The State of Information Security Awareness: Trends & Developments




Global Findings from the Ponemon Research Institute and Security Innovation

Security Innovation, 187 Ballardvale Street, Wilmington, MA 01887
+1.978.694.1008
www.securityinnovation.com

Table of Contents

  Introduction ... 3
  A. Training Goals ... 4
    TRAINING OBJECTIVES ... 4
  B. Curriculum Development, Customization, Delivery ... 5
    CONTENT CUSTOMIZATION ... 5
    DELIVERY METHOD ... 6
    TRAINING DEVELOPMENT ... 6
    PROGRAM CUSTOMIZATION ... 8
    FREQUENCY OF UPDATES ... 9
    DURATION OF TRAINING ... 9
  C. Measuring Results ... 10
    IMMEDIATE FEEDBACK ... 10
    MEASURING LONG-TERM EFFECTIVENESS ... 11
  D. Plans for Training ... 12
    IMPLEMENTATION SCHEDULE AND BUDGET ... 12
    PROGRAM REQUIREMENTS ... 13
  Summary ... 14
  Appendix A: Survey Respondents ... 16
  Appendix B: Detailed Survey Results ... 17

Introduction

Organizations of all sizes face serious challenges with online payment card security. Technical environments frequently change, best practices continually evolve, and industry standards are regularly updated, all while hackers and other criminals diligently develop new ways to cause trouble. Security awareness training programs have become a much higher, more accelerated priority for risk-sensitive employers, due in large part to the efforts of the PCI Security Standards Council and other global agencies that promote employee awareness to mitigate data security risk.

To better understand the extent to which organizations are educating employees about information security standards, Security Innovation commissioned a research study from Ponemon Institute, a leading independent research firm specializing in privacy, data protection and information security. Ponemon Institute surveyed a global sample of 3,089 IT and security professionals who are influential in their organization's PCI DSS compliance and/or audit activities. 45% of the respondents currently provide information security awareness training to their employees, while 55% do not (although, as you will see, many of them plan to in the near future).

Qualified Responses*: 3,089
  Currently Offer Training: 1,394 (45%)
  Currently Do Not: 1,695 (55%)

This report presents information for each category: those who currently offer training, and those who do not yet. Because there was minimal variation between global regions, this report represents worldwide responses in aggregate. Below are the key findings of the 2014 Ponemon Institute Information Security Awareness Training Trends survey, and what they mean to the IT managers and decision makers responsible for ensuring the highest levels of data security within the enterprise.
PCI DSS and Security Awareness Training: Major Themes and Trends

Mitigating the Human Risk. Given the increase in information security threats, it's not surprising that 26% of organizations surveyed plan to roll out training programs in the coming year... and spend some serious money doing it.

There's Room for Improvement. Most managers and employees are less than satisfied with the training currently available within their organizations.

Short, Flexible and Online. Awareness training is most effective when available in short sessions, making computer-based training (CBT) the most popular approach for many companies.

It's not Just About Compliance. Although compliance is currently the single biggest driver of data security training, protecting sensitive data is rapidly growing in importance.

* Excludes incomplete responses or those considered invalid for other reasons.

A. Training Goals

It is impossible to understand, plan for, and properly measure the outcome of any training initiative without first understanding its context or purpose. Knowing whether an organization is required to satisfy a set of industry regulations, needs to improve customer experience, or has some other reason for employee education is the first step in implementing a relevant, effective training strategy.

TRAINING OBJECTIVES

Ensuring compliance with PCI requirements and advancing good data security practices are two of the main drivers of data security awareness training.

Ensuring compliance with PCI requirements (specifically requirement 12.6 of the PCI DSS) is the predominant goal of security awareness training for companies that currently offer it. This aligns with an increased emphasis on security awareness training as reflected in the latest version (v3.0) of the PCI DSS standard.

PCI Data Security Standard v3.0, requirement 12.6:
  Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.

The Ponemon study also shows that a significant number of organizations implement programs to improve their overall level of data security. This quickly growing trend stems from an increase in the number and severity of security threats, and encompasses objectives such as advancing good data security practices, preventing information loss or theft, preventing reputation or brand damage, and changing employee behaviors.

Question: What is the primary purpose of PCI DSS or other security awareness training? (select the top two)
Note: Percentages total 200% due to allowing two answers from each of the 1,394 respondents.

B. Curriculum Development, Customization, Delivery

Once the training objectives are understood, the next step is to make some decisions about the curriculum itself, and how it will be delivered to employees.

CONTENT CUSTOMIZATION

Of the respondents who do provide training, 38% adapt the content to fit employees' job functions. Of that group, 45% stated that IT professionals are the most likely to receive customized training.

Each job function or role requires different types of information, and very few technical training programs are applied equally across employee roles. For instance, when it comes to information security practices, management and administrative teams may require merely a broad awareness of the subject matter. Conversely, the technical IT team, which is typically responsible for critical infrastructure and support systems, needs customized (and possibly more frequent) training to recognize and manage new threats and attacks.

In some cases, increasingly granular distinctions in job responsibility drive further training customization within the IT department. Where some employees focus on hardware and networking, for example, others may be solely responsible for Internet-dependent transactions or application deployment. In these cases, focused awareness training can be developed using a tiered approach: all employees receive general content; the IT department receives a more technical layer; and the Web or Networking teams get even more specific material related to secure coding and/or the technologies they use. An effective program builds the right level of detail for each group of constituents using this layering approach, building upon foundational concepts that are relevant and timely for each role.

[Figure: tiered training model. Tiers: All Employees; IT Department Only; Web Team, Networking Team, etc.]

Which functions receive customized training?
  IT                                  66%
  Internal audit or risk management   45%
  Senior or middle management         31%
  Customer-facing people              22%
  Finance & accounting                10%
  Other                               13%

Question: Which functions receive customized training? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.

DELIVERY METHOD

Most companies that offer PCI DSS training deliver it via computer-based training (CBT).

In addition to content customization, the learning platform itself should be tailored to specific organizational roles and training goals. There are many ways to train employees, but the Ponemon survey results show CBT to be the most popular method of delivery, which supports the need for frequent curriculum updates and short education sessions. And because the timeframe for rolling out training for many companies is within 6 months, quick development and deployment are important.

[Chart: Training Formats. The underlying figures are those of Q8 in Appendix B.]

However, CBT is not the only effective method, and it is not the right solution for all training needs. Effective organizations assess their training audience and goals, and then evaluate all delivery options before assuming one method of training is better than the rest. It is not uncommon for companies with more complex training requirements to implement a hybrid program consisting of multiple delivery options, which can include instructor-led courses, virtual instructor-led courses, recorded live presentations, static slide decks, and many others. Additionally, companies leverage newsletters, email updates, posters and other reinforcement assets to keep security in the forefront of their staff's minds.

Question: How is your organization's PCI DSS training delivered? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.

TRAINING DEVELOPMENT

About half of the organizations that currently provide training for their employees procure it from a third-party vendor, rather than developing a program in-house.

Developing, implementing and tracking an information security awareness training program usually requires a significant investment in both staff and technology. Many organizations don't have the internal resources to devote to this endeavor; therefore, they partner with external organizations to make sure employees are trained effectively on the most current threat information.

[Sidebar: What to Look for when Selecting a Third-Party CBT Vendor: Meeting PCI DSS requirements.]

PCI DSS compliance is as important for small companies as it is for enterprises, but they operate with fewer resources and smaller budgets, so outsourcing is often the best option for them. According to a 2011 study from the American Society for Training and Development (ASTD)[1], smaller organizations (fewer than 500 employees) spent almost twice as much per employee on training as large companies (more than 10,000 employees): $1,605 vs. $825, respectively. It's logical to assume that ASTD's explanation for this phenomenon applies to the information security industry: the cost to develop and administer an hour of training at a large corporation is spread among many more employees than at a small organization with fewer employees.

[1] American Society for Training and Development, ASTD 2012 State of the Industry Report: Organizations Continue to Invest in Workplace Learning, November 8, 2012.

PROGRAM CUSTOMIZATION

Of the companies that currently provide formal training to employees via externally developed CBT programs, most have it customized with content or branding unique to their organization.

Companies frequently outsource training program development to a third party, but often the curriculum must comprise unique content about the company's equipment or industry. It's not uncommon for organizations to require training about a unique process or custom hardware. And in many cases, they must satisfy niche industry regulations that necessitate specialized subject matter. Even when the training curriculum does not require customization, many companies incorporate internal product and program lingo into the instructional content, questions and answers, giving employees an increased sense of relevance. This technique is effective in any situation where the goal is to personally engage the user.

Regardless of whether the training content itself reflects customization, it is usually branded with the organization's logo or other internally recognized imagery, reinforcing employees' perception of corporate endorsement or validation. This subtly helps underscore the message that the company believes in the importance of this training initiative, and considers it to be a significant part of the corporate culture. Without this message, participants may feel the training is strictly a formality and, as a result, may not pay as close attention as they would if they recognized it as a management-sponsored initiative. Furthermore, many companies brand everything they publish internally or externally, if only to further establish brand strength.

Types of customization in computer-based training
  Our company's logo                                                  69%
  Partially customized for company-specific content                   64%
  Fully customized for company-unique regulations, equipment, etc.    32%
  Other custom features                                               29%

Question: Did the computer-based training feature any of the following types of customization? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.

FREQUENCY OF UPDATES

Most respondents who provide training said the curriculum is updated at least once per year.

Because data security is an extremely dynamic issue, employee training on security threats, recent attacks and industry trends must be current. The Ponemon research shows that 21% of companies that offer security awareness training update the curriculum more than once per year, and another 40% update it about once per year. Many content changes reflect developments in the data security industry, such as technologies, threats, policies and more. Since it doesn't take long for security awareness content to become obsolete, organizations must be able to disseminate updated material easily. The variability of data security training content makes it ideal for on-line CBT delivery, since updates can be rolled out easily and quickly.

Question: How often is the security training curriculum changed or updated?

DURATION OF TRAINING

More than half said their PCI DSS training contains less than 30 minutes of material.

The advantage of focused, short modules is that they allow bite-sized learning sessions that fit well into employee schedules. This works well, as long as employees get what they need to ensure the appropriate level of data security for the company. In addition, a long session that covers an exhaustive list of problems and solutions won't be useful when a specific issue crops up and the employee can't readily access the right information. When it comes to compliance, quite often the most effective training support consists of short CBT modules, with access to reference materials, trainers and other subject matter experts when real-time issues arise.

Question: On average, how long does it take employees to complete the PCI DSS training?

A secondary risk is that a short training program may not have as high a perceived value as something more involved. As a result, it is incumbent upon every organization to convey the importance of the initiative, and to ensure the curriculum is comprehensive.

C. Measuring Results

Given the importance of information security awareness, as well as the corporate investment of time and money that goes into training, measurement of success is critical. Organizations should evaluate whether their training program contains the right content and uses the right approach, so that any necessary adjustments can be made, thus ensuring the highest possible return on investment (ROI).

IMMEDIATE FEEDBACK

Most organizations that currently provide formal PCI DSS training measure the impact upon program completion.

Gathering immediate subjective feedback about the training program is important because a significant element of immediate and long-term training completion and success is participant satisfaction. Asking mostly multiple-choice and a few simple open-ended questions typically gives the review team the information needed: Was the program easy to follow? Did the curriculum seem applicable to the job at hand? Did you feel the time it took was well spent? How could it be better?

Employee Satisfaction: 58% of survey respondents reported employees were not fully satisfied with existing PCI DSS security training.

Regardless of whether a company surveys or tests the employees (or uses another means of measuring the session's immediate impact), it's important they take the next step by communicating the participants' feedback to the management and tactical teams responsible for training, either via an informal brainstorm session, a data-heavy report, or something in between. The final crucial step is acting on the feedback. Even if a third party developed the training program, organizations should be able to work closely with them to make adjustments. By gathering, sharing and acting on participant feedback, the training experience can be more positive and effective.

Question: How does your organization measure the impact of its PCI DSS training?

MEASURING LONG-TERM EFFECTIVENESS

38% of organizations track the long-term effectiveness of their PCI DSS training programs, and of those, more look at reductions in non-compliance incidents than any other indicator.

Although it's important to get employee feedback about the content and curriculum, the success of any information security awareness program must be tied back to the goals of increasing the level of PCI DSS and other compliance mandates, as well as a demonstrable reduction in attacks. If a training initiative falls short of reaching the organization's objectives (e.g., "x% fewer compliance incidents over a y-month period"), it can sometimes help to incorporate learning milestones. Employees are often more motivated to learn, and retain knowledge, when the training isn't treated as just a check-box activity.

Employer Satisfaction: 64% of survey respondents reported being less than fully satisfied with existing PCI DSS security training.

Although only 38% of survey respondents say they measure the long-term effectiveness of their PCI DSS training, measurable milestones throughout a training effort are an easy way to show progress, and to share individual accomplishments within the team.

Question: Does your organization use the following metrics to track the long-term effectiveness of its PCI DSS training?

D. Plans for Training

With an increased focus on Information Security Awareness training in the new version of the PCI DSS, many organizations that don't currently provide training are feeling the need to formalize their programs and ensure applicable staff members are trained.

IMPLEMENTATION SCHEDULE AND BUDGET

Of the companies that do not currently have a formal training program but plan to develop one, 26% expect to do so in 2014. Many of these organizations will spend a significant amount of money ensuring their employees receive the right training.

Many organizations now prioritize employee security awareness training more than they have in the past. This is not surprising given the level of risk in today's online payment environment. And because most of these companies employ thousands of people, the training budgets are reaching into the hundreds of thousands of dollars in many cases.

When to implement
  Immediately         5%
  Within 6 months    24%
  Within 1 year      35%
  More than a year   25%
  Don't know         11%

Budget
  None                       5%
  < $50,000                 12%
  $50,000 to $100,000       11%
  $100,001 to $250,000      11%
  $250,001 to $500,000      21%
  $500,001 to $1,000,000    27%
  More than $1,000,000      14%

Question: What best describes the timeframe for starting the deployment of a formal security training or awareness program?
Question: What is the total cost of ownership budgeted for the new security training or awareness program? (excludes employees' direct labor costs)

PROGRAM REQUIREMENTS

For the organizations that don't currently offer a formal training program but plan to deploy one in the future, most will require the ability for training to be delivered through an extranet portal, incorporate social media and email, and be delivered on-line.

The most important criterion when developing employee training strategies is ensuring access to training via an extranet portal, making it easily available wherever an employee has a web browser and Internet connection. Organizations also benefit from being able to centralize training deployment for ease of content updates (this regularly applies to information security awareness training) and tracking. In some cases, portals also offer a collaborative environment, encouraging participants to work together and share information.

As in almost every other area of business communications, the use of social media is growing quickly. As the Ponemon survey data shows, many companies are building it into what is increasingly considered a social learning model. Organizations that use social media platforms to share information internally via an intranet can apply the same approach for sharing information security awareness content. Social media communities also enhance online coursework by making information sharing and collaboration easier, and can be helpful as an ongoing reference resource.

The use of email and newsletters is the next most common requirement for awareness training. This is not surprising, given the ubiquitous nature and low cost of this method of communication. Sharing processes, standards and other updates by push communication lets an organization get the information to the right audience quickly and consistently.

Computer-Based Training (CBT) is the last of the top criteria when developing a new security training or awareness program. This correlates to a previous finding, which showed that the vast majority of training is already delivered this way. It's scalable, more cost-effective and convenient than classroom training, and is easy to update.

Question: What are the requirements for the new security training or awareness program? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.

Summary

Today's information security landscape is in constant flux, and IT professionals have learned to anticipate change of all kinds: new threats, new risks, new technologies, and new processes. Employee training is one of the most effective tools to combat this onslaught of attacks and to remain in compliance with PCI DSS and other industry compliance mandates and standards. To summarize, the results of the 2014 Ponemon Institute Information Security Awareness Training Trends survey illustrate the current state of employee training in the payment card industry via the following key findings:

1. Improving overall security and ensuring compliance with PCI requirements are the two most common drivers of data security awareness training.
2. Within organizations that offer training tailored to job function, IT departments receive the most customized PCI DSS curriculum.
3. Most companies that offer PCI DSS training deliver it via computer-based training (CBT).
4. About half of the organizations that provide training via CBT lean on third-party vendors for development of the programs.
5. Most organizations customize their externally developed training curriculum with content that is relevant to their organization.
6. Most of the respondents who provide formal training indicated their curriculum is updated at least once per year.
7. Most survey respondents say their PCI DSS training takes less than half an hour to complete.
8. The predominant requirements for a new training program are that it is accessible through an extranet portal, includes social media and email, and is primarily computer based.
9. More than two-thirds of organizations measure the immediate impact of their PCI DSS training using employee tests or satisfaction surveys upon program completion.
10. The most popular way for organizations to measure the long-term effectiveness of their PCI DSS training is by tracking reductions in non-compliance incidents.
11. Most companies that offer formal training programs update the content regularly.
12. About two-thirds of companies that offer a formal program currently train less than a quarter of their workforce.
13. More than a quarter of companies that don't currently offer a formal training program plan to roll one out in 2014.
14. Of the companies that plan to implement a new training program, about three-quarters plan to spend over $100,000 and many of them will spend over $500,000.

With the right attention to content, delivery method, customization, and measurement, organizations can achieve and maintain compliance with PCI DSS and other standards, while making the most of training budgets and employees' time.

Appendix A: Survey Respondents

In November 2013, the Ponemon Institute collected 3,089 responses to their online PCI Awareness Training Survey. Following is a breakdown of the participants by various categories.

Global Region
  N. America      32%
  EMEA            29%
  Asia-Pacific    23%
  Latin America   16%

Annual Transactions
  Over 6 million (Tier 1)                   35%
  1 to 6 million (Tier 2)                   46%
  Less than 1 million (Tiers 3, 4)          17%
  Credit card issuer or service provider     3%

Job Position
  Staff/technician          33%
  Manager                   21%
  Director                  16%
  Supervisor                13%
  Admin                      6%
  C-level executive/VP       3%
  Consultant/contractor      3%
  Business owner             2%
  Other                      2%

Employee Headcount
  Less than 500       10%
  500 to 1,000        19%
  1,001 to 5,000      20%
  5,001 to 10,000     20%
  10,001 to 25,000    24%
  More than 25,000     7%

Primary Industry Classification
  Ecommerce                    12%
  Retail                        8%
  Financial, other              7%
  Consumer products             7%
  Public sector                 7%
  Services                      7%
  Industrial/manufacturing      6%
  Entertainment/publishing      5%
  Health/pharmaceutical         5%
  Technology/software           5%
  Automotive                    4%
  Communications                4%
  Education & research          4%
  Logistics/distribution        4%
  Non-profit                    4%
  Financial service provider    3%
  Airlines                      3%
  Other                         4%

Appendix B: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in November 2013.

Global Sample: 3,089

Screen question S1. What best describes your level of involvement in PCI DSS training, compliance and/or audit activities within your organization?
                              Freq   Pct%
  Very significant             789    26%
  Significant                 1548    50%
  Some                         752    24%
  Minimal or none (stop)         0     0%
  Total                       3089   100%

Part 1. PCI DSS training & awareness programs

Q1. What best describes your role in managing the IT security function or activities within your organization? Check all that apply.
                                      Freq   Pct%
  Setting IT security priorities      1888    61%
  Administering security programs     1714    55%
  Managing IT security budgets        1690    55%
  Selecting vendors and contractors   1823    59%
  Determining IT security strategy     861    28%
  Evaluating program performance      1358    44%
  None of the above (stop)               0     0%

Q2. In your role, how much responsibility do you have for IT security training activities?
                                      Freq   Pct%
  Full or primary responsibility       948    31%
  Some or secondary responsibility    1856    60%
  Minimal or no responsibility         285     9%
  Total                               3089   100%

Q3. Does your organization have a PCI DSS training or other security awareness program?
                        Freq   Pct%
  Yes                   1394    45%
  No [Go to Part 2]     1695    55%
  Total                 3089   100%

Q4. What best describes your level of satisfaction with existing PCI DSS security training or awareness activities?
                        Freq   Pct%
  Very satisfied         192    14%
  Satisfied              308    22%
  Somewhat satisfied     477    34%
  Not satisfied          417    30%
  Total                 1394   100%

Q5. What best describes employees' satisfaction with their existing PCI DSS security training or awareness activities?
  Response  Freq  Pct%
  Very satisfied  213  15%
  Satisfied  367  26%
  Somewhat satisfied  420  30%
  Not satisfied  394  28%
  Total  1394  100%

Q6. What percentage of your total workforce participated in a basic IT security training program within the past 12 months?
  Response  Freq  Pct%
  < 10%  335  24%
  10 to 25%  309  22%
  26 to 50%  366  26%
  51 to 75%  313  22%
  76 to 100%  71  5%
  Total  1394  100%

Q7. What percentage of your total workforce participated in a security training program that specifically focused on PCI DSS requirements within the past 12 months?
  Response  Freq  Pct%
  < 10%  574  41%
  10 to 25%  344  25%
  26 to 50%  270  19%
  51 to 75%  167  12%
  76 to 100%  39  3%
  Total  1394  100%

Q8. How is your organization's PCI DSS training delivered? Please check all that apply.
  Response  Freq  Pct%
  Computer-based training  974  70%
  Classroom training  366  26%
  Email updates/newsletter  357  26%
  Extranet or internal web site  264  19%
  Social media  109  8%
  Posters  297  21%
  Other  135  10%

Q9. If the training is computer based, what features does it include? Please check all that apply.
  Response  Freq  Pct%
  Audio  641  66%
  Animation  263  27%
  Live action video vignettes  234  24%
  Tests or quizzes  558  57%
  Games  185  19%
  Other  58  6%

Q10a. Did a third party (contractor or vendor) produce the computer-based training used by your organization?
  Response  Freq  Pct%
  Yes  497  51%
  No  477  49%
  Total  974  100%

Q10b. If yes, did the computer-based training feature any of the following? Please check all that apply.
  Response  Freq  Pct%
  Our company's logo  344  69%
  Partially customized content to be relevant to our company  316  64%
  Fully customized content to cover our company's unique regulations, specific equipment, specific environmental and facility factors  158  32%
  Other custom features  143  29%
  None of the above  150  30%

Q11. On average, how long does it take employees to complete the PCI DSS training?
  Response  Freq  Pct%
  < 15 minutes  366  26%
  15 to 30 minutes  477  34%
  31 to 60 minutes  315  23%
  More than one hour  236  17%
  Total  1394  100%

Q12. Is the PCI DSS training delivered in a single session or spread over the year?
  Response  Freq  Pct%
  One time  643  46%
  Once a year  415  30%
  Quarterly  166  12%
  Monthly  134  10%
  Other  36  3%
  Total  1394  100%

Q13. When does your organization deliver the bulk of its security awareness and/or PCI DSS training?
  Response  Freq  Pct%
  January through March  117  8%
  April through June  231  17%
  July through September  224  16%
  October through December  465  33%
  Staggered (different times for different groups)  357  26%
  Total  1394  100%

Q14. How often is the security training curriculum changed or updated?
  Response  Freq  Pct%
  Never or infrequently  271  19%
  Approximately once each year  551  40%
  More than once each year  290  21%
  Unsure  282  20%
  Total  1394  100%

Q15. If computer-based training is used, are PCI DSS training sessions hosted on your organization's in-house learning management system or in the cloud?
  Response  Freq  Pct%
  On our own learning management system  606  62%
  In the cloud or on vendor servers  172  18%
  Combination (hybrid)  196  20%
  Total  974  100%

Q16a. Is the content for PCI DSS training different or adapted for the employees' specific job function?
  Response  Freq  Pct%
  Yes  524  38%
  No  870  62%
  Total  1394  100%

Q16b. If yes, which functions receive customized training? Please check all that apply.
  Response  Freq  Pct%
  Finance & accounting  55  10%
  Information technology  344  66%
  Senior or middle management  160  31%
  Internal audit or risk management  235  45%
  Customer facing people (sales, support, etc.)  116  22%
  Other  68  13%

Q17. What topics are covered in the PCI DSS training program? Please check all that apply.
  Response  Freq  Pct%
  Email security  956  69%
  Use of the Internet  984  71%
  Use of social media  419  30%
  Desktop security  848  61%
  Mobile device security  905  65%
  Password and other authentication methods  1039  75%
  Working from home and remote locations  775  56%
  Classification of sensitive information  878  63%
  Proper handling of sensitive information  991  71%
  Proper handling and destruction of paper documents  767  55%
  Physical security measures such as securing away sensitive information and devices  606  43%
  Safe disposal of computing equipment  428  31%

Q18. What is the primary purpose of PCI DSS or other security awareness training? Please check the top two choices only.
  Response  Choice 1  Choice 2  Combined  Pct%
  Ensuring compliance with internal policies and procedures  226  395  621  45%
  Ensuring compliance with PCI requirements  357  428  785  56%
  Ensuring compliance with another regulation (please specify)  92  93  185  13%
  Advancing good data security practices  189  263  452  32%
  Preventing information loss or theft  200  48  248  18%
  Preventing reputation or brand damage  154  89  243  17%
  Changing employee behaviors  151  63  214  15%
  Other  25  15  40  3%
  Total  1394  1394  2788  200%

Q19. How does your organization measure the impact of its PCI DSS training?
  Response  Freq  Pct%
  Survey employees about their satisfaction with the training  418  30%
  Test or quiz employees following training  525  38%
  Conduct phishing tests internally or with partner  140  10%
  Conduct social engineering tests internally or with partner  126  9%
  None of the above  116  8%
  Other  69  5%
  Total  1394  100%

Q20a. Does your organization have specific metrics to measure or track the long-term effectiveness of its PCI DSS training?
  Response  Freq  Pct%
  Yes  525  38%
  No  869  62%
  Total  1394  100%

Q20b. If yes, do you use any of the following measures?
  Response  Freq  Pct%
  Reduction in non-compliance incidents  180  34%
  Reduction in security exploits or breaches  86  16%
  Time to detect security exploits or breaches  81  15%
  Time to resolve or contain security breaches  90  17%
  Other  88  17%
  Total  525  100%

Q21. What best describes the incremental cost of PCI DSS or general awareness training for each participating employee? Please exclude employees' labor cost in your choice.
  Response  Freq  Pct%
  < $5 per employee  151  11%
  $5 to $10 per employee  390  28%
  $11 to $25 per employee  499  36%
  $26 to $50 per employee  269  19%
  Over $50 per employee  85  6%
  Total  1394  100%

Q22. Who is most responsible for the selection of PCI DSS training suppliers? Please check the top two choices only.
  Response  Choice 1  Choice 2  Combined  Pct%
  Human resources  144  343  487  35%
  Compliance and/or audit  362  337  699  50%
  Corporate IT  424  324  748  54%
  Procurement  357  232  589  42%
  Other  107  158  265  19%
  Total  1394  1394  2788  200%

Q23. Which of the following criteria does your company use to select a PCI DSS or security awareness program? Please select the top two choices.
  Response  Choice 1  Choice 2  Combined  Pct%
  Cost  504  318  822  59%
  Previous relationship with vendor/supplier  153  172  325  23%
  Recommendation from PCI auditor  40  210  250  18%
  Ability/willingness to customize content  115  179  294  21%
  Proven effectiveness  203  285  488  35%
  Customer references  128  86  214  15%
  Ability to customize or translate into other languages  29  86  115  8%
  Sophistication and quality (audio/visual) of content  222  58  280  20%
  Total  1394  1394  2788  200%

Q24. Who owns or approves the budget for the PCI DSS training? Please check the top two choices.
  Response  Choice 1  Choice 2  Combined  Pct%
  Human resources  182  350  532  38%
  Compliance and/or audit  360  314  674  48%
  Corporate IT  388  331  719  52%
  Procurement  346  236  582  42%
  Other  118  163  281  20%
  Total  1394  1394  2788  200%

Part 2. Organizations with no formal security training or awareness programs

Q25. Does your organization have only informal or ad hoc security training or awareness activities?
  Response  Freq  Pct%
  Yes  504  30%
  No  1016  60%
  Unsure  175  10%
  Total  1695  100%

Q26a. Does your organization have plans to deploy a formal security training or awareness program?
  Response  Freq  Pct%
  Yes  675  40%
  No  717  42%
  Unsure  303  18%
  Total  1695  100%

Q26b. If yes, what best describes the timeframe for starting the deployment of a formal security training or awareness program?
  Response  Freq  Pct%
  Immediately  36  5%
  Within 6 months  162  24%
  Within 1 year  234  35%
  More than a year  171  25%
  Don't know  72  11%
  Total  675  100%

Q26c. If yes, what are the requirements for the new security training or awareness program? Please check all that apply.
  Response  Freq  Pct%
  The customized program will be developed internally  124  18%
  A customized program will be developed by third parties (experts)  110  16%
  An off-the-shelf program will be procured  110  16%
  Training will be primarily conducted in classrooms  138  20%
  Training will be primarily computer-based  279  41%
  Awareness activities will include email updates/newsletter  313  46%
  Training will be delivered through an extranet portal  326  48%
  Awareness activities will include the use of social media  314  47%
  No specific requirements at this time  296  44%
  Other  101  15%

Q27a. What is the total cost of ownership (TCO) budgeted for the new security training or awareness program? Please exclude employees' direct labor costs in your choice.
  Response  Freq  Pct%
  None (no budget)  35  5%
  < $50,000  80  12%
  $50,000 to $100,000  71  11%
  $100,001 to $250,000  72  11%
  $250,001 to $500,000  142  21%
  $500,001 to $1,000,000  183  27%
  More than $1,000,000  92  14%
  Total  675  100%

Q27b. What best describes the training budget for each employee who will have access to the new security training or awareness modules? Please exclude employees' labor cost in your choice.
  Response  Freq  Pct%
  < $5 per employee  59  9%
  $5 to $10 per employee  132  20%
  $11 to $25 per employee  142  21%
  $26 to $50 per employee  137  20%
  $51 to $100 per employee  131  19%
  > $100 per employee  74  11%
  Total  675  100%

Q28. What percentage of your organization's employees will be required to participate in the new security training or awareness program?
  Response  Freq  Pct%
  None  79  12%
  < 10%  141  21%
  10 to 25%  128  19%
  26 to 50%  127  19%
  51 to 75%  123  18%
  76 to 100%  77  11%
  Total  675  100%

Part 3. Role & Organizational Characteristics

D1. What best describes your position level within the organization?
  Response  Freq  Pct%
  Business owner  56  2%
  C-level executive/VP  96  3%
  Director  488  16%
  Manager  657  21%
  Supervisor  406  13%
  Staff/technician  1012  33%
  Administrative  197  6%
  Consultant/contractor  100  3%
  Other  77  2%
  Total  3089  100%

D2. Which of the following individuals do you report to in your current role?
  Response  Freq  Pct%
  CEO/executive committee  46  1%
  CFO, controller or head of finance  229  7%
  CIO or head of corporate IT  1318  43%
  Business unit leader or general manager  704  23%
  Head of compliance or internal audit  198  6%
  Head of risk management  132  4%
  Head of IT security  374  12%
  Other  88  3%
  Total  3089  100%

D3. What best describes your organization's primary industry classification?
  Response  Freq  Pct%
  Financial service provider  103  3%
  Financial (other)  231  7%
  Ecommerce  366  12%
  Retail  244  8%
  Airlines  81  3%
  Automotive  120  4%
  Communications  133  4%
  Consumer products  213  7%
  Education & research  130  4%
  Entertainment/publishing  162  5%
  Health/pharmaceutical  147  5%
  Industrial/manufacturing  192  6%
  Logistics/distribution  138  4%
  Non-profit  135  4%
  Public sector  209  7%
  Services  210  7%
  Technology/software  146  5%
  Other  129  4%
  Total  3089  100%

D4-1. Global regions
  Response  Freq  Pct%
  North America  979  32%
  EMEA  889  29%
  Asia-Pacific  715  23%
  LATAM  506  16%
  Total  3089  100%

D4-2. Countries
  Response  Freq  Pct%
  United States  776  25%
  Canada  203  7%
  United Kingdom  154  5%
  Germany  146  5%
  France  79  3%
  Italy  64  2%
  Spain  46  1%
  Netherlands  78  3%
  Belgium  34  1%
  Turkey  31  1%
  Israel  24  1%
  Saudi Arabia  38  1%
  United Arab Emirates  35  1%
  South Africa  33  1%
  Scandinavian cluster  23  1%
  Switzerland  35  1%
  Greece  29  1%
  Russian Federation  40  1%
  Australia  94  3%
  New Zealand  20  1%
  Hong Kong  82  3%
  China (PRC)  95  3%
  South Korea  79  3%
  Japan  88  3%
  Singapore  29  1%
  India  133  4%
  Taiwan  48  2%
  Thailand  47  2%
  Brazil  147  5%
  Argentina  102  3%
  Chile  54  2%
  Mexico  95  3%
  Colombia  16  1%
  Central America cluster  92  3%
  Total  3089  100%

D5. How many payment card transactions does your organization process each year?
  Response  Freq  Pct%
  Over 6 million (Tier 1 merchant)  1067  35%
  1 to 6 million (Tier 2 merchant)  1406  46%
  Less than 1 million (Tier 3 or 4 merchant)  513  17%
  We are a credit card issuer or service provider  103  3%
  Total  3089  100%

D6. What best describes the global employee headcount of your organization?
  Response  Freq  Pct%
  Less than 500  310  10%
  501 to 1,000  589  19%
  1,001 to 5,000  604  20%
  5,001 to 10,000  611  20%
  10,001 to 25,000  745  24%
  More than 25,000  230  7%
  Total  3089  100%

About Ponemon Institute

Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. www.ponemon.org

About Security Innovation

An application security pioneer since 2002, Security Innovation is dedicated to making software more resilient within the world's most challenging environments, whether on the web, in devices or in the cloud. Our products and services help organizations mitigate risk, eradicate vulnerabilities, prevent data abuse and build internal proficiency. www.securityinnovation.com

2014 Security Innovation, Inc. All rights reserved.