Cyber Security on the Offense: A Study of IT Security Experts

Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report

Cyber Security on the Offense: A Study of IT Security Experts Ponemon Institute, November 2012 Part 1. Introduction We are pleased to present the findings of Cyber Security on the Offense: A Study of IT Security Experts authored by Radware and Ponemon Institute. The purpose of the study is to understand organizations recognition of the need to operate on the offense to prevent and detect cyber attacks. Further, the study looks at their ability to deploy offensive tactics such as prevention and counter measures to protect their organizations As cyber attacks grow in sophistication and stealth, organizations are urged to be proactive in addressing the threats. As revealed in this research, a major consequence of not preventing attacks such as DDoS (denial of service) can be costly. On average DDoS attacks are costing companies approximately $3.5 million annually, according to the findings of this research. 1 Other negative consequences include lost intellectual property, declines in productivity, damage to brand and reputation and lost revenue. These findings are corroborated in other Ponemon Institute studies. In this study, we surveyed 705 IT and IT security practitioners. Most report directly to the Chief Information Officer (61 percent) and 21 percent report to the Chief Information Security Officer. Sixty-two percent of respondents are at the supervisor level or higher with an average of more than 11 years experience. All respondents have, to some degree, responsibility for managing their organization s cyber security activities. Some of the most noteworthy findings include the following: Critical Counter Techniques The IT security experts surveyed agree that cyber attacks are more difficult to prevent than detect. That is why in this study they rate technologies that neutralize DDoS attacks, halt the attackers computers and pinpoint the attacker s weak spots as critical to achieving a strong cyber security posture. The majority of organizations (64 percent) say the severity of cyber attacks is on the rise yet less than half say they are vigilant in monitoring attacks. The most negative consequence experienced by organizations in this research as a result of a cyber intrusion is the loss of intellectual property. The average amount of downtime following a DDoS attack is 54 minutes and the average cost for each minute of downtime was about $22,000. However, the cost can range from as little as $1 to more than $100,000 per minute of downtime. Critical to achieving a strong cyber security posture is the ability to have visibility into the motives of the cyber criminal, network infrastructure and applications. Insufficient visibility of people and business processes is most often cited as a barrier to achieving a strong cyber security posture. The majority of respondents give their organizations an average or below rating for the ability to launch or implement a counter technique against hackers and other cyber criminals. Only 29 percent say their organizations are above average. Availability of information and systems to those who need it is the most important cyber security business priority. 1 To determine the average annual cost we used the following calculation: $21,699 (average cost per minute of downtime) x 53.5 minutes (average amount of downtime as a consequence of one DDoS attack) x average number of DDoS attacks in the past 12 months = $3,482,689.50 Ponemon Institute Research Report Page 1

Part 2. Key Findings Following is an analysis of the key findings in this research. The complete audited findings of this research are presented in the appendix of this report. We have organized the report according to the following themes: Cyber attacks are outpacing many organizations ability to respond. Respondents perceptions about the threats and barriers to achieving an effective offensive approach to cyber risk. Organizations need to build a stronger offense. Cyber attacks are outpacing many organizations ability to respond. Severity of cyber attacks is believed to be on the rise. According to Figure 1, the majority of respondents (64 percent) say the severity of cyber attacks experienced by their organization is on the rise yet only 29 percent agree that they have the in-house expertise to launch counter measures against hackers and other cyber criminals. Figure 1. Current perceptions and response to cyber attacks Strongly agree and agree response combined The severity of cyber attacks is on the rise 64% My organization is vigilant in monitoring cyber attacks Launching a strong offensive against cyber criminals is very important Security budget is sufficient for mitigating most cyber attacks 44% 44% 48% My organization has in-house expertise to launch counter measures against cyber criminals 29% 0% 10% 20% 30% 40% 50% 60% 70% Less than half of organizations say they are vigilant in monitoring attacks (48 percent). Possible reasons holding organizations back in addressing the attacks include lack of sufficient budget and not embracing the importance of launching a strong offensive against hackers and other cyber criminals, (both 44 percent). Ponemon Institute Research Report Page 2

Many organizations are lagging behind in their effectiveness to combat attacks and intrusions. Despite the recognition that cyber attacks are on the rise, 36 percent say their effectiveness is not improving but staying the same (Figure 2). Thirty-five percent of respondents say their organizations are less effective in dealing with attacks. Only 29 percent say their organization s cyber security posture is more effective in combating attacks and intrusions. The increase in frequency and severity of cyber attacks could be the reason. When asked what they thought about the current state of cyber risk, 64 percent of respondents say both frequency and severity are increasing and only 10 percent say they are decreasing. Figure 2. Effectiveness in combating cyber attacks The same in terms of its effectiveness in combating attacks and intrusions 36% Less effective in combating attacks and intrusions 35% More effective in combating attacks and intrusions 29% The most negative consequence of a cyber intrusion is the loss of intellectual property. When asked to rank the severity of consequences Figure 3 shows that by far organizations are losing intellectual property (including trade secrets). Other negative consequences are productivity declines and reputation damage. The security layers most vulnerable are the data and application layers. Figure 3. Negative consequences of a cyber attack 8 = most severe to 1 = least severe 0% 5% 10% 15% 20% 25% 30% 35% 40% Lost intellectual property/trade secrets 7.5 Productivity decline 6.8 Reputation damage Lost revenue Customer turnover 6.2 6.1 6.4 Stolen or damaged equipment Cost of outside consultants and experts 3.2 3.5 Regulatory actions or lawsuits 2.2 0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 Ponemon Institute Research Report Page 3

Lack of visibility and inability to protect against mobile and negligent insiders is putting organizations at risk. Visibility can be defined as an organization s ability to observe or record what employees are doing when logged onto their business computers, including mobileconnected devices such as laptops, smart phones, notebooks, tablets and other devices. As shown in Figure 4, respondents believe this lack of visibility is the greatest area of potential cyber security risk. Other risks that worry respondents are: mobile/remote employees, negligent insiders and third-party applications. Figure 4. Greatest areas of potential cyber security risk Three responses permitted Lack of system connectivity/visibility Mobile/remote employees Negligent insiders Across 3rd party applications Cloud computing infrastructure and providers Organizational misalignment and complexity Mobile devices such as smart phones Malicious insiders Desktop or laptop computers Network infrastructure environment Removable media and/or media (CDs, DVDs) Virtual computing environments Within operating systems The server environment Data centers 8% 7% 6% 6% 15% 13% 34% 32% 31% 29% 28% 25% 24% 22% 20% 0% 5% 10% 15% 20% 25% 30% 35% 40% Ponemon Institute Research Report Page 4

DDoS attacks are costly. Sixty-five percent of organizations represented in this study had an average of three DDoS attacks in the past 12 months. The average amount of downtime that their organization s network or enterprise systems experienced as a result of one DDoS attack was about 54 minutes, as shown in Figure 5. Figure 5. Average downtime after one DDoS attack 25% 22% 20% 16% 15% 10% 5% 10% 13% 11% 9% 5% 4% 10% 0% Less than 1 minute 1 to 10 minutes 11 to 20 minutes 21 to 30 minutes 31 to 60 minutes 1 to 2 hours 3 to 5 hours More than 5 hours Cannot determine Figure 6 shows that the average cost for each minute of downtime, which includes lost traffic, diminished end user productivity and lost revenues, was about $22,000. The cost can range from as little as $1 to more than $100,000 per minute of downtime. We calculated that these attacks average companies more than $3,482,689.50 annually. Figure 6. Cost per minute of downtime 25% 21% 20% 15% 12% 15% 15% 11% 10% 5% 1% 8% 7% 5% 5% 0% $1 to $10 $10 to $100 $101 to $1,000 $1,001 to $5,000 $5,001 to $10,000 $10,001 to $25,000 $25,001 to $50,000 $50,001 to More than $100,000 $100,000 Cannot determine Ponemon Institute Research Report Page 5

The majority of organizations are using anti-virus/anti-malware and anti-ddos to deal with cyber attacks. Figure 7 reveals the cyber defenses most frequently considered important to protect their organizations from attacks or intrusions are anti-virus/anti-malware, anti-dos/ddos (denial of services) and identity and authentication systems. Figure 7. Cyber defenses most important Very important and important response combined Anti-virus/anti-malware Anti-DoS/DDoS Identity and authentication systems Intrusion prevention systems Intrusion detection systems Secure network gateways Endpoint security systems Security intelligence systems including SIEM Web application firewalls Content aware firewalls 75% 71% 64% 59% 56% 52% 51% 51% 50% 50% 0% 10% 20% 30% 40% 50% 60% 70% 80% The least important cyber defenses are shown in Figure 8. Although respondents are concerned about employees mobile devices, only 26 percent of respondents say mobile device management is important. Also not considered as important are enterprise encryption for data at rest and ID credentialing, including biometrics. Figure 8. Cyber defenses not as important Very important and important response combined Secure coding in the development of new applications Data loss prevention systems 47% 45% Enterprise encryption for data in motion Other crypto technologies including tokenization ID credentialing including biometrics Enterprise encryption for data at rest 39% 38% 36% 32% Mobile device management 26% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Companies are using outside security services providers (MSSP) to help deal with attacks and intrusions. On average, 24 percent of their organizations security defenses are managed outside Ponemon Institute Research Report Page 6

and the most typical services are remote perimeter management and penetration and vulnerability testing. Respondents perceptions about the threats and barriers to achieving an effective offensive approach to cyber risks. Respondents are clear about the major threats and barriers they face. We asked respondents to rank specific cyber security threats according to their risk mitigation priority within their organizations. According to Figure 9, organizations are most concerned about addressing denial of service (DoS), server-side injections (SSI) and distributed denial of service (DDoS). The following threats are ranked as a lower priority for risk mitigation: phishing and social engineering, web scrapping and cross-site scripting. Figure 9. Cyber security threats according to risk mitigation priority 10 = highest priority to 1 = lowest priority Denial of service (DoS) Server side injection (SSI) Distributed denial of service (DDoS) Viruses, worms and trojans Malware Botnets Malicious insiders Cross-site scripting Web scrapping Phishing and social engineering 3.0 2.8 3.2 5.4 6.4 9.0 8.6 8.2 7.9 7.7 0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 9.0 10.0 Ponemon Institute Research Report Page 7

The biggest barrier to achieving a strong cyber security posture is the lack of visibility into the enterprise and user behavior. Critical to achieving a strong cyber security posture is the ability to have visibility into the motives of the cyber criminal, network infrastructure and applications. Figure 10 reveals that respondents believe the biggest barrier to creating a strong security posture is insufficient visibility of people and business processes. Insufficient resources or budget and lack of effective security technology solutions are also major barriers. Only 22 percent say it is the lack of assessment of cyber security risks. Figure 10. Barriers to achieving a strong cyber security posture Two responses permitted Insufficient visibility of people and business processes 44% Insufficient resources or budget Lack of effective security technology solutions 35% 34% Lack of oversight or governance 27% Insufficient assessment of cyber security risks Lack of skilled or expert personnel 19% 22% Complexity of compliance and regulatory requirements Lack of leadership 8% 10% Other 1% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Ponemon Institute Research Report Page 8

To reduce cyber risks organizations need to build a strong offense. Availability is the cyber security priority for many organizations. We asked respondents to select the top security objectives in terms of being a business priority within their organization. As shown in Figure 11, availability of information and systems to those who need it is considered most important. Compliance with regulations and laws is a close second. Maintaining the integrity or original state of information is about an average priority. Less important are confidentiality of sensitive and confidential information and interoperability. Figure 11. Ranking of cyber security objectives in terms of a business priority objective 5 = highest priority to 1 = lowest priority 5.0 4.5 4.0 3.5 3.0 2.5 2.0 1.5 1.0 0.5 0.0 4.7 4.4 3.5 Availability Compliance Integrity Confidentiality Interoperability 2.8 1.9 Ponemon Institute Research Report Page 9

Cyber attacks are more difficult to prevent than detect. Seventy-five percent say the attacks are difficult to stop and 60 percent say they are difficult to detect. Accordingly, as shown in Figure 12, 67 percent say technology that neutralizes denial of service attacks before they happen is important and 60 percent say it is technology that slows down or even halts the attacker s computers. Figure 12. Counter technique capabilities most important Very important and important response combined 68% 66% 64% 67% 62% 60% 58% 56% 54% 52% Technology that neutralizes denial of service attacks before they happen 60% Technology that slows down or even halts the attacker s computers 58% Technology that pinpoints the attacker s weak spots Network intelligence technologies are considered most promising to deal with cyber threats. Fifty-seven percent of respondents place importance on technologies that provide intelligence about networks and traffic, as shown in Figure 13. This is followed by 33 percent who say it is technologies that provide intelligence about attackers motivation and weak spots and technologies that secure information assets. Least valuable are technologies that secure the perimeter. Figure 13. Technologies most favored Two responses permitted Intelligence about networks and traffic technologies 57% Security of information assets technologies Intelligence about attackers motivation and weak spots technologies Insider threat minimizing technologies 33% 33% 31% Simplifying threat reporting technologies Endpoint security technologies including mobile devices Perimeter security technologies 10% 15% 21% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 10

Counter techniques enable companies to thwart an attacker s offensive maneuvers while maintaining its defensive position. Seventy-one percent of respondents give their organizations an average or below rating for the ability to launch or implement a counter technique against hackers and other cyber criminals (Figure 14). Only 29 percent of respondents say their organizations are above average. Figure 14. Ability to launch a counter technique against a cyber criminal 1 = unable to perform counter technique to 10 = fully capable 20% 18% 16% 14% 12% 10% 8% 6% 4% 2% 0% 16% 19% 17% 11% Figure 15 shows that the main reasons for not being effective in launching a counter measure or technique is the lack of enabling technologies and resources or budget. Also significant is the dearth of expert personnel and the fact that very often counter measures are not a security priority. Figure 15. Reasons for not being fully capable of launching a counter technique More than one response permitted 80% 70% 8% 1 (weak) 2 3 4 5 6 7 8 9 10 (strong) 71% 69% 5% 7% 5% 9% 3% 60% 50% 53% 53% 40% 30% 20% 10% 0% Lack of enabling technologies Lack of resources or budget Do not have ample expert personnel Not considered a security-related priority 2% Other Ponemon Institute Research Report Page 11

According to Figure 16, if respondents rated their organizations above average, the counter techniques deployed against hackers and other cyber criminals are manual surveillance methods and close examination of logs and configuration settings. Figure 16. Methods for performing counter techniques More than one response permitted 80% 70% 60% 67% 61% 50% 40% 43% 30% 20% 10% 0% Manual surveillance methods Close examination of logs and configuration settings Use of security intelligence tools 2% Other Ponemon Institute Research Report Page 12

Comparison of three industries In this section we compare three industry sectors namely, financial service, public sector (government) and health and pharmaceutical organizations. Please note that only these three industries had large enough sub-samples to be culled out of the total sample and analyzed separately. 2 The following bar chart compares three industry sectors according to their average ranking of eight negative consequences that they experienced as a result of a cyber attack or intrusion (wherein 8 is the most severe consequence). As can be seen in Figure 17, productivity declines are considered a very severe consequence among respondents in all three industry sectors. However, reputation damage and lost revenue appears to be less severe for the public sector. In contrast, respondents in financial services rate reputation damage, customer turnover and regulatory action as a more severe consequence of a cyber attack than the other sectors. Finally, organizations in healthcare and pharmaceuticals rate productivity decline, lost revenue, lost intellectual property and regulatory actions as a more severe consequence of a cyber attack than financial services and public sector organizations. Figure 17. Most severe consequences of a cyber attack for three industry sectors 8 = most severe to 1 = least severe Productivity decline 7.5 7.1 6.8 Reputation damage 5.0 7.0 7.2 Lost revenue 5.0 7.2 7.0 Lost intellectual property 5.2 5.5 6.9 Customer turnover 2.0 3.9 5.7 Regulatory actions or lawsuits 1.9 4.1 5.3 Stolen or damaged equipment 3.0 3.2 4.4 Cost of consultants and experts 1.9 1.6 2.8 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 Health & pharmaceuticals Public sector Financial services 2 The sample sizes are as follows: financial services (n = 134), public sector (n = 93) and health & pharmaceuticals (n = 78). Ponemon Institute Research Report Page 13

Figure 18 reports the average frequency of denial of service attacks experienced by financial service, public sector and health and pharmaceutical companies over the past 12 months. As can be seen, public sector organizations experienced a higher rate of DDoS attacks. Figure 18. Frequency of DDoS attacks experienced for organizations in three industries 4.5 4.0 3.5 3.0 2.5 2.0 1.5 1.0 0.5-4.1 3.0 2.4 Financial services Public sector Health & pharmaceuticals Figure 19 summarizes the average amount of downtime that organizations in three industries experienced as a consequence of one DDoS attack. Here again, public sector organizations experience a longer period of downtime than financial service and health and pharmaceutical companies. Figure 19. Average downtime organizations in three industries Minutes of downtime 80 70 70.1 60 50 40 30 20 10 47.9 51.2 0 Financial services Public sector Health & pharmaceuticals Ponemon Institute Research Report Page 14

Figure 20 reports the extrapolated cost incurred by organizations in three industries each minute of downtime. The estimated cost includes lost traffic, end-user productivity and lost revenues that occur because of denial of service attacks. As can be seen, financial service organizations experienced the highest cost per minute of downtime. In contrast, public sector organizations had a substantially lower cost of downtime estimate as shown below. Figure 20. Estimated cost per minute of downtime for organizations in three industries $35,000 $32,560 $30,000 $25,000 $23,519 $20,000 $15,000 $15,447 $10,000 $5,000 $- Financial services Public sector Health & pharmaceuticals Ponemon Institute Research Report Page 15

Part 3. Conclusion and recommendations As is revealed in this research, organizations are lagging behind in their ability to deal with the aggressive and sophisticated tactics of cyber criminals. The IT security experts surveyed give their organizations a below average score in their effectiveness to launch counter measures. To achieve a proactive cyber security posture, organizations should consider the following practices: Create a strategy and plan that puts emphasis on having a strong offense against hackers and other cyber criminals. Ensure internal IT staff as well as such external support as IT vendors and MSSPs are knowledgeable and available to respond to attacks before they take place. Support the strategy with the right technologies to prevent and detect cyber attacks. In this and other Ponemon Institute studies on cyber crimes, the financial and reputational consequences are well documented. Organizations that suffer attacks face real-world consequences. The findings of this research can help organizations make the business case for adopting a more proactive approach to the advanced persistent threats facing them. Ponemon Institute Research Report Page 16

Part 4. Methods A random sampling frame of 22,501 IT and IT security practitioners located in all regions of the United States were selected as participants to this survey. As shown in Table 1, 895 respondents completed the survey. Screening removed 139 surveys and an additional 51 surveys that failed reliability checks were removed. The final sample was 705 surveys (or a 3.1 percent response rate). Table 1. Sample response Freq. Pct% Total sampling frame 22,501 100.0% Total returns 895 4.0% Rejected surveys 51 0.2% Screened surveys 139 0.6% Final sample 705 3.1% As noted in Table 2, the respondents average (mean) experience in IT, IT security or related fields is 11.4 years. Table 2. Other characteristics of respondents Mean Total years of overall experience 11.4 Total years in your current position 6.2 Pie Chart 1 reports the respondents primary industry segments. Nineteen percent of respondents are in financial services and 13 percent are in the public sector. Another eleven percent is in health and pharmaceuticals. Pie Chart 1. Distribution of respondents according to primary industry classification 4% 2% 2% 2% 1% 4% 5% 5% 5% 6% 6% 7% 8% 19% 11% 13% Financial services Public sector Health & pharmaceuticals Retail (conventional) E-commerce Industrial Services Energy & utilities Hospitality Technology & software Consumer products Transportation Communications Education & research Entertainment & media Agriculture & food services Ponemon Institute Research Report Page 17

Pie Chart 2 reports the respondent s organizational level within participating organizations. More than half (62 percent) of respondents are at or above the supervisory levels. Pie Chart 2. What organizational level best describes your current position? 4% 1% 2% 1% 17% Senior executive Vice president 33% Director Manager Supervisor 23% Technician Staff Consultant 19% According to Pie Chart 3, 61 percent of respondents report directly to the Chief Information Officer and 21 percent report to the CISO. Pie Chart 3. The primary person you or the IT security leader reports to within the organization 5% 3% 2% 2% 2% 4% Chief Information Officer Chief Information Security Officer 21% 61% Chief Risk Officer General Counsel Chief Financial Officer Compliance Officer Chief Security Officer Other Ponemon Institute Research Report Page 18

Forty-one percent of respondents say the CIO is most responsible for managing the cyber security posture and 21 percent say it is the CISO, as shown in Pie Chart 4. Pie Chart 4. The person most responsible for managing the cyber security posture 11% 12% 4% 3% 3% 2% 2% 1% 21% As shown in Pie Chart 5, 65 percent of respondents are from organizations with a global headcount of more than one thousand. Pie Chart 5. Global headcount 41% Chief information officer Chief information security officer No one person has overall responsibility Business unit management Outside managed service provider Chief risk officer Corporate compliance or legal department Chief technology officer Data center management Chief security officer 6% 4% 7% 9% < 100 21% 19% 100 to 500 501 to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 34% Ponemon Institute Research Report Page 19

Part 5. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. Ponemon Institute Research Report Page 20

Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in September 2012. Survey response Freq Pct% Total sampling frame 22,501 100.0% Total returns 895 4.0% Rejections 51 0.2% Screening reductions 139 0.6% Final sample 705 3.1% Part 1. Screening questions S1. How familiar are you with your organization s defense against cyber security attacks? Freq Pct% Very familiar 233 28% Familiar 311 37% Somewhat familiar 210 25% No knowledge (Stop) 90 11% Total 844 100% S2. Do you have any responsibility in managing cyber security activities within your organization? Freq Pct% Yes, full responsibility 291 39% Yes, some responsibility 299 40% Yes, minimum responsibility 114 15% No responsibility (Stop) 49 6% Total 754 100% Adjusted final sample 705 Part 2. Perceptions about the organization Strongly agree Agree Q1a. My organization is vigilant in monitoring cyber attacks. 22% 26% Q1b. My organization s security budget is sufficient for mitigating most cyber attacks (intrusions). 19% 25% Q1c. The severity of cyber attacks experienced by my organization is on the rise. 33% 31% Q1d. Launching a strong offensive against hackers and other cyber criminals is very important to my organization s security strategy. 17% 27% Q1e. My organization has the in-house expertise to launch counter measures against hackers and other cyber criminals. 11% 18% Part 3. Security environment Q2. Please rank each one of the following five (5) cyber security objectives in terms of a business priority within your organization from 5 = highest priority to 1 = lowest priority. Average rank Rank order Availability 4.7 1 Integrity 3.5 3 Confidentiality 2.8 4 Interoperability 1.9 5 Compliance 4.4 2 Average 3.5 Ponemon Institute Research Report Page 21

Q3. Please rank each one of the following ten (10) cyber security threats in terms of a risk mitigation priority within your organization from 10 = highest priority to 1 = lowest priority. Average rank Rank order Malware 7.7 5 Server side injection (SSI) 8.6 2 Cross-site scripting 3.2 8 Denial of service (DoS) 9.0 1 Distributed denial of service (DDoS) 8.2 3 Web scrapping 3.0 9 Viruses, worms and trojans 7.9 4 Botnets 6.4 6 Malicious insiders 5.4 7 Phishing and social engineering 2.8 10 Average 6.2 Q4. Please rank each one of the following eight (8) negative consequences that your organization experienced as a result of a cyber attack or intrusion, from 8 = most severe to 1 = least severe. Average rank Rank order Lost revenue 6.2 4 Lost intellectual property (including trade secrets) 7.5 1 Stolen or damaged equipment 3.5 6 Productivity decline 6.8 2 Regulatory actions or lawsuits 2.2 8 Reputation damage 6.4 3 Customer turnover 6.1 5 Cost of outside consultants and experts 3.2 7 Total 5.2 Q5. Has the frequency and/or severity of cyber attacks experienced by your organization changed over the past 12 months? Pct% No change 20% Small increase (less than 10%) 25% Moderate increase (between 10% and 25%) 30% Increase Substantial increase (more than 25%) 9% 64% Small decrease (less than 10%) 5% Moderate decrease (between 10% and 25%) 3% Substantial decrease (more than 25%) 2% Decrease Cannot determine 6% 10% Total 100% Q6. What statement best describes changes to your organization s cyber security posture over the past 12 months? Pct% Our organization s cyber security posture is more effective in combating attacks and intrusions. 29% Our organization s cyber security posture is less effective in combating attacks and intrusions. 35% Our organization s cyber security posture remains the same in terms of its effectiveness in combating attacks and intrusions. 36% Total 100% Ponemon Institute Research Report Page 22

Q7. The following table contains 6 layers in the typical multi-layered security infrastructure. Please allocate the security risk inherent in each one of the 6 layers experienced by your organization. Note that the sum of your allocation must equal 100 points. Points Physical layer 7.0 Network layer 18.9 Host layer 12.4 Application layer 21.6 Data layer 24.0 Human layer 16.1 Total points 100.0 Q8. Where are you seeing the greatest areas of potential cyber security risk within your IT environment today? Please choose only your top three choices. Pct% The server environment 6% Data centers 6% Within operating systems 7% Across 3 rd party applications 29% Desktop or laptop computers 20% Mobile devices such as smart phones 24% Removable media (USB sticks) and/or media (CDs, DVDs) 13% Network infrastructure environment (gateway to endpoint) 15% Malicious insiders 22% Negligent insiders 31% Cloud computing infrastructure and providers 28% Virtual computing environments (servers, endpoints) 8% Mobile/remote employees 32% Lack of system connectivity/visibility 34% Organizational misalignment and complexity 25% Total 300% Q9. What do you see as the most significant barriers to achieving a strong cyber security posture within your organization today? Please choose only your top two choices. Pct% Insufficient resources or budget 35% Lack of effective security technology solutions 34% Lack of skilled or expert personnel 19% Lack of leadership 8% Lack of oversight or governance 27% Insufficient visibility of people and business processes 44% Insufficient assessment of cyber security risks 22% Complexity of compliance and regulatory requirements 10% Other (please specify) 1% Total 200% Ponemon Institute Research Report Page 23

Part 4. Security tools & technologies Q10. What are the most promising technologies in general? Please choose only your top two choices. Pct% Technologies that secure the perimeter 10% Technologies that provide intelligence about networks and traffic 57% Technologies that provide intelligence about attackers motivation and weak spots 33% Technologies that simplify the reporting of threats 21% Technologies that secure endpoints including mobile-connected devices 15% Technologies that minimize insider threats (including negligence) 31% Technologies that secure information assets 33% Total 200% Q11. What cyber defenses does your organization deploy to protect your organization from attacks or intrusions? Please rate each one of the following defenses in terms of its importance in preventing or quickly detecting cyber attacks using the following 5- point scale. Very important and Important Very important Important Anti-virus/anti-malware 35% 40% Anti-DoS/DDoS (Denial of Services) 34% 37% Security intelligence systems including SIEM 26% 24% Web application firewalls (WAF) 19% 31% Secure coding in the development of new applications 24% 24% Content aware firewalls including next generation firewalls (NGFW) 19% 30% Identity and authentication systems 23% 42% Enterprise encryption for data at rest 13% 19% Enterprise encryption for data in motion 19% 20% Other crypto technologies including tokenization 15% 24% Data loss prevention systems 19% 27% Intrusion detection systems (IDS) 33% 24% Intrusion prevention systems (IPS) 32% 28% Endpoint security systems 20% 31% Mobile device management 12% 14% Secure network gateways including virtual private networks (VPN) 23% 30% ID credentialing including biometrics 16% 19% Average 22% 27% Q12a. Approximately, what percentage of your organization s cyber security defenses are managed by an outside security services provider (MSSP)? Pct% None (skip to Q13) 30% 1 to 25% 24% 26 to 50% 21% 51 to 75% 10% 76 to 100% 5% Cannot determine 10% Extrapolation Average 100% 24% Ponemon Institute Research Report Page 24

Q12b. What types of security services are typically provided to your organization s MSSP? Please check all that apply. Pct% DDoS protection 25% Remote perimeter management 50% Managed security monitoring 34% Penetration and vulnerability testing 43% Compliance monitoring 26% Mitigation support including forensics following an intrusion 29% Content filtering services 16% Other (please specify) 2% Total 225% Part 5. DDoS experience Q13. In the past 12 months, how many DDoS attacks did your organization experience? Pct% None (skip to Q15) 35% Only 1 21% 2 to 5 18% 6 to 10 11% More than 10 10% Cannot determine 5% Extrapolation Total 100% 3.0 Q14. What is the average amount of downtime that your organization s network or enterprise systems experience as a consequence of one DDoS attack? Pct% None 0% Less than 1 minute 10% 1 to 10 minutes 13% 11 to 20 minutes 16% 21 to 30 minutes 22% 31 to 60 minutes 11% 1 to 2 hours 9% 3 to 5 hours 5% More than 5 hours 4% Cannot determine 10% Extrapolation Total 100% 53.5 Q15. Approximately, how much does it cost your organization each minute of downtime? Please include possible lost traffic, end-user productivity and lost revenues in this estimate. Pct% None 0% $1 to $10 1% $10 to $100 8% $101 to $1,000 12% $1,001 to $5,000 15% $5,001 to $10,000 15% $10,001 to $25,000 21% $25,001 to $50,000 11% $50,001 to $100,000 7% More than $100,000 5% Cannot determine 5% Extrapolation Total 100% $21,699 Ponemon Institute Research Report Page 25

Part 6. Counter techniques Q16a. Please rate your organization s ability to launch or implement a counter technique against hackers and other cyber criminals? Please use the following 10-point scale from weak (1 = unable to perform counter techniques) to strong (10 = fully capable of launching counter techniques). Pct% 1 (weak) 16% 2 19% 3 17% At or below 5 4 11% 71% 5 8% 6 5% Above 5 7 7% 29% 8 5% 9 9% 10 (strong) 3% Extrapolation Total 100% 4.2 Q16b. If your rating is at or below 5, what are the main reasons why your organization is not fully capable of launching counter techniques? Pct% Lack of resources or budget 69% Lack of enabling technologies 71% Do not have ample expert personnel 53% Not considered a security-related priority 53% Other (please specify) 2% Total 248% Q16c. If your rating is above 5, how does your organization perform counter techniques against hackers and other cyber criminals? Pct% Manual surveillance methods 67% Close examination of logs and configuration settings 61% Use of security intelligence tools 43% Other (please specify) 2% Total 173% Q17. Following are three features of security intelligence technologies that provide offensive or counter technique capabilities. In the context of your organization, please rate the importance of each feature using the following 5-point scale. Very important and Important Very important Important Technology that pinpoints the attacker s weak spots 27% 31% Technology that neutralizes denial of service attacks before they happen 31% 36% Technology that slows down or even halts the attacker s computers 27% 33% Average 28% 33% Q18. In your opinion, how difficult are cyber attacks to detect? Very difficult Difficult Very difficult and difficult 28% 32% Q19. In your opinion, how difficult are cyber attacks to prevent? Very difficult Difficult Very difficult and difficult 35% 40% Ponemon Institute Research Report Page 26

Part 3. Your role and organization D1. What organizational level best describes your current position? Pct% Senior executive 2% Vice president 1% Director 17% Manager 23% Supervisor 19% Technician 33% Staff 4% Consultant 1% Contractor 0% Other 0% Total 100% D2. Check the Primary Person you or your IT security leader reports to within the organization. Pct% CEO/Executive Committee 1% Chief Financial Officer 2% General Counsel 3% Chief Information Officer 61% Chief Information Security Officer 21% Compliance Officer 2% Human Resources VP 0% Chief Security Officer 2% Data Center Management 1% Chief Risk Officer 5% Other 2% Total 100% D3. Total years of relevant experience Mean Median Total years of IT or security experience 11.4 11.0 Total years in current position years 6.2 6.0 D4. Who is most responsible for managing your organization s cyber security posture? Pct% Chief information officer (CIO) 41% Chief technology officer (CTO) 2% Chief information security officer (CISO) 21% Chief security officer (CSO) 1% Chief risk officer (CRO) 3% Data center management 2% Business unit management 11% Website development leader/manager 0% Corporate compliance or legal department 3% Outside managed service provider (MSSP) 4% No one person or function has overall responsibility 12% Other (please specify) 0% Total 100% Ponemon Institute Research Report Page 27

D5. What industry best describes your organization s industry focus? Pct% Agriculture & food services 1% Communications 2% Consumer products 4% E-commerce 7% Education & research 2% Energy & utilities 5% Entertainment & media 2% Financial services 19% Health & pharmaceuticals 11% Hospitality 5% Industrial 6% Public sector 13% Retail (conventional) 8% Services 6% Technology & software 5% Transportation 4% Other (please specify) 0% Total 100% D6. Where are your employees located? (Check all that apply): Pct% United States 100% Canada 63% Europe 65% Asia-Pacific 54% Middle East & Africa 46% Latin America (including Mexico) 43% D7. What is the worldwide headcount of your organization? Pct% < 100 7% 100 to 500 9% 501 to 1,000 19% 1,001 to 5,000 34% 5,001 to 25,000 21% 25,001 to 75,000 6% > 75,000 4% Extrapolation Total 100% 10,546 Ponemon Institute Research Report Page 28

For more information about this study, please contact Ponemon Institute by sending an email to research@ponemon.org or calling our toll free line at 1.800.887.3118. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 29