State of Web Application Security U.S. Survey of IT & IT security practitioners

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "State of Web Application Security U.S. Survey of IT & IT security practitioners"

Transcription

1 State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon Institute Research Report

2 Part 1. Executive Summary State of Web Application Security Ponemon Institute, March 2011 Ponemon Institute is pleased to present the findings of the State of Web Application Security study sponsored by Cenzic and Barracuda Networks. We surveyed 637 IT and IT security practitioners in a variety of industries with an average of 11 years experience in their profession. The survey focused on the following issues: The importance of securing Web-facing applications What organizations are doing to augment and secure Web applications Perceptions about the use of Web application firewalls (WAFs) What organizations are doing to test the vulnerabilities of Web applications Web applications are vulnerable to hundreds of threat vectors. According to OWASP s Top 10 Web Software Application Security Risks, SQL injection flaws are considered the most critical Web application security risks for organizations followed by cross-site scripting (XSS) flaws. Other serious vulnerabilities include session management, privilege escalation, and cross-site request forgery among many. Some of the consequences from injection flaws include data loss, corruption, denial of access or complete host takeover. Cross-site scripting could allow an attacker to hijack a user s session or deface Websites. 1 The IT practitioners in our study agree that it is important to reduce the risks caused by these threats. According to the findings, 74 percent of respondents believe Web application security is either more critical or equally critical to other security issues faced by their organizations. When asked what the economic impact would be if they had a hacker attack, 25 percent of respondents have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000 and the average is $255,000. IT practitioners recognize attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Given both the importance of Web application security and the potential for significant economic loss, are the organizations represented in our study taking the necessary measures to protect their Web applications? As shown in this study, only a small percentage of respondents test their Web applications for vulnerabilities. This lack of testing could be attributed in part to the fact that only 12 percent strongly agree that they have ample resources to detect and remediate insecure Web apps. There are other indications that the state of Web application security is dismal. While 73 percent of the organizations in the study have been hacked at least once in the last 24 months, 72 percent of the respondents test less than 10 percent of their applications. The reasons for this are a lack of budget and expertise. To make matters worse, 64 percent do not agree that their organization is able to fix Web application vulnerabilities quickly. In fact, 88 percent of respondents say their Web application security budget is less than the organization s coffee budget (about $30 per employee per month). Sixty-seven percent say it is less than the budget for network security and 51 percent say it is less than the budget for database encryption. Following is a summary of key findings according to the following three themes: Perceptions and concerns about Web application security, methods and standards used to secure Web applications and why the state of Web application security in organizations is at risk. 1 Injection Tops List of Web Application Security Risks, Angela Moscaritolo, SC Magazine, April 19, 2010 Ponemon Institute Research Report Page 1

3 Part 2. Key Findings Perceptions and concerns about Web application security Web application security is considered critical by many respondents. Bar Chart 1 shows 43 percent of respondents believe Web app security is equally critical to other security issues faced by their organization and 31 percent say it is more critical than other security issues. Only 19 percent see Web app security as less critical that other security issues. Bar Chart 1: How critical is Web app security vs. other security issues? 5 45% 4 35% 25% 15% 5% 43% 31% 19% 7% Web app security is equally critical Web app security is more critical Web app security is less critical Unsure Bar Chart 2 shows a majority of respondents who believe Web app security is one of their highest priorities. However, only 35 percent believe their organizations have ample resources to detect and remediate insecure Web apps. In addition, only 36 percent believe their IT organizations have adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. Sixty-four percent of respondents believe their organizations do not fix Web application vulnerabilities quickly and efficiently. Bar Chart 2: Attributions about Web app security and IT compliance Five-point scale from strongly agree to strongly disagree My IT organization considers Web app security one of its highest priorities. My IT organization views compliance as one of its highest priorities. My IT organization has adequate governance and policies over the use of insecure Web apps. My IT organization fixes Web app vulnerabilities quickly and efficiently. My IT organization has ample resources to detect and remediate insecure Web apps. 53% 5 36% 36% 35% 47% 5 64% 64% 65% Srongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 2

4 Hacks through Websites are the number one concern. Bar Chart 3 shows the average rank for three hacking attacks in ascending level of concern. When asked what type of hacker attack concerns them most, respondents ranked hacks through Websites followed by hacks at the network layer and hacks through desktops, laptops or other connected devices. Bar Chart 3: What category of hacker attack concerns you the most? Rank order from 3 = highest level of concern to 1 = lowest level of concern Hacks through desktops, laptops or other connected devices Hacks at the network layer Hacks through websites As shown in Bar Chart 4, a majority of respondents (53 percent) agree or strongly agree it is the responsibility of the Web-hosting provider to secure their organization s Web applications. Bar Chart 4: Attribution I expect my Web app to be secured by the Web-hosting provider Five-point scale from strongly agree to strongly disagree % 47% 4 Strongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 3

5 Data protection and compliance are the most important reasons for securing Web applications. Bar Chart 5 shows the top three reasons for securing Web apps, which are: data protection (62 percent), compliance with laws and regulations (51 percent), and the avoidance of business disruption (42 percent). Very few respondents see revenue loss (7 percent) or brand protection (8 percent) as important reasons for ensuring Web app security. Bar Chart 5: What are the most important reasons for securing your Web apps? Data protection 62% Compliance with laws & regulations 51% Business disruption 42% Job protection 15% Customer loss Brand protection Revenue loss 8% 7% 9% Bar Chart 6 reports the primary means for securing Web-facing applications. These include network firewalls (69 percent), reverse proxy (49 percent) and internal pen testing (43 percent). Other popular tools are Web application firewalls (41 percent) and intrusion prevention systems (40 percent). The fact that network firewalls are selected as the most popular method used to augment and secure Web apps suggests many respondents lack sufficient knowledge. Bar Chart 6: What is your primary means of securing Web facing applications? Network firewall 69% Reverse proxy Internal pen testing Web application firewall (WAF) Intrusion prevention system (IPS) Web application vulnerability scanning 49% 43% 41% 4 36% Managed service External pen testing 28% 26% Ponemon Institute Research Report Page 4

6 Attacks on an organization s Web applications can be costly. When asked what the economic impact would be if they had a hacker attack, 25 percent have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000, with an extrapolated average cost of $255,000. These findings suggest IT practitioners recognize that attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Bar Chart 7: What is the total economic impact if your organization were hacked? The extrapolated mean value is 255,000 dollars 25% 25% 15% 17% 15% 12% 13% 7% 7% 5% 3% 1% < $50k $50 to 100k $101 to 200k $201 to 300k $301 to 400k $401 to 500k $501 to 1 million > $1 million Do not know Methods and standards used to secure Web applications The majority of Web application firewall (WAF) users in our study consider a full reverse proxy WAF to be more secure. Bar Chart 8 compares the overall sample of respondents with a subsample of WAF users (about 41 percent). As can be seen, 73 percent of WAF users believe a reverse proxy WAF is more secure than a full reverse proxy. Bar Chart 8: Do you consider a full reverse proxy WAF to be more secure? Yes Yes No Unsure No Unsure Yes No Unsure Overall WAF User Ponemon Institute Research Report Page 5

7 Why? According to Bar Chart 9, WAF users see the top reasons as session termination and reconstruction (34 percent), the ability to scan uploaded documents for malware before they hit the Web application (23 percent), and ICAP connections for incorporating data loss prevention systems (23 percent). Bar Chart 9: If yes, why do you consider a full reverse proxy WAF to be more secure? Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application ICAP connections for incorporating data loss prevention systems 23% 23% HTTP and HTTPS protocol enforcement 5% 15% 25% 35% 4 WAF users consider this enabling technology as necessary or critical for their organizations security infrastructure. Eighty-five percent of WAF users consider this method as necessary or critical to achieving the organization s security objectives. While not shown in Bar Chart 10, only 39 percent of the overall sample believes WAFs are critical and 40 percent are uncertain about its criticality. This result suggests there is a great deal of unfamiliarity with WAFs. Bar Chart 10: Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? Subsample of 261 respondents who are WAF users 9 85% % Yes No Unsure Ponemon Institute Research Report Page 6

8 Further, as noted in Bar Chart 11, 68 percent of WAF users consider a fully functional WAF as one that optimizes both performance and security. While not shown in the chart, only 31 percent of respondents in the general sample believe this is the case and 43 percent are unsure. Again, this difference suggests that there is uncertainty about the capabilities and value provided by WAFs. Bar Chart 11: Do you consider a fully functional WAF one that optimizes for both performance and security? Subsample of 261 respondents who are WAF users % % 19% Yes No Unsure For those WAF users who say that a fully functional WAF optimizes both performance and security, 55 percent see security as more important than performance. Bar Chart 12 shows only 20 percent of WAF users see performance as more important than security, and 25 percent see security and performance as equally important. Bar Chart 12: In terms of security and performance which one is more important? Subsample of 177 WAF users who said yes to the question posed in Bar Chart % % Security is most important Performance is most important Both security and performance are equally important Ponemon Institute Research Report Page 7

9 NIST, SANS 25 and CWE are the top three standards used in responding organizations Web app security efforts. As shown in Bar Chart 13, almost half of all respondents (49 percent) say their organization applies NIST standards followed by 39 percent who apply SANS 25 and 29 percent who apply CWE. In the case of OWASP, 57 (19+38) percent of respondents are very familiar or somewhat familiar with OWASP organization and principles which is very surprising given that it's the only non-profit organization focused entirely on Web application security. Of those who are very familiar or familiar with OWASP, 35 percent apply these principles. Another 30 percent of these respondents are unsure. Pie Chart 1: How familiar are you with the OWASP organization and principles? Bar Chart 13: Besides OWASP, what other industry standards do you adapt for Web app security? 13% 19% NIST 49% Very familiar Somewhat familiar Not familiar SANS 25 CWE 29% 39% 38% No knowledge Other 16% 4 6 Why the state of Web app security is at risk Only a small percentage of Web applications are tested for vulnerabilities. As previously mentioned, 53 percent of respondents agree that they expect Web apps to be secured by the Web hosting provider (see Bar Chart 4). That could explain why only a small percentage of Web apps are being tested for vulnerabilities on-premises. Bar Chart 14: What percentage of Web apps have you tested for vulnerabilities? 45% 4 35% 25% 15% 5% 4 12% 14% No testing Less than 5% 5 to 11 to 25% 26 to 5 51 to 75% 76 to 10 8% 2% 4% Ponemon Institute Research Report Page 8

10 As noted above in Bar Chart 14, 20 percent of respondents admit their organizations do not test and 40 percent test less than 5 percent of all Web apps used. The extrapolated average for all Web applications that are being tested by organizations is estimated to be 13 percent. While not shown in the chart below, one of the main reasons for not testing their Web applications concerns the lack of budget or in-house expertise. As shown in Bar Chart 15, Web app vulnerability scanning is the most popular method for testing. Forty-nine percent of respondents use this method followed by managed service (19 percent). Proprietary apps and outsourced apps are the categories most often tested. Bar Chart 15: What do you use for testing your Web apps? % 4 19% 14% 15% Web application vulnerability scanning Managed service External pen testing Internal pen testing Bar Chart 16 shows 56 percent of respondents say their organizations test Web apps in development and 54 percent test them in testing and quality assurance venues. Only 13 percent test their applications in production. Bar Chart 16: Do you test Web apps in the following venues? % 54% 4 13% Development Testing and quality assurance Production Ponemon Institute Research Report Page 9

11 The budget for Web application security is less than what an organization spends on coffee for its employees. As shown in Bar Chart 17, 88 percent of respondents say the coffee budget is bigger (about $30 per employee per month) and 67 percent say it is less than the budget for network security. Yet, we estimate from the responses that one attack could cost the organization an average of $255,000. Bar Chart 17: What statements best describe your organization s Web app security budget relative to other budgeted items? Our Web app security budget is less than... The coffee budget 88% Network security budget 67% Database encryption budget 51% Endpoint security budget 38% Laptop disk encryption budget 34% Identity and access management budget 21% The budget for data loss prevention (DLP) 14% Organizations are at risk because many Web application vulnerabilities are not fixed after detection. Or, if they are fixed it can take months. According to Bar Chart 18, 64 (31+33) percent of respondents say their organizations have been hacked through insecure Web applications between one and 10 times in the past 24 months. Another 20 percent of respondents were unable to assess the frequency of hacks through insecure Web apps. Bar Chart 18: How many times in the past 24 months has your organization been hacked through insecure Web apps? 35% 31% 33% 25% 15% 5% 7% 9% None 1 to 5 6 to 10 More than 10 Do not know Ponemon Institute Research Report Page 10

12 Bar Chart 19 shows, 21 percent of respondents do not know how long it takes to fix a single Web application vulnerability. The extrapolated average for all organizations participating is more than 68 hours or 8.5 days (assuming a normal eight-hour work day). While not shown in the chart below, organizations are devoting approximately 24 percent of their information security efforts to detecting and fixing the vulnerabilities caused by insecure applications Bar Chart 19: How long does it take to fix one vulnerability found in a Web app? 25% 21% 21% 15% 9% 13% 13% 11% 5% 4% 2% 6% < 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks > 4 weeks Never able to fix Do not know As shown in Bar Chart 20, the controls in place to protect their Web infrastructure until the Web apps are secure include network firewall (42 percent), manual processes (39 percent), WAF (38 percent) and intrusion detection or intrusion prevention systems (18 percent). Bar Chart 20: Until you fix a known Web app vulnerability, what controls do you put inplace to protect the Web infrastructure? 45% 4 35% 25% 15% 5% 42% 39% 38% 18% Network firewall Manual process WAF IDS/IPS Ponemon Institute Research Report Page 11

13 Part 3. Methods Table 1 summarizes the sample response for this study. Our sampling frame of practitioners consisted of nearly 13,000 individuals located in the United States who have bona fide credentials in the IT or IT security fields. From this sampling frame, we invited 12,136 individuals. This resulted in 756 individuals completing the survey of which 119 were rejected for reliability issues. Our final sample of 637 respondents represents a 4.9 percent response rate. Table 1: Sample response statistics Frequency Total sampling frame Total invitations sent Bounce-back 1084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% On average, respondents held 11.2 years of experience in either the IT or IT security fields. Twenty-six percent of respondents are female and 74 percent male. Table 2 shows the position levels of respondents. As shown, more than 66 percent of respondents are at or above the supervisory level. Table 2: Respondents organizational level Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Table 3 shows the headcount (size) of respondents business companies or government entities. As can be seen, more than half (51 percent) of respondents are employed by large-sized organizations with more than 5,000 individuals. Thirteen percent are small-to-medium (SMB) sized organizations. Table 3: Global headcount (size) of respondents organizations Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 12

14 Pie Chart 2 shows the industry distribution for respondents who are employed by private and public sector organizations. As can be seen, the largest sectors include financial services (including banking, insurance, credit cards, investment management), public sector (including federal, state and local government organizations), and health and pharmaceuticals. Pie Chart 2: Industry segments of respondents organizations 3% 3% 2% 2% Financial Public sector 5% Health & pharma Industrial 5% Retail 6% Services Technology 15% Communications 7% Education Hospitality 9% Transportation 14% Defense 9% Media Table 4 reports the geographic footprint of respondents organizations. In total, 86 percent of organizations have operations (headcount) in two or more countries. In addition, 79 percent have operations in one or more European nations. Finally, a total of 46 percent have operations in all major regions of the world. Table 4: Geographic footprint of respondents organizations United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% Ponemon Institute Research Report Page 13

15 Part 4. Conclusions & limitations Concluding thoughts We believe the research findings show that the state of Web application security is bleak and requires an immediate response from organizations. While companies and government agencies are constantly being hacked through the Websites, minimal efforts are being made toward securing these websites. Factors contributing to the insecurity are a lack of budget, expertise and governance procedures. As a result, Web application vulnerabilities are not fixed quickly. According to IT practitioners in our study, 21 percent do not know how long it takes to fix one vulnerability and 6 percent say they are never able to fix these vulnerabilities. Decisions to fix Web application vulnerabilities are made informally (46 percent of respondents) or there is no effort for priorities to be set (29 percent). We hope this study creates awareness of a security problem that could have serious financial and reputational consequences for organizations. On a positive note, IT practitioners seem to be aware of the threats to their Web applications. The next step is to convince management to consider making Web application security as important as the coffee budget. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that auditors who did not participate are substantially different in terms of underlying beliefs from those who completed the survey. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are information system auditors. We also acknowledge that responses from paper, interviews or telephone might result in a different pattern of findings. 0BSelf-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, there is always the possibility that certain respondents did not provide responses that reflect their true opinions. Ponemon Institute Research Report Page 14

16 Appendix: Detailed Survey Findings The following tables provide the sample response and percentage frequencies for all survey questions completed by 637 respondents and a subsample of 261 WAF users. All survey results were completed in February Sample response statistics Frequency Total sampling frame 12,995 Total invitations sent 12,136 Bounce-back 1,084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% Part 1. General Q1. What category of hacker attack concerns you the most? Please rank from 3 = highest level of concern to 1 = lowest level of concern. Average rank Hacks at the network layer 1.25 Hacks through desktops, laptops or other connected devices 1.88 Hacks through websites 2.31 Q2. If your organization were to be hacked, what do you think would be the economic impact in total dollars? An approximate response is welcome. Zero (nothing) 4% Less than $50k 3% $50 to 100k 17% $101 to 200k 15% $201 to 300k 12% $301 to 400k 13% $401 to 500k 7% $501 to 1 million 3% $1 to 5 million 1% More than $5 million Do not know 25% Extrapolated value (000 omitted) $ Q3. What are the two most important reasons for securing your Web apps? Compliance (such as PCI, HIPAA, GLBA, various state laws, privacy directive, etc.) 51% Data protection 62% Business disruption 42% Brand protection 8% Revenue loss 7% Customer loss 9% Job protection 15% Other (please specify) 1% Total 195% Ponemon Institute Research Report Page 15

17 Part 2: Web application security Q4. What is your primary means of securing Web facing applications? Please select all that apply. Intrusion prevention system (IPS) 4 Web application firewall (WAF) 41% Network firewall 69% Reverse proxy 49% Web application vulnerability scanning 36% Managed service 28% External pen testing 26% Internal pen testing 43% Others (please specify) 3% Total 335% Q5. What additional methods do you use for augmenting and securing Web applications? Please select all that apply. Load balancing 21% SSL 34% File caching 27% Data compression 19% Integration with AAA systems 14% Two factor authentication 18% IPS / IDS 28% Web application firewall (WAF) 38% Network firewall 62% Web application vulnerability scanning 29% Managed service 26% External pen testing 34% Internal pen testing 36% Total 386% Strongly agree Q6. Please rate the following statement using the scale provided below. & agree I expect my Web apps to be secured by the Web hosting provider. 53% Q7a. Do you consider a full reverse proxy WAF to be more secure? WAF Users* Yes 73% No 13% Unsure 13% *WAF user subsample = 261 respondents Q7b. If yes, why? HTTP and HTTPS protocol enforcement Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application 23% ICAP connections for incorporating data loss prevention systems 23% Q8. Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? WAF Users* Yes 85% No 5% Unsure *WAF user subsample = 261 respondents Ponemon Institute Research Report Page 16

18 Q9a. How familiar are you with the OWASP organization and principles? Very familiar 19% Somewhat familiar 38% Not familiar No knowledge 13% Q9b. [If very familiar or somewhat familiar] Do you apply OWASP principles to your Web application security policy? Yes 35% No 35% Unsure Q9c. Besides OWASP, what other industry standards do you adapt for application security? NIST 49% SANS 25 39% CWE 29% Other 16% Total 133% Q10a. Do you consider a fully functional WAF one that optimizes for both performance and security? WAF Users* Yes 68% No 13% Unsure 19% *WAF user subsample = 261 respondents Q10b. If yes, in terms of security and performance which one is more important? Security is more important 44% Performance is more important 4 Both security and performance are equally important 16% Q11. When I research security solutions, my most trusted source of information is: References from other enterprises in my industry 49% Research organizations and analysts 22% Service providers or consultants 29% Other (please specify) Q12. How many Web apps does your organization have? Zero (none) 1 to 10 3% 11 to 50 5% 51 to % 100 to 1,000 21% 1,000 to 5,000 11% More than 5,000 9% Do not know (go to Q20) 24% Extrapolated value 1,121 Ponemon Institute Research Report Page 17

19 Q13. How did you compute the number of Web apps? Estimation 64% Ran an automated tool 19% Internal assessment or survey 17% Other (please specify) Q14. What percentage of these Web apps have you tested for vulnerabilities? Your best approximation is welcome. No testing performed (skip to Q20) Less than 5% 4 5 to 12% 11 to 25% 14% 26 to 5 8% 51 to 75% 2% 76 to 10 4% Extrapolated value 13% Q15. If you test less than of your Web apps, what are the reasons? Please check all that apply? We do not have the budget 31% We do not have the expertise 34% We are not certain we need to test more 11% Our organization has never been hacked 9% Our organization s leaders do not understand app security or see its need 15% Other (please specify) Q16. For testing your Web apps, what do you use? Web application vulnerability scanning 49% Managed service 19% External pen testing 14% Internal pen testing 15% Others (please specify) 3% Q17. How often do you test these Web apps? Once a year 8% Twice a year 13% Every quarter 23% Every month 16% More than monthly 5% Every time the code changes 16% Irregular intervals 19% Q18. Do you test Web apps in the following categories? Please check all that apply. Commercial apps 43% Proprietary apps 52% Outsourced apps 49% None of the above 3% Total 147% Ponemon Institute Research Report Page 18

20 Q19. Do you test Web apps in the following venues? Please check all that apply. Production 13% Development 56% Testing and quality assurance 54% None of the above 3% Total 126% Q20. How critical is Web app security vs. other security issues within your organization? Web app security is more critical than other security issues faced by my organization. 31% Web app security is less critical than other security issues faced by my organization. 19% Web app security is equally critical to other security issues faced by my organization. 43% Unsure 7% Q21. On average, what percentage of your organization s information security efforts are devoted to fixing vulnerabilities relating to insecure Web apps? Less than 5% 11% 5 to 13% 11 to 15% 21 to 28% 31 to 4 19% 41 to 5 6% More than 5 8% Extrapolated value 24% Q22. On average, how long does it take you to fix one vulnerability found in a Web app? Less than 60 minutes 9% 1 to 4 hours 21% 5 to 8 hours 13% 1 to 2 days 13% 3 to 7 days 11% 1 to 4 weeks 4% More than 4 weeks 2% Never able to fix 6% Do not know 21% Extrapolated value (hours) 68 Q23. Until you fix your known Web app vulnerabilities, what controls do you put inplace to protect your Web infrastructure? WAF 38% IDS/IPS 18% Network firewall 42% Manual process 39% Other (please specify) 3% Total 128% Ponemon Institute Research Report Page 19

21 Q24. How do you prioritize your Web app vulnerabilities? Quantitative score or metric 11% Simple high, medium, low rating 12% Informally 46% We do not prioritize 29% Other (please specify) 2% Q25. What statements best describe your organization s Web app security budget relative to other budgeted items? Please check all that apply. Our Web app security budget is less than... The coffee budget (assume $30 per employee per month) 88% The budget for network security 67% The budget for data loss prevention (DLP) 14% The budget for database encryption 51% The budget for laptop disk encryption 34% The budget for endpoint security 38% The budget for identity and access governance systems 21% Total 313% Q26. How many times in the past 24 months has your organization been hacked through insecure Web apps? Zero (never) 7% 1 to 5 31% 6 to 10 33% More than 10 times 9% Do not know Part 3. Attributions Q27. Please rate each one of the following four statements using the scale provided below each item. Strongly agree & agree Q27a. My IT organization has ample resources to detect and remediate insecure Web apps. 35% Q27b. My IT organization considers Web app security one of its highest priorities. 53% Q27c. My IT organization fixes Web app vulnerabilities quickly and efficiently. 36% Q27d. My IT organization has adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. 36% Q27e. My IT organization views compliance as one of its highest priorities. 5 Part 4. Your Role D1. What organizational level best describes your current position? Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Ponemon Institute Research Report Page 20

22 D2. Is this a full time position? Yes 96% No 4% D3. Check the Primary Person you or your IT security leader reports to within the organization. CEO/Executive Committee 1% Chief Financial Officer 3% General Counsel 2% Chief Information Officer 52% Chief Information Security Officer 17% Compliance Officer 9% Human Resources VP 3% Chief Security Officer 6% Chief Risk Officer 5% Other 2% D4. Experience in IT or IT security Mean Total years of experience 11.2 Total years in present position 5.67 D5. Gender Female 26% Male 74% D6. What industry best describes your organization s industry focus? Airlines 1% Automotive 1% Brokerage & Investments 3% Communications 4% Credit Cards 2% Defense 2% Education 3% Energy 3% Entertainment and Media 2% Food Service 2% Government 15% Healthcare 11% Hospitality 3% Industrial 5% Insurance 1% Internet & ISPs 1% Pharmaceuticals 4% Professional Services 5% Research 2% Retail Banking 14% Retailing 7% Services 2% Technology & Software 6% Transportation 1% Ponemon Institute Research Report Page 21

23 D7. Where are your employees located? (Check all that apply): United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% D8. What is the worldwide headcount of your organization? Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 22

24 If you have any comments or concerns about this research, please contact us at or send an to Thank you for your interest in our work. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 23

State of Web Application Security

State of Web Application Security State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research

More information

Understanding Security Complexity in 21 st Century IT Environments:

Understanding Security Complexity in 21 st Century IT Environments: Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted

More information

The Cost of Web Application Attacks

The Cost of Web Application Attacks The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The

More information

Data Security in Development & Testing

Data Security in Development & Testing Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development

More information

Reputation Impact of a Data Breach U.S. Study of Executives & Managers

Reputation Impact of a Data Breach U.S. Study of Executives & Managers Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon

More information

2012 Application Security Gap Study: A Survey of IT Security & Developers

2012 Application Security Gap Study: A Survey of IT Security & Developers 2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part

More information

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon

More information

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Importance of Cyber Threat Intelligence to a Strong Security Posture The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction

More information

A Study of Retail Banks & DDoS Attacks

A Study of Retail Banks & DDoS Attacks A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

The State of Mobile Application Insecurity

The State of Mobile Application Insecurity The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State

More information

The SQL Injection Threat Study

The SQL Injection Threat Study The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April

More information

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

Electronic Health Information at Risk: A Study of IT Practitioners

Electronic Health Information at Risk: A Study of IT Practitioners Electronic Health Information at Risk: A Study of IT Practitioners Sponsored by LogLogic Conducted by Ponemon Institute LLC October 15, 2009 Ponemon Institute Research Report Executive summary Electronic

More information

Global Insights on Document Security

Global Insights on Document Security Global Insights on Document Security Sponsored by Adobe Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Global Insights on Document Security

More information

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report

More information

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015 The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security

More information

The State of USB Drive Security

The State of USB Drive Security The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research

More information

Data Breach: The Cloud Multiplier Effect

Data Breach: The Cloud Multiplier Effect Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:

More information

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners 0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices

More information

The Unintentional Insider Risk in United States and German Organizations

The Unintentional Insider Risk in United States and German Organizations The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April

More information

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013

More information

The Cost of Malware Containment

The Cost of Malware Containment The Cost of Malware Containment Sponsored by Damballa Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report The Cost of Malware Containment Ponemon

More information

The Challenge of Preventing Browser-Borne Malware

The Challenge of Preventing Browser-Borne Malware The Challenge of Preventing Browser-Borne Malware Sponsored by Spikes Security Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1.

More information

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Independently Conducted by Ponemon Institute LLC February 2012 Leading Practices in Behavioral

More information

The Security Impact of Mobile Device Use by Employees

The Security Impact of Mobile Device Use by Employees The Security Impact of Mobile Device Use by Employees Sponsored by Accellion Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report The Security

More information

Efficacy of Emerging Network Security Technologies

Efficacy of Emerging Network Security Technologies Efficacy of Emerging Network Security Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part

More information

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute

More information

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction

More information

2014: A Year of Mega Breaches

2014: A Year of Mega Breaches 2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A

More information

The SQL Injection Threat & Recent Retail Breaches

The SQL Injection Threat & Recent Retail Breaches The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &

More information

The Role of Governance, Risk Management & Compliance in Organizations

The Role of Governance, Risk Management & Compliance in Organizations The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication

More information

The State of Data Centric Security

The State of Data Centric Security The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security

More information

Security of Cloud Computing Users Study

Security of Cloud Computing Users Study Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part

More information

2015 Global Study on IT Security Spending & Investments

2015 Global Study on IT Security Spending & Investments 2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming

More information

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition Sponsored by Silver Tail Systems Independently conducted by Ponemon Institute, LLC Publication Date: October 2012 Ponemon Institute

More information

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:

More information

Cyber Security on the Offense: A Study of IT Security Experts

Cyber Security on the Offense: A Study of IT Security Experts Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report

More information

Cloud Security: Getting It Right

Cloud Security: Getting It Right Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon

More information

APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE

APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE INDEPENDENTLY CONDUCTED BY PONEMON INSTITUTE LLC, JULY 2016 Part 1. Introduction Ponemon Institute is pleased to present the results of Application Security

More information

Third Annual Study: Is Your Company Ready for a Big Data Breach?

Third Annual Study: Is Your Company Ready for a Big Data Breach? Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication

More information

Encryption in the Cloud

Encryption in the Cloud Encryption in the Cloud Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute

More information

Defining the Gap: The Cybersecurity Governance Study

Defining the Gap: The Cybersecurity Governance Study Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining

More information

Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA)

Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Sponsored by Property Casualty Insurers Association of America Independently conducted by Ponemon Institute LLC Publication

More information

Advanced Threats in Retail Companies: A Study of North America & EMEA

Advanced Threats in Retail Companies: A Study of North America & EMEA Advanced Threats in Companies: A Study of North America & EMEA Sponsored by Arbor Networks Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report

More information

Cyber Threat Intelligence: Has to Be a Better Way

Cyber Threat Intelligence: Has to Be a Better Way Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging

More information

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:

More information

Data Security in the Evolving Payments Ecosystem

Data Security in the Evolving Payments Ecosystem Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report

More information

National Survey on Data Center Outages

National Survey on Data Center Outages National Survey on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary National Survey on Data Center Outages Ponemon Institute,

More information

State of IT Security Study of Utilities & Energy Companies

State of IT Security Study of Utilities & Energy Companies State of IT Security Study of Utilities & Energy Companies Sponsored by Q1 Labs Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report State of

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

The Fraud Report: How Fake Users Are Impacting Business

The Fraud Report: How Fake Users Are Impacting Business The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud

More information

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season Sponsored by RSA Security Independently conducted by Ponemon Institute, LLC Publication Date: October 2013 Ponemon

More information

Challenges of Cloud Information

Challenges of Cloud Information The Challenges of Cloud Information Governance: A Global Data Security Study Sponsored by SafeNet Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

Breaking Bad: The Risk of Insecure File Sharing

Breaking Bad: The Risk of Insecure File Sharing Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The

More information

Big Data Analytics in Cyber Defense

Big Data Analytics in Cyber Defense Big Data Analytics in Cyber Defense Sponsored by Teradata Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Big Data Analytics in Cyber

More information

Achieving Data Privacy in the Cloud

Achieving Data Privacy in the Cloud Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute

More information

The TCO of Software vs. Hardware-based Full Disk Encryption Summary

The TCO of Software vs. Hardware-based Full Disk Encryption Summary The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report

More information

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon

More information

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb? Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report Corporate

More information

The Human Factor in Data Protection

The Human Factor in Data Protection The Human Factor in Data Protection Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report The Human Factor in Data Protection

More information

2015 Global Cyber Impact Report

2015 Global Cyber Impact Report 2015 Global Cyber Impact Report Sponsored by Aon Risk Services Independently conducted by Ponemon Institute LLC Publication Date: April 2015 2015 Global Cyber Impact Report Ponemon Institute, April 2015

More information

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013 The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach

More information

Privileged User Abuse & The Insider Threat

Privileged User Abuse & The Insider Threat Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014 1 Privileged User Abuse & The Insider Threat Ponemon

More information

State of SMB Cyber Security Readiness: UK Study

State of SMB Cyber Security Readiness: UK Study State of SMB Cyber Security Readiness: UK Study Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction

More information

Security of Cloud Computing Users A Study of Practitioners in the US & Europe

Security of Cloud Computing Users A Study of Practitioners in the US & Europe Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report

More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations

The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Ponemon Institute Research Report Part

More information

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc. Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.

More information

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute

More information

Compliance Cost Associated with the Storage of Unstructured Information

Compliance Cost Associated with the Storage of Unstructured Information Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report

More information

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Sponsored by AccessData Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute

More information

2013 Study on Data Center Outages

2013 Study on Data Center Outages 2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction

More information

The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan

The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute Research Report

More information

The TCO of Software vs. Hardware-based Full Disk Encryption

The TCO of Software vs. Hardware-based Full Disk Encryption The TCO of Software vs. Hardware-based Full Disk Encryption Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research

More information

The Importance of Senior Executive Involvement in Breach Response

The Importance of Senior Executive Involvement in Breach Response The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance

More information

LiveThreat Intelligence Impact Report 2013

LiveThreat Intelligence Impact Report 2013 LiveThreat Intelligence Impact Report 2013 Sponsored by Independently conducted by Ponemon Institute LLC Publication Date: July 2013 Ponemon Institute Research Report Contents Part 1. Introduction 3 Executive

More information

Ed Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved.

Ed Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved. 2012 Study on Application Security: AS Survey of fits Security and dd Developers Ed Adams, CEO Security Innovation Dr. Larry Ponemon Ponemon Institute 2012 ISACA Webinar Program. 2012 ISACA. All rights

More information

2013 State of the Endpoint

2013 State of the Endpoint 2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:

More information

How Much Is the Data on Your Mobile Device Worth?

How Much Is the Data on Your Mobile Device Worth? How Much Is the Data on Your Mobile Device Worth? Sponsored by Lookout Independently conducted by Ponemon Institute LLC Publication Date: January 2016 Ponemon Institute Research Report Part 1. Introduction

More information

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013 2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon

More information

IBM QRadar Security Intelligence: Evidence of Value

IBM QRadar Security Intelligence: Evidence of Value IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:

More information

Privacy and Security in a Connected Life: A Study of European Consumers

Privacy and Security in a Connected Life: A Study of European Consumers Privacy and Security in a Connected Life: A Study of European Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research

More information

Smartphone Security Survey of U.S. consumers

Smartphone Security Survey of U.S. consumers Smartphone Security Survey of U.S. consumers Sponsored by AVG Technologies Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon Institute Research Report Smartphone Security

More information

Privacy and Security in a Connected Life: A Study of US Consumers

Privacy and Security in a Connected Life: A Study of US Consumers Privacy and Security in a Connected Life: A Study of US Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.

More information

Economic impact of privacy on online behavioral advertising

Economic impact of privacy on online behavioral advertising Benchmark study of Internet marketers and advertisers Independently Conducted by Ponemon Institute LLC April 30, 2010 Ponemon Institute Research Report Economic impact of privacy on online behavioral advertising

More information

IBM QRadar: Evidence of Value

IBM QRadar: Evidence of Value IBM QRadar: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report IBM QRadar: Evidence of Value Ponemon Institute: February 2014 Part 1. Introduction

More information

2013 Cost of Data Center Outages

2013 Cost of Data Center Outages 2013 Cost of Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Part 1. Executive Summary 2013 Cost of Data Center Outages Ponemon Institute, December

More information

First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies

First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies First Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies Sponsored by ArcSight Independently conducted by Ponemon Institute LLC Publication Date: July 2010 Ponemon Institute Research Report

More information