2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition


Sponsored by Silver Tail Systems
Independently conducted by Ponemon Institute, LLC
Publication Date: October 2012
Ponemon Institute Research Report

Part 1. Introduction

Ponemon Institute is pleased to present the results of the 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition. Sponsored by Silver Tail Systems, this study is intended to learn how well organizations are able to stop or quickly detect business logic abuses. Also referred to as precision hacking, business logic abuse is quickly gaining the attention of IT security practitioners: according to 88 percent of respondents in this study, it is more important than, or equally important to, other security issues.

In the context of this research, business logic abuse results from a criminal discovering a flaw in the business logic or functionality of a website. In most cases the criminal uses the legitimate pages of the website to perpetrate cyber attacks, hacks or fraud. One objective of this fraud is to steal money or confidential information, or to exploit the system for illicit gain. Another possible goal is to damage the reputation or brand of a company.

In addition to the theft of money and information, fixing the consequences is expensive. We estimate the average total cost of business logic abuses at $6.8 million, assuming every customer-facing website of the companies represented in this research suffered a business logic abuse. The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.

There are many ways hackers can take advantage of websites. Respondents admit a high likelihood that these will occur in their organization and agree that in many instances such attacks are very difficult to detect. Remediating these abuses is also challenging because the fixes that stop the bad guys may diminish the web experience of legitimate customers.
In this study we surveyed 643 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. A comparable study was conducted in the United Kingdom and its findings are presented in a separate report. To ensure knowledgeable respondents participated, we asked screening questions to confirm familiarity with business logic abuse and some responsibility for the security of their organization's websites. Further, all respondents work in organizations that derive a percentage of their revenues from website-related activities. On average, respondents have approximately 10 years of IT or IT security experience. Most respondents (55 percent) report to the chief information officer and 18 percent report to the chief information security officer. Fifty-eight percent are employed by organizations with a worldwide headcount of more than 1,000.

Noteworthy findings from this research include:

- Ninety percent of organizations represented in this study lost revenue at least once in the past 12 months due to the financial or brand impact of Internet fraud.
- The majority of respondents believe it is very likely or likely that their companies are at risk for business logic abuse, and admit they may not be able to detect such an attack.
- Two-thirds of respondents say their organizations lost between 1 percent and 4 percent of revenue as a result of business logic abuse, and approximately 25 percent say their organizations lost more than 5 percent.
- The majority of IT practitioners (74 percent) say it is very difficult or difficult to distinguish between a real customer and a criminal accessing their company's website.

Ponemon Institute Research Report Page 1

- One-third of respondents say it has taken at least one day to remediate the consequences of one business logic abuse incident, and 25 percent say the business experiences more than four hours of downtime each time a business logic abuse is remediated.
- Fifty-one percent of organizations do not have real-time visibility into their website traffic and 13 percent are unsure.
- More than half (53 percent) of respondents say they do not check business partner websites for business logic abuses or are unsure whether this practice occurs.

Part 2. Key Findings

In this section we provide the detailed analysis of this research. The complete audited findings are presented in the appendix of this report. Topics are organized according to the following themes:

- Awareness of the risk of business logic abuse to an organization's website
- How business logic abuse is affecting organizations
- The business logic abuses most likely to occur and most difficult to detect
- The current state of detection and prevention of business logic abuses

Awareness of the risk of business logic abuse to an organization's website

IT practitioners are aware of the risk of business logic abuse to websites, but many admit it is not a priority within their organizations. Business logic abuse is on IT practitioners' radar, but the majority of organizations are not making it a priority. According to 88 percent of respondents in this study, business logic abuse is more important than, or equally important to, other security issues, as shown in Figure 1.

Figure 1. How important is the prevention of business logic abuse? More important than other security issues: 21%; equally important to other security issues: 67%; less important than other security issues: 12%.

While 53 percent believe the frequency of these attacks is on the rise and 48 percent agree the severity is increasing, less than half (42 percent) say prevention is a priority in their website development efforts. The following findings reveal the consequences of not making this risk a priority: only 38 percent say most business logic abuses are quickly detected and remediated, 35 percent say they have sufficient in-house personnel to deal with the problem, and 34 percent say their company is vigilant in monitoring all websites for business logic abuses. Compounding the challenge, only 31 percent say they have sufficient technologies and only 29 percent say the security budget is sufficient for minimizing business logic abuses.

Figure 2. Attributions about business logic abuses (strongly agree and agree responses combined)
- The frequency of business logic abuses is on the rise: 53%
- The severity of business logic abuses is on the rise: 48%
- The prevention of business logic abuses is a priority in website development: 42%
- Most business logic abuses are quickly detected and remediated: 38%
- My company has sufficient in-house personnel for minimizing business logic abuses: 35%
- My company is vigilant in monitoring all websites for business logic abuses: 34%
- My company is better at preventing business logic abuses than other companies: 33%
- My company has sufficient technologies for minimizing business logic abuses: 31%
- The security budget is sufficient for minimizing business logic abuses: 29%

How business logic abuse is affecting organizations

Companies are losing revenue and productivity as a result of these precision hacking attacks. Business logic abuse can be costly. In addition to the theft of money and information, fixing the consequences is expensive. We estimate the average total cost of business logic abuses at $6.8 million, assuming every customer-facing website of the companies represented in this research suffered a business logic abuse. The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.

Ninety percent of companies lost revenue due to the financial or brand impact of Internet fraud. As shown in Figure 3, only 10 percent of respondents say their organizations have escaped the consequences of business logic abuse. Approximately 25 percent of respondents say their organizations lost more than 5 percent of total revenues as a consequence of business logic abuse.

Figure 3. The percent of revenues lost due to the financial or brand impact of Internet fraud: none 10%; 1 to 2% 32%; 3 to 4% 33%; 5 to 6% 8%; 7 to 8% 6%; 9 to 10% 3%; 11 to 15% 4%; more than 15% 4%.

Many organizations represented in this research have experienced multiple incidents. As shown in Figure 4, 30 percent experienced more than 20 separate incidents in the past 12 months. Only 20 percent say they have not experienced a business logic abuse.

Figure 4. Number of business logic abuse incidents in the past 12 months: none 20%; 1 to 5 18%; 6 to 10 22%; 10 to 20 11%; 21 to 30 7%; 31 to 40 3%; 41 to 50 6%; 51 to 100 8%; more than 100 6%.

Fixing the effects of business logic abuses is time intensive. Thirty-three percent of respondents say it takes more than one day to resolve an incident (Figure 5). Downtime for the business, according to 25 percent, averages more than four hours.

Figure 5. How much time is spent remediating the consequences of one abuse incident? None 13%; less than 1 hour 9%; 1 to 4 hours 19%; 5 to 8 hours 27%; 1 to 2 days 13%; 2 to 5 days 6%; more than 5 days 14%.

Respondents are not confident in their ability to stop business logic abuse. Figure 6 reveals that the majority of IT practitioners (74 percent) say it is very difficult or difficult to distinguish between the real customer and the criminal. Most also say that business logic abuses are difficult to detect (63 percent) and to fix (66 percent). Fifty-one percent of respondents report not having real-time visibility into their website traffic and 13 percent are unsure. This is a real impediment to stopping business logic abuse.

Figure 6. Difficulty identifying real customers and detecting and fixing business logic abuses (very difficult / difficult): difficult to know the real customers from criminals 42% / 32%; difficult to remediate 34% / 32%; difficult to detect 30% / 33%.

There is no clear assignment of responsibility for reducing the risk of business logic abuses. Twenty-two percent of respondents believe no one person or function has overall responsibility, followed by 20 percent who say it is the CIO's responsibility and 14 percent who say it is under the CISO's jurisdiction, as shown in Figure 7. Only 10 percent say it is the responsibility of the website development leader or manager.

Figure 7. Who is most responsible for stopping business logic abuse? No one person has overall responsibility 22%; chief information officer 20%; chief information security officer 14%; business unit management 14%; website development leader/manager 10%; fraud prevention leader/manager 5%; web hosting service provider 4%; data center management 3%; corporate compliance or legal department 2%; chief risk officer 2%; chief technology officer 2%; other 3%.

Business logic abuse scenarios

The majority of respondents believe the following situations are likely to occur and are difficult to detect. Scenarios are presented in order from most likely to least likely to occur.

Scenario 1: Web scraping. A cyber criminal wants to obtain confidential information contained on public pages of a company's website (such as price or inventory lists). This information can be gleaned by a criminal writing a script that goes page by page through the public site without the company's knowledge. Sixty-nine percent say it is very likely or likely to occur and 74 percent say it is very difficult or difficult to detect (Figure 8).

Figure 8. Web scraping. Likelihood of occurring: likely 34%, very likely 35%. Difficulty of detection: difficult 29%, very difficult 45%.

Scenario 2: Account hijacking. A successful spear phishing scam resulted in cyber criminals obtaining the user names and passwords of customers. The leakage of customer account information occurred because employees were duped by what appeared to be a legitimate internal company communication. The crime originated when the criminal obtained key employee addresses directly from the website. Sixty-three percent say it is very likely or likely to occur and 67 percent say it would be very difficult or difficult to detect (Figure 9).

Figure 9. Account hijacking. Likelihood of occurring: likely 28%, very likely 35%. Difficulty of detection: difficult 28%, very difficult 39%.

Scenario 3: Click fraud. A company hires an agency to conduct an online advertising campaign. The agency is paid on a per-click basis. In reality, many of the paid clicks are not authentic (i.e., they do not involve an interested consumer). Sixty-two percent say it is very likely or likely to happen to their company and a much higher percentage (72 percent) say it would be very difficult or difficult to detect (Figure 10).

Figure 10. Click fraud. Likelihood of occurring: likely 30%, very likely 32%. Difficulty of detection: difficult 39%, very difficult 33%.

Scenario 4: Testing stolen credit cards. A cyber criminal steals hundreds of credit card numbers and uses a company's credit or debit card payment function to validate which cards are still active. More than half (53 percent) of respondents say this is very likely or likely to happen and 65 percent say it would be very difficult or difficult to detect (Figure 11).

Figure 11. Testing stolen credit cards. Likelihood of occurring: likely 32%, very likely 21%. Difficulty of detection: difficult 31%, very difficult 34%.
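Both the web scraping in Scenario 1 and the card testing in Scenario 4 leave a session-level signature in ordinary request logs even though every individual request is a legitimate page or API call: the scraper fetches far more distinct pages per minute than a shopper, and the card tester pushes many different cards through the authorisation endpoint and collects mostly declines. The following Python is an added example, not part of the report or of any sponsor product; the log format, the card fingerprint field, the use of a 402 status for an issuer decline and every threshold are assumptions made for illustration, and the sample traffic is constructed.

```python
"""Session heuristics for two of the scenarios above: web scraping (one session
walking many distinct catalogue pages at machine speed) and card testing (one
session pushing many distinct cards through authorisation and collecting
declines). Added example; log format, field names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since the epoch
    ip: str
    session: str
    method: str
    path: str
    status: int
    card: Optional[str]  # hashed card fingerprint, only on authorisation calls


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format: <iso8601Z> <ip> <session> <method> <path> <status> [card=<fp>]"""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        card = next((p[5:] for p in parts[6:] if p.startswith("card=")), None)
        events.append(Event(ts, parts[1], parts[2], parts[3], parts[4], int(parts[5]), card))
    return events


def _by_session(events: List[Event]) -> Dict[str, List[Event]]:
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e.session].append(e)
    return {s: sorted(evs, key=lambda e: e.ts) for s, evs in groups.items()}


def _windows(evs: List[Event], window_s: float) -> Iterator[Tuple[int, int]]:
    """Yield (lo, hi) index pairs for each trailing window spanning at most window_s seconds."""
    lo = 0
    for hi in range(len(evs)):
        while evs[hi].ts - evs[lo].ts > window_s:
            lo += 1
        yield lo, hi


def detect_scraping(events: List[Event], window_s: float = 60.0, max_requests: int = 30,
                    min_distinct_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag a session once it issues more than max_requests catalogue GETs in one window
    with nearly every request to a different page (a shopper revisits; a crawler does not)."""
    flagged: Dict[str, dict] = {}
    for session, evs in _by_session(events).items():
        gets = [e for e in evs if e.method == "GET" and e.path.startswith("/catalog/")]
        for lo, hi in _windows(gets, window_s):
            n = hi - lo + 1
            distinct = len({e.path for e in gets[lo:hi + 1]})
            if n > max_requests and distinct / n >= min_distinct_ratio:
                flagged[session] = {"requests": n, "distinct_paths": distinct}
                break
    return flagged


def detect_card_testing(events: List[Event], window_s: float = 600.0, min_attempts: int = 10,
                        min_distinct_cards: int = 8, min_decline_rate: float = 0.7) -> Dict[str, dict]:
    """Flag a session that authorises many different cards in a short window with a high
    decline rate; a shopper retries one or two cards, not a stolen list. In the constructed
    log a 402 status stands for an issuer decline."""
    flagged: Dict[str, dict] = {}
    for session, evs in _by_session(events).items():
        auths = [e for e in evs if e.method == "POST" and e.path == "/checkout/authorize"]
        for lo, hi in _windows(auths, window_s):
            win = auths[lo:hi + 1]
            if len(win) < min_attempts:
                continue
            cards = {e.card for e in win if e.card}
            rate = sum(1 for e in win if e.status == 402) / len(win)
            if len(cards) >= min_distinct_cards and rate >= min_decline_rate:
                flagged[session] = {"attempts": len(win), "distinct_cards": len(cards),
                                    "decline_rate": round(rate, 2)}
                break
    return flagged


def build_sample_log() -> str:
    """Constructed traffic: one human shopper, one scraper, one card tester."""
    lines = []
    for i in range(5):   # human: five pages over five minutes, then one approved authorisation
        lines.append(f"2012-08-01T10:{i:02d}:00Z 198.51.100.5 s-human GET /catalog/item/{i} 200")
    lines.append("2012-08-01T10:06:00Z 198.51.100.5 s-human POST /checkout/authorize 200 card=c_aaaa")
    for i in range(40):  # scraper: 40 distinct pages in 40 seconds
        lines.append(f"2012-08-01T11:00:{i:02d}Z 203.0.113.7 s-scrape GET /catalog/item/{100 + i} 200")
    for i in range(12):  # card tester: 12 different cards in one minute, only two approved
        status = 200 if i in (3, 9) else 402
        lines.append(f"2012-08-01T12:00:{i * 5:02d}Z 203.0.113.9 s-cards POST /checkout/authorize {status} card=c_{i:04d}")
    return "\n".join(lines)


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {"scraping": detect_scraping(events), "card_testing": detect_card_testing(events)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The two detectors key on different signals (variety of pages for the scraper, variety of cards plus declines for the tester), which is why a single generic rate limit tends to catch neither without also throttling real customers; the thresholds are placeholders to be tuned against a baseline of the site's own traffic.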

Scenario 5: Botnet and DoS. A cyber criminal directs a botnet against a company, resulting in a denial-of-service (DoS) attack that ultimately brings down its websites. Fifty-two percent say it is very likely or likely to happen and 67 percent say it would be very difficult or difficult to detect (Figure 12).

Figure 12. Botnet and DoS. Likelihood of occurring: likely 30%, very likely 22%. Difficulty of detection: difficult 32%, very difficult 35%.

Scenario 6: Mobility use case. A company expanded its consumer reach using a mobility platform that allows customers to access its websites from smartphones and other mobile devices. Cyber criminals infect these devices with malware that captures customers' account credentials, then use the harvested credentials to take over the accounts from a laptop or desktop computer. Fifty-two percent say it is very likely or likely to occur and 69 percent say it would be very difficult or difficult to detect (Figure 13).

Figure 13. Mobility use case. Likelihood of occurring: likely 29%, very likely 23%. Difficulty of detection: difficult 28%, very difficult 41%.

Scenario 7: ecoupons. Fraudsters do an end-run around a company's pricing policy. They select a heavily discounted item and place it in the shopping cart, then delay the checkout in order to obtain an ecoupon and apply it to the final purchase price, obtaining the item well below the company's cost. Again, 52 percent say this is very likely or likely to happen and a significant percentage (69 percent) say it would be very difficult or difficult to detect (Figure 14).

Figure 14. ecoupons. Likelihood of occurring: likely 26%, very likely 26%. Difficulty of detection: difficult 32%, very difficult 37%.

Scenario 8: Electronic wallet. A company has expanded its customer payment options to include Internet payment methods such as PayPal, Google Wallet, Amazon Checkout and others. A criminal looking for sites that have recently added Internet payment processes identifies the site and exploits security controls that are not yet fully implemented. Fifty-one percent say this is very likely or likely to happen and a much higher percentage say it would be very difficult or difficult to detect (Figure 15).

Figure 15. Electronic wallet. Likelihood of occurring: likely 29%, very likely 22%. Difficulty of detection: very difficult 44%.
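Scenario 7 only works if checkout trusts a price captured when the item entered the cart and then applies any coupon the client presents on top of it. The following Python, an added example rather than anything from the report, shows that vulnerable flow beside a checkout that re-prices from the catalogue at purchase time, checks the coupon's own validity window, refuses to stack a coupon on a promotional price, and enforces a cost floor. The catalogue and coupon model, the prices and the timestamps are constructed for illustration.

```python
"""The ecoupon end-run beside a checkout that closes it. The abuse: put an item in
the cart while it is on promotion, wait until a coupon is issued, then apply the
coupon to the stale cart price so promotion and coupon stack below cost.
Added example with an assumed catalogue/coupon model; none of this is the report's code."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional


def money(x: Decimal) -> Decimal:
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class Item:
    sku: str
    list_price: Decimal
    cost: Decimal                        # merchant cost: the floor no sale may go below
    promo_price: Optional[Decimal] = None
    promo_from: int = 0                  # promotion window, unix seconds
    promo_to: int = 0

    def on_promo(self, now: int) -> bool:
        return self.promo_price is not None and self.promo_from <= now < self.promo_to

    def price_at(self, now: int) -> Decimal:
        return self.promo_price if self.on_promo(now) else self.list_price


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: Decimal
    valid_from: int
    valid_to: int
    stackable_with_promo: bool = False


@dataclass(frozen=True)
class CartLine:
    item: Item
    price_when_added: Decimal            # the snapshot the vulnerable flow trusts
    added_at: int


@dataclass(frozen=True)
class Quote:
    total: Decimal
    coupon_applied: bool
    reason: str


def vulnerable_checkout(line: CartLine, coupon: Optional[Coupon], now: int) -> Decimal:
    """Charges the price captured at add-to-cart time and honours whatever coupon the
    client presents, so an expired promotion and a later coupon stack below cost."""
    price = line.price_when_added
    if coupon is not None:
        price = price * (Decimal(100) - coupon.percent_off) / Decimal(100)
    return money(price)


def hardened_checkout(line: CartLine, coupon: Optional[Coupon], now: int) -> Quote:
    """Re-prices from the catalogue at checkout time, checks the coupon's own validity
    window, refuses to stack a coupon on a promotional price, and never sells below cost."""
    item = line.item
    price = item.price_at(now)           # the cart snapshot is advisory only
    if coupon is None:
        return Quote(money(price), False, "no coupon")
    if not (coupon.valid_from <= now < coupon.valid_to):
        return Quote(money(price), False, "coupon not valid at checkout time")
    if item.on_promo(now) and not coupon.stackable_with_promo:
        return Quote(money(price), False, "coupon cannot be combined with a promotional price")
    discounted = price * (Decimal(100) - coupon.percent_off) / Decimal(100)
    if discounted < item.cost:
        return Quote(money(price), False, "coupon refused: final price would be below cost")
    return Quote(money(discounted), True, f"coupon {coupon.code} applied")


# Constructed scenario: a 100.00 item costing the merchant 60.00, on promotion at 65.00
# between t=1000 and t=2000; 30%- and 50%-off coupons valid between t=3000 and t=4000.
WIDGET = Item("SKU-1", Decimal("100.00"), Decimal("60.00"), Decimal("65.00"), 1000, 2000)
SAVE30 = Coupon("SAVE30", Decimal(30), 3000, 4000)
SAVE50 = Coupon("SAVE50", Decimal(50), 3000, 4000)
STALE_LINE = CartLine(WIDGET, WIDGET.price_at(1500), added_at=1500)   # added during the promo


def demo() -> dict:
    return {
        # stale promo price 65.00 minus 30% = 45.50, below the 60.00 cost
        "vulnerable": vulnerable_checkout(STALE_LINE, SAVE30, now=3500),
        # promotion has ended: repriced to 100.00, coupon applied, 70.00
        "hardened": hardened_checkout(STALE_LINE, SAVE30, now=3500),
        # coupon presented while the promotion is live: refused, 65.00
        "hardened_during_promo": hardened_checkout(STALE_LINE, Coupon("EARLY30", Decimal(30), 1000, 2000), now=1500),
        # deep coupon would take 100.00 to 50.00, under cost: refused, 100.00
        "hardened_floor": hardened_checkout(STALE_LINE, SAVE50, now=3500),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The design point is that the cart is a convenience, not a contract: the price of record is whatever the catalogue says at the moment of authorisation, and every discount rule is evaluated at that moment against that price, which removes the value of waiting.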

The following two scenarios are considered less likely to occur but are still considered very difficult or difficult to detect.

Scenario 9: App store fraud. A company has an app store/marketplace providing access to products and instant rebates. Criminals masquerading as both a merchant and a buyer manipulate the open platform for financial gain, cashing in on rebates and earning points from credit card incentive programs. Less than half (48 percent) say this is very likely or likely to occur, but a much larger percentage (76 percent) say such a scheme would be very difficult or difficult to detect (Figure 16).

Figure 16. App store fraud. Likelihood of occurring: likely 25%, very likely 23%. Difficulty of detection: difficult 31%, very difficult 45%.

Scenario 10: Mass registration. A cyber criminal creates a fake website that imitates your company's website. Loyal and prospective customers are lured to this bogus website, which asks them to provide personal information in order to register for a promotion or offer. This results in the theft of sensitive information. In this case, 45 percent say it is very likely or likely to occur but a higher percentage (59 percent) say it would be very difficult or difficult to detect (Figure 17).

Figure 17. Mass registration. Likelihood of occurring: likely 24%, very likely 21%. Difficulty of detection: difficult 28%, very difficult 31%.

The current state of detection and prevention of business logic abuses

The barriers to preventing and detecting business logic abuses are similar to those encountered with other security threats: according to respondents, there is not enough budget, in-house expertise or technology to manage this risk. As a result, many necessary steps are not taken.

The IT security function is often left out of decisions about reducing the risk. According to Figure 18, only 11 percent say the security function is always involved in the prevention and detection of business logic abuses and 40 percent say it is only sometimes involved. A key vulnerability is a business partner whose website has business logic abuses. Also shown in Figure 18, only 12 percent say their organization always inspects or tests business partner websites that link to their own websites. Forty-one percent say they do not take this step and 12 percent are unsure.

Figure 18. Current state of business logic abuse prevention & detection
- Is your company's IT security function involved in the prevention or detection of business logic abuses? Yes, always 11%; yes, sometimes 40%; no 36%; unsure 13%.
- Are partner websites that link to your websites inspected or tested for business logic abuses? Yes, always 12%; yes, sometimes 35%; no 41%; unsure 12%.

Manual inspection during development and in production is considered the most important step for preventing and detecting business logic abuses. Manual inspection and assessment during development of web pages is considered very important or important by 52 percent of respondents, and 50 percent say the same for manual inspection of web pages in production. These steps are followed by content-aware firewalls (including next-generation firewalls), according to 44 percent of respondents. Intrusion detection and prevention systems are not considered as important to the security of web pages.

Figure 19. Steps organizations take to prevent or detect business logic abuses (very important / important)
- Manual inspection and assessment during development of web pages: 25% / 27%
- Manual inspection and assessment of web pages in production: 23% / 27%
- Content aware firewalls: 19% / 25%
- Security intelligence systems such as SIEM: 12% / 26%
- Use of WAF: 19% / 18%
- Automated forensic tools that detect business logic abuses: 13% / 24%
- Testing of the website's functionality prior to production: 17% / 18%
- Network security and VPN: 9% / 22%
- Intrusion prevention systems: 11% / 15%
- Intrusion detection systems: 14% (other column not legible)

Part 3. Conclusion

Business logic abuse poses serious risks to revenue and reputation. Not only are the attacks likely to occur, they are also stealthy. We recommend organizations consider taking the following steps:

- Assign responsibility for website security and ensure there is sufficient in-house personnel to minimize business logic abuses.
- Establish a partnership between website developers and IT to make sure a prevention and detection strategy is in place and enforced.
- Strive for a strategy that minimizes the risk but does not frustrate legitimate customers.
- Ensure ongoing monitoring of websites for business logic abuses.
- Check business partner websites for business logic abuses.
- Invest in technologies that enable real-time visibility into website traffic.

These recommendations can be key to stopping criminals from stealing money or confidential information and committing other fraudulent acts that can cost a company its reputation.

Part 4. Methods

A random sampling frame of 23,413 IT and IT security practitioners located in all regions of the United States was selected for this survey. As shown in Table 2, 956 respondents completed the survey. Screening removed 228 surveys, and an additional 85 surveys that failed reliability checks were removed. The final sample was 643 surveys (a 2.7 percent response rate).

Table 2. Sample response (Freq. / Pct%)
- Total sampling frame: 23,413 / 100%
- Total returns: 956 / 4.1%
- Rejected surveys: 85 / 0.4%
- Screened surveys: 228 / 1.0%
- Final sample: 643 / 2.7%

As noted in Table 3, the respondents' average (mean) experience in IT, IT security or related fields is 9.73 years.

Table 3. Other characteristics of respondents (mean)
- Total years of IT or IT security experience: 9.73
- Total years in your current position: 5.21

Pie Chart 1 reports the industry segments of respondents' organizations. This chart identifies financial services (18 percent) as the largest segment, followed by public sector (13 percent) and e-commerce (10 percent).

Pie Chart 1. Industry distribution of respondents' organizations: financial services 18%; public sector 13%; e-commerce 10%; the remaining segments (retail, health & pharmaceuticals, technology & software, services, transportation, hospitality, communications, entertainment & media, gaming, industrial, consumer products, energy & utilities, other) are between 2% and 9% each.

Pie Chart 2 reports respondents' organizational level within participating organizations. By design, 57 percent of respondents are at or above the supervisory level.

Pie Chart 2. What organizational level best describes your current position? Senior executive, vice president, director, manager, supervisor, technician, staff, contractor, other.

According to Pie Chart 3, 55 percent of respondents report directly to the Chief Information Officer and 18 percent report to the Chief Information Security Officer.

Pie Chart 3. The primary person you or the IT security practitioner reports to within the organization: Chief Information Officer 55%; Chief Information Security Officer 18%; the remainder is split among Compliance Officer, Chief Risk Officer, Data Center Management, Chief Security Officer, Chief Financial Officer and Other (2% to 7% each).

More than half of the respondents (58 percent) are from organizations with a global headcount of over 1,000 employees, as shown in Pie Chart 4.

Pie Chart 4. Global headcount. Bands: three bands up to 1,000 employees; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; more than 75,000.

As shown in Figure 20, 100 percent of respondents reported that they have employees located in the United States and 62 percent reported that they have employees located in Europe.

Figure 20. Location of employees (more than one choice permitted): United States 100%; Europe 62%; Canada 61%; Asia-Pacific 54%; Latin America (including Mexico) 47%; Middle East & Africa 43%.

Part 5. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage, and by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in August.

Survey response (Freq. / Pct%)
- Total sampling frame: 23,413 / 100%
- Total returns: 956 / 4.1%
- Rejected surveys: 85 / 0.4%
- Screened surveys: 228 / 1.0%
- Final sample: 643 / 2.7%

Screening questions

S1. How familiar are you with business logic abuse as defined above? (Freq. / Pct%)
- Very familiar: 171
- Familiar: (not legible)
- Somewhat familiar: (not legible)
- No knowledge (Stop): (not legible)

S2. Approximately, how much of your organization's revenues (gross sales) are from website-related activities? (Freq. / Pct%)
- None (Stop): 34 / 5%
- 1 to 10%: 51 / 7%
- 11 to 20%: 39 / 5%
- 21 to 30%: 40 / 6%
- 31 to 40%: (not legible)
- 41 to 50%: (not legible)
- 51 to 60%: (not legible)
- 61 to 70%: (not legible)
- 71 to 80%: (not legible)
- 81 to 90%: (not legible)
- 91 to 100% (virtually all): 56 / 8%

S3. Do you have any responsibility for the security of your organization's websites? (Freq. / Pct%)
- Yes, full responsibility: (not legible)
- Yes, some responsibility: (not legible)
- Yes, minimum responsibility: 75 / 11%
- No responsibility (Stop): 38 / 6%

Final sample (after removal of screened surveys): 643

Attributions. Please rate each of the following statements using the opinion scale from strongly agree to strongly disagree. (Strongly agree / Agree)
- Q1a. Business logic abuse represents a significant security issue for my company. 22% / 33%
- Q1b. The prevention of business logic abuses is a priority in my company's website development efforts. 18% / 24%
- Q1c. Most business logic abuses that occur on my company's websites are quickly detected and remediated. 18% (other column not legible)
- Q1d. My company is vigilant in monitoring all websites for business logic abuses. 14% (other column not legible)
- Q1e. My company is better at preventing business logic abuses than other companies in our industry. 16% / 17%
- Q1f. My company's security budget is sufficient for minimizing business logic abuses. 19% (other column not legible)
- Q1g. My company has sufficient in-house personnel (experts) for minimizing business logic abuses. 17% / 18%
- Q1h. My company has sufficient technologies and tools for minimizing business logic abuses. 13% / 19%
- Q1h. The frequency of business logic abuses experienced by my company is on the rise. 26% / 27%
- Q1i. The severity of business logic abuses experienced by my company is on the rise. 23% / 26%
- Q1j. Remediating business logic abuses is difficult because fixes that curtail criminals may diminish the web experience of legitimate end-users. 34% (other column not legible)

Q2. Approximately, how many customer-facing websites does your company have in production today? Your best guess is welcome. (Pct%)
- Between 1 and 5: 7%
- Between 6 and 10: 5%
- Between 10 and 20: 15%
- Between 21 and 30: 15%
- Between 31 and 40: 7%
- Between 41 and 50: 11%
- Between 51 and 100: (not legible)
- More than 100: (not legible)
- Total: 100%

Q3. In a 12-month period, what percent of your company's total revenues (gross sales) were lost due to the financial or brand impact of Internet fraud? Your best guess is welcome. (Pct%)
- None: 10%
- 1 to 2%: 32%
- 3 to 4%: 33%
- 5 to 6%: 8%
- 7 to 8%: 6%
- 9 to 10%: 3%
- 11 to 15%: 4%
- More than 15%: 4%
- Total: 100%

Q4. In the past 12 months, how many separate incidents of business logic abuses did your company experience? Your best guess is welcome. (Pct%)
- None: 20%
- Between 1 and 5: 18%
- Between 6 and 10: 22%
- Between 10 and 20: 11%
- Between 21 and 30: 7%
- Between 31 and 40: 3%
- Between 41 and 50: 6%
- Between 51 and 100: 8%
- More than 100: 6%
- Total: 100%

Q5. On average, how much time is spent by your technical staff (or contractor) remediating the consequences of one business logic abuse incident? Your best guess is welcome. (Pct%)
- None: 13%
- Less than 1 hour: 9%
- 1 to 4 hours: 19%
- 5 to 8 hours: 27%
- 1 to 2 days: 13%
- 2 to 5 days: 6%
- More than 5 days: 14%
- Total: 100%

Q6. On average, how much downtime does your company experience each time a business logic abuse is being remediated? Your best guess is welcome. (Pct%)
- None: 5%
- Less than 10 minutes: 7%
- 11 to 15 minutes: 12%
- 16 to 30 minutes: 11%
- 31 to 45 minutes: 17%
- 46 to 60 minutes: 10%
- 1 to 2 hours: 9%
- 2 to 4 hours: 4%
- 4 to 8 hours: 10%
- More than 8 hours (1 full day): 15%
- Total: 100%

Q7. On average, how much does it cost your company in lost traffic and/or online sales when a website is down for one hour? Your best guess is welcome. (Pct%)
- None: 3%
- Less than $1,000: 19%
- $1,000 to $5,000: 15%
- $5,001 to $10,000: 12%
- $10,001 to $20,000: 14%
- $20,001 to $50,000: 8%
- $50,001 to $100,000: 9%
- $100,001 to $500,000: 7%
- $500,000 to $750,000: 6%
- $750,001 to $1 million: 2%
- More than $1 million: 4%
- Total: 100%

Q8. Relative to other security issues in your company, how important is the prevention of business logic abuses? (Pct%)
- More important than other security issues: 21%
- Equally important to other security issues: 67%
- Less important than other security issues: 12%
- Total: 100%

Q9. What steps does your organization take to prevent or detect business logic abuses? Please rate each of the following steps in terms of its importance using the following scale: 1 = very important, 2 = important, 3 = somewhat important, 4 = not important, 5 = irrelevant. (Very important / Important)
- Manual inspection and assessment during development of web pages: 25% / 27%
- Manual inspection and assessment of web pages in production: 23% / 27%
- Thorough testing of the website's functionality prior to production: 17% / 18%
- Automated forensic tools that detect business logic abuses: 13% / 24%
- Content aware firewalls (including next generation firewalls): 19% / 25%
- Security intelligence systems such as SIEM: 12% / 26%
- Intrusion detection systems: 14% (other column not legible)
- Intrusion prevention systems: 11% / 15%
- Network security and VPN: 9% / 22%
- Use of WAF: 19% / 18%

Opinion questions. Scale: very difficult, difficult, somewhat difficult, not difficult. (Very difficult / Difficult)
- Q10a. In your opinion, how difficult are business logic abuses to detect? 30% / 33%
- Q10b. In your opinion, how difficult are business logic abuses to fix or remediate? 34% / 32%
- Q10c. In your opinion, how difficult is it to know the real customers from criminals who are accessing your website? 42% / 32%

Q11. Does your organization have real-time visibility into its website traffic? In other words, can you detect the presence of a criminal or fraudster immediately? (Pct%)
- Yes: 36%
- No: 51%
- Unsure: 13%
- Total: 100%

Q12. Who is most responsible for curtailing business logic abuses on your company's websites? (Pct%)
- Chief information officer (CIO): 20%
- Chief technology officer (CTO): 2%
- Chief information security officer (CISO): 14%
- Chief security officer (CSO): 1%
- Chief risk officer (CRO): 2%
- Data center management: 3%
- Business unit management: 14%
- Website development leader/manager: 10%
- Fraud prevention leader/manager: 5%
- Corporate compliance or legal department: 2%
- Web hosting service provider: 4%
- No one person or function has overall responsibility: 22%
- Other (please specify): 2%
- Total: 100%

Q13. Is your company's IT security function involved in the prevention or detection of business logic abuses?
  Yes, always       11%
  Yes, sometimes    40%
  No                36%
  Unsure            13%
  Total            100%

Q14. Are business partner websites that link to your company's websites inspected or tested for business logic abuses?
  Yes, always       12%
  Yes, sometimes    35%
  No                41%
  Unsure            12%
  Total            100%

Business logic abuse scenarios

The following ten scenarios are examples of business logic abuses that may affect your company's websites. Please rate each scenario in terms of likelihood and difficulty using the scale below each item. Select the "not applicable" response when the scenario does not fit the nature or context of your company. Likelihood scale: already happened, very likely, likely, not likely, not applicable. Difficulty scale: very difficult, difficult, somewhat difficult, not difficult, easy. (Only the "very likely"/"likely" and "very difficult"/"difficult" responses are shown.)

Testing stolen credit cards. A cyber criminal steals hundreds of credit card numbers and uses your credit or debit card payments function to validate which cards are still active.
  Q15a. How likely is it that this could happen to your company?   Very likely 21%      Likely 32%
  Q15b. How difficult would it be to detect this situation?         Very difficult 34%   Difficult 31%

Web scraping. A cyber criminal wants to obtain confidential information contained on non-public pages of your website (such as price or inventory lists). Assume this criminal gains access to restricted pages and proceeds to scrape your company's site without your knowledge.
  Q16a. How likely is it that this could happen to your company?   Very likely 35%      Likely 34%
  Q16b. How difficult would it be to detect this situation?         Very difficult 45%   Difficult 29%

Click fraud. Your company hires an agency to conduct an online advertising campaign. The agency is paid on a per-click basis. In reality many of the paid clicks are not authentic (i.e., they do not involve an interested consumer).
  Q17a. How likely is it that this could happen to your company?   32% (only one value survives in the source; column not recoverable)
  Q17b. How difficult would it be to detect this situation?         Very difficult 33%   Difficult 39%

Account hijacking. A successful spear phishing scam resulted in cyber criminals obtaining the user names and passwords of customers. The leakage of customer account information occurred because employees were duped by what appeared to be a legitimate internal company communication. The crime originated when the criminal obtained key employee e-mail addresses directly from the website.
  Q18a. How likely is it that this could happen to your company?   Very likely 35%      Likely 28%
  Q18b. How difficult would it be to detect this situation?         Very difficult 39%   Difficult 28%
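The "testing stolen credit cards" scenario above is one of the few business logic abuses that leaves a clean signal in ordinary application logs: a single session cycling through many distinct cards, mostly declined, often for trivial amounts, inside a short window. The following detector is an added example written for this page; it is not code from the report, from Silver Tail Systems or from any respondent. The log format, the field names and the sample log lines are constructed assumptions, and card numbers appear only as tokens.

```python
"""Card-testing detector run over constructed payment-authorization log lines.

Added example for this page; the log format below (ISO timestamp followed by
key=value pairs) and every sample line are assumptions, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+sid=(?P<sid>\S+)\s+ip=(?P<ip>\S+)\s+"
    r"card=(?P<card>\S+)\s+amount=(?P<amount>[\d.]+)\s+result=(?P<result>\w+)$"
)

# Constructed sample: one normal customer who retries the same card once,
# one card tester burning through eight cards in 30 seconds, and one
# throttled tester spacing attempts 20 minutes apart.
SAMPLE_LOG = """\
2012-10-03T14:00:05Z sid=s-legit ip=198.51.100.8 card=tok_a1 amount=59.90 result=DECLINED
2012-10-03T14:00:40Z sid=s-legit ip=198.51.100.8 card=tok_a1 amount=59.90 result=APPROVED
2012-10-03T14:01:00Z sid=s-test ip=203.0.113.7 card=tok_b1 amount=1.00 result=DECLINED
2012-10-03T14:01:04Z sid=s-test ip=203.0.113.7 card=tok_b2 amount=1.00 result=DECLINED
2012-10-03T14:01:09Z sid=s-test ip=203.0.113.7 card=tok_b3 amount=1.00 result=APPROVED
2012-10-03T14:01:13Z sid=s-test ip=203.0.113.7 card=tok_b4 amount=1.00 result=DECLINED
2012-10-03T14:01:18Z sid=s-test ip=203.0.113.7 card=tok_b5 amount=1.00 result=DECLINED
2012-10-03T14:01:22Z sid=s-test ip=203.0.113.7 card=tok_b6 amount=1.00 result=APPROVED
2012-10-03T14:01:27Z sid=s-test ip=203.0.113.7 card=tok_b7 amount=1.00 result=DECLINED
2012-10-03T14:01:31Z sid=s-test ip=203.0.113.7 card=tok_b8 amount=1.00 result=DECLINED
2012-10-03T09:00:00Z sid=s-slow ip=192.0.2.9 card=tok_c1 amount=1.00 result=DECLINED
2012-10-03T09:20:00Z sid=s-slow ip=192.0.2.9 card=tok_c2 amount=1.00 result=DECLINED
2012-10-03T09:40:00Z sid=s-slow ip=192.0.2.9 card=tok_c3 amount=1.00 result=DECLINED
2012-10-03T10:00:00Z sid=s-slow ip=192.0.2.9 card=tok_c4 amount=1.00 result=DECLINED
2012-10-03T10:20:00Z sid=s-slow ip=192.0.2.9 card=tok_c5 amount=1.00 result=DECLINED
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["amount"] = float(ev["amount"])
    return ev


def session_summary(events):
    """Whole-session statistics reported once a session trips the detector."""
    declines = sum(1 for e in events if e["result"] != "APPROVED")
    return {
        "ip": events[-1]["ip"],
        "attempts": len(events),
        "distinct_cards": len({e["card"] for e in events}),
        "decline_ratio": round(declines / len(events), 2),
        # The cards that came back APPROVED are the ones the attacker now knows
        # are live; these are what to report to the issuer and block.
        "approved_cards": sorted(e["card"] for e in events if e["result"] == "APPROVED"),
    }


def find_card_testing(lines, window_minutes=10, min_cards=5, min_decline_ratio=0.5):
    """Return {session_id: summary} for sessions that look like card testing.

    A session is flagged when, within any sliding window of window_minutes,
    it has tried at least min_cards distinct cards and at least
    min_decline_ratio of those attempts were declined.
    """
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_session[ev["sid"]].append(ev)

    flagged = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1           # slide the window forward
            win = events[start:end + 1]
            cards = {e["card"] for e in win}
            declines = sum(1 for e in win if e["result"] != "APPROVED")
            if len(cards) >= min_cards and declines / len(win) >= min_decline_ratio:
                flagged[sid] = session_summary(events)
                break
    return flagged


if __name__ == "__main__":
    for sid, stats in find_card_testing(SAMPLE_LOG.splitlines()).items():
        print(sid, stats)
```

With the defaults only s-test is flagged; s-slow evades the 10-minute window by pacing its attempts, which is why a real deployment keys the same counters on IP address and device fingerprint as well as session, and keeps a longer window with a higher card threshold alongside the short one. The approved_cards list is the actionable output: those are the cards the attacker has just confirmed as live.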

Botnet and DoS. A cyber criminal targets a botnet against your company and this results in a denial of service (DoS) attack that ultimately brings down your websites.
  Q19a. How likely is it that this could happen to your company?   22% (only one value survives in the source; column not recoverable)
  Q19b. How difficult would it be to detect this situation?         Very difficult 35%   Difficult 32%

Mass registration. A cyber criminal creates a fake website that imitates your company's website. Loyal and prospective customers are lured to this bogus website, which asks them to provide personal information in order to register for a promotion or offer. This results in the theft of sensitive information.
  Q20a. How likely is it that this could happen to your company?   Very likely 21%      Likely 24%
  Q20b. How difficult would it be to detect this situation?         Very difficult 31%   Difficult 28%

App store fraud. Your company has an app store/marketplace providing access to products and instant rebates. Criminals masquerading as both a merchant and a buyer manipulate the open platform for financial gain, cashing in on rebates and earning points from credit card incentive programs.
  Q21a. How likely is it that this could happen to your company?   Very likely 23%      Likely 25%
  Q21b. How difficult would it be to detect this situation?         Very difficult 45%   Difficult 31%

Mobility use case. Your company has expanded its consumer reach using a mobility platform that allows customers to access its websites using smart phones and other mobile devices. Cyber criminals infiltrate these devices with malware that captures customers' account access credentials. The criminals harvest this information to take over accounts using a laptop or desktop computer.
  Q22a. How likely is it that this could happen to your company?   Very likely 23%      Likely 29%
  Q22b. How difficult would it be to detect this situation?         Very difficult 41%   Difficult 28%

eCoupons. Fraudsters do an end-run around your company's pricing policy. They select a heavily discounted item and place it in the shopping cart. They delay the checkout in order to obtain and apply an eCoupon to the final purchase price, thus obtaining the item well below your company's cost.
  Q23a. How likely is it that this could happen to your company?   Very likely 26%      Likely 26%
  Q23b. How difficult would it be to detect this situation?         Very difficult 37%   Difficult 32%

Electronic wallet. Your company has expanded customer payment options to include Internet payment methods such as PayPal, Google Wallet, Amazon Checkout and others. A criminal looking for sites that have recently added Internet payment processes identifies your site and is able to exploit the lack of fully implemented security controls.
  Q24a. How likely is it that this could happen to your company?   Very likely 22%      Likely 29%
  Q24b. How difficult would it be to detect this situation?         Very difficult 44%   Difficult 35%
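The eCoupon scenario above works only because the checkout trusts a price that was fixed when the item entered the cart and then lets a coupon be applied on top of it with no reference to cost. The following is an added example written for this page, not code from the report or from any of the vendors it names: a deliberately flawed checkout beside a hardened one that reprices from the catalog at checkout time, evaluates the coupon's stacking rule against the price actually in effect, and refuses any unit price that would fall below cost. The catalog, coupon, times and prices are constructed assumptions.

```python
"""Stale-cart-price plus coupon: vulnerable checkout beside the hardened one.

Added example for this page. The catalog entries, the SAVE25 coupon, the
promotion window and the cost figures are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Item:
    sku: str
    cost: float                              # what the merchant pays; the floor
    list_price: float
    promo_price: Optional[float] = None      # time-limited markdown, None if not on sale
    promo_ends: Optional[datetime] = None

    def on_promo(self, now: datetime) -> bool:
        return self.promo_price is not None and self.promo_ends is not None and now < self.promo_ends

    def current_price(self, now: datetime) -> float:
        return self.promo_price if self.on_promo(now) else self.list_price


@dataclass
class Coupon:
    code: str
    percent_off: float
    stackable_with_promo: bool = False       # the rule the fraudster is trying to bypass


@dataclass
class CartLine:
    sku: str
    qty: int
    price_at_add: float                      # snapshot taken when the item entered the cart
    added_at: datetime


def checkout_vulnerable(lines: List[CartLine], coupon: Optional[Coupon]) -> float:
    """The flaw: trusts the snapshotted cart price and applies the coupon on top of it."""
    subtotal = sum(line.price_at_add * line.qty for line in lines)
    if coupon:
        subtotal *= 1 - coupon.percent_off
    return round(subtotal, 2)


def checkout_hardened(lines: List[CartLine], coupon: Optional[Coupon],
                      catalog: Dict[str, Item], now: datetime) -> float:
    """Reprice each line from the catalog at checkout time, apply the coupon only
    where its stacking rule allows, and hold any order that would sell below cost."""
    total = 0.0
    for line in lines:
        item = catalog[line.sku]
        unit = item.current_price(now)                   # never line.price_at_add
        if coupon and (coupon.stackable_with_promo or not item.on_promo(now)):
            unit *= 1 - coupon.percent_off
        if unit < item.cost:
            raise ValueError(f"{line.sku}: {unit:.2f} is below cost {item.cost:.2f}; order held for review")
        total += unit * line.qty
    return round(total, 2)


# Constructed catalog: a television marked down from 600 to 420 until noon, and a
# hard drive with a thin margin that no 25% coupon can legitimately cover.
CATALOG = {
    "TV-1": Item("TV-1", cost=400.0, list_price=600.0, promo_price=420.0,
                 promo_ends=datetime(2012, 10, 3, 12, 0)),
    "HD-2": Item("HD-2", cost=100.0, list_price=120.0),
}
SAVE25 = Coupon("SAVE25", percent_off=0.25)


def fraud_scenario():
    """Item carted during the markdown, checkout delayed until the coupon is in hand.
    Returns (vulnerable total, hardened total)."""
    cart = [CartLine("TV-1", 1, price_at_add=420.0, added_at=datetime(2012, 10, 3, 11, 50))]
    now = datetime(2012, 10, 3, 12, 30)                  # promo over, coupon now applied
    return checkout_vulnerable(cart, SAVE25), checkout_hardened(cart, SAVE25, CATALOG, now)


def checkout_during_promo():
    """Hardened checkout while the markdown is live: coupon is refused, promo price stands."""
    cart = [CartLine("TV-1", 1, price_at_add=420.0, added_at=datetime(2012, 10, 3, 11, 50))]
    return checkout_hardened(cart, SAVE25, CATALOG, datetime(2012, 10, 3, 11, 55))


def below_cost_rejected():
    """Coupon on the thin-margin item drives the price under cost; the order is held."""
    cart = [CartLine("HD-2", 1, price_at_add=120.0, added_at=datetime(2012, 10, 3, 11, 0))]
    try:
        checkout_hardened(cart, SAVE25, CATALOG, datetime(2012, 10, 3, 11, 5))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable vs hardened:", fraud_scenario())
    print("during promo:", checkout_during_promo())
    print("below-cost order held:", below_cost_rejected())
```

The vulnerable path sells the 400-cost television for 315; the hardened path charges 450 once the markdown has lapsed and 420 (coupon refused) while it is live. The cost floor is the backstop for coupon rules nobody anticipated, and each rejection is worth logging with the add-to-cart and checkout timestamps, since a delay that straddles a promotion boundary is exactly the pattern the scenario describes.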

Your role and organization

D1. What organizational level best describes your current position?
  Senior Executive    1%
  Vice President      1%
  Director           16%
  Manager            23%
  Supervisor         16%
  Technician         34%
  Staff               5%
  Contractor          3%
  Other               1%
  Total             100%

D2. Check the primary person you or your IT security leader reports to within the organization.
  CEO/Executive Committee               1%
  Chief Financial Officer               2%
  General Counsel                       1%
  Chief Information Officer            55%
  Chief Information Security Officer   18%
  Compliance Officer                    7%
  Human Resources VP                    1%
  Chief Security Officer                3%
  Data Center Management                5%
  Chief Risk Officer                    6%
  Other                                 1%
  Total                               100%

D3. Total years of relevant experience (mean, in years)
  Total years of IT or security experience   9.73
  Total years in current position            5.21

D4. What industry best describes your organization's industry focus?
  Agriculture & food services    1%
  Communications                 3%
  Consumer products              2%
  E-commerce                     (value missing in source)
  Education                      1%
  Energy & utilities             2%
  Entertainment & media          3%
  Financial services            18%
  Gaming                         3%
  Health & pharmaceuticals       8%
  Hospitality                    4%
  Industrial                     3%
  Public sector                 13%
  Retail                         9%
  Services                       5%
  Technology & software          8%
  Transportation                 5%
  Other                          2%
  Total                        100%

D5. Where are your employees located? (Check all that apply)
  United States                       100%
  Canada                               61%
  Europe                               62%
  Middle East & Africa                 43%
  Asia-Pacific                         54%
  Latin America (including Mexico)     47%

D6. What is the worldwide headcount of your organization?
  Fewer than 100        7%
  100 to 500            (value missing in source)
  501 to 1,000         19%
  1,001 to 5,000       25%
  5,001 to 25,000      18%
  25,001 to 75,000      9%
  More than 75,000      6%
  Total               100%

Ponemon Institute: Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.


More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

The Cyber Security Readiness of Canadian Organizations. results of the 2016 scalar security study

The Cyber Security Readiness of Canadian Organizations. results of the 2016 scalar security study The Cyber Security Readiness of Canadian Organizations results of the 2016 scalar security study THE CYBER SECURITY READINESS OF CANADIAN ORGANIZATIONS Contents 1. INTRODUCTION...3 2. KEY FINDINGS...7

More information

State of Web Application Security

State of Web Application Security State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research

More information

How Much Is the Data on Your Mobile Device Worth?

How Much Is the Data on Your Mobile Device Worth? How Much Is the Data on Your Mobile Device Worth? Sponsored by Lookout Independently conducted by Ponemon Institute LLC Publication Date: January 2016 Ponemon Institute Research Report Part 1. Introduction

More information

2012 Business Banking Trust Trends Study

2012 Business Banking Trust Trends Study 2012 Business Banking Trust Trends Study Sponsored by Guardian Analytics Independently conducted by Ponemon Institute LLC Publication Date: August 2012 Ponemon Institute Research Report Part 1. Introduction

More information

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute

More information

Privacy and Security in a Connected Life: A Study of European Consumers

Privacy and Security in a Connected Life: A Study of European Consumers Privacy and Security in a Connected Life: A Study of European Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research

More information

Privacy and Security in a Connected Life: A Study of US Consumers

Privacy and Security in a Connected Life: A Study of US Consumers Privacy and Security in a Connected Life: A Study of US Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

The TCO of Software vs. Hardware-based Full Disk Encryption Summary

The TCO of Software vs. Hardware-based Full Disk Encryption Summary The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report

More information

The TCO of Software vs. Hardware-based Full Disk Encryption

The TCO of Software vs. Hardware-based Full Disk Encryption The TCO of Software vs. Hardware-based Full Disk Encryption Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research

More information

The Aftermath of a Data Breach: Consumer Sentiment

The Aftermath of a Data Breach: Consumer Sentiment The Aftermath of a Data Breach: Consumer Sentiment Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research

More information

LiveThreat Intelligence Impact Report 2013

LiveThreat Intelligence Impact Report 2013 LiveThreat Intelligence Impact Report 2013 Sponsored by Independently conducted by Ponemon Institute LLC Publication Date: July 2013 Ponemon Institute Research Report Contents Part 1. Introduction 3 Executive

More information

The Economic and Productivity Impact of IT Security on Healthcare

The Economic and Productivity Impact of IT Security on Healthcare The Economic and Productivity Impact of IT Security on Healthcare Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date: May 2013 Ponemon Institute Research Report The

More information

Third Annual Survey on Medical Identity Theft

Third Annual Survey on Medical Identity Theft Third Annual Survey on Medical Identity Theft Sponsored by Experian s ProtectMyID Independently conducted by Ponemon Institute LLC Publication Date: June 2012 Ponemon Institute Research Report Part 1:

More information

2015 State of the Endpoint Report: User-Centric Risk

2015 State of the Endpoint Report: User-Centric Risk 2015 State of the Endpoint Report: User-Centric Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report 2015 State

More information

Compliance Cost Associated with the Storage of Unstructured Information

Compliance Cost Associated with the Storage of Unstructured Information Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report

More information

2013 Study on Data Center Outages

2013 Study on Data Center Outages 2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction

More information

CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT WHO IS WHO ONLINE

CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT WHO IS WHO ONLINE CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT WHO IS WHO ONLINE Jason Sloderbeck Silver Tail Systems, Part of RSA Session ID: SPO1-W22 Session Classification: General Track Question Do

More information

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc. Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.

More information

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.

More information

Security of Cloud Computing Users A Study of Practitioners in the US & Europe

Security of Cloud Computing Users A Study of Practitioners in the US & Europe Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report

More information

2013 State of the Endpoint

2013 State of the Endpoint 2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:

More information

IBM QRadar Security Intelligence: Evidence of Value

IBM QRadar Security Intelligence: Evidence of Value IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:

More information

Second Annual Benchmark Study on Patient Privacy & Data Security

Second Annual Benchmark Study on Patient Privacy & Data Security Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report

More information

Reputation Impact of a Data Breach Executive Summary

Reputation Impact of a Data Breach Executive Summary Reputation Impact of a Data Breach Executive Summary Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research

More information