1. technology and computing

 2015
Global Megatrends in Cybersecurity
Sponsored by Raytheon
Independently conducted by Ponemon Institute LLC
Publication Date: February 2015
Ponemon Institute© Research Report
2015 Global Megatrends in Cybersecurity
Ponemon Institute, February 2015
Part 1. Introduction
We are pleased to present the findings of the 2015 Global Megatrends in Cybersecurity
sponsored by Raytheon. The purpose of this research is to understand the big trends or changes
that will impact the security posture of organizations in both the public and private sector in the
next three years. Moreover, the study looks at the next generation of protocols and practices as
the cybersecurity field evolves and matures.
We surveyed 1,006 senior-level information technology and information technology security
leaders (hereafter referred to as respondent) in the US, UK/Europe and Middle East/North Africa
(MENA) who are familiar with their organizations’ cybersecurity strategies.
The research covered a range of trends related to an organization’s ability to protect itself from
cyber threats and attacks. Some of the areas addressed in this report are: the critical disconnect
between CISOs and senior leadership, insider negligence, the Internet of Things, adoption of new
technologies such as big data analytics, predictions of increases in nation state attacks and
advanced persistent threats and the dearth of cyber talent.
Overall direction of cybersecurity posture
As noted in Figure 1, a majority of
respondents believe their
organizations’ cybersecurity posture
will improve. Respondents in MENA
are most positive about improvements
in cyber security and the UK/Europe is
least positive.
According to the findings, the following
reasons are why the cyber security
posture of organizations are projected
to improve over the next three years:
§
§
§
§
§
Cyber intelligence will become
more timely and actionable
More funding will be made
available to invest in people and
technologies
Technologies will become more effective in detecting and responding to cyber threats
More staffing will be available to deal with the increasing frequency of attacks
Employee-related risks will decline
Following are reasons why the cyber security posture of organizations might decline:
§
§
§
§
§
Inability to hire and retain expert staff
Lack of actionable and timely intelligence
Employee-related risks might not be reduced
A lack of funding will prevent appropriate investments in people and technologies
Technologies that address the specific cyber threats to the organization will not be available
Ponemon Institute©: Research Report
Page 1 Part 2. Seven Megatrends in Cybersecurity
Based on the findings of the research, there are seven mega trends that will significantly impact
the cybersecurity posture of organizations in the following areas: disruptive technologies, cyber
crime, cost of compliance, the human factor, organizational and governance factors and enabling
security technologies. Following is a summary of these seven mega trends and implications for
companies.
1. Cybersecurity will become a competitive advantage and a C-level priority. As part of this
study, we asked a panel of cybersecurity experts to predict changes to several normatively
1
important characteristics concerning the role, mission and strategy of security. A total of 110
individuals with bona fide credentials in information security provided their three-year predictions.
In each of the following figures, today’s average results were derived from the survey sample
(n=1,006). An expert panel provided future predictions (n=110).
Figure 2 shows only 25 percent of respondents believe their organization’s C-level views security
as a competitive advantage. However, 59 percent of respondents in the expert panel say C-level
executives will view security as a competitive advantage three years from now.
Figure 2. Do your organization’s senior leadership view cybersecurity as a necessary cost
or a competitive advantage?
80%
75%
70%
59%
60%
50%
41%
40%
25%
30%
20%
10%
0%
Today
Necessary cost
Future (3 years from now)
Competitive advantage
1
The expert panel consisted of individuals with, on average, more than 20 years of experience in IT or
information security leadership. Many of these individuals are Distinguished Fellows of Ponemon Institute.
Ponemon Institute©: Research Report
Page 2 Figure 3 shows only 34 percent of respondents believe their organization’s senior leadership
views security as a strategic priority. Fifty-four percent of the expert panel forecast that C-level
executives will view security as a strategic priority three years from now.
Figure 3. Does senior leadership view cybersecurity as a strategic priority?
66%
70%
60%
54%
46%
50%
40%
34%
30%
20%
10%
0%
Today
Future (3 years from now)
Yes
No or Unsure
Figure 4 shows 22 percent of respondents say their organization’s security leader briefs the board
of directors on cybersecurity strategy. Sixty-six percent of the expert panel forecast that three
years from now the organization’s security leader will regularly brief the board on a recurring
basis.
Figure 4. Does your organization’s security leader brief the board of directors on the
cybersecurity strategy? 90%
78%
80%
66%
70%
60%
50%
34%
40%
30%
22%
20%
10%
0%
Today
Future (3 years from now)
Yes
Ponemon Institute©: Research Report
No or Unsure
Page 3 Figure 5 reports 14 percent of respondents say their organization’s security leader has a direct
reporting relationship with the CEO. In contrast, 30 percent of the expert panel predict that the
security leader will directly report to the organization’s CEO three years from now.
Figure 5. Does your organization’s security leader report directly to the CEO?
100%
86%
90%
80%
70%
70%
60%
50%
40%
30%
30%
20%
14%
10%
0%
Today
Future (3 years from now)
Yes
No or Unsure
Ponemon Institute©: Research Report
Page 4 The following megatrends are presented as a percentage net change between the current state
(e.g., today) and the future state (e.g., 3 years from now). The formula for percentage net change
is defined as:
Percentage net change = {[Current state – Future state] / ½ * [Current state + Future state]}
2. Insider negligence risks are decreasing. Due to investments in technologies, organizations
will gain better control over employees’ insecure devices and apps. Training programs will
increase awareness of cybersecurity practices. A lack of visibility into what employees are doing
in the workplace will become less of a problem in the next three years.
Figure 6 provides the percentage net changes in human factor security risks. Here, a negative
percentage indicates that the security risk rating is expected to increase. A positive percentage
indicates the risk is forecasted to decline.
As noted in this figure, only one attribution (about the inability to enforce compliance with polices)
is expected to worsen over the next three years. According to respondents, the inability to control
employees’ devices and apps, lack of awareness of cybersecurity practices, employee
complacency about cybersecurity and a lack of visibility into what employees are doing in the
workplace will become less of a problem in the next three years. Investments in technologies to
address these threats and better controls over BYOD and BYOC will make these risks more
manageable.
Figure 6. Percentage net changes in human factor megatrends
Consolidated view
Inability to enforce compliance with policies -2%
Contract workers replacing employees
4%
More employees working outside the office
10%
Insufficient staff with knowledge and credentials
25%
Lack of awareness of cybersecurity practices
30%
Inability to control employees' devices and apps
32%
Employee complacency about cybersecurity
40%
Inability to know what employees are doing in
the workplace
-10%
51%
0%
10%
20%
30%
40%
50%
60%
Percentage net change on security risk ratings
Ponemon Institute©: Research Report
Page 5 3. Cyber crime will keep information security leaders up night. There will be significant
increases in the risk of nation state attackers and advanced persistent threats, cyber warfare or
terrorism, data breaches involving high value information and the stealth and sophistication of
cyber attackers. In contrast, there are expected to be slight improvements in mitigating the risk of
hacktivism and malicious or criminal insiders.
Figure 7 provides the percentage net changes in cyber crime mega trends. Here, a negative
percentage indicates that the security risk rating is expected to increase. A positive percentage
indicates that risk is forecasted to decline.
According to respondents, there will be significant increases in the risk of nation state attackers
and advanced persistent threats, cyber warfare or terrorism, data breaches involving high value
information and the stealth and sophistication of cyber attackers. In contrast, there are expected
to be slight improvements in mitigating the risk of hacktivism and malicious or criminal insiders.
Figure 7. Percentage net changes in cyber crime megatrends
Consolidated view
Nation state attackers -37%
Cyber warfare or cyber terrorism
-24%
-15%
Breaches involving high-value information
Stealth and sophistication of cyber attackers
-14%
Zero-day attacks
-13%
Breaches that disrupt business and IT processes
-12%
Breaches that damage critical infrastructure
-11%
Breaches involving large volumes of data
-3%
0%
Emergence of cyber syndicates
Malicious or criminal insiders
2%
Emergence of hacktivism
-45%
3%
-35%
-25%
-15%
-5%
5%
15%
Percentage net change on security risk ratings
Ponemon Institute©: Research Report
Page 6 4. The Internet of Things is here but organizations are slow to address its security risks.
The Internet of Things is the expanding network of billions of connected devices that are
permeating our daily lives—from the computers inside our cars to our WiFi enabled appliances,
from wireless medical devices to wearable device.
Because consumers are embracing more connected devices, information security leaders predict
that the Internet of Things will be one of the most significant disruptive technologies in the near
future. Figure 8 shows respondents’ perceptions about preparedness for cybersecurity risks
resulting from the Internet of Things are generally consistent across all three regional samples.
The majority of respondents do not believe they are ready for the impact the Internet of Things
will have on their organizations.
Figure 8. My organization is prepared to deal with potential cybersecurity risks resulting
from the Internet of Things
40%
35%
34%
30%
30%
28%
25%
20%
15%
10%
5%
0%
US
UK/Europe
MENA
Strongly agree and agree responses combined
Ponemon Institute©: Research Report
Page 7 Figure 9 shows the disruptive technologies that will increase or decrease in their risk to an
organization. The Internet of Things risk is projected to increase by 25 percent and follows virtual
currencies (48 percent increase in risk) and big data analytics (32 percent increase in risk).
Figure 9. Percentage net changes in disruptive technology megatrends
Consolidated view
Organization’s acceptance of virtual currencies -48%
Organization’s use of big data analytics
The Internet of Things
Organization’s use of mobile payments
-32%
-25%
-21%
Organization’s use of IT virtualization
Employees’ use of social media in the workplace
3%
11%
Organization’s use of cloud infrastructure
14%
Organization’s use of digital identities
15%
Organization’s use of cloud file sharing tools
Organization’s use of cloud services
Employee-owned mobile devices (BYOD)
Employees’ use of favorite cloud apps (BYOC)
19%
25%
33%
38%
-60%-50%-40%-30%-20%-10% 0% 10% 20% 30% 40% 50%
Percentage net change on security risk ratings
Ponemon Institute©: Research Report
Page 8 5. The cyber talent gap will persist. Figure 10 shows respondents in three regional samples
hold a consistent belief that their organizations need more knowledgeable and experienced
cybersecurity practitioners (i.e., the cyber talent gap).
Figure 10. My organization needs more knowledgeable and experienced cybersecurity
practitioners
80%
70%
67%
66%
65%
US
UK/Europe
MENA
60%
50%
40%
30%
20%
10%
0%
Strongly agree and agree responses combined
Figure 11 lists the factors that respondents believe could hinder or stall improvements in their
organization’s cybersecurity posture in the next 3 years. At 45 percent, the number one factor for
respondents is the inability to hire and retain staff. This is closely followed by a lack of actionable
intelligence (44 percent) and the inability to curtail employee-related security risks (43 percent).
Figure 11. Factors that will hinder improvement over the next 3 years
Consolidated view
Inability to hire and retain expert staff
45%
Lack of actionable intelligence
44%
43%
Inability to minimize employee risk
Lack of funding
34%
Lack of suitable technologies
33%
31%
Increase in complexity
29%
Lack of C-level support
22%
Lack of cybersecurity leadership
19%
Increase in compliance burden
0%
Ponemon Institute©: Research Report
5%
10%
15%
20%
25%
30%
35%
40%
45%
Page 9 50%
6. Big shifts in new technologies towards big data analytics, forensics and intelligencebased cyber solutions. The following technologies will gain the most in importance over the next
3 years: encryption for data at rest, big data analytics, SIEM and cybersecurity intelligence,
automated forensics tools, encryption for data in motion, next generation firewalls, web
application firewalls, threat intelligence feeds and sandboxing or isolation tools.
Figure 12 provides the percentage net changes in importance ratings for 25 enabling security
technologies for the consolidated sample. Here, a positive net change percentage indicates that
the importance of a given technology is projected to increase over the next three years. A
negative percentage indicates the importance of the technology is projected to decrease.
The technologies that achieve the highest percentage net change are: encryption for data at rest,
big data analytics, forensics (automated tools), next generation firewalls, SIEM, threat intelligence
feeds, web application firewalls, sandboxing or isolation tools and encryption for data in motion.
Technologies that are projected to become less important over time include anti-virus tools and
data loss prevention systems.
Figure 12. Percentage change in importance of enabling security technologies
Consolidated view
Encryption for data at rest
Big data analytics
SIEM and cybersecurity intelligence
Forensics (automated tools)
Encryption for data in motion
Next generation firewalls (NGFW)
Web application firewalls (WAF)
Threat intelligence feeds
Sandboxing or isolation tools
Access governance systems
Tokenization tools
Automated policy generation
Perimeter or location surveillance
Identity & access management
Intrusion detection & prevention
Incident response tools
Database scanning and monitoring
URL or content filtering
Device anti-theft solutions
Configuration & log management
Virtual private network (VPN)
ID & credentialing system
Endpoint and mobile device management
Data loss prevention (DLP)
Anti-virus & anti-malware
-30%
24%
20%
20%
19%
19%
18%
18%
17%
17%
6%
4%
3%
2%
2%
1%
0%
0%
-1%
-2%
-4%
-4%
-5%
-6%
-12%
-17%
-20%
-10%
0%
10%
20%
30%
Percentage net change on importance ratings
Ponemon Institute©: Research Report
Page 10 7. Despite alarming media headlines, cybersecurity postures are expected to improve. As
noted in Figure 13, the majority of respondents say their cybersecurity postures will improve for
the following reasons: cyber intelligence will become more timely and actionable, more funding
will be made available to invest in people and technologies, technologies will become more
effective in detecting and responding to cyber threats, more staffing will be available to deal with
the increasing frequency of attacks and employee-related risks will decline.
Figure 13. Will our organization’s security posture improve, decline or stay at the same
level?
70%
64%
60%
60%
55%
50%
40%
32%
31%
30%
26%
20%
13%
10%
9%
10%
0%
US
UK/Europe
Improve
Ponemon Institute©: Research Report
Stay the same
MENA
Decline
Page 11 Part 3. Country Comparisons
In this section we compare the average megatrend ratings for the countries represented in this
study. Figure 14 provides the summarized average risk rating for six areas of megatrends by
country sample. Each respondent provided a rating on a 5-point scale from 1 = low to 5 = high. A
risk scale was used to rate four mega trend categories – namely, organizational factors, the
human factor, disruptive technologies and cyber crime. Security technologies were rated on
importance and compliance was rated on cost burden. Respondents provided ratings in three
separate samples (US, UK/Europe and MENA) for today and three years from now (future).
As shown below, ratings across country samples vary. The US sample appears to have higher or
more risky ratings on average and the MENA sample has lower or less risky ratings.
The grand mean for both the current state (today) and future state is 3.6, which is significantly
higher than the 5-point scale median of 3.0.
Figure 14. Average megatrend ratings for today and future state by country sample
Panel A: Current State (Today)
Security technologies
Organizational factors
Human factor
Disruptive technologies
Cyber crime
Compliance cost
1.0
2.0
MENA
3.0
UK/Europe
4.0
5.0
US
Panel B: Future State (3 years from now)
Security technologies
Organizational factors
Human factor
Disruptive technologies
Cyber crime
Compliance cost
1.0
2.0
MENA
Ponemon Institute©: Research Report
3.0
UK/Europe
4.0
5.0
US
Page 12 According to the findings, net changes across country samples are generally consistent, with
mixed results for human and organizational factors, respectively. Results suggest that security
technologies will increase in importance and the human factor risk will improve significantly in the
US and UK/Europe over three years. In contrast, organizational factors, disruptive technologies,
cyber crime and compliance costs are all predicted to worsen over time. In the US, organizational
factors will improve slightly.
Figure 15. Percentage net changes between current and future states by country sample
Worsened State
Improved State
17%
17%
14%
Security technologies
-2%
Organizational factors
-20%
2%
-10%
23%
Human factor
43%
-8%
Disruptive technologies -22%
-8%
-10%
-6%
-8%
Cyber crime
-18%
Compliance cost
-10%
-24%
-30%
-20%
-10%
MENA
Ponemon Institute©: Research Report
0%
10%
UK/Europe
20%
30%
40%
50%
US
Page 13 Part 4. Other Megatrends and Findings
Will governance practices evolve to meet cybersecurity challenges? Three years from now,
due in part to the growth of connected mobile devices, respondents believe it will become more
difficult to secure access to data, systems and physical spaces, as shown in Figure 16.
Respondents also believe the complexity of IT operations coupled with the growth of unstructured
data assets will cause a substantial increase in security risks. Another factor that is projected to
increase risk concerns the inability to integrate disparate technologies.
Figure 16. Percentage net change in organizational factor mega trends
Consolidated view
Inability to secure access rights to data, systems
and physical spaces
Complexity of business and IT operations
-20%
-17%
Growth of unstructured data assets
-9%
Inability to integrate disparate technologies
-7%
Inability to integrate necessary data sources for
actionable cyber intelligence
Integration of third parties into internal networks
and applications
-2%
1%
Silos and the lack of collaboration
2%
Lack of cybersecurity leadership
8%
Inability to convince leadership to make
cybersecurity a priority
13%
Lack of funding to support cyber defense
-35%
19%
-25%
-15%
-5%
5%
15%
25%
Percentage net change on security risk ratings
Ponemon Institute©: Research Report
Page 14 The compliance cost burden is predicted to increase. Three years from now, due to the
increase in cyber attacks and cyber terrorism, organizations will be facing the need to invest more
in compliance with mandates on critical infrastructure protection and national cyber defense
strategies. An increase in class action and tort litigation because of the continuation of data
breaches will be another concern for organizations.
Figure 17. Percentage change in compliance cost megatrends
Consolidated view
Mandates on critical infrastructure protection
-41%
National cyber defense strategies
-40%
Class action and tort litigation
-31%
Federal laws regulating data protection and
privacy
-9%
International privacy and data protection laws
-8%
E-Discovery requirements
-4%
State laws regulating data protection and privacy
-1%
Self-regulatory programs (such as ISO 27.001 or
PCI)
0%
Cybersecurity governance
-50%
3%
-40%
-30%
-20%
-10%
0%
10%
Percentage net change on cost ratings
Ponemon Institute©: Research Report
Page 15 What respondents believe is the current state of cybersecurity. Figure 18 provides the
strongly agree and agree response to eight attributions about cybersecurity. As can be seen, 66
percent of respondents believe their organization needs more knowledgeable and experienced
cybersecurity practitioners. Fifty-nine percent believe cyber intelligence activities are necessary
for protecting information assets and IT infrastructure. Slightly less than half (48 percent ) believe
their organization has adequate security technologies. Finally, only 31 percent of respondents
believe their organization is prepared to deal with cybersecurity risks or issues in the Internet of
Things.
Figure 18. The current state of cybersecurity
Strongly agree and Agree responses combined
My organization needs more knowledgeable and
experienced cybersecurity practitioners.
66%
My organization believes cyber intelligence
activities are necessary for protecting information
assets and IT infrastructure.
59%
My organization has adequate security
technologies to protect information assets and IT
infrastructure.
48%
My organization takes appropriate steps to
comply with the leading cybersecurity standards.
47%
My organization has ample resources to ensure
all cybersecurity requirements are met.
47%
My organization consistently follows policies and
procedures that seek to protect information
assets and IT infrastructure.
39%
My organization is investing in big data analytics
for cyber defense.
37%
My organization is prepared to deal with potential
cybersecurity risks resulting from the “Internet of
things”.
31%
0%
10%
20%
30%
40%
50%
60%
70%
Strongly agree and Agree responses combined
Ponemon Institute©: Research Report
Page 16 Why will organizations cybersecurity posture improve? As discussed earlier in the report,
there is general optimism that organizations will rise to the challenge of dealing with cyber threats.
Figure 19 shows the success factors that respondents believe could drive improvement to their
organization’s cybersecurity posture in the next 3 years. The top three choices are: increase in
funding, improvements to cyber intelligence and improvement in enabling security technologies.
Figure 19. Factors that will drive improvement over the next 3 years
Consolidated view
Increase in funding
47%
Cyber intelligence improvements
47%
Improvement in technologies
41%
Improvement in staffing
40%
Ability to minimize employee-related risk
36%
Improvement in threat sharing
23%
Reduction in complexity
21%
Cybersecurity leadership
19%
Increase in C-level support
16%
Reduction in compliance burden
10%
0%
Ponemon Institute©: Research Report
5%
10% 15% 20% 25% 30% 35% 40% 45% 50%
Page 17 Figure 20 lists in descending order of importance what respondents believe will be the most
prevalent types of cyber threats over the next 3 years. The top five choices are: zero day attacks,
data leakage in the cloud, mobile malware/targeted attacks, SQL injection and phishing attacks.
Figure 20. What respondents believe will be the most prevalent cyber threats or attacks
over the next three years
Consolidated view
Zero day attacks
49%
Cloud data leakage
41%
Mobile malware/targeted attacks
38%
SQL injection
37%
Phishing attacks
36%
Critical infrastructure attacks
35%
Watering hole attacks
29%
Compromised supply chain
25%
Insider threats
23%
DDoS
23%
Rootkits
22%
BYOD data theft
13%
Cross-site scripting
12%
Compromised trusted partners
10%
Compromised MSSPs/SaaS providers
10%
MacOS malware/targeted attacks
10%
Botnet attacks
9%
Linux malware/targeted attacks
8%
Clickjacking
8%
Attacks against control systems
7%
0%
Ponemon Institute©: Research Report
10%
20%
30%
40%
50%
60%
Page 18 Part 4. Conclusion
Many information security professionals believe the next three years will determine if
organizations can win the cyber war. Understanding the big trends that will impact the security
posture of organizations will help organizations make smarter decisions about their investments
in people, processes and technologies to achieve success.
To gain this understanding, we turned to information security leaders throughout the world to
identify the most important trends for the next three years. Based on the findings, following are
recommendations and observations:
§
Prepare to deal with external threats such as nation state attackers, cyber warfare or cyber
terrorism. With the negligence insider risk decreasing, more resources should be allocated to
dealing with an increasing sophisticated and stealthy cyber criminal.
§
Establish regular cyber training and awareness programs. These programs are critical in
making employees and contractors the first line of defense against malicious or criminal
activity.
§
Develop a strategy to deal with the risks created by the Internet of Things. Conduct a security
impact assessment on how the Internet of Things will impact your organization’s security
posture.
§
Be aware of the growing adoption of virtual currencies that will pose new risks to both
organizations and customers.
§
Understand how to use big data analytics effectively. Big data analytics will have both a
negative and positive impact on organizations. The negative will be the vast amounts of
sensitive and confidential data that will have to be protected. The positive will be the
availability of analytics that will be helpful in detecting and blocking cyber attacks.
§
Go back to school and recruit experts in cybersecurity. A key differentiator among
organizations will be the ability to hire and retain knowledgeable and experienced
cybersecurity practitioners.
§
Invest in the tried and true technologies because they will become more important. These
include encryption for data at rest and in motion, SIEM and cybersecurity technologies and
firewalls.
§
While leadership for cybersecurity initiatives will improve other governance issues will
become more troublesome. These are the inability to secure access rights to data, systems
and physical spaces, complexity of business and IT operations, the growth of unstructured
data assets and the inability to integrate disparate technologies.
§
Prepare to deal with an increasing litigious environment due to class action and tort litigation.
The compliance cost burden will increase for organizations due to mandates on critical
infrastructure protection.
Ponemon Institute©: Research Report
Page 19 Part 5. Methods
A random sampling frame of 27,125 senior-level IT and IT security practitioners located in the
United States, Europe and MENA were selected as participants to this survey. All respondents
2
were screened to ensure they had bona fide credentials in cybersecurity or related disciplines.
When asked what best describes their role in managing security risk, 58 percent of respondents
said they set priorities, 57 percent said they manage budgets, 63 percent select vendors and
contractors, 43 percent determine the organization’s security strategy and 46 percent evaluate
program performance.
By design, 97 percent of respondents are at supervisory or executive levels. The organizational
level of respondents is as follows: C-level (8 percent), Director (32 percent), Vice President (13
percent), Senior Executive (10 percent), Manager (34 percent) and Other (3 percent). The
department or function where respondents are located within the organization is as follows: Chief
Information Officer (51 percent), Chief Technology Officer (8 percent), CEO/President (7 percent),
Chief Security Officer (6 percent), Chief Risk Officer (6 percent), Chief Financial Officer (5
percent), General Counsel (5 percent), Compliance Officer (4 percent), Business Owner (3
percent) and Other (5 percent).
As shown in Table 1, a consolidated total of 1,125 respondents completed the survey. Screening
and failed reliability checks resulted in the removal of 119 surveys. The final sample was 1,006
surveys (or a 3.7 percent overall response rate).
Table 1. Survey Response
US
Total sampling frame
Total survey returns
Rejected or screened surveys
Final sample
Response rate
UK/Europe
MENA
Consolidated
11,550
9,790
5,785
27,125
467
455
203
1125
46
52
21
119
421
403
182
1006
3.6%
4.1%
3.1%
3.7%
2
When asked what best describes their job-related role in managing security risk, 58 percent of respondents
said they set priorities, 57 percent said they manage budgets, 63 percent said they select vendors and
contractors, 43 percent determine the organization’s security strategy and 46 percent evaluate program
performance.
Ponemon Institute©: Research Report
Page 20 Pie Chart 1 reports the industry segments of respondents’ organizations. This chart identifies
financial services (15 percent) as the largest segment, followed by industrial (12 percent) and
public sector (11 percent).
Pie Chart 1. Industry distribution of respondents’ organizations
3%
3%
3%
2%
3% 3%
15%
3%
3%
12%
4%
5%
11%
5%
6%
9%
Financial services
Industrial
Public sector
Services
Health & pharmaceutical
Energy & utilities
Technology
Hospitality & leisure
Software
Consumer products
Retail, store
Other
Retail, Internet
Transportation
Communications
Education & research
Agriculture & food services
10%
Pie chart 2 shows 42 percent of respondents are from organizations with a worldwide headcount
of more than 5,000 employees.
Pie Chart 2. Worldwide headcount of the organization
9%
14%
12%
< 100
100 to 500
20%
501 to 5,000
5,001 to 10,000
10,001 to 25,000
22%
> 25,000
24%
Ponemon Institute©: Research Report
Page 21 Part 6. Caveats
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable returned
responses. Despite non-response tests, it is always possible that individuals who did not
participate are substantially different in terms of underlying beliefs from those who completed the
instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the
list is representative of individuals who are IT or IT security practitioners. We also acknowledge
that the results may be biased by external events such as media coverage. We also acknowledge
bias caused by compensating subjects to complete this research within a holdout period.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into
the survey process, there is always the possibility that a subject did not provide a truthful
response.
Please contact [email protected] or call us at 800.877.3118 if you have any questions.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.
Copyright © 2015, Raytheon Company, Ponemon Institute, LLC. All rights reserved. No parts
of
this material may be reproduced in any form without the written permission of Raytheon or
the
Ponemon Institute, LLC.
Permission has been obtained from the copyright co-owner, Raytheon
to publish this
reproduction, which is the same in all material respects, as the original unless
approved as
changed. No parts of this document may be reproduced, stored in any retrieval
system, or
transmitted in any form, or by any means electronic, mechanical, photocopying,
recording, or
otherwise, without prior written permission of Raytheon or the Ponemon Institute,
LLC.
Ponemon Institute©: Research Report
Page 22