The Unintentional Insider Risk in United States and German Organizations

Transcription

1 The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015

2 2 Part 1. Introduction The Unintentional Insider Risk in United States and German Organizations July 2015 All workplaces share the same security threat: the well meaning but careless employee who may be more focused on productivity than protecting the company s sensitive or confidential information. Often, without thinking of the potential consequences, they leave confidential documents in plain view, share passwords, circumvent security procedures, are duped by phishing scams and transfer sensitive data to the public cloud without company approval. The Unintentional Insider Risk in United States and German Organizations was conducted by Ponemon Institute and sponsored by Raytheon Websense. We surveyed 1,071 IT and IT security practitioners in the United States and Germany who understand and are familiar with the security risks created by negligent or careless employees and other insiders in their organizations. Organizations in both countries strive to have a strong security posture. Germany is often on the cutting edge of deploying security technologies and is a strict enforcer of security policies in the workplace. 1 With this in mind, we wanted to determine if cultural differences in the workplace would impact how German and U.S. IT security practitioners manage this risk. We also thought it would be interesting to study the characteristics of the negligent insider and if they differ between these two countries. As shown in Figure 1, both German and U.S. IT practitioners agree unintentional employee negligence not only severely diminishes the productivity of the IT function it also causes more security incidents than intentional and malicious acts. We also determined that it can cost a U.S. company as much as $1.5 million and a Germany company 1.6 million in time wasted responding to security incidents caused by human error. Moreover, if a data breach should happen because of negligence, the average cost per record in the U.S. is $198 and 145 in Germany. 2 Following are other key takeaways: Telling the difference between malicious and negligent security incidents is difficult. Forty-four percent of German and 49 percent of U.S. respondents report they cannot tell the difference between security incidents caused by employees who are careless and those who are malicious. Those who say they can differentiate between maliciousness and negligence, say it represents an average of 70 percent (U.S. respondents) or 63 percent (German respondents) of all insider security incidents. 1 Ponemon Institute IT Security Tracking Study, March Cost of Data Breach: United States and Germany, sponsored by IBM, May

3 3 Insider negligence diminishes productivity. IT security practitioners spend an average of almost three hours each day dealing with the security risks caused by employee mistakes or negligence. In addition, they say almost two hours is wasted due to insider carelessness. Improvements in productivity and in-house IT security expertise would be the benefits of fewer insider security incidents. Minimizing the insider threat would enable the IT staff to be more productive and have resources to increase their security expertise. A third benefit would be the ability to increase investment in technologies. German and U.S. respondents have very different perceptions about the unintentional insider risk. German respondents are more likely to agree that their organizations do not have the necessary safeguards in place to protect their organization from careless employees (54 percent of Germans agree and 46 percent of U.S. respondents agree). Respondents in the U.S. are more likely to agree their employees are not properly trained to follow data security policies and senior executives do not consider data security a priority. 3

4 4 Part 2. Key findings In this section, we provide an analysis of the key findings. The complete audited findings are presented in the appendix of the report. We have organized the report according to the following topics: Profile of the unintentional insider The impact of employee negligence on the productivity of IT security staff Cultural differences in the unintentional insider risk Risky scenarios likely to occur and create a security incident Who is most careless and negligent? Both German and U.S. respondents say it is the ordinary user or contractor and third parties who are most likely to put sensitive and confidential information at risk. However, as shown in Figure 2, German respondents are more likely to consider contractors and third parties a threat. U.S. respondents are more likely to view the privileged insider as being negligent. Figure 2. Who is the biggest security risk because of their negligence? Two responses permitted Ordinary users Contractors and third parties Privileged users C-level executives Administrative employees Other CEO 2% 1% 2% 1% 8% 9% 30% 27% 29% 39% 50% 72% 66% 64% 0% 10% 20% 30% 40% 50% 60% 70% 80% U.S. DE 4

5 5 What are the characteristics of employees who pose the greatest risk? As noted above, ordinary users and contractors are considered by respondents to pose the greatest risk. The study also considered the profile of employees who pose the greatest risk. Figure 3 reveals that new or entry employees are considered to create the most risk suggesting the importance of training and awareness programs for this group. Other high-risk employees are those who travel frequently, younger employees and employees who work offsite. The least risky are seasoned employees with several years of relevant work experience. Figure 3. Characteristics of employees who pose the greatest risk On a scale of 1 = low risk to 10 = high risk, 7+ level of risk reported New/entry level employee 81% 80% Frequent travelers Younger employees (millennials) Employees who work offsite Male employees 71% 68% 68% 70% 66% 70% 66% 63% Female employees Older employees (baby boomers) Employees with college or university degree Employees with high school education (no college or university degree) 45% 40% 44% 49% 46% 43% 57% 51% Seasoned employees with several years of relevant work experience 29% 24% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% U.S. DE 5

6 6 Long hours and multi-tasking are also red flags for risk. Multi-taskers are more likely to be careless or negligent according to 79 percent of U.S. respondents and 81 percent of German respondents, as shown in Figure 4. Employees who work too many hours also pose a risk. On average, U.S. employees work longer than German employees (48 hours versus 35 hours). Figure 4. Do long hours and multi-tasking signal potential risk? Yes response 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 79% 81% Do you believe employees who multi-task are more likely to be careless or negligent? U.S. 69% 56% Do you believe employees who work too many hours are more likely to be careless or negligent? DE Telling the difference between malicious and negligent security incidents is difficult. As shown in Figure 5, 44 percent of German and 49 percent of U.S. respondents report they cannot tell the difference between security incidents caused by employees who are careless and those who are malicious. Those who say they can tell the difference, say it represents an average of 70 percent (U.S. respondents) or 63 percent (German respondents) of all insider security incidents. Figure 5. Can you tell the difference between security incidents caused by malicious or negligent employees? 60% 50% 51% 56% 49% 44% 40% 30% 20% 10% 0% Yes No U.S. DE 6

7 7 The impact of employee negligence on the productivity of IT security staff If security incidents caused by employees sloppiness could be reduced, companies could save money. Respondents were asked to estimate how much IT security spending could be saved if employee negligence and carelessness could be reduced by 25 percent, 50 percent and 75 percent. As shown in Figure 6, if negligence was reduced by as much as 50 percent, an average of 31 percent (U.S.) or 28 percent (Germany) of IT security spending could be saved and perhaps allocated for investments in people and enabling technologies. A 25 percent reduction would save 20 percent in the U.S. and 19 percent in Germany in IT security spending. If an organization was able to have a 75 percent reduction, the savings could be as much as 39 percent and 37 percent in U.S. and German organizations, respectively. Figure 6. How much IT security spending could be saved if employee negligence was reduced by as much as 50 percent? 40% 35% 37% 36% 30% 25% 20% 15% 20% 23% 23% 25% 18% 15% 10% 5% 0% Less than 10% 11% to 25% 26% to 50% 51% to 75% 76% to 100% 2% 1% U.S. DE 7

8 8 According to Figure 7, IT security practitioners spend an average of almost three hours each day dealing with the security risks caused by employee mistakes or negligence. In addition, they say almost two hours is wasted due to carelessness. Figure 7. The time spent responding to employees mistake and the time wasted Extrapolated value in hours Time spent each day responding to security risks caused by employee mistakes or negligence U.S. Time wasted responding to security issues due to carelessness and negligence of employees DE Table 1 provides a simple extrapolation for the annual cost of wasted time based on our sample of companies participating in this research. As can be seen, the estimated cost of wasted time for US companies is 1.46 million dollars and for German companies is 1.43 million euros. Calculus Table 1: Extrapolated average annual cost of wasted time Average number of FTE IT security support team members (extrapolated value per tracking study)* Fully loaded compensation per day (dollars) $301.4 Fully loaded compensation per day (Euros) Cost per hour (dollars) - 8 hour work day $37.7 Cost per hour (Euros) - 7 hour work day 40.5 Wasted time (extrapolated value from survey) Value of wasted time per individual each day $74 77 Value of wasted time per company each day $4,007 3,926 Value of wasted time per company each year $1,462,725 1,432,930 *See: Ponemon Institute s IT security tracking study: March 2015 US DE 8

9 9 Improvements in productivity and in-house IT security expertise would be the benefits of fewer insider security incidents. As shown in Figure 8, minimizing the insider threat would enable the IT staff to be more productive and have resources to increase their security expertise. A third benefit would be more investment in technologies. Figure 8. How would the reduction in insider security incidents benefit IT? Productivity of IT staff would increase 43% 48% There would be more resources to increase inhouse IT security expertise There would be more resources to invest in technology There would be less concern about a possible security breach 23% 19% 19% 20% 15% 13% 0% 10% 20% 30% 40% 50% 60% U.S. DE IT security is a very stressful job because of employees carelessness and negligence. According to Figure 9, 33 percent of U.S. respondents and 29 percent of German respondents say their current positions are very stressful and the main source is the careless or negligent employee (74 percent and 63 percent of respondents, respectively). This is followed by long hours and a lack of resources and budget. Figure 9. Why is your job stressful? More than one response permitted Constantly putting out fires because of employees carelessness and negligence 63% 74% Long hours The frequent need to solve employees problems with their computers and other devices 50% 51% 56% 67% Lack of resources & budget 44% 56% My boss 30% 55% 0% 10% 20% 30% 40% 50% 60% 70% 80% U.S. DE 9

10 10 German and U.S. respondents have very different ideas about how to stop the unintentional insider risk. Germans are more likely to limit the practices that can create unintentional risk and Americans prefer monitoring employees behavior, according to Figure 10. However, they both agree in the importance of conducting frequent training and awareness programs on the unintentional risk. Figure 10. What are the best solutions to stop unintentional insider risk? More than one response permitted Conduct frequent training and awareness programs on the unintentional risk Assess the unintentional risk to better understand where the greatest risks exist Limit the use of practices that can create unintentional risks Monitor employees behavior Enforce penalties for not complying with data security policies 38% 37% 30% 28% 67% 70% 56% 62% 55% 63% There is no solution Provide incentives to comply with data security policies 19% 14% 15% 8% 0% 10% 20% 30% 40% 50% 60% 70% 80% U.S. DE 10

11 11 Cultural differences in the unintentional insider risk German and U.S. respondents have very different perceptions about the unintentional insider risk. The differences are shown in Figure 11. German respondents are more likely to agree that their organizations do not have the necessary safeguards in place to protect their organization from careless employees (54 percent of Germans agree and 46 percent of U.S. respondents agree). U.S. respondents have a more pessimistic view about the state of unintentional risk in their organizations. Specifically, U.S. respondents are more likely to agree their employees are not properly trained to follow data security policies and senior executives do not consider data security a priority. Figure 11. German & U.S. perceptions about the unintentional insider risk Strongly agree and agree responses combined Our organization is at risk because employees are careless or negligent when accessing and using sensitive information 54% 66% Employees are not properly trained to follow data security policies 46% 60% Employees are pressured to be productive at the expense of not following data security policies 43% 54% Employees frequently ignore or circumvent our data security practices because they are inconvenient 40% 52% Employees do not take data security seriously 40% 52% Senior executives do not consider data security a priority 37% 50% Insufficient safeguards in place to protect our organization from employee negligence or carelessness 46% 54% 0% 10% 20% 30% 40% 50% 60% 70% U.S. DE 11

12 12 Risky scenarios likely to occur and create a security incident In this study, we identified 8 scenarios that often lead to security incidents due to negligence and carelessness. We asked respondents to rate the likelihood of the incident occurring and how much of a risk it creates. As shown in Table 2, the scenario most likely to occur involves employees combining business and personal data on their own devices. The scenario that is likely to occur and poses a high risk in both countries concerns employees who are duped by a phishing scam. In all cases, these risky scenarios are more likely to occur in U.S. organizations than in German organizations. There are also some significant differences between the two countries. Specifically, it is far more likely U.S. organizations will have employees who share passwords, lose mobile devices and do not report the loss immediately, do not use a privacy shield and expose sensitive and confidential information in open and public spaces and copy confidential information from a company collaboration tool in order to send information to individuals without access to the network Table 2. 8 scenarios that often lead to security incidents On a scale of 1 = low likelihood/low risk to 10 = high likelihood/high risk to the organization, respondents rated the scenario 7+ likelihood of occurring and 7+ level of risk reported Scenario 1: Employees combine business and personal data on their own devices. U.S. DE What is the likelihood of this happening in your organization? 94% 91% How much of a risk is this to your organization? 57% 57% Scenario 2: Employees share passwords. U.S. DE What is the likelihood of this happening in your organization? 73% 72% How much of a risk is this to your organization? 26% 23% Scenario 3: When working in open and/or public spaces, employees do not use a privacy shield on their laptops and expose sensitive and confidential information. U.S. DE What is the likelihood of this happening in your organization? 94% 91% How much of a risk is this to your organization? 57% 57% Scenario 4: Employees are duped by a phishing scam. U.S. DE What is the likelihood of this happening in your organization? 86% 77% How much of a risk is this to your organization? 94% 86% Scenario 5: To circumvent file-size limits prescribed for work , employees transfer sensitive company information to an unauthorized public cloud service. U.S. DE What is the likelihood of this happening in your organization? 74% 68% How much of a risk is this to your organization? 54% 52% 12

13 13 Scenario 6: Employees use consumer cloud content services that are not permitted (i.e., Dropbox). U.S. DE What is the likelihood of this happening in your organization? 74% 67% How much of a risk is this to your organization? 58% 51% Scenario 7: Employees lose mobile devices and fail to report the loss immediately. U.S. DE What is the likelihood of this happening in your organization? 72% 57% How much of a risk is this to your organization? 75% 74% Scenario 8: Employees copy confidential information from a company document collaboration tool to an USB stick to be able to send this information to people without access. This enables employees to work from home without needing access to the company s network. U.S. DE What is the likelihood of this happening in your organization? 71% 62% How much of a risk is this to your organization? 57% 55% Conclusion The findings of this study confirm the seriousness of the negligent insider risk. It also reveals the diminishment in the IT function s productivity because of having to respond to security incidents caused by carelessness. Unfortunately, companies are often uncertain what steps beyond training and awareness programs will mediate this threat and not continue to consume the valuable time of their skilled security staff. A close look at the findings reveals how organizations can become more intelligent about addressing this risk. According to the IT security practitioners in our study, there are certain characteristics of insiders and situations that are more prone to create security incidents. A combination of technologies and governance practices that address the areas of greatest risk in an organization would increase the effectiveness and ability to reduce the unintentional risk. 13

14 14 Part 4. Methods Table 3 reports the sample response for the United States and Germany. The U.S. sample is composed of 17,800 IT and IT security practitioners and the German sample is composed of 14,560 IT and IT security practitioners. All respondents are familiar with the security risks created by negligent or careless employees and other insiders in their organizations. From this sampling frame, we captured 1,182 returns of which 111 were rejected for reliability issues. Our final consolidated sample was 1,071, thus resulting in an overall 3.3% response rate. Table 3. Sample response U.S. DE Total sampling frame 17,800 14,560 Total returns Rejected or screened surveys Final sample Table 4 summarizes the approximate position levels of respondents in our study. As can be seen, the majority of respondents reported their current position level as technician or staff (54 percent for the U.S. and 60 percent for Germany). Table 4. What organizational level best describes your current position? U.S. DE Senior Executive 2% 2% Vice President 2% 1% Director 7% 5% Manager 16% 17% Supervisor 16% 13% Technician/staff level 54% 60% Contractor 2% 2% Other 1% 0% Table 5 reports the respondents organizations primary industry concentration or focus. As shown, 18 percent of U.S. respondents and 16 percent of German respondents are located in financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Table 5. What industry best describes your organization s industry focus? U.S. DE Financial services 18% 16% Health & pharmaceutical 11% 9% Industrial 11% 15% Public sector 10% 13% Services 9% 11% Retail 8% 7% Technology & software 7% 7% Transportation 6% 3% Consumer products 4% 7% Energy & utilities 4% 3% Communications 3% 2% Hospitality 3% 3% Education & research 2% 2% Other 4% 2% 14

15 15 Table 5 reports the worldwide headcount of the respondent s organizations. The majority of U.S. and German respondent are located in organizations with a global headcount of more than 1,000 employees worldwide. Table 6. What is the worldwide headcount of your organization? U.S. DE Less than % 19% 500 to 1,000 20% 17% 1,001 to 5,000 26% 26% 5,001 to 10,000 13% 15% 10,001 to 25,000 9% 10% 25,001 to 75,000 8% 7% More than 75,000 7% 6% Part 4. Caveats to this study There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. 15

16 16 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in March Survey response U.S. DE Total sampling frame 17,800 14,560 Total returns Rejected or screened surveys Final sample S1. What is your role in IT or IT security? Please select one best choice U.S. DE IT operations 30% 25% Security operations 18% 20% Incident response team 11% 10% Technician 7% 7% Help desk 7% 8% IT compliance 6% 5% Data center management 5% 6% Forensics 3% 2% IT audit 3% 4% Systems administration 3% 5% Cloud administrator 2% 1% Network engineering 2% 3% Database administration 1% 1% Identity & access management 1% 2% Other 1% 1% None of the above (Stop) 0% 0% S2. How familiar are you with the security risks created by negligent or careless employees and other insiders in your organization? U.S. DE Very familiar 23% 18% Familiar 40% 41% Somewhat familiar 37% 41% Not familiar (Stop) 0% 0% Q1. How many years have you worked for your current employer? U.S. DE Less than 1 year 12% 8% 2 to 4 years 24% 20% 5 to 7 years 24% 26% 8 to 10 years 23% 25% More than 10 years 17% 21% Q2a. How stressful is your current position? U.S. DE Very stressful 33% 29% Stressful 29% 30% Somewhat stressful 12% 16% Not stressful 26% 25% 16

17 17 Q2b. If your job is stressful, why is it? Please check all that apply. U.S. DE Long hours 67% 56% Constantly putting out fires because of employees carelessness and negligence 74% 63% Lack of resources & budget 56% 44% My boss 55% 30% The frequent need to solve employees problems with their computers and other devices 50% 51% Total 302% 244% Q3. How much time each day do you spend helping employees with their workrelated computing problems? U.S. DE 30 minutes or less 28% 24% 1 to 2 hours 11% 9% 3 to 4 hours 2% 4% 4 to 6 hours 3% 5% Full time job 7% 8% No time 49% 50% Extrapolated hours Q4. How much time each day do you spend responding to security risks caused by employee mistakes or negligence? U.S. DE 30 minutes or less 17% 16% 1 to 2 hours 18% 20% 3 to 4 hours 7% 6% 4 to 6 hours 8% 9% Full time job 23% 21% No time 27% 28% Extrapolated hours Q5. How much of your day is wasted responding to security issues due to carelessness and negligence of employees? U.S. DE 30 minutes or less 35% 40% 1 to 2 hours 16% 11% 3 to 4 hours 15% 12% 4 to 6 hours 3% 3% Full time job 11% 12% No time is wasted 20% 22% Extrapolated hours Q6a. Can you tell the difference between security incidents caused by malicious employees and those caused by negligence or carelessness? U.S. DE Yes 51% 56% No 49% 44% 17

18 18 Q6b. If yes, what percentage of all insider security incidents caused by employees is due to carelessness and negligence and not maliciousness? U.S. DE Less than 10% 4% 6% 11% to 25% 9% 13% 26% to 50% 9% 15% 51% to 75% 13% 12% 76% to 100% 65% 54% Extrapolated percentage 70% 63% Q7a. How much of IT security spending could be saved if the organization was able to reduce the employee negligence and carelessness by 25 percent? U.S. DE Less than 10% 40% 44% 11% to 25% 28% 27% 26% to 50% 25% 20% 51% to 75% 6% 8% 76% to 100% 1% 1% Extrapolated percentage 20% 19% Q7b. How much of IT security spending could be saved if the organization was able to reduce the employee negligence and carelessness by 50 percent? U.S. DE Less than 10% 20% 23% 11% to 25% 23% 25% 26% to 50% 37% 36% 51% to 75% 18% 15% 76% to 100% 2% 1% Extrapolated percentage 31% 28% Total Q7c. How much of IT security spending could be saved if the organization was able to reduce employee negligence and carelessness by 75 percent? U.S. DE Less than 10% 16% 15% 11% to 25% 16% 20% 26% to 50% 33% 35% 51% to 75% 30% 24% 76% to 100% 5% 6% Extrapolated percentage 39% 37% Q8. If you were able to reduce insider security incidents, how would it benefit the IT function? Please select your top choice. U.S. DE Productivity of IT staff would increase 43% 48% There would be more resources to increase in-house IT security expertise 23% 19% There would be more resources to invest in technology 19% 20% There would be less concern about a possible security breach 15% 13% Other 0% 0% 18

19 19 Q9. What do you think are the best solutions to stopping the unintentional insider risk? U.S. DE Conduct frequent training and awareness programs on the unintentional risk 67% 70% Assess the unintentional risk to better understand where the greatest risks exist 56% 62% Limit the use of practices that can create unintentional risks 38% 55% Monitor employees behavior 63% 37% Provide incentives to comply with data security policies 15% 8% Enforce penalties for not complying with data security policies 30% 28% There is no solution 19% 14% Total 288% 274% Q10. Please rate the following statements from strongly agree to strongly disagree using the scale below each item. Q10a. Employees are not properly trained to follow our organization s data security policies. U.S. DE Strongly agree 26% 19% Agree 34% 27% Unsure 25% 21% Disagree 8% 25% Strongly disagree 7% 8% Q10b. Employees are pressured to be productive at the expense of not following our organization s data security policies. U.S. DE Strongly agree 25% 17% Agree 29% 26% Unsure 25% 20% Disagree 15% 25% Strongly disagree 6% 12% Q10c. Employees do not take data security seriously. U.S. DE Strongly agree 19% 17% Agree 33% 23% Unsure 27% 20% Disagree 16% 29% Strongly disagree 5% 11% Q10d. Senior executives do not consider data security a priority. U.S. DE Strongly agree 23% 16% Agree 27% 21% Unsure 21% 20% Disagree 21% 30% Strongly disagree 8% 13% Q10e. Employees frequently ignore or circumvent our data security practices because they are inconvenient. U.S. DE Strongly agree 21% 18% Agree 31% 22% Unsure 26% 19% Disagree 17% 30% Strongly disagree 5% 11% 19

20 20 Q10f. Our organization is at risk because employees are careless or negligent when accessing and using sensitive and confidential information U.S. DE Strongly agree 30% 27% Agree 33% 27% Unsure 20% 26% Disagree 17% 16% Strongly disagree 0% 4% Q10g. We do not have sufficient safeguards in place to protect our organization from employee negligence or carelessness. U.S. DE Strongly agree 20% 26% Agree 26% 28% Unsure 25% 23% Disagree 13% 12% Strongly disagree 16% 11% Q10h. There are more security incidents caused by unintentional mistakes than intentional and malicious acts. U.S. DE Strongly agree 31% 29% Agree 39% 35% Unsure 21% 24% Disagree 9% 10% Strongly disagree 0% 2% Q10i. Unintentional employee negligence severely diminishes the productivity of the IT function. U.S. DE Strongly agree 40% 30% Agree 33% 37% Unsure 16% 19% Disagree 7% 8% Strongly disagree 4% 6% Q11. In your organization, who poses the greatest security risk because of negligence or carelessness? Please select the top two. U.S. DE CEO 2% 1% C-level executives 27% 29% Administrative employees 8% 9% Privileged users 39% 30% Ordinary users 72% 66% Contractors and third parties 50% 64% Other 2% 1% Total 200% 200% 20

21 21 Q12. Using the scale below, please rate how the following characteristics affect security risks from low risk (1) to high risk (10). Q12a. New/entry level employee U.S. DE 1 or 2 (low risk) 2% 1% 3 or 4 8% 9% 5 or 6 9% 10% 7 or 8 18% 16% 9 or 10 (high risk) 63% 64% Extrapolated value Q12b. Seasoned employees with several years of relevant work experience U.S. DE 1 or 2 (low risk) 27% 21% 3 or 4 18% 25% 5 or 6 26% 30% 7 or 8 18% 17% 9 or 10 (high risk) 11% 7% Extrapolated value Q12c. Employees who work offsite U.S. DE 1 or 2 (low risk) 5% 0% 3 or 4 11% 9% 5 or 6 18% 21% 7 or 8 32% 23% 9 or 10 (high risk) 34% 47% Extrapolated value Q12d. Younger employees (millennials) U.S. DE 1 or 2 (low risk) 5% 3% 3 or 4 9% 8% 5 or 6 18% 19% 7 or 8 27% 26% 9 or 10 (high risk) 41% 44% Extrapolated value Q12e. Older employees (baby boomers) U.S. DE 1 or 2 (low risk) 21% 19% 3 or 4 19% 17% 5 or 6 16% 15% 7 or 8 27% 30% 9 or 10 (high risk) 17% 19% Extrapolated value Q12f. Female employees U.S. DE 1 or 2 (low risk) 16% 19% 3 or 4 14% 18% 5 or 6 25% 23% 7 or 8 17% 24% 9 or 10 (high risk) 28% 16% Extrapolated value