2015 Global Megatrends in Cybersecurity

Transcription

1 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report

2 2015 Global Megatrends in Cybersecurity Ponemon Institute, February 2015 Part 1. Introduction We are pleased to present the findings of the 2015 Global Megatrends in Cybersecurity sponsored by Raytheon. The purpose of this research is to understand the big trends or changes that will impact the security posture of organizations in both the public and private sector in the next three years. Moreover, the study looks at the next generation of protocols and practices as the cybersecurity field evolves and matures. We surveyed 1,006 senior-level information technology and information technology security leaders (hereafter referred to as respondent) in the US, UK/Europe and Middle East/North Africa (MENA) who are familiar with their organizations cybersecurity strategies. The research covered a range of trends related to an organization s ability to protect itself from cyber threats and attacks. Some of the areas addressed in this report are: the critical disconnect between CISOs and senior leadership, insider negligence, the Internet of Things, adoption of new technologies such as big data analytics, predictions of increases in nation state attacks and advanced persistent threats and the dearth of cyber talent. Overall direction of cybersecurity posture As noted in Figure 1, a majority of respondents believe their organizations cybersecurity posture will improve. Respondents in MENA are most positive about improvements in cyber security and the UK/Europe is least positive. According to the findings, the following reasons are why the cyber security posture of organizations are projected to improve over the next three years: Cyber intelligence will become more timely and actionable More funding will be made available to invest in people and technologies Technologies will become more effective in detecting and responding to cyber threats More staffing will be available to deal with the increasing frequency of attacks Employee-related risks will decline Following are reasons why the cyber security posture of organizations might decline: Inability to hire and retain expert staff Lack of actionable and timely intelligence Employee-related risks might not be reduced A lack of funding will prevent appropriate investments in people and technologies Technologies that address the specific cyber threats to the organization will not be available Page 1

3 Part 2. Seven Megatrends in Cybersecurity Based on the findings of the research, there are seven mega trends that will significantly impact the cybersecurity posture of organizations in the following areas: disruptive technologies, cyber crime, cost of compliance, the human factor, organizational and governance factors and enabling security technologies. Following is a summary of these seven mega trends and implications for companies. 1. Cybersecurity will become a competitive advantage and a C-level priority. As part of this study, we asked a panel of cybersecurity experts to predict changes to several normatively important characteristics concerning the role, mission and strategy of security. 1 A total of 110 individuals with bona fide credentials in information security provided their three-year predictions. In each of the following figures, today s average results were derived from the survey sample (n=1,006). An expert panel provided future predictions (n=110). Figure 2 shows only 25 percent of respondents believe their organization s C-level views security as a competitive advantage. However, 59 percent of respondents in the expert panel say C-level executives will view security as a competitive advantage three years from now. Figure 2. Do your organization s senior leadership view cybersecurity as a necessary cost or a competitive advantage? 80% 75% 70% 60% 59% 50% 40% 41% 30% 25% 20% 0% Today Necessary cost Competitive advantage Future (3 years from now) 1 The expert panel consisted of individuals with, on average, more than 20 years of experience in IT or information security leadership. Many of these individuals are Distinguished Fellows of Ponemon Institute. Page 2

4 Figure 3 shows only 34 percent of respondents believe their organization s senior leadership views security as a strategic priority. Fifty-four percent of the expert panel forecast that C-level executives will view security as a strategic priority three years from now. Figure 3. Does senior leadership view cybersecurity as a strategic priority? 70% 66% 60% 50% 54% 46% 40% 34% 30% 20% 0% Today Future (3 years from now) Yes No or Unsure Figure 4 shows 22 percent of respondents say their organization s security leader briefs the board of directors on cybersecurity strategy. Sixty-six percent of the expert panel forecast that three years from now the organization s security leader will regularly brief the board on a recurring basis. Figure 4. Does your organization s security leader brief the board of directors on the cybersecurity strategy? 90% 80% 70% 60% 50% 40% 30% 20% 0% 22% Today 78% 66% 34% Future (3 years from now) Yes No or Unsure Page 3

5 Figure 5 reports 14 percent of respondents say their organization s security leader has a direct reporting relationship with the CEO. In contrast, 30 percent of the expert panel predict that the security leader will directly report to the organization s CEO three years from now. Figure 5. Does your organization s security leader report directly to the CEO? 100% 90% 80% 70% 60% 50% 40% 30% 20% 0% 14% Today 86% 30% 70% Future (3 years from now) Yes No or Unsure Page 4

6 The following megatrends are presented as a percentage net change between the current state (e.g., today) and the future state (e.g., 3 years from now). The formula for percentage net change is defined as: Percentage net change = {[Current state Future state] / ½ * [Current state + Future state]} 2. Insider negligence risks are decreasing. Due to investments in technologies, organizations will gain better control over employees insecure devices and apps. Training programs will increase awareness of cybersecurity practices. A lack of visibility into what employees are doing in the workplace will become less of a problem in the next three years. Figure 6 provides the percentage net changes in human factor security risks. Here, a negative percentage indicates that the security risk rating is expected to increase. A positive percentage indicates the risk is forecasted to decline. As noted in this figure, only one attribution (about the inability to enforce compliance with polices) is expected to worsen over the next three years. According to respondents, the inability to control employees devices and apps, lack of awareness of cybersecurity practices, employee complacency about cybersecurity and a lack of visibility into what employees are doing in the workplace will become less of a problem in the next three years. Investments in technologies to address these threats and better controls over BYOD and BYOC will make these risks more manageable. Figure 6. Percentage net changes in human factor megatrends Consolidated view Inability to enforce compliance with policies -2% Contract workers replacing employees 4% More employees working outside the office Insufficient staff with knowledge and credentials Lack of awareness of cybersecurity practices Inability to control employees' devices and apps 25% 30% 32% Employee complacency about cybersecurity Inability to know what employees are doing in the workplace 40% 51% - 0% 20% 30% 40% 50% 60% Percentage net change on security risk ratings Page 5

7 3. Cyber crime will keep information security leaders up night. There will be significant increases in the risk of nation state attackers and advanced persistent threats, cyber warfare or terrorism, data breaches involving high value information and the stealth and sophistication of cyber attackers. In contrast, there are expected to be slight improvements in mitigating the risk of hacktivism and malicious or criminal insiders. Figure 7 provides the percentage net changes in cyber crime mega trends. Here, a negative percentage indicates that the security risk rating is expected to increase. A positive percentage indicates that risk is forecasted to decline. According to respondents, there will be significant increases in the risk of nation state attackers and advanced persistent threats, cyber warfare or terrorism, data breaches involving high value information and the stealth and sophistication of cyber attackers. In contrast, there are expected to be slight improvements in mitigating the risk of hacktivism and malicious or criminal insiders. Figure 7. Percentage net changes in cyber crime megatrends Consolidated view Nation state attackers -37% Cyber warfare or cyber terrorism -24% Breaches involving high-value information Stealth and sophistication of cyber attackers Zero-day attacks Breaches that disrupt business and IT processes Breaches that damage critical infrastructure -15% -14% -13% -12% -11% Breaches involving large volumes of data -3% Emergence of cyber syndicates Malicious or criminal insiders Emergence of hacktivism 0% 2% 3% -45% -35% -25% -15% -5% 5% 15% Percentage net change on security risk ratings Page 6

8 4. The Internet of Things is here but organizations are slow to address its security risks. The Internet of Things is the expanding network of billions of connected devices that are permeating our daily lives from the computers inside our cars to our WiFi enabled appliances, from wireless medical devices to wearable device. Because consumers are embracing more connected devices, information security leaders predict that the Internet of Things will be one of the most significant disruptive technologies in the near future. Figure 8 shows respondents perceptions about preparedness for cybersecurity risks resulting from the Internet of Things are generally consistent across all three regional samples. The majority of respondents do not believe they are ready for the impact the Internet of Things will have on their organizations. Figure 8. My organization is prepared to deal with potential cybersecurity risks resulting from the Internet of Things 40% 35% 30% 34% 30% 28% 25% 20% 15% 5% 0% US UK/Europe MENA Strongly agree and agree responses combined Page 7

9 Figure 9 shows the disruptive technologies that will increase or decrease in their risk to an organization. The Internet of Things risk is projected to increase by 25 percent and follows virtual currencies (48 percent increase in risk) and big data analytics (32 percent increase in risk). Figure 9. Percentage net changes in disruptive technology megatrends Consolidated view Organization s acceptance of virtual currencies -48% Organization s use of big data analytics The Internet of Things Organization s use of mobile payments -32% -25% -21% Organization s use of IT virtualization 3% Employees use of social media in the workplace Organization s use of cloud infrastructure Organization s use of digital identities Organization s use of cloud file sharing tools Organization s use of cloud services Employee-owned mobile devices (BYOD) Employees use of favorite cloud apps (BYOC) 11% 14% 15% 19% 25% 33% 38% -60%-50%-40%-30%-20%- 0% 20% 30% 40% 50% Percentage net change on security risk ratings Page 8

10 5. The cyber talent gap will persist. Figure 10 shows respondents in three regional samples hold a consistent belief that their organizations need more knowledgeable and experienced cybersecurity practitioners (i.e., the cyber talent gap). Figure 10. My organization needs more knowledgeable and experienced cybersecurity practitioners 80% 70% 67% 66% 65% 60% 50% 40% 30% 20% 0% US UK/Europe MENA Strongly agree and agree responses combined Figure 11 lists the factors that respondents believe could hinder or stall improvements in their organization s cybersecurity posture in the next 3 years. At 45 percent, the number one factor for respondents is the inability to hire and retain staff. This is closely followed by a lack of actionable intelligence (44 percent) and the inability to curtail employee-related security risks (43 percent). Figure 11. Factors that will hinder improvement over the next 3 years Consolidated view Inability to hire and retain expert staff Lack of actionable intelligence Inability to minimize employee risk 44% 43% 45% Lack of funding Lack of suitable technologies Increase in complexity Lack of C-level support 34% 33% 31% 29% Lack of cybersecurity leadership 22% Increase in compliance burden 19% 0% 5% 15% 20% 25% 30% 35% 40% 45% 50% Page 9

11 6. Big shifts in new technologies towards big data analytics, forensics and intelligencebased cyber solutions. The following technologies will gain the most in importance over the next 3 years: encryption for data at rest, big data analytics, SIEM and cybersecurity intelligence, automated forensics tools, encryption for data in motion, next generation firewalls, web application firewalls, threat intelligence feeds and sandboxing or isolation tools. Figure 12 provides the percentage net changes in importance ratings for 25 enabling security technologies for the consolidated sample. Here, a positive net change percentage indicates that the importance of a given technology is projected to increase over the next three years. A negative percentage indicates the importance of the technology is projected to decrease. The technologies that achieve the highest percentage net change are: encryption for data at rest, big data analytics, forensics (automated tools), next generation firewalls, SIEM, threat intelligence feeds, web application firewalls, sandboxing or isolation tools and encryption for data in motion. Technologies that are projected to become less important over time include anti-virus tools and data loss prevention systems. Figure 12. Percentage change in importance of enabling security technologies Consolidated view Encryption for data at rest Big data analytics SIEM and cybersecurity intelligence Forensics (automated tools) Encryption for data in motion Next generation firewalls (NGFW) Web application firewalls (WAF) Threat intelligence feeds Sandboxing or isolation tools Access governance systems Tokenization tools Automated policy generation Perimeter or location surveillance Identity & access management Intrusion detection & prevention Incident response tools Database scanning and monitoring URL or content filtering Device anti-theft solutions Configuration & log management Virtual private network (VPN) ID & credentialing system Endpoint and mobile device management Data loss prevention (DLP) Anti-virus & anti-malware -12% -17% 0% 0% -1% -2% -4% -4% -5% -6% 6% 4% 3% 2% 2% 1% 24% 20% 20% 19% 19% 18% 18% 17% 17% -30% -20% - 0% 20% 30% Percentage net change on importance ratings Page 10

12 7. Despite alarming media headlines, cybersecurity postures are expected to improve. As noted in Figure 13, the majority of respondents say their cybersecurity postures will improve for the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks and employee-related risks will decline. Figure 13. Will our organization s security posture improve, decline or stay at the same level? 70% 60% 60% 55% 64% 50% 40% 30% 31% 32% 26% 20% 9% 13% 0% US UK/Europe MENA Improve Stay the same Decline Page 11

13 Part 3. Country Comparisons In this section we compare the average megatrend ratings for the countries represented in this study. Figure 14 provides the summarized average risk rating for six areas of megatrends by country sample. Each respondent provided a rating on a 5-point scale from 1 = low to 5 = high. A risk scale was used to rate four mega trend categories namely, organizational factors, the human factor, disruptive technologies and cyber crime. Security technologies were rated on importance and compliance was rated on cost burden. Respondents provided ratings in three separate samples (US, UK/Europe and MENA) for today and three years from now (future). As shown below, ratings across country samples vary. The US sample appears to have higher or more risky ratings on average and the MENA sample has lower or less risky ratings. The grand mean for both the current state (today) and future state is 3.6, which is significantly higher than the 5-point scale median of 3.0. Figure 14. Average megatrend ratings for today and future state by country sample Panel A: Current State (Today) Security technologies Organizational factors Human factor Disruptive technologies Cyber crime Compliance cost MENA UK/Europe US Panel B: Future State (3 years from now) Security technologies Organizational factors Human factor Disruptive technologies Cyber crime Compliance cost MENA UK/Europe US Page 12

14 According to the findings, net changes across country samples are generally consistent, with mixed results for human and organizational factors, respectively. Results suggest that security technologies will increase in importance and the human factor risk will improve significantly in the US and UK/Europe over three years. In contrast, organizational factors, disruptive technologies, cyber crime and compliance costs are all predicted to worsen over time. In the US, organizational factors will improve slightly. Figure 15. Percentage net changes between current and future states by country sample Security technologies Worsened State Improved State 17% 17% 14% Organizational factors -20% -2% 2% Human factor - 23% 43% Disruptive technologies Cyber crime Compliance cost -22% -24% -18% -8% -8% - -6% -8% - -30% -20% - 0% 20% 30% 40% 50% MENA UK/Europe US Page 13

15 Part 4. Other Megatrends and Findings Will governance practices evolve to meet cybersecurity challenges? Three years from now, due in part to the growth of connected mobile devices, respondents believe it will become more difficult to secure access to data, systems and physical spaces, as shown in Figure 16. Respondents also believe the complexity of IT operations coupled with the growth of unstructured data assets will cause a substantial increase in security risks. Another factor that is projected to increase risk concerns the inability to integrate disparate technologies. Figure 16. Percentage net change in organizational factor mega trends Consolidated view Inability to secure access rights to data, systems and physical spaces Complexity of business and IT operations -20% -17% Growth of unstructured data assets Inability to integrate disparate technologies Inability to integrate necessary data sources for actionable cyber intelligence Integration of third parties into internal networks and applications Silos and the lack of collaboration -9% -7% -2% 1% 2% Lack of cybersecurity leadership Inability to convince leadership to make cybersecurity a priority Lack of funding to support cyber defense 8% 13% 19% -35% -25% -15% -5% 5% 15% 25% Percentage net change on security risk ratings Page 14

16 The compliance cost burden is predicted to increase. Three years from now, due to the increase in cyber attacks and cyber terrorism, organizations will be facing the need to invest more in compliance with mandates on critical infrastructure protection and national cyber defense strategies. An increase in class action and tort litigation because of the continuation of data breaches will be another concern for organizations. Figure 17. Percentage change in compliance cost megatrends Consolidated view Mandates on critical infrastructure protection National cyber defense strategies -41% -40% Class action and tort litigation Federal laws regulating data protection and privacy International privacy and data protection laws E-Discovery requirements -31% -9% -8% -4% State laws regulating data protection and privacy Self-regulatory programs (such as ISO or PCI) Cybersecurity governance -1% 0% 3% -50% -40% -30% -20% - 0% Percentage net change on cost ratings Page 15

17 What respondents believe is the current state of cybersecurity. Figure 18 provides the strongly agree and agree response to eight attributions about cybersecurity. As can be seen, 66 percent of respondents believe their organization needs more knowledgeable and experienced cybersecurity practitioners. Fifty-nine percent believe cyber intelligence activities are necessary for protecting information assets and IT infrastructure. Slightly less than half (48 percent ) believe their organization has adequate security technologies. Finally, only 31 percent of respondents believe their organization is prepared to deal with cybersecurity risks or issues in the Internet of Things. Figure 18. The current state of cybersecurity Strongly agree and Agree responses combined My organization needs more knowledgeable and experienced cybersecurity practitioners. 66% My organization believes cyber intelligence activities are necessary for protecting information assets and IT infrastructure. 59% My organization has adequate security technologies to protect information assets and IT infrastructure. My organization takes appropriate steps to comply with the leading cybersecurity standards. 48% 47% My organization has ample resources to ensure all cybersecurity requirements are met. 47% My organization consistently follows policies and procedures that seek to protect information assets and IT infrastructure. My organization is investing in big data analytics for cyber defense. My organization is prepared to deal with potential cybersecurity risks resulting from the Internet of things. 31% 39% 37% 0% 20% 30% 40% 50% 60% 70% Strongly agree and Agree responses combined Page 16

18 Why will organizations cybersecurity posture improve? As discussed earlier in the report, there is general optimism that organizations will rise to the challenge of dealing with cyber threats. Figure 19 shows the success factors that respondents believe could drive improvement to their organization s cybersecurity posture in the next 3 years. The top three choices are: increase in funding, improvements to cyber intelligence and improvement in enabling security technologies. Figure 19. Factors that will drive improvement over the next 3 years Consolidated view Increase in funding Cyber intelligence improvements 47% 47% Improvement in technologies Improvement in staffing 41% 40% Ability to minimize employee-related risk 36% Improvement in threat sharing Reduction in complexity Cybersecurity leadership Increase in C-level support 23% 21% 19% 16% Reduction in compliance burden 0% 5% 15% 20% 25% 30% 35% 40% 45% 50% Page 17

19 Figure 20 lists in descending order of importance what respondents believe will be the most prevalent types of cyber threats over the next 3 years. The top five choices are: zero day attacks, data leakage in the cloud, mobile malware/targeted attacks, SQL injection and phishing attacks. Figure 20. What respondents believe will be the most prevalent cyber threats or attacks over the next three years Consolidated view Zero day attacks 49% Cloud data leakage Mobile malware/targeted attacks SQL injection Phishing attacks Critical infrastructure attacks 41% 38% 37% 36% 35% Watering hole attacks 29% Compromised supply chain Insider threats DDoS Rootkits 25% 23% 23% 22% BYOD data theft Cross-site scripting Compromised trusted partners Compromised MSSPs/SaaS providers MacOS malware/targeted attacks Botnet attacks Linux malware/targeted attacks Clickjacking Attacks against control systems 13% 12% 9% 8% 8% 7% 0% 20% 30% 40% 50% 60% Page 18

20 Part 4. Conclusion Many information security professionals believe the next three years will determine if organizations can win the cyber war. Understanding the big trends that will impact the security posture of organizations will help organizations make smarter decisions about their investments in people, processes and technologies to achieve success. To gain this understanding, we turned to information security leaders throughout the world to identify the most important trends for the next three years. Based on the findings, following are recommendations and observations: Prepare to deal with external threats such as nation state attackers, cyber warfare or cyber terrorism. With the negligence insider risk decreasing, more resources should be allocated to dealing with an increasing sophisticated and stealthy cyber criminal. Establish regular cyber training and awareness programs. These programs are critical in making employees and contractors the first line of defense against malicious or criminal activity. Develop a strategy to deal with the risks created by the Internet of Things. Conduct a security impact assessment on how the Internet of Things will impact your organization s security posture. Be aware of the growing adoption of virtual currencies that will pose new risks to both organizations and customers. Understand how to use big data analytics effectively. Big data analytics will have both a negative and positive impact on organizations. The negative will be the vast amounts of sensitive and confidential data that will have to be protected. The positive will be the availability of analytics that will be helpful in detecting and blocking cyber attacks. Go back to school and recruit experts in cybersecurity. A key differentiator among organizations will be the ability to hire and retain knowledgeable and experienced cybersecurity practitioners. Invest in the tried and true technologies because they will become more important. These include encryption for data at rest and in motion, SIEM and cybersecurity technologies and firewalls. While leadership for cybersecurity initiatives will improve other governance issues will become more troublesome. These are the inability to secure access rights to data, systems and physical spaces, complexity of business and IT operations, the growth of unstructured data assets and the inability to integrate disparate technologies. Prepare to deal with an increasing litigious environment due to class action and tort litigation. The compliance cost burden will increase for organizations due to mandates on critical infrastructure protection. Page 19

21 Part 5. Methods A random sampling frame of 27,125 senior-level IT and IT security practitioners located in the United States, Europe and MENA were selected as participants to this survey. All respondents were screened to ensure they had bona fide credentials in cybersecurity or related disciplines. 2 When asked what best describes their role in managing security risk, 58 percent of respondents said they set priorities, 57 percent said they manage budgets, 63 percent select vendors and contractors, 43 percent determine the organization s security strategy and 46 percent evaluate program performance. By design, 97 percent of respondents are at supervisory or executive levels. The organizational level of respondents is as follows: C-level (8 percent), Director (32 percent), Vice President (13 percent), Senior Executive (10 percent), Manager (34 percent) and Other (3 percent). The department or function where respondents are located within the organization is as follows: Chief Information Officer (51 percent), Chief Technology Officer (8 percent), CEO/President (7 percent), Chief Security Officer (6 percent), Chief Risk Officer (6 percent), Chief Financial Officer (5 percent), General Counsel (5 percent), Compliance Officer (4 percent), Business Owner (3 percent) and Other (5 percent). As shown in Table 1, a consolidated total of 1,125 respondents completed the survey. Screening and failed reliability checks resulted in the removal of 119 surveys. The final sample was 1,006 surveys (or a 3.7 percent overall response rate). Table 1. Survey Response Total sampling frame Total survey returns Rejected or screened surveys Final sample Response rate US UK/Europe MENA Consolidated 11,550 9,790 5,785 27, % 4.1% 3.1% 3.7% 2 When asked what best describes their job-related role in managing security risk, 58 percent of respondents said they set priorities, 57 percent said they manage budgets, 63 percent said they select vendors and contractors, 43 percent determine the organization s security strategy and 46 percent evaluate program performance. Page 20

22 Pie Chart 1 reports the industry segments of respondents organizations. This chart identifies financial services (15 percent) as the largest segment, followed by industrial (12 percent) and public sector (11 percent). Pie Chart 1. Industry distribution of respondents organizations 3% 4% 5% 3% 5% 3% 3% 2% 3% 3% 3% 6% 9% 15% 11% 12% Financial services Industrial Public sector Services Health & pharmaceutical Energy & utilities Technology Hospitality & leisure Software Consumer products Retail, store Other Retail, Internet Transportation Communications Education & research Agriculture & food services Pie chart 2 shows 42 percent of respondents are from organizations with a worldwide headcount of more than 5,000 employees. Pie Chart 2. Worldwide headcount of the organization 9% 14% 12% < to % 501 to 5,000 5,001 to 10,000 22% 10,001 to 25,000 > 25,000 24% Page 21

23 Part 6. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. Please contact research@ponemon.org or call us at if you have any questions. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Copyright 2015, Raytheon Company, Ponemon Institute, LLC. All rights reserved. No parts of this material may be reproduced in any form without the written permission of Raytheon or the Ponemon Institute, LLC. Permission has been obtained from the copyright co-owner, Raytheon to publish this reproduction, which is the same in all material respects, as the original unless approved as changed. No parts of this document may be reproduced, stored in any retrieval system, or transmitted in any form, or by any means electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Raytheon or the Ponemon Institute, LLC. Page 22