State of Web Application Security U.S. Survey of IT & IT security practitioners
|
|
- Cameron Jenkins
- 8 years ago
- Views:
Transcription
1 State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon Institute Research Report
2 Part 1. Executive Summary State of Web Application Security Ponemon Institute, March 2011 Ponemon Institute is pleased to present the findings of the State of Web Application Security study sponsored by Cenzic and Barracuda Networks. We surveyed 637 IT and IT security practitioners in a variety of industries with an average of 11 years experience in their profession. The survey focused on the following issues: The importance of securing Web-facing applications What organizations are doing to augment and secure Web applications Perceptions about the use of Web application firewalls (WAFs) What organizations are doing to test the vulnerabilities of Web applications Web applications are vulnerable to hundreds of threat vectors. According to OWASP s Top 10 Web Software Application Security Risks, SQL injection flaws are considered the most critical Web application security risks for organizations followed by cross-site scripting (XSS) flaws. Other serious vulnerabilities include session management, privilege escalation, and cross-site request forgery among many. Some of the consequences from injection flaws include data loss, corruption, denial of access or complete host takeover. Cross-site scripting could allow an attacker to hijack a user s session or deface Websites. 1 The IT practitioners in our study agree that it is important to reduce the risks caused by these threats. According to the findings, 74 percent of respondents believe Web application security is either more critical or equally critical to other security issues faced by their organizations. When asked what the economic impact would be if they had a hacker attack, 25 percent of respondents have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000 and the average is $255,000. IT practitioners recognize attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Given both the importance of Web application security and the potential for significant economic loss, are the organizations represented in our study taking the necessary measures to protect their Web applications? As shown in this study, only a small percentage of respondents test their Web applications for vulnerabilities. This lack of testing could be attributed in part to the fact that only 12 percent strongly agree that they have ample resources to detect and remediate insecure Web apps. There are other indications that the state of Web application security is dismal. While 73 percent of the organizations in the study have been hacked at least once in the last 24 months, 72 percent of the respondents test less than 10 percent of their applications. The reasons for this are a lack of budget and expertise. To make matters worse, 64 percent do not agree that their organization is able to fix Web application vulnerabilities quickly. In fact, 88 percent of respondents say their Web application security budget is less than the organization s coffee budget (about $30 per employee per month). Sixty-seven percent say it is less than the budget for network security and 51 percent say it is less than the budget for database encryption. Following is a summary of key findings according to the following three themes: Perceptions and concerns about Web application security, methods and standards used to secure Web applications and why the state of Web application security in organizations is at risk. 1 Injection Tops List of Web Application Security Risks, Angela Moscaritolo, SC Magazine, April 19, 2010 Ponemon Institute Research Report Page 1
3 Part 2. Key Findings Perceptions and concerns about Web application security Web application security is considered critical by many respondents. Bar Chart 1 shows 43 percent of respondents believe Web app security is equally critical to other security issues faced by their organization and 31 percent say it is more critical than other security issues. Only 19 percent see Web app security as less critical that other security issues. Bar Chart 1: How critical is Web app security vs. other security issues? 5 45% 4 35% 25% 15% 5% 43% 31% 19% 7% Web app security is equally critical Web app security is more critical Web app security is less critical Unsure Bar Chart 2 shows a majority of respondents who believe Web app security is one of their highest priorities. However, only 35 percent believe their organizations have ample resources to detect and remediate insecure Web apps. In addition, only 36 percent believe their IT organizations have adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. Sixty-four percent of respondents believe their organizations do not fix Web application vulnerabilities quickly and efficiently. Bar Chart 2: Attributions about Web app security and IT compliance Five-point scale from strongly agree to strongly disagree My IT organization considers Web app security one of its highest priorities. My IT organization views compliance as one of its highest priorities. My IT organization has adequate governance and policies over the use of insecure Web apps. My IT organization fixes Web app vulnerabilities quickly and efficiently. My IT organization has ample resources to detect and remediate insecure Web apps. 53% 5 36% 36% 35% 47% 5 64% 64% 65% Srongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 2
4 Hacks through Websites are the number one concern. Bar Chart 3 shows the average rank for three hacking attacks in ascending level of concern. When asked what type of hacker attack concerns them most, respondents ranked hacks through Websites followed by hacks at the network layer and hacks through desktops, laptops or other connected devices. Bar Chart 3: What category of hacker attack concerns you the most? Rank order from 3 = highest level of concern to 1 = lowest level of concern Hacks through desktops, laptops or other connected devices Hacks at the network layer Hacks through websites As shown in Bar Chart 4, a majority of respondents (53 percent) agree or strongly agree it is the responsibility of the Web-hosting provider to secure their organization s Web applications. Bar Chart 4: Attribution I expect my Web app to be secured by the Web-hosting provider Five-point scale from strongly agree to strongly disagree % 47% 4 Strongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 3
5 Data protection and compliance are the most important reasons for securing Web applications. Bar Chart 5 shows the top three reasons for securing Web apps, which are: data protection (62 percent), compliance with laws and regulations (51 percent), and the avoidance of business disruption (42 percent). Very few respondents see revenue loss (7 percent) or brand protection (8 percent) as important reasons for ensuring Web app security. Bar Chart 5: What are the most important reasons for securing your Web apps? Data protection 62% Compliance with laws & regulations 51% Business disruption 42% Job protection 15% Customer loss Brand protection Revenue loss 8% 7% 9% Bar Chart 6 reports the primary means for securing Web-facing applications. These include network firewalls (69 percent), reverse proxy (49 percent) and internal pen testing (43 percent). Other popular tools are Web application firewalls (41 percent) and intrusion prevention systems (40 percent). The fact that network firewalls are selected as the most popular method used to augment and secure Web apps suggests many respondents lack sufficient knowledge. Bar Chart 6: What is your primary means of securing Web facing applications? Network firewall 69% Reverse proxy Internal pen testing Web application firewall (WAF) Intrusion prevention system (IPS) Web application vulnerability scanning 49% 43% 41% 4 36% Managed service External pen testing 28% 26% Ponemon Institute Research Report Page 4
6 Attacks on an organization s Web applications can be costly. When asked what the economic impact would be if they had a hacker attack, 25 percent have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000, with an extrapolated average cost of $255,000. These findings suggest IT practitioners recognize that attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Bar Chart 7: What is the total economic impact if your organization were hacked? The extrapolated mean value is 255,000 dollars 25% 25% 15% 17% 15% 12% 13% 7% 7% 5% 3% 1% < $50k $50 to 100k $101 to 200k $201 to 300k $301 to 400k $401 to 500k $501 to 1 million > $1 million Do not know Methods and standards used to secure Web applications The majority of Web application firewall (WAF) users in our study consider a full reverse proxy WAF to be more secure. Bar Chart 8 compares the overall sample of respondents with a subsample of WAF users (about 41 percent). As can be seen, 73 percent of WAF users believe a reverse proxy WAF is more secure than a full reverse proxy. Bar Chart 8: Do you consider a full reverse proxy WAF to be more secure? Yes Yes No Unsure No Unsure Yes No Unsure Overall WAF User Ponemon Institute Research Report Page 5
7 Why? According to Bar Chart 9, WAF users see the top reasons as session termination and reconstruction (34 percent), the ability to scan uploaded documents for malware before they hit the Web application (23 percent), and ICAP connections for incorporating data loss prevention systems (23 percent). Bar Chart 9: If yes, why do you consider a full reverse proxy WAF to be more secure? Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application ICAP connections for incorporating data loss prevention systems 23% 23% HTTP and HTTPS protocol enforcement 5% 15% 25% 35% 4 WAF users consider this enabling technology as necessary or critical for their organizations security infrastructure. Eighty-five percent of WAF users consider this method as necessary or critical to achieving the organization s security objectives. While not shown in Bar Chart 10, only 39 percent of the overall sample believes WAFs are critical and 40 percent are uncertain about its criticality. This result suggests there is a great deal of unfamiliarity with WAFs. Bar Chart 10: Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? Subsample of 261 respondents who are WAF users 9 85% % Yes No Unsure Ponemon Institute Research Report Page 6
8 Further, as noted in Bar Chart 11, 68 percent of WAF users consider a fully functional WAF as one that optimizes both performance and security. While not shown in the chart, only 31 percent of respondents in the general sample believe this is the case and 43 percent are unsure. Again, this difference suggests that there is uncertainty about the capabilities and value provided by WAFs. Bar Chart 11: Do you consider a fully functional WAF one that optimizes for both performance and security? Subsample of 261 respondents who are WAF users % % 19% Yes No Unsure For those WAF users who say that a fully functional WAF optimizes both performance and security, 55 percent see security as more important than performance. Bar Chart 12 shows only 20 percent of WAF users see performance as more important than security, and 25 percent see security and performance as equally important. Bar Chart 12: In terms of security and performance which one is more important? Subsample of 177 WAF users who said yes to the question posed in Bar Chart % % Security is most important Performance is most important Both security and performance are equally important Ponemon Institute Research Report Page 7
9 NIST, SANS 25 and CWE are the top three standards used in responding organizations Web app security efforts. As shown in Bar Chart 13, almost half of all respondents (49 percent) say their organization applies NIST standards followed by 39 percent who apply SANS 25 and 29 percent who apply CWE. In the case of OWASP, 57 (19+38) percent of respondents are very familiar or somewhat familiar with OWASP organization and principles which is very surprising given that it's the only non-profit organization focused entirely on Web application security. Of those who are very familiar or familiar with OWASP, 35 percent apply these principles. Another 30 percent of these respondents are unsure. Pie Chart 1: How familiar are you with the OWASP organization and principles? Bar Chart 13: Besides OWASP, what other industry standards do you adapt for Web app security? 13% 19% NIST 49% Very familiar Somewhat familiar Not familiar SANS 25 CWE 29% 39% 38% No knowledge Other 16% 4 6 Why the state of Web app security is at risk Only a small percentage of Web applications are tested for vulnerabilities. As previously mentioned, 53 percent of respondents agree that they expect Web apps to be secured by the Web hosting provider (see Bar Chart 4). That could explain why only a small percentage of Web apps are being tested for vulnerabilities on-premises. Bar Chart 14: What percentage of Web apps have you tested for vulnerabilities? 45% 4 35% 25% 15% 5% 4 12% 14% No testing Less than 5% 5 to 11 to 25% 26 to 5 51 to 75% 76 to 10 8% 2% 4% Ponemon Institute Research Report Page 8
10 As noted above in Bar Chart 14, 20 percent of respondents admit their organizations do not test and 40 percent test less than 5 percent of all Web apps used. The extrapolated average for all Web applications that are being tested by organizations is estimated to be 13 percent. While not shown in the chart below, one of the main reasons for not testing their Web applications concerns the lack of budget or in-house expertise. As shown in Bar Chart 15, Web app vulnerability scanning is the most popular method for testing. Forty-nine percent of respondents use this method followed by managed service (19 percent). Proprietary apps and outsourced apps are the categories most often tested. Bar Chart 15: What do you use for testing your Web apps? % 4 19% 14% 15% Web application vulnerability scanning Managed service External pen testing Internal pen testing Bar Chart 16 shows 56 percent of respondents say their organizations test Web apps in development and 54 percent test them in testing and quality assurance venues. Only 13 percent test their applications in production. Bar Chart 16: Do you test Web apps in the following venues? % 54% 4 13% Development Testing and quality assurance Production Ponemon Institute Research Report Page 9
11 The budget for Web application security is less than what an organization spends on coffee for its employees. As shown in Bar Chart 17, 88 percent of respondents say the coffee budget is bigger (about $30 per employee per month) and 67 percent say it is less than the budget for network security. Yet, we estimate from the responses that one attack could cost the organization an average of $255,000. Bar Chart 17: What statements best describe your organization s Web app security budget relative to other budgeted items? Our Web app security budget is less than... The coffee budget 88% Network security budget 67% Database encryption budget 51% Endpoint security budget 38% Laptop disk encryption budget 34% Identity and access management budget 21% The budget for data loss prevention (DLP) 14% Organizations are at risk because many Web application vulnerabilities are not fixed after detection. Or, if they are fixed it can take months. According to Bar Chart 18, 64 (31+33) percent of respondents say their organizations have been hacked through insecure Web applications between one and 10 times in the past 24 months. Another 20 percent of respondents were unable to assess the frequency of hacks through insecure Web apps. Bar Chart 18: How many times in the past 24 months has your organization been hacked through insecure Web apps? 35% 31% 33% 25% 15% 5% 7% 9% None 1 to 5 6 to 10 More than 10 Do not know Ponemon Institute Research Report Page 10
12 Bar Chart 19 shows, 21 percent of respondents do not know how long it takes to fix a single Web application vulnerability. The extrapolated average for all organizations participating is more than 68 hours or 8.5 days (assuming a normal eight-hour work day). While not shown in the chart below, organizations are devoting approximately 24 percent of their information security efforts to detecting and fixing the vulnerabilities caused by insecure applications Bar Chart 19: How long does it take to fix one vulnerability found in a Web app? 25% 21% 21% 15% 9% 13% 13% 11% 5% 4% 2% 6% < 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks > 4 weeks Never able to fix Do not know As shown in Bar Chart 20, the controls in place to protect their Web infrastructure until the Web apps are secure include network firewall (42 percent), manual processes (39 percent), WAF (38 percent) and intrusion detection or intrusion prevention systems (18 percent). Bar Chart 20: Until you fix a known Web app vulnerability, what controls do you put inplace to protect the Web infrastructure? 45% 4 35% 25% 15% 5% 42% 39% 38% 18% Network firewall Manual process WAF IDS/IPS Ponemon Institute Research Report Page 11
13 Part 3. Methods Table 1 summarizes the sample response for this study. Our sampling frame of practitioners consisted of nearly 13,000 individuals located in the United States who have bona fide credentials in the IT or IT security fields. From this sampling frame, we invited 12,136 individuals. This resulted in 756 individuals completing the survey of which 119 were rejected for reliability issues. Our final sample of 637 respondents represents a 4.9 percent response rate. Table 1: Sample response statistics Frequency Total sampling frame Total invitations sent Bounce-back 1084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% On average, respondents held 11.2 years of experience in either the IT or IT security fields. Twenty-six percent of respondents are female and 74 percent male. Table 2 shows the position levels of respondents. As shown, more than 66 percent of respondents are at or above the supervisory level. Table 2: Respondents organizational level Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Table 3 shows the headcount (size) of respondents business companies or government entities. As can be seen, more than half (51 percent) of respondents are employed by large-sized organizations with more than 5,000 individuals. Thirteen percent are small-to-medium (SMB) sized organizations. Table 3: Global headcount (size) of respondents organizations Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 12
14 Pie Chart 2 shows the industry distribution for respondents who are employed by private and public sector organizations. As can be seen, the largest sectors include financial services (including banking, insurance, credit cards, investment management), public sector (including federal, state and local government organizations), and health and pharmaceuticals. Pie Chart 2: Industry segments of respondents organizations 3% 3% 2% 2% Financial Public sector 5% Health & pharma Industrial 5% Retail 6% Services Technology 15% Communications 7% Education Hospitality 9% Transportation 14% Defense 9% Media Table 4 reports the geographic footprint of respondents organizations. In total, 86 percent of organizations have operations (headcount) in two or more countries. In addition, 79 percent have operations in one or more European nations. Finally, a total of 46 percent have operations in all major regions of the world. Table 4: Geographic footprint of respondents organizations United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% Ponemon Institute Research Report Page 13
15 Part 4. Conclusions & limitations Concluding thoughts We believe the research findings show that the state of Web application security is bleak and requires an immediate response from organizations. While companies and government agencies are constantly being hacked through the Websites, minimal efforts are being made toward securing these websites. Factors contributing to the insecurity are a lack of budget, expertise and governance procedures. As a result, Web application vulnerabilities are not fixed quickly. According to IT practitioners in our study, 21 percent do not know how long it takes to fix one vulnerability and 6 percent say they are never able to fix these vulnerabilities. Decisions to fix Web application vulnerabilities are made informally (46 percent of respondents) or there is no effort for priorities to be set (29 percent). We hope this study creates awareness of a security problem that could have serious financial and reputational consequences for organizations. On a positive note, IT practitioners seem to be aware of the threats to their Web applications. The next step is to convince management to consider making Web application security as important as the coffee budget. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that auditors who did not participate are substantially different in terms of underlying beliefs from those who completed the survey. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are information system auditors. We also acknowledge that responses from paper, interviews or telephone might result in a different pattern of findings. 0BSelf-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, there is always the possibility that certain respondents did not provide responses that reflect their true opinions. Ponemon Institute Research Report Page 14
16 Appendix: Detailed Survey Findings The following tables provide the sample response and percentage frequencies for all survey questions completed by 637 respondents and a subsample of 261 WAF users. All survey results were completed in February Sample response statistics Frequency Total sampling frame 12,995 Total invitations sent 12,136 Bounce-back 1,084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% Part 1. General Q1. What category of hacker attack concerns you the most? Please rank from 3 = highest level of concern to 1 = lowest level of concern. Average rank Hacks at the network layer 1.25 Hacks through desktops, laptops or other connected devices 1.88 Hacks through websites 2.31 Q2. If your organization were to be hacked, what do you think would be the economic impact in total dollars? An approximate response is welcome. Zero (nothing) 4% Less than $50k 3% $50 to 100k 17% $101 to 200k 15% $201 to 300k 12% $301 to 400k 13% $401 to 500k 7% $501 to 1 million 3% $1 to 5 million 1% More than $5 million Do not know 25% Extrapolated value (000 omitted) $ Q3. What are the two most important reasons for securing your Web apps? Compliance (such as PCI, HIPAA, GLBA, various state laws, privacy directive, etc.) 51% Data protection 62% Business disruption 42% Brand protection 8% Revenue loss 7% Customer loss 9% Job protection 15% Other (please specify) 1% Total 195% Ponemon Institute Research Report Page 15
17 Part 2: Web application security Q4. What is your primary means of securing Web facing applications? Please select all that apply. Intrusion prevention system (IPS) 4 Web application firewall (WAF) 41% Network firewall 69% Reverse proxy 49% Web application vulnerability scanning 36% Managed service 28% External pen testing 26% Internal pen testing 43% Others (please specify) 3% Total 335% Q5. What additional methods do you use for augmenting and securing Web applications? Please select all that apply. Load balancing 21% SSL 34% File caching 27% Data compression 19% Integration with AAA systems 14% Two factor authentication 18% IPS / IDS 28% Web application firewall (WAF) 38% Network firewall 62% Web application vulnerability scanning 29% Managed service 26% External pen testing 34% Internal pen testing 36% Total 386% Strongly agree Q6. Please rate the following statement using the scale provided below. & agree I expect my Web apps to be secured by the Web hosting provider. 53% Q7a. Do you consider a full reverse proxy WAF to be more secure? WAF Users* Yes 73% No 13% Unsure 13% *WAF user subsample = 261 respondents Q7b. If yes, why? HTTP and HTTPS protocol enforcement Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application 23% ICAP connections for incorporating data loss prevention systems 23% Q8. Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? WAF Users* Yes 85% No 5% Unsure *WAF user subsample = 261 respondents Ponemon Institute Research Report Page 16
18 Q9a. How familiar are you with the OWASP organization and principles? Very familiar 19% Somewhat familiar 38% Not familiar No knowledge 13% Q9b. [If very familiar or somewhat familiar] Do you apply OWASP principles to your Web application security policy? Yes 35% No 35% Unsure Q9c. Besides OWASP, what other industry standards do you adapt for application security? NIST 49% SANS 25 39% CWE 29% Other 16% Total 133% Q10a. Do you consider a fully functional WAF one that optimizes for both performance and security? WAF Users* Yes 68% No 13% Unsure 19% *WAF user subsample = 261 respondents Q10b. If yes, in terms of security and performance which one is more important? Security is more important 44% Performance is more important 4 Both security and performance are equally important 16% Q11. When I research security solutions, my most trusted source of information is: References from other enterprises in my industry 49% Research organizations and analysts 22% Service providers or consultants 29% Other (please specify) Q12. How many Web apps does your organization have? Zero (none) 1 to 10 3% 11 to 50 5% 51 to % 100 to 1,000 21% 1,000 to 5,000 11% More than 5,000 9% Do not know (go to Q20) 24% Extrapolated value 1,121 Ponemon Institute Research Report Page 17
19 Q13. How did you compute the number of Web apps? Estimation 64% Ran an automated tool 19% Internal assessment or survey 17% Other (please specify) Q14. What percentage of these Web apps have you tested for vulnerabilities? Your best approximation is welcome. No testing performed (skip to Q20) Less than 5% 4 5 to 12% 11 to 25% 14% 26 to 5 8% 51 to 75% 2% 76 to 10 4% Extrapolated value 13% Q15. If you test less than of your Web apps, what are the reasons? Please check all that apply? We do not have the budget 31% We do not have the expertise 34% We are not certain we need to test more 11% Our organization has never been hacked 9% Our organization s leaders do not understand app security or see its need 15% Other (please specify) Q16. For testing your Web apps, what do you use? Web application vulnerability scanning 49% Managed service 19% External pen testing 14% Internal pen testing 15% Others (please specify) 3% Q17. How often do you test these Web apps? Once a year 8% Twice a year 13% Every quarter 23% Every month 16% More than monthly 5% Every time the code changes 16% Irregular intervals 19% Q18. Do you test Web apps in the following categories? Please check all that apply. Commercial apps 43% Proprietary apps 52% Outsourced apps 49% None of the above 3% Total 147% Ponemon Institute Research Report Page 18
20 Q19. Do you test Web apps in the following venues? Please check all that apply. Production 13% Development 56% Testing and quality assurance 54% None of the above 3% Total 126% Q20. How critical is Web app security vs. other security issues within your organization? Web app security is more critical than other security issues faced by my organization. 31% Web app security is less critical than other security issues faced by my organization. 19% Web app security is equally critical to other security issues faced by my organization. 43% Unsure 7% Q21. On average, what percentage of your organization s information security efforts are devoted to fixing vulnerabilities relating to insecure Web apps? Less than 5% 11% 5 to 13% 11 to 15% 21 to 28% 31 to 4 19% 41 to 5 6% More than 5 8% Extrapolated value 24% Q22. On average, how long does it take you to fix one vulnerability found in a Web app? Less than 60 minutes 9% 1 to 4 hours 21% 5 to 8 hours 13% 1 to 2 days 13% 3 to 7 days 11% 1 to 4 weeks 4% More than 4 weeks 2% Never able to fix 6% Do not know 21% Extrapolated value (hours) 68 Q23. Until you fix your known Web app vulnerabilities, what controls do you put inplace to protect your Web infrastructure? WAF 38% IDS/IPS 18% Network firewall 42% Manual process 39% Other (please specify) 3% Total 128% Ponemon Institute Research Report Page 19
21 Q24. How do you prioritize your Web app vulnerabilities? Quantitative score or metric 11% Simple high, medium, low rating 12% Informally 46% We do not prioritize 29% Other (please specify) 2% Q25. What statements best describe your organization s Web app security budget relative to other budgeted items? Please check all that apply. Our Web app security budget is less than... The coffee budget (assume $30 per employee per month) 88% The budget for network security 67% The budget for data loss prevention (DLP) 14% The budget for database encryption 51% The budget for laptop disk encryption 34% The budget for endpoint security 38% The budget for identity and access governance systems 21% Total 313% Q26. How many times in the past 24 months has your organization been hacked through insecure Web apps? Zero (never) 7% 1 to 5 31% 6 to 10 33% More than 10 times 9% Do not know Part 3. Attributions Q27. Please rate each one of the following four statements using the scale provided below each item. Strongly agree & agree Q27a. My IT organization has ample resources to detect and remediate insecure Web apps. 35% Q27b. My IT organization considers Web app security one of its highest priorities. 53% Q27c. My IT organization fixes Web app vulnerabilities quickly and efficiently. 36% Q27d. My IT organization has adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. 36% Q27e. My IT organization views compliance as one of its highest priorities. 5 Part 4. Your Role D1. What organizational level best describes your current position? Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Ponemon Institute Research Report Page 20
22 D2. Is this a full time position? Yes 96% No 4% D3. Check the Primary Person you or your IT security leader reports to within the organization. CEO/Executive Committee 1% Chief Financial Officer 3% General Counsel 2% Chief Information Officer 52% Chief Information Security Officer 17% Compliance Officer 9% Human Resources VP 3% Chief Security Officer 6% Chief Risk Officer 5% Other 2% D4. Experience in IT or IT security Mean Total years of experience 11.2 Total years in present position 5.67 D5. Gender Female 26% Male 74% D6. What industry best describes your organization s industry focus? Airlines 1% Automotive 1% Brokerage & Investments 3% Communications 4% Credit Cards 2% Defense 2% Education 3% Energy 3% Entertainment and Media 2% Food Service 2% Government 15% Healthcare 11% Hospitality 3% Industrial 5% Insurance 1% Internet & ISPs 1% Pharmaceuticals 4% Professional Services 5% Research 2% Retail Banking 14% Retailing 7% Services 2% Technology & Software 6% Transportation 1% Ponemon Institute Research Report Page 21
23 D7. Where are your employees located? (Check all that apply): United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% D8. What is the worldwide headcount of your organization? Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 22
24 If you have any comments or concerns about this research, please contact us at or send an to Thank you for your interest in our work. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 23
State of Web Application Security
State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research
More informationUnderstanding Security Complexity in 21 st Century IT Environments:
Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted
More informationPerceptions About Network Security Survey of IT & IT security practitioners in the U.S.
Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon
More information2012 Application Security Gap Study: A Survey of IT Security & Developers
2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part
More informationThe State of Mobile Application Insecurity
The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State
More informationThe Cost of Web Application Attacks
The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The
More informationData Security in Development & Testing
Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development
More informationRisk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin
Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction
More informationReputation Impact of a Data Breach U.S. Study of Executives & Managers
Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon
More informationA Study of Retail Banks & DDoS Attacks
A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of
More informationThe Importance of Cyber Threat Intelligence to a Strong Security Posture
The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationElectronic Health Information at Risk: A Study of IT Practitioners
Electronic Health Information at Risk: A Study of IT Practitioners Sponsored by LogLogic Conducted by Ponemon Institute LLC October 15, 2009 Ponemon Institute Research Report Executive summary Electronic
More informationThe SQL Injection Threat Study
The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April
More informationAchieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014
Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving
More informationWhat You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage
What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report
More informationThe State of USB Drive Security
The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research
More informationGlobal Insights on Document Security
Global Insights on Document Security Sponsored by Adobe Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Global Insights on Document Security
More informationThe Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T
The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices
More informationAftermath of a Data Breach Study
Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath
More informationThe State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015
The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security
More informationGlobal Survey on Social Media Risks Survey of IT & IT Security Practitioners
0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on
More informationIs Your Company Ready for a Big Data Breach?
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication
More informationData Breach: The Cloud Multiplier Effect
Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:
More informationThe Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners
The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute
More informationThe Role of Governance, Risk Management & Compliance in Organizations
The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication
More informationManaging Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013
More informationThe State of Data Centric Security
The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security
More informationThe Unintentional Insider Risk in United States and German Organizations
The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction
More informationThe Impact of Cybercrime on Business
The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted
More information2014: A Year of Mega Breaches
2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A
More informationSecurity of Cloud Computing Users Study
Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part
More information2015 Global Study on IT Security Spending & Investments
2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming
More informationExposing the Cybersecurity Cracks: A Global Perspective
Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April
More information2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition
2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition Sponsored by Silver Tail Systems Independently conducted by Ponemon Institute, LLC Publication Date: October 2012 Ponemon Institute
More informationThe SQL Injection Threat & Recent Retail Breaches
The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &
More informationUnderstaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security
Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research
More informationEfficacy of Emerging Network Security Technologies
Efficacy of Emerging Network Security Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part
More informationCyber Security on the Offense: A Study of IT Security Experts
Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report
More informationSecurity of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014
Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction
More informationLeading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers
Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Independently Conducted by Ponemon Institute LLC February 2012 Leading Practices in Behavioral
More informationThe Security Impact of Mobile Device Use by Employees
The Security Impact of Mobile Device Use by Employees Sponsored by Accellion Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report The Security
More informationCloud Security: Getting It Right
Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon
More informationHow Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States
How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:
More informationExposing the Cybersecurity Cracks: A Global Perspective
Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication
More informationSecurity Metrics to Manage Change: Which Matter, Which Can Be Measured?
Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:
More informationAdvanced Threats in Retail Companies: A Study of North America & EMEA
Advanced Threats in Companies: A Study of North America & EMEA Sponsored by Arbor Networks Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report
More informationData Security in the Evolving Payments Ecosystem
Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report
More informationNational Survey on Data Center Outages
National Survey on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary National Survey on Data Center Outages Ponemon Institute,
More informationState of IT Security Study of Utilities & Energy Companies
State of IT Security Study of Utilities & Energy Companies Sponsored by Q1 Labs Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report State of
More informationDefining the Gap: The Cybersecurity Governance Study
Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining
More informationThird Annual Study: Is Your Company Ready for a Big Data Breach?
Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute
More informationSecurity of Cloud Computing Providers Study
Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary
More informationChallenges of Cloud Information
The Challenges of Cloud Information Governance: A Global Data Security Study Sponsored by SafeNet Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research
More informationThe 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season
The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season Sponsored by RSA Security Independently conducted by Ponemon Institute, LLC Publication Date: October 2013 Ponemon
More informationSecurity of Cloud Computing Providers Study
Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary
More informationPerceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA)
Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Sponsored by Property Casualty Insurers Association of America Independently conducted by Ponemon Institute LLC Publication
More informationEncryption in the Cloud
Encryption in the Cloud Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute
More informationThe Fraud Report: How Fake Users Are Impacting Business
The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud
More informationCyber Threat Intelligence: Has to Be a Better Way
Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging
More informationBreaking Bad: The Risk of Insecure File Sharing
Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The
More informationBig Data Analytics in Cyber Defense
Big Data Analytics in Cyber Defense Sponsored by Teradata Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Big Data Analytics in Cyber
More informationData Loss Risks During Downsizing As Employees Exit, so does Corporate Data
Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon
More information2015 Global Megatrends in Cybersecurity
2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in
More informationSurvey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.
Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.
More informationThe Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013
The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach
More information2015 Global Cyber Impact Report
2015 Global Cyber Impact Report Sponsored by Aon Risk Services Independently conducted by Ponemon Institute LLC Publication Date: April 2015 2015 Global Cyber Impact Report Ponemon Institute, April 2015
More informationState of SMB Cyber Security Readiness: UK Study
State of SMB Cyber Security Readiness: UK Study Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction
More informationThe Human Factor in Data Protection
The Human Factor in Data Protection Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report The Human Factor in Data Protection
More informationCorporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb? Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report Corporate
More informationPrivileged User Abuse & The Insider Threat
Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014 1 Privileged User Abuse & The Insider Threat Ponemon
More informationAchieving Data Privacy in the Cloud
Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute
More informationThe TCO of Software vs. Hardware-based Full Disk Encryption Summary
The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report
More informationSponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA
The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute
More informationThe TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan
The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute Research Report
More informationCompliance Cost Associated with the Storage of Unstructured Information
Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report
More informationSecurity of Cloud Computing Users A Study of Practitioners in the US & Europe
Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report
More informationThreat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations
Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Sponsored by AccessData Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute
More informationThe Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations
The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Ponemon Institute Research Report Part
More information2013 Study on Data Center Outages
2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction
More informationThe End Endorsed Devices pose a Large Security Risk to Your Organization
2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:
More information2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013
2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon
More informationThe Importance of Senior Executive Involvement in Breach Response
The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance
More informationPrivacy and Security in a Connected Life: A Study of European Consumers
Privacy and Security in a Connected Life: A Study of European Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research
More informationLiveThreat Intelligence Impact Report 2013
LiveThreat Intelligence Impact Report 2013 Sponsored by Independently conducted by Ponemon Institute LLC Publication Date: July 2013 Ponemon Institute Research Report Contents Part 1. Introduction 3 Executive
More informationSmartphone Security Survey of U.S. consumers
Smartphone Security Survey of U.S. consumers Sponsored by AVG Technologies Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon Institute Research Report Smartphone Security
More informationHow Much Is the Data on Your Mobile Device Worth?
How Much Is the Data on Your Mobile Device Worth? Sponsored by Lookout Independently conducted by Ponemon Institute LLC Publication Date: January 2016 Ponemon Institute Research Report Part 1. Introduction
More informationThe TCO of Software vs. Hardware-based Full Disk Encryption
The TCO of Software vs. Hardware-based Full Disk Encryption Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research
More informationIBM QRadar Security Intelligence: Evidence of Value
IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:
More informationSecond Annual Benchmark Study on Patient Privacy & Data Security
Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report
More information2013 Cost of Data Center Outages
2013 Cost of Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Part 1. Executive Summary 2013 Cost of Data Center Outages Ponemon Institute, December
More informationBest Practices in Data Protection Survey of U.S. IT & IT Security Practitioners
Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.
More information2015 State of the Endpoint Report: User-Centric Risk
2015 State of the Endpoint Report: User-Centric Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report 2015 State
More informationEd Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved.
2012 Study on Application Security: AS Survey of fits Security and dd Developers Ed Adams, CEO Security Innovation Dr. Larry Ponemon Ponemon Institute 2012 ISACA Webinar Program. 2012 ISACA. All rights
More informationEconomic impact of privacy on online behavioral advertising
Benchmark study of Internet marketers and advertisers Independently Conducted by Ponemon Institute LLC April 30, 2010 Ponemon Institute Research Report Economic impact of privacy on online behavioral advertising
More informationThe Aftermath of a Data Breach: Consumer Sentiment
The Aftermath of a Data Breach: Consumer Sentiment Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research
More information2015 Cost of Data Breach Study: United States
2015 Cost of Data Breach Study: United States Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2015 Ponemon Institute Research Report 2015 1 Cost of Data Breach
More informationThe Economic and Productivity Impact of IT Security on Healthcare
The Economic and Productivity Impact of IT Security on Healthcare Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date: May 2013 Ponemon Institute Research Report The
More informationFirst Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies
First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies Sponsored by ArcSight Independently conducted by Ponemon Institute LLC Publication Date: July 2010 Ponemon Institute Research Report
More information