions on Objectives phase of the cyber kill chain? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 0% 12% 22% 28% 29% 11% 0% 0% 101% 18% Ponemon Institute© Research Report Page 31 Q27c. Using the 10-point scale, please rate your organization's ability to stop or minimize advance threats during the Actions on Objectives phase of the kill chain. 1 or 2 (low) 3 or 4 5 or 6 7 or 8 9 or 10 (high) Total Extrapolated value Q28. What are the most promising technologies to stopping or minimizing advance threats during the seven phases of the kill chain? Please choose only your top three choices. Technologies that secure the perimeter Technologies that provide intelligence about networks and traffic Technologies that provide intelligence about attackers’ motivation and weak spots Technologies that simplify the reporting of threats Technologies that secure endpoints including mobile-connected devices Technologies that minimize insider threats (including negligence) Technologies that secure information assets Technologies that isolate or sandbox malware infections Total Finserv 5% 12% 17% 34% 32% 100% 7.02 Finserv 36% 71% 41% 13% 22% 5% 49% 63% 300% Part 4. Budget Questions Q29. Approximately, what is the dollar range that best describes your organization’s IT budget for 2015? < $1 million $1 to 5 million $6 to $10 million $11 to $50 million $51 to $100 million $101 to $250 million $251 to $500 million > $500 million Total Extrapolated value ($millions) Finserv 0% 1% 4% 17% 33% 28% 15% 2% 100% 144.90 Q30. 
Approximately, what percentage of the 2015 IT budget will go to IT security activities and investments? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Finserv 0% 22% 32% 38% 9% 0% 0% 0% 100% 11% Ponemon Institute© Research Report Page 32 Q31. Approximately, what percentage of the 2015 IT security budget will go to kill chain-related activities? 0% 1% to 5% 6% to 10% 11% to 20% 21% to 30% 31% to 50% 51% to 75% 76% to 100% Total Extrapolated value Q32. The following table contains 4 budget or spending areas. Please allocate points to indicate the relative proportion of each area to the 2015 IT security budget for your organization. Note that the sum of your allocation must equal 100 points. Technologies In-house personnel Managed (third party) services Other cash outlays Total Finserv 12% 10% 9% 27% 21% 8% 8% 5% 100% 22% Finserv 40 37 20 3 100 Part 5. Role & Organizational Characteristics D1. What best describes your position or organizational level? Executive/VP Director Manager Supervisor Technician Associate/staff Consultant/contractor Other (please specify) Total Finserv 4% 16% 19% 17% 35% 7% 0% 0% 100% D2. Check the primary person you or your supervisor reports to within your organization. Business owner CEO/President Chief Financial Officer Chief Information Officer Compliance Officer Chief Privacy Officer Director of Internal Audit General Counsel Chief Technology Officer Human Resources VP Chief Information Security Officer Chief Risk Officer Other (please specify) Total Finserv 0% 1% 0% 59% 7% 0% 1% 0% 7% 0% 19% 6% 0% 100% Ponemon Institute© Research Report Page 33 D3 (retail). What best describes your company’s primary retail industry focus? Conventional retailer (stores) Franchises Internet retailer (websites) Combination Retail tech Other (please specify) Total D3 (financial services). What best describes your company’s primary FS industry focus? 
Banking Investment management Brokerage Insurance Payments Financial tech General services Other (please specify) Total D4. What is the worldwide headcount of your organization? < 500 500 to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 Total Countries Canada Denmark France Germany Italy Netherlands Poland Saudi Arabia South Africa Spain Sweden Switzerland Turkey United Arab Emirates United Kingdom United States Total Ponemon Institute© Research Report Finserv 0% 0% 0% 0% 0% 0% 0% Finserv 30% 8% 14% 20% 10% 6% 9% 2% 100% 0% Finserv 7% 24% 30% 22% 11% 6% 100% NA cluster 120 0 0 0 0 0 0 0 0 0 0 0 0 0 0 688 808 Page 34 EMEA cluster 0 14 87 146 51 68 36 40 7 59 9 9 17 18 150 0 711 Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute© Research Report Page 35