Intelligence Driven Cyber Defense


Intelligence Driven Cyber Defense
Sponsored by Lockheed Martin
Independently conducted by Ponemon Institute LLC
Publication Date: February 2015
Ponemon Institute Research Report

Intelligence Driven Cyber Defense
Ponemon Institute, February 2015

Part 1. Introduction

Ponemon Institute is pleased to present the results of Intelligence Driven Cyber Defense sponsored by Lockheed Martin. The purpose of this research is to understand if organizations are improving their ability to reduce the risk of hackers and other cyber criminals. If so, are they adopting new strategies, such as intelligence driven cyber defense, to deal with the rise in frequency and severity of cyber attacks?

We surveyed 678 US IT and IT security practitioners who are familiar with their organizations' defense against cybersecurity attacks and have responsibility in directing cybersecurity activities. Following are the key findings of this study:

An intelligence driven cyber defense against hackers and other cyber criminals eludes many organizations. Intelligence driven cyber defense is the ability of an organization to thwart an attacker's offensive maneuvers while maintaining its defensive position. As shown in Figure 1, respondents rate their ability to launch or implement an intelligence driven cyber defense against hackers and other cyber criminals as below average. The main reasons are the lack of expert personnel and budget.

Organizations that succeed in an intelligence driven cyber defense use commercial threat intelligence feeds. Respondents who rate their organizations' ability to launch or implement an intelligence driven cyber defense as above average rely primarily on commercial threat intelligence feeds (68 percent) followed by collaborative threat intelligence groups, partnerships and forums (37 percent) or dedicated analysts on staff (35 percent).

Understanding the attacker's weak spots is the most important feature of a security intelligence tool. Considered less important are a technology that slows down or even halts the attacker's computers and technology that uses big data analytics to achieve a strong cybersecurity defense.

The greatest cyber threat is inside the organization. The greatest area of potential cybersecurity risk is inside the organization. Thirty-six percent of respondents point to negligent insiders and 25 percent of respondents say malicious insiders are the greatest areas of cybersecurity risk.

Cyber attacks target high value intellectual property. Respondents were asked to rank the most negative consequences of a cyber attack. Lost intellectual property, reputation damage and disruption to business process are considered the worst. The types of cyber attacks against their organizations' networks of most concern are advanced persistent threats (APT), malicious insiders and phishing and social engineering.

Part 2. Key findings

In this section, we present an analysis of the research findings. The complete audited findings are presented in the appendix of this report. We have organized the paper according to the following themes:

- Challenges addressing cybersecurity risks
- Cybersecurity strategies missing the mark
- Achieving an intelligence driven cyber defense

Challenges addressing cybersecurity risks

Organizations are not prepared to deal with severe and frequent cyber attacks. As shown in Figure 2, 75 percent of respondents say they see an increase in the severity of cyber attacks experienced by their organizations and 68 percent of respondents say they are more frequent. However, a smaller percentage of respondents (53 percent) say launching a strong offensive against hackers and other cyber criminals is very important to their organization's security strategy.

An impediment to achieving a strong security posture is a lack of vigilance and budget. Only 46 percent of respondents say their organization is vigilant in monitoring cyber attacks and only 27 percent of respondents believe their security budget is sufficient for mitigating most cyber attacks.

Figure 2. Challenges to achieving a strong cyber defense
Strongly agree and agree response combined
- The severity of cyber attacks experienced by my organization is on the rise: 75%
- The frequency of cyber attacks experienced by my organization is on the rise: 68%
- Launching a strong offensive against hackers and other cyber criminals is very important to my organization's security strategy: 53%
- My organization is vigilant in monitoring cyber attacks: 46%
- My organization's security budget is sufficient for mitigating most cyber attacks (intrusions): 27%

The biggest challenge is preventing a cyber attack. Eighty-five percent of respondents say preventing an attack is very difficult or difficult, as shown in Figure 3. Not as difficult is the ability to isolate (57 percent), to block (56 percent) and detect (46 percent).

Figure 3. What is the biggest challenge in dealing with cyber attacks?
Very difficult and difficult response combined
- How difficult are cyber attacks to prevent? 85%
- How difficult are cyber attacks to isolate? 57%
- How difficult are cyber attacks to block? 56%
- How difficult are cyber attacks to detect? 46%

The malicious insider is considered the greatest threat. Thirty-seven percent of respondents are most concerned about attacks from malicious insiders, followed by 26 percent of respondents who say it is criminal syndicates, as shown in Figure 4.

Figure 4. What attacker presents the greatest cyber threat to your organization today?
- Malicious insider: 37%
- Criminal syndicates: 26%
- The remaining categories (State sponsored attacker, Hacktivists, Lone wolf hacker, Other) account for 19%, 15%, 2% and 1%.

The insider risk in the IT environment worries respondents most. As shown in Figure 5, the greatest area of potential cybersecurity risk is inside the organization. Thirty-six percent of respondents point to negligent insiders and 25 percent of respondents say malicious insiders are the greatest areas of cybersecurity risk. Thirty-three percent worry about organizational misalignment and complexity and 30 percent say it is a lack of system connectivity/visibility.

Figure 5. Greatest areas of potential cybersecurity risk within the IT environment today
Three responses permitted
- Negligent insiders: 36%
- Organizational misalignment and complexity: 33%
- Lack of system connectivity/visibility: 30%
- Mobile/remote employees: 29%
- Mobile devices such as smart phones: 28%
- Malicious insiders: 25%
- Cloud computing infrastructure and providers: 25%
- Across 3rd party applications: 23%

Lost intellectual property is the most negative consequence of a cyber attack. Respondents were asked to rank the most negative consequences of a cyber attack. According to Figure 6, lost intellectual property, reputation damage and disruption to business process are considered the most severe consequences. The types of cyber attacks against their organizations' networks of most concern are advanced persistent threats (APT), malicious insiders and phishing and social engineering.

Figure 6. Negative consequences as a result of a cyber attack or intrusion
10 = most severe to 1 = least severe
- Lost intellectual property (including trade secrets)
- Reputation damage
- Disruption to business process
- Productivity decline
- Damage to critical infrastructure
- Customer turnover
- Regulatory actions or lawsuits
- Lost revenue
- Stolen or damaged equipment
- Cost of outside consultants and experts

Cybersecurity strategies miss the mark

Intuition not logical deduction is often used to determine if an organization is a target. When asked if respondents believe their organization is targeted for attack, 35 percent say no or it is unlikely. According to Figure 7, 35 percent say it is based on intuition or gut feel. One-third of respondents say it is based on logical deduction. However, 32 percent say they do not think they are targeted because they did not receive any warnings or alerts from intelligence sources.

Figure 7. How do you know your organization is not targeted?
- Intuition (gut feel): 35%
- Logical deduction: 33%
- Did not receive warnings or alerts from intelligence sources: 32%

Respondents believe live intelligence is key to a strong cybersecurity defense. In the context of this survey, live intelligence refers to the near real time feed of information used to detect, evaluate and prioritize threats to the organization. As shown in Figure 8, 44 percent say such intelligence is essential and 32 percent say it is very important.

Figure 8. How important is live intelligence to a strong cybersecurity defense?
- Essential: 44%
- Very important: 32%
- Important and Not important account for the remaining 15% and 9%.

Cyber threat intelligence fails to provide an effective defense. Difficulty disseminating intelligence to key stakeholders in a timely fashion (84 percent of respondents) and a high false positive rate (81 percent) are the biggest problems facing an organization's use of cyber threat intelligence, as shown in Figure 9. Other negatives are intelligence is too old to be actionable (67 percent), often inaccurate and incomplete (66 percent), activities are too difficult to manage (64 percent), does not integrate with various security technologies (59 percent) and complexity (56 percent).

Figure 9. The problems with current cyber threat intelligence
Strongly agree and agree response combined
- Difficult to disseminate threat intelligence to key stakeholders in a timely fashion: 84%
- Has a high false positive rate: 81%
- Often too old to be actionable: 67%
- Often inaccurate or incomplete: 66%
- Threat intelligence activities/process are difficult to manage: 64%
- Does not integrate easily with various security technologies: 59%
- Threat intelligence activities/process are very complex: 56%

Cybersecurity effectiveness is static or in decline. Forty-three percent of respondents say their cybersecurity posture remains the same in terms of their effectiveness in combating attacks and intrusions and 24 percent of respondents say their organizations are actually less effective, according to Figure 10.

Figure 10. How has your cybersecurity posture changed in the past 12 months?
- Cyber security posture remains the same in terms of its effectiveness in combating attacks and intrusions: 43%
- Cyber security posture is more effective in combating attacks and intrusions: 33%
- Cyber security posture is less effective in combating attacks and intrusions: 24%

The most serious risks do not receive the most budget. According to Figure 11, while user awareness about cyber threats and the supply chain are considered to have potentially the most impact on an organization's security posture, they do not seem to receive funding commensurate with the risk they pose. Mobile and cloud security are receiving the most budget.

Figure 11. How organizations are allocating budget to address security risks
- User awareness: security risk 25%, spending level 4%
- Supply chain: security risk 24%, spending level 15%
- Mobile: security risk 20%, spending level 34%
- Cloud: security risk 18%, spending level 27%
- Desktops/laptops: security risk 8%, spending level 8%
- Perimeter servers: security risk 5%, spending level 12%

Budget is considered the most significant barrier to achieving a strong cybersecurity posture. This is followed by insufficient visibility of people and business processes, according to Figure 12. This reinforces the concerns respondents have about the insider threat.

Figure 12. Barriers to achieving a stronger cybersecurity posture
Two responses permitted
- Insufficient resources or budget: 49%
- Insufficient visibility of people and business processes: 45%
- Lack of skilled or expert personnel: 29%
- Lack of effective security technology solutions: 24%
- Lack of oversight or governance: 18%
- Complexity of compliance and regulatory requirements: 13%
- Insufficient assessment of cyber security risks: 12%
- Lack of leadership: 9%
- Other: 1%

An intelligence driven cyber defense

An intelligence driven cyber defense against hackers and other cyber criminals eludes many organizations. Intelligence driven cyber defense is the ability of an organization to thwart an attacker's offensive maneuvers while maintaining its defensive position. Respondents rate their ability to launch or implement an intelligence driven cyber defense against hackers and other cyber criminals as below average. The main reasons are not the availability of enabling technologies but the lack of expert personnel and budget, as shown in Figure 13.

Figure 13. Why can't your organization launch an intelligence driven cyber defense?
More than one response permitted
- Do not have ample expert personnel: 65%
- Lack of resources or budget: 64%
- Not considered a security-related priority: 39%
- Lack of enabling technologies: 19%

Organizations that succeed in an intelligence driven cyber defense use commercial threat intelligence feeds. Figure 14 reveals that respondents who rate their organizations' ability to launch or implement an intelligence driven cyber defense as above average rely primarily on commercial threat intelligence feeds (68 percent) followed by collaborative threat intelligence groups, partnerships and forums (37 percent) or dedicated analysts on staff (35 percent).

Figure 14. How does your organization gain actionable intelligence about hackers and other cyber criminals?
More than one response permitted
- Commercial threat intelligence feeds: 68%
- Collaborative threat intelligence groups, partnerships, forums: 37%
- Dedicated analysts on staff: 35%
- Other: 2%

Geo-location is considered important for determining the severity of cyber threats. Seventy-four percent of respondents say it is essential or very important to know the geo-location of the threat. However, only 36 percent say they are very certain or certain about the origin of cyber attacks facing their organization, as shown in Figure 15.

Figure 15. The certainty about the geo-location (origin) of cyber attacks (bar chart; response categories: Very certain, Certain, Somewhat certain, Not certain)

Understanding the attacker's weak spots is the most important feature of a security intelligence tool. Respondents were asked to rate the importance of four features of security intelligence tools that provide offensive capabilities. Figure 16 shows that 72 percent of respondents say understanding the attacker's weak spots is most important followed by technology that neutralizes attacks before they happen (69 percent). Also important is a technology that slows down or even halts the attacker's computers (56 percent). Less important is a technology that uses big data analytics to achieve a strong cybersecurity defense (47 percent).

Figure 16. Important features of security intelligence tools
Very important and important response combined
- Technology that pinpoints the attacker's weak spots: 72%
- Technology that neutralizes attacks before they happen: 69%
- Technology that slows down or even halts the attacker's computers: 56%
- Technology that uses big data analytics to achieve a strong cyber security defense: 47%

The Cyber Kill Chain is viewed as helpful to an organization's cyber defense. The term Cyber Kill Chain refers to a life cycle approach that allows information security professionals to proactively remediate and mitigate advanced threats as part of the organization's intelligence driven defense process. Sixty-seven percent of respondents say they are familiar with the term Cyber Kill Chain. Almost all respondents familiar with the term say it is very or somewhat helpful to their organization's cybersecurity defenses and strategy, according to Figure 17.

Figure 17. How helpful is the Cyber Kill Chain to cybersecurity defenses and strategy?
- Very helpful: 39%
- Somewhat helpful: 45%
- Not helpful: 16%

Most organizations in this study operate a Security Operations Center (SOC). Sixty-seven percent of respondents say their organization operates a SOC. These organizations are most likely to use a tiered approach to escalating and responding to cyber threats and attacks, as shown in Figure 18. In fact, 53 percent of respondents say they have three or more tiers. While 56 percent of organizations represented in this study operate a fully staffed 24/7/365 schedule, respondents are evenly divided as to whether such staffing is necessary in order to have a strong cyber defense.

Figure 18. Utilization of a tiered approach to escalating and responding to cyber threats
- Yes, 2 tiers: 11%
- Yes, 3 tiers: 30%
- Yes, more than 3 tiers: 23%
- No: 36%

Technologies that minimize the insider threat are considered most promising. As discussed, insider negligence is a big worry for organizations. Accordingly, 46 percent of respondents would like to have technologies that minimize insider threats, including negligence, according to Figure 19. This is followed by technologies that secure information assets (39 percent) and intelligence about networks and traffic (35 percent).

Figure 19. What are the technologies for a strong cybersecurity posture?
Two responses permitted
- Technologies that minimize insider threats (including negligence): 46%
- Technologies that secure information assets: 39%
- Technologies that provide intelligence about networks and traffic: 35%
- Technologies that simplify the reporting of threats: 23%
- Technologies that provide intelligence about attackers' motivation and weak spots: 23%
- Technologies that secure endpoints including mobile-connected devices: 18%
- Technologies that isolate or sandbox malware infections: 9%
- Technologies that secure the perimeter: 7%

Part 3. Conclusion

The findings of this study reveal that cyber attacks are viewed as becoming more severe and frequent. Unfortunately, the security posture of many companies is not up to the challenge of dealing with cyber threats. Most respondents rate their cybersecurity posture as static or in decline. Following are recommendations to reverse this trend and achieve a more intelligence driven defense process:

Assess and improve the deficiencies in cyber threat intelligence. An intelligence driven cyber defense requires timely, accurate and actionable information. Respondents in organizations that are believed to have a more successful cyber defense rely primarily on commercial threat intelligence feeds. Respondents cite the difficulty in disseminating threat intelligence to key stakeholders in a timely fashion and a high false positive rate as to why cyber threat intelligence fails to provide an effective defense.

Proactive management of cybersecurity risks requires adequate budgets and skilled personnel. Throughout the study, respondents say it is a lack of budget and expertise that are the biggest barriers to a stronger cybersecurity posture. The research also reveals the areas believed to pose the greatest risks, user awareness and supply chain, are underfunded.

Reducing the insider threat should be a priority. According to the findings, the greatest cyber threat is the malicious insider. Further, the greatest areas of potential cybersecurity risk within the IT environment are negligent and malicious insiders. Accordingly, respondents believe technologies that minimize the insider threat, including negligence, are considered most promising.

Intelligence about the attacker's weak spot would improve an organization's cybersecurity posture. Seventy-two percent of respondents say understanding the attacker's weak spots is most important followed by technology that neutralizes attacks before they happen (69 percent).

Consider adopting the Cyber Kill Chain. This life cycle approach allows information security professionals to proactively remediate and mitigate advanced threats as part of the organization's intelligence driven defense process. Respondents in this research believe it is helpful to achieving a more effective cybersecurity defense and strategy.

Part 4. Methods

The survey instrument was fielded over a nine-day period from November 4, 2014 to November 13. All analysis was conducted subsequently. A sampling frame composed of 19,818 IT and IT security practitioners located in the United States was selected for participation in this survey. To ensure a knowledgeable respondent, the selected participants are familiar with their organizations' defense against cybersecurity attacks and have some responsibility in directing cybersecurity activities. As shown in Table 1, 765 respondents completed the survey. Screening removed 94 surveys. The final sample was 671 surveys (or a 3.9 percent response rate).

Table 1. Sample response Freq Total sampling frame 19, % Total returns % Rejected or screened surveys % Final sample %

We calculated a margin of error for all statistical survey questions that yielded a proportional or percentage result. Most questions utilized the full sample size of n = 671 qualified respondents. Assuming a confidence level at the 95 percent level, the margin of error for survey questions ranged from ± 1.1 percent to ± 6.3 percent, with an overall average of ± 3.8 percent.

Pie Chart 1 reports the current position or organization level of respondents. By design, 56 percent of respondents reported their current position is at or above the supervisory level.

Pie Chart 1. Current position or organizational level (categories: Vice President, Director, Manager, Supervisor, Technician, Staff, Consultant, Other)

As shown in Pie Chart 2, more than half of the respondents (55 percent) indicated they report to the CIO and 18 percent report to the CISO.

Pie Chart 2. Primary person respondent or IT security leader reports to (categories: Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Compliance Officer, Human Resources VP, Chief Security Officer, CEO/Executive Committee, General Counsel, Data Center Management, Other)

Pie Chart 3 reports the primary industry classification of respondents' organizations. This chart identifies financial services (21 percent) as the largest segment, followed by federal government (18 percent) and healthcare (17 percent).

Pie Chart 3. Primary industry classification (categories: Financial services, Federal government, Healthcare, Utilities, Energy, oil & gas, Pharmaceuticals, Chemical, All others)

According to Pie Chart 4, more than half (62 percent) of the respondents are from organizations with a global headcount of over 1,000 employees.

Pie Chart 4. Worldwide headcount of the organization (pie chart of headcount ranges, from under 1,000 to more than 75,000 employees)

As shown in Figure 20, in addition to having employees in the United States, respondents also indicated their organization has employees in Europe (72 percent), Canada (71 percent), Asia-Pacific (68 percent), Latin America (54 percent) and Middle East & Africa (44 percent).

Figure 20. Where are participating companies' employees located?
- United States: 100%
- Europe: 72%
- Canada: 71%
- Asia-Pacific: 68%
- Latin America: 54%
- Middle East & Africa: 44%

Part 5. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured from November 4, 2014 to November 13.

Survey response Freq Total sampling frame 19, % Total returns % Rejected or screened surveys % Response rate %

Part 1. Screening questions

S1. How familiar are you with your organization's defense against cybersecurity attacks?
- Very familiar: 50%
- Familiar: 32%
- Somewhat familiar: 18%
- No knowledge (Stop): 0%

S2. Do you have any responsibility in directing cybersecurity activities within your organization?
- Yes, full responsibility: 32%
- Yes, some responsibility: 44%
- Yes, minimum responsibility: 24%
- No responsibility (Stop): 0%

Part 2. Priorities

Q1a. How familiar are you with the term Cyber Kill Chain?
- Very familiar: 27%
- Familiar: 40%
- Not familiar: 18%
- No knowledge: 15%

Q1b. [Those selecting very familiar or familiar], How helpful is the Cyber Kill Chain to your organization's cybersecurity defenses and strategy?
- Very helpful: 39%
- Somewhat helpful: 45%
- Not helpful: 16%

Q2a. Does your organization operate a Security Operations Center (SOC)?
- Yes: 67%
- No: 33%

Q2b. If yes [Q2a], does your organization's SOC utilize a tiered approach to escalating and responding to cyber threats and attacks?
- Yes, 2 tiers: 11%
- Yes, 3 tiers: 30%
- Yes, more than 3 tiers: 23%
- No: 36%

Q2c. If yes [Q2a], what best describes your SOC's operating schedule.
- Our organization's SOC operates a fully staffed 24/7/365 schedule: 56%
- Our organization's SOC has teams that have on-call staff to work off hours: 44%

Q2d. If yes [Q2a], In your opinion, is a SOC schedule that is 24/7/365 and fully staffed necessary to have a strong cyber defense?
- Yes: 50%
- No: 50%

Q2e. If yes [Q2a], Is your organization's SOC operated by a managed security services provider (MSSP)?
- Yes, fully outsourced: 28%
- Yes, partially outsourced: 33%
- No: 39%

Q3a. Please rate your organization's ability to launch or implement an intelligence driven cyber defense against hackers and other cyber criminals? Please use the following 10-point scale.
- 1 or 2: 31%
- 3 or 4: 24%
- 5 or 6: 10%
- 7 or 8: 15%
- 9 or 10: 20%
- Extrapolated value: 4.9

Q3b. If your rating is below 5, what are the main reasons why your organization is not fully capable of launching an intelligence driven cyber defense?
- Do not have ample expert personnel: 65%
- Lack of resources or budget: 64%
- Not considered a security-related priority: 39%
- Lack of enabling technologies: 19%
- Total: 187%

Q3c. If your rating is above 5, how does your organization gain actionable intelligence about hackers and other cyber criminals? Please check all that apply.
- Commercial threat intelligence feeds: 68%
- Collaborative threat intelligence groups, partnerships, forums: 37%
- Dedicated analysts on staff: 35%
- Other (please specify): 2%
- Total: 142%

Q4. Please rank each one of the following five (5) cybersecurity objectives in terms of a business priority within your organization from 5 = highest priority to 1 = lowest priority. (Columns: Average rank, Rank order)
- Compliance
- Confidentiality
- Interoperability
- Integrity
- Availability

Q5. What types of cyber attacks against your organization's networks cause the greatest concern? Please select the top four (4) choices only.
- Advanced persistent threats (APT): 54%
- Malicious insiders: 53%
- Phishing and social engineering: 48%
- Compromised/stolen credentials: 44%
- Denial of service (DoS): 36%
- Malware: 33%
- Man-in-the-middle attack: 28%
- Server side injection (SSI): 25%
- Registration spamming: 19%
- Root kits: 14%
- Web scraping: 10%
- Clickjacking: 9%
- Botnets: 8%
- Watering hole attacks: 6%
- Cross-site scripting: 5%
- SQL and code injection: 5%
- Contact form or comment spam: 3%
- Total: 400%

Q6. Please rank each one of the following ten (10) negative consequences that your organization might have experienced as a result of a cyber attack or intrusion, from 10 = most severe to 1 = least severe. (Columns: Average rank, Rank order)
- Lost intellectual property (including trade secrets)
- Reputation damage
- Disruption to business process
- Productivity decline
- Damage to critical infrastructure
- Customer turnover
- Regulatory actions or lawsuits
- Lost revenue
- Stolen or damaged equipment
- Cost of outside consultants and experts

Q7. Please rate the following statements about security posture using the five-point scale provided below each item.
Columns: Strongly agree / Agree / Unsure / Disagree / Strongly disagree
- Q7a. My organization is vigilant in monitoring cyber attacks: 21% / 25% / 21% / 21% / 12%
- Q7b. My organization's security budget is sufficient for mitigating most cyber attacks (intrusions): 12% / 15% / 24% / 27% / 22%
- Q7c. The severity of cyber attacks experienced by my organization is on the rise: 42% / 33% / 15% / 6% / 4%
- Q7d. The frequency of cyber attacks experienced by my organization is on the rise: 38% / 30% / 19% / 6% / 7%
- Q7e. Launching a strong offensive against hackers and other cyber criminals is very important to my organization's security strategy: 23% / 30% / 23% / 14% / 10%

Q8. Please rate the following statements about threat intelligence using the five-point scale provided below each item.
Columns: Strongly agree / Agree / Unsure / Disagree / Strongly disagree
- Q8a. My organization's cyber threat intelligence is often too old (out of date) to be actionable: 36% / 31% / 13% / 10% / 10%
- Q8b. My organization's cyber threat intelligence is often inaccurate or incomplete: 33% / 33% / 14% / 11% / 9%
- Q8c. My organization's cyber threat intelligence activities or process is very complex: 27% / 29% / 18% / 15% / 11%
- Q8d. My organization's cyber threat intelligence activities or process is difficult to manage: 31% / 33% / 22% / 12% / 2%
- Q8e. My organization's cyber threat intelligence has a high false positive rate: 45% / 36% / 11% / 5% / 3%
- Q8f. It is difficult to disseminate threat cyber intelligence to key stakeholders in a timely fashion: 49% / 35% / 6% / 6% / 4%
- Q8g. My organization's cyber threat intelligence does not integrate easily with various security technologies: 30% / 29% / 23% / 12% / 6%

Q9. What statement best describes changes to your organization's cybersecurity posture over the past 12 months?
- Our organization's cybersecurity posture is more effective in combating attacks and intrusions: 33%
- Our organization's cybersecurity posture is less effective in combating attacks and intrusions: 24%
- Our organization's cybersecurity posture remains the same in terms of its effectiveness in combating attacks and intrusions: 43%

Q10a. The following table contains 6 factors that can impact an organization's security posture. Please allocate the security risk inherent in each one of the 6 factors as experienced by your organization. Note that the sum of your risk allocation must equal 100 points.
Points
- User awareness: 25
- Desktops/laptops: 8
- Mobile: 20
- Cloud: 18
- Perimeter servers: 5
- Supply chain: 24
- Total points: 100

Q10b. Please allocate the security budget or spending level for each one of the 6 factors as experienced by your organization. Note that the sum of your allocation must equal 100 points.
Points
- User awareness: 4
- Desktops/laptops: 8
- Mobile: 34
- Cloud: 27
- Perimeter services: 12
- Supply chain: 15
- Total points: 100

Q11. What do you see as the most significant barriers to achieving a strong cybersecurity posture within your organization today? Please choose only your top two choices.

Insufficient resources or budget | 49%
Insufficient visibility of people and business processes | 45%
Lack of skilled or expert personnel | 29%
Lack of effective security technology solutions | 24%
Lack of oversight or governance | 18%
Complexity of compliance and regulatory requirements | 13%
Insufficient assessment of cybersecurity risks | 12%
Lack of leadership | 9%
Other (please specify) | 1%
Total | 200%

Q12. Where are you seeing the greatest areas of potential cybersecurity risk within your IT environment today? Please choose only your top three choices.

Negligent insiders | 36%
Organizational misalignment and complexity | 33%
Lack of system connectivity/visibility | 30%
Mobile/remote employees | 29%
Mobile devices such as smart phones | 28%
Cloud computing infrastructure and providers | 25%
Malicious insiders | 25%
Across 3rd party applications | 23%
Removable media (USB sticks) and/or media (CDs, DVDs) | 18%
Desktop or laptop computers | 15%
Data centers | 12%
The server environment | 9%
Network infrastructure environment (gateway to endpoint) | 7%
Within operating systems | 5%
Virtual computing environments (servers, endpoints) | 5%
Total | 300%

Q13. What are the most promising technologies in general? Please choose only your top two choices.

Technologies that minimize insider threats (including negligence) | 46%
Technologies that secure information assets | 39%
Technologies that provide intelligence about networks and traffic | 35%
Technologies that provide intelligence about attackers' motivation and weak spots | 23%
Technologies that simplify the reporting of threats | 23%
Technologies that secure endpoints including mobile-connected devices | 18%
Technologies that isolate or sandbox malware infections | 9%
Technologies that secure the perimeter | 7%
Total | 200%

Q14. What cyber defenses does your organization deploy to protect your organization from attacks or intrusions? Please rate each one of the following defenses in terms of its importance in preventing or quickly detecting cyber attacks using the following 5-point scale. Select 5 (not applicable) if your organization does not deploy or implement the given defense. 1 = Very important, 2 = Important, 3 = Somewhat important, 4 = Not important, 5 = Not applicable

Defense | Very important | Important | Somewhat important | Not important | Irrelevant
Security intelligence systems including SIEM | 40% | 32% | 12% | 10% | 6%
Identity and authentication systems | 41% | 26% | 17% | 15% | 1%
Anti-virus/anti-malware | 30% | 33% | 23% | 11% | 3%
Content aware firewalls including next generation firewalls (NGFW) | 32% | 29% | 21% | 10% | 8%
Secure network gateways including virtual private networks (VPN) | 28% | 29% | 32% | 6% | 5%
Anti-DoS/DDoS (Denial of Services) | 31% | 23% | 25% | 11% | 10%
Intrusion prevention systems (IPS) | 26% | 27% | 30% | 12% | 5%
Intrusion detection systems (IDS) | 26% | 25% | 25% | 13% | 11%
Endpoint security systems | 21% | 30% | 26% | 16% | 7%
Web application firewalls (WAF) | 23% | 25% | 23% | 19% | 10%
Enterprise encryption for data at rest | 23% | 25% | 33% | 10% | 9%
Enterprise encryption for data in motion | 23% | 24% | 31% | 12% | 10%
Secure coding in the development of new applications | 25% | 18% | 40% | 8% | 9%
Mobile device management | 18% | 24% | 30% | 23% | 5%
Other crypto technologies including tokenization | 21% | 20% | 39% | 12% | 8%
Data loss prevention systems | 18% | 20% | 23% | 21% | 18%
ID credentialing including biometrics | 20% | 16% | 44% | 12% | 8%

Q15. Who is most responsible for defining your organization's cybersecurity strategy?

Chief information officer (CIO) | 35%
Chief information security officer (CISO) | 25%
No one person or function has overall responsibility | 15%
Chief technology officer (CTO) | 7%
Outside managed service provider (MSSP) | 4%
Chief security officer (CSO) | 3%
Business unit management | 3%
Chief executive officer (CEO) | 2%
Chief risk officer (CRO) | 2%
Data center management | 2%
Corporate compliance or legal department | 2%
Website development leader/manager | 0%

Please rate your answer using a four-point scale.

Question | Very difficult | Difficult | Not difficult | Easy
Q16a. In your opinion, how difficult are cyber attacks to detect? | 21% | 25% | 42% | 12%
Q16b. In your opinion, how difficult are cyber attacks to block? | 32% | 24% | 40% | 4%
Q16c. In your opinion, how difficult are cyber attacks to prevent? | 45% | 40% | 11% | 4%
Q16d. In your opinion, how difficult are cyber attacks to isolate? | 31% | 26% | 40% | 3%

Q17. Using the following 10-point scale, please rate the overall effectiveness of your organization's ability to use intelligence to reduce risk or mitigate attacks.

1 or 2 | 7%
3 or 4 | 20%
5 or 6 | 41%
7 or 8 | 19%
9 or 10 | 13%
Extrapolated value | 5.72

Q18a. Do you believe your organization is presently targeted for attack?

Yes with certainty | 11%
Yes, very likely | 20%
Yes, likely | 18%
Somewhat likely | 16%
Unlikely | 5%
No | 30%

Q18b. If no, how do you know your organization is not targeted?

Logical deduction | 33%
Did not receive warnings or alerts from intelligence sources | 32%
Intuition (gut feel) | 35%

Q19. In your opinion, how important is geolocation for determining the severity of cyber threats to your organization?

Essential | 39%
Very important | 35%
Important | 16%
Not important | 8%
Irrelevant | 2%

Q20. How certain are you about the geolocation (origin) of cyber attacks posed against your organization?

Very certain | 16%
Certain | 20%
Somewhat certain | 30%
Not certain | 34%

Q21. What attacker presents the greatest cyber threat to your organization today? Please select only one choice.

Malicious insider | 37%
Criminal syndicates | 26%
State sponsored attacker | 19%
Hacktivists | 15%
Lone wolf hacker | 2%
Other (please specify) | 1%

Q22. In your opinion, how important is live intelligence to achieving a strong cybersecurity defense?

Essential | 44%
Very important | 32%
Important | 15%
Not important | 9%
Irrelevant | 0%

Part 3. Your role and organization

D1. What organizational level best describes your current position?

Senior Executive | 1%
Vice President | 2%
Director | 17%
Manager | 22%
Supervisor | 15%
Technician | 35%
Staff | 5%
Consultant | 2%
Contractor | 1%

D2. Check the Primary Person you or your IT security leader reports to within the organization.

CEO/Executive Committee | 2%
Chief Financial Officer | 1%
General Counsel | 2%
Chief Information Officer | 55%
Chief Information Security Officer | 18%
Compliance Officer | 5%
Human Resources VP | 4%
Chief Security Officer | 3%
Data Center Management | 2%
Chief Risk Officer | 6%
Other | 2%

D3. What industry best describes your organization's industry focus (stratified list)?

Utilities | 16%
Energy, oil & gas | 10%
Pharmaceuticals | 8%
Healthcare | 17%
Financial services | 21%
Chemical | 6%
Federal government (various departments) | 18%
All others | 4%

D4. Where are your employees located?

United States | 100%
Canada | 71%
Europe | 72%
Asia-Pacific | 68%
Middle East & Africa | 44%
Latin America (including Mexico) | 54%

D5. What is the worldwide headcount of your organization?

Less than 100 | 7%
100 to %
501 to 1,000 | 19%
1,001 to 5,000 | 25%
5,001 to 25,000 | 18%
25,001 to 75,000 | 12%
More than 75,000 | 8%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

Cyber Security on the Offense: A Study of IT Security Experts

Cyber Security on the Offense: A Study of IT Security Experts Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report

More information

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction

More information

Big Data Analytics in Cyber Defense

Big Data Analytics in Cyber Defense Big Data Analytics in Cyber Defense Sponsored by Teradata Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Big Data Analytics in Cyber

More information

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Importance of Cyber Threat Intelligence to a Strong Security Posture The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

2015 Global Study on IT Security Spending & Investments

2015 Global Study on IT Security Spending & Investments 2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices

More information

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information

Advanced Threats in Retail Companies: A Study of North America & EMEA

Advanced Threats in Retail Companies: A Study of North America & EMEA Advanced Threats in Companies: A Study of North America & EMEA Sponsored by Arbor Networks Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report

More information

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015 The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security

More information

Understanding Security Complexity in 21 st Century IT Environments:

Understanding Security Complexity in 21 st Century IT Environments: Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted

More information

Efficacy of Emerging Network Security Technologies

Efficacy of Emerging Network Security Technologies Efficacy of Emerging Network Security Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part

More information

A Study of Retail Banks & DDoS Attacks

A Study of Retail Banks & DDoS Attacks A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of

More information

2014: A Year of Mega Breaches

2014: A Year of Mega Breaches 2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A

More information

Cyber Threat Intelligence: Has to Be a Better Way

Cyber Threat Intelligence: Has to Be a Better Way Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

LiveThreat Intelligence Impact Report 2013

LiveThreat Intelligence Impact Report 2013 LiveThreat Intelligence Impact Report 2013 Sponsored by Independently conducted by Ponemon Institute LLC Publication Date: July 2013 Ponemon Institute Research Report Contents Part 1. Introduction 3 Executive

More information

Electronic Health Information at Risk: A Study of IT Practitioners

Electronic Health Information at Risk: A Study of IT Practitioners Electronic Health Information at Risk: A Study of IT Practitioners Sponsored by LogLogic Conducted by Ponemon Institute LLC October 15, 2009 Ponemon Institute Research Report Executive summary Electronic

More information

The SQL Injection Threat Study

The SQL Injection Threat Study The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April

More information

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving

More information

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013

More information

2012 Application Security Gap Study: A Survey of IT Security & Developers

2012 Application Security Gap Study: A Survey of IT Security & Developers 2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part

More information

The State of Mobile Application Insecurity

The State of Mobile Application Insecurity The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State

More information

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:

More information

Data Breach: The Cloud Multiplier Effect

Data Breach: The Cloud Multiplier Effect Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:

More information

Data Security in Development & Testing

Data Security in Development & Testing Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development

More information

Data Security in the Evolving Payments Ecosystem

Data Security in the Evolving Payments Ecosystem Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report

More information

State of Web Application Security U.S. Survey of IT & IT security practitioners

State of Web Application Security U.S. Survey of IT & IT security practitioners State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon

More information

The SQL Injection Threat & Recent Retail Breaches

The SQL Injection Threat & Recent Retail Breaches The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &

More information

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute

More information

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition Sponsored by Silver Tail Systems Independently conducted by Ponemon Institute, LLC Publication Date: October 2012 Ponemon Institute

More information

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season Sponsored by RSA Security Independently conducted by Ponemon Institute, LLC Publication Date: October 2013 Ponemon

More information

The Unintentional Insider Risk in United States and German Organizations

The Unintentional Insider Risk in United States and German Organizations The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction

More information

Cloud Security: Getting It Right

Cloud Security: Getting It Right Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon

More information

The Fraud Report: How Fake Users Are Impacting Business

The Fraud Report: How Fake Users Are Impacting Business The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud

More information

State of IT Security Study of Utilities & Energy Companies

State of IT Security Study of Utilities & Energy Companies State of IT Security Study of Utilities & Energy Companies Sponsored by Q1 Labs Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report State of

More information

Global Insights on Document Security

Global Insights on Document Security Global Insights on Document Security Sponsored by Adobe Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Global Insights on Document Security

More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

The Importance of Senior Executive Involvement in Breach Response

The Importance of Senior Executive Involvement in Breach Response The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April

More information

The State of Data Centric Security

The State of Data Centric Security The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security

More information

Reputation Impact of a Data Breach U.S. Study of Executives & Managers

Reputation Impact of a Data Breach U.S. Study of Executives & Managers Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon

More information

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report

More information

Security of Cloud Computing Users Study

Security of Cloud Computing Users Study Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part

More information

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research

More information

Third Annual Study: Is Your Company Ready for a Big Data Breach?

Third Annual Study: Is Your Company Ready for a Big Data Breach? Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute

More information

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013 2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon

More information

The State of USB Drive Security

The State of USB Drive Security The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research

More information

The Cost of Web Application Attacks

The Cost of Web Application Attacks The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication

More information

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners 0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on

More information

The End Endorsed Devices pose a Large Security Risk to Your Organization

The End Endorsed Devices pose a Large Security Risk to Your Organization 2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:

More information

Defining the Gap: The Cybersecurity Governance Study

Defining the Gap: The Cybersecurity Governance Study Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining

More information

Privileged User Abuse & The Insider Threat

Privileged User Abuse & The Insider Threat Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014 1 Privileged User Abuse & The Insider Threat Ponemon

More information

The Security Impact of Mobile Device Use by Employees

The Security Impact of Mobile Device Use by Employees The Security Impact of Mobile Device Use by Employees Sponsored by Accellion Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report The Security

More information

The Role of Governance, Risk Management & Compliance in Organizations

The Role of Governance, Risk Management & Compliance in Organizations The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication

More information

Security of Cloud Computing Users A Study of Practitioners in the US & Europe

Security of Cloud Computing Users A Study of Practitioners in the US & Europe Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report

More information

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction

More information

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Sponsored by AccessData Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute

More information

2015 Global Cyber Impact Report

2015 Global Cyber Impact Report 2015 Global Cyber Impact Report Sponsored by Aon Risk Services Independently conducted by Ponemon Institute LLC Publication Date: April 2015 2015 Global Cyber Impact Report Ponemon Institute, April 2015

More information

Challenges of Cloud Information

Challenges of Cloud Information The Challenges of Cloud Information Governance: A Global Data Security Study Sponsored by SafeNet Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research

More information

Breaking Bad: The Risk of Insecure File Sharing

Breaking Bad: The Risk of Insecure File Sharing Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Independently Conducted by Ponemon Institute LLC February 2012 Leading Practices in Behavioral

More information

State of Web Application Security

Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research

2015 State of the Endpoint Report: User-Centric Risk

Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report

National Survey on Data Center Outages

Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013

Ponemon Institute Research Report Part 1. Introduction

Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA)

Sponsored by Property Casualty Insurers Association of America Independently conducted by Ponemon Institute LLC Publication

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report

Achieving Data Privacy in the Cloud

Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in Germany Sponsored by Microsoft Independently Conducted by Ponemon Institute

The Human Factor in Data Protection

Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report

How Much Is the Data on Your Mobile Device Worth?

Sponsored by Lookout Independently conducted by Ponemon Institute LLC Publication Date: January 2016 Ponemon Institute Research Report Part 1. Introduction

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States

Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:

State of SMB Cyber Security Readiness: UK Study

Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction

The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations

Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Ponemon Institute Research Report Part

Critical Infrastructure: Security Preparedness and Maturity Sponsored by Unisys

Independently conducted by Ponemon Institute LLC Publication Date: July 2014 31 Part 1. Introduction Ponemon Institute is

Enhancing Cybersecurity with Big Data: Challenges & Opportunities

Independently Conducted by Ponemon Institute LLC Sponsored by Microsoft Corporation November 2014

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.

June 30, 2008 Please Do Not Quote Without Express Permission.

Second Annual Benchmark Study on Patient Privacy & Data Security

Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report

The Economic and Productivity Impact of IT Security on Healthcare

Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date: May 2013 Ponemon Institute Research Report

Final Document. Sponsored by. Symantec. 2011 Cost of Data Breach Study. United States

Benchmark Research Conducted by Ponemon Institute LLC Report: March 2012 Ponemon Institute : Please do not share without

The TCO of Software vs. Hardware-based Full Disk Encryption

Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA

Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute

2012 Bit9 Cyber Security Research Report

Executive Summary According to the results of a recent survey conducted by

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data

Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon

Encryption in the Cloud

Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute

Economic impact of privacy on online behavioral advertising

Benchmark study of Internet marketers and advertisers Independently Conducted by Ponemon Institute LLC April 30, 2010 Ponemon Institute Research Report

IBM QRadar Security Intelligence: Evidence of Value

Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background

2012 Business Banking Trust Trends Study

Sponsored by Guardian Analytics Independently conducted by Ponemon Institute LLC Publication Date: August 2012 Ponemon Institute Research Report Part 1. Introduction

The Cyber Security Leap: From Laggard to Leader

Contents: Introduction; Ready to leapfrog?; Key study findings; THEME 1: Innovation and strategy: separating the leapfrogs from

2013 Cost of Data Breach Study: United States

Benchmark research sponsored by Symantec Independently Conducted by Ponemon Institute LLC May 2013 Ponemon Institute Research Report Part 1. Executive Summary

2013 Study on Data Center Outages

Independently conducted by Ponemon Institute LLC Publication Date: September 2013 Part 1. Introduction

Compliance Cost Associated with the Storage of Unstructured Information

Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report

2015 Cost of Data Breach Study: United States

Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2015 Ponemon Institute Research Report