
Intelligence Driven Cyber Defense
Sponsored by Lockheed Martin
Independently conducted by Ponemon Institute LLC
Publication Date: February 2015
Ponemon Institute© Research Report
Intelligence Driven Cyber Defense
Ponemon Institute, February 2015
Part 1. Introduction
Ponemon Institute is pleased to present the results of Intelligence Driven Cyber Defense
sponsored by Lockheed Martin. The purpose of this research is to understand if organizations are
improving their ability to reduce the risk of hackers and other cyber criminals. If so, are they
adopting new strategies, such as intelligence driven cyber defense, to deal with the rise in
frequency and severity of cyber attacks?
We surveyed 678 US IT and IT security practitioners who are familiar with their organizations’
defense against cybersecurity attacks and have responsibility in directing cybersecurity activities.
Following are the key findings of this study:
An intelligence driven cyber defense against hackers and other cyber criminals eludes many
organizations. Intelligence driven cyber defense is the ability of an organization to thwart an
attacker’s offensive maneuvers while maintaining its defensive position. As shown in Figure 1,
respondents rate their ability to launch or implement an intelligence driven cyber defense against
hackers and other cyber criminals as below average. The main reasons are the lack of expert
personnel and budget.
Organizations that succeed in an intelligence driven cyber defense use commercial threat
intelligence feeds.
Respondents who rate their organizations’ ability to launch or implement an intelligence driven
cyber defense as above average rely primarily on commercial threat intelligence feeds (68
percent) followed by collaborative threat intelligence groups, partnerships and forums (37 percent)
or dedicated analysts on staff (35 percent).
Understanding the attacker’s weak spots is the most important feature of a security
intelligence tool. Considered less important are a technology that slows down or even halts the
attacker’s computers and technology that uses big data analytics to achieve a strong cybersecurity
defense.
The greatest cyber threat is inside the organization. The greatest area of potential
cybersecurity risk is inside the organization. Thirty-six percent of respondents point to negligent
insiders and 25 percent of respondents say malicious insiders are the greatest areas of
cybersecurity risk.
Cyber attacks target high value intellectual property. Respondents were asked to rank the
most negative consequences of a cyber attack. Lost intellectual property, reputation damage and
disruption to business process are considered the worst. The types of cyber attacks against their
organizations’ networks of most concern are advanced persistent threats (APT), malicious insiders
and phishing and social engineering.
Part 2. Key findings
In this section, we present an analysis of the research findings. The complete audited findings are
presented in the appendix of this report. We have organized the paper according to the following
themes:
§ Challenges addressing cybersecurity risks
§ Cybersecurity strategies missing the mark
§ Achieving an intelligence driven cyber defense
Challenges addressing cybersecurity risks
Organizations are not prepared to deal with severe and frequent cyber attacks. As shown in
Figure 2, 75 percent of respondents say they see an increase in the severity of cyber attacks
experienced by their organizations and 68 percent of respondents say they are more frequent.
However, a smaller percentage of respondents (53 percent) say launching a strong offensive
against hackers and other cyber criminals is very important to their organizations’ security
strategy.
An impediment to achieving a strong security posture is a lack of vigilance and budget. Only 46
percent of respondents say their organization is vigilant in monitoring cyber attacks and only 27
percent of respondents believe their security budget is sufficient for mitigating most cyber attacks.
Figure 2. Challenges to achieving a strong cyber defense
Strongly agree and agree response combined
The severity of cyber attacks experienced by my organization is on the rise: 75%
The frequency of cyber attacks experienced by my organization is on the rise: 68%
Launching a strong offensive against hackers and other cyber criminals is very important to my organization’s security strategy: 53%
My organization is vigilant in monitoring cyber attacks: 46%
My organization’s security budget is sufficient for mitigating most cyber attacks (intrusions): 27%
The biggest challenge is preventing a cyber attack. Eighty-five percent of respondents say
preventing an attack is very difficult or difficult, as shown in Figure 3. Not as difficult is the ability to
isolate (57 percent), to block (56 percent) and detect (46 percent).
Figure 3. What is the biggest challenge in dealing with cyber attacks?
Very difficult and difficult response combined
How difficult are cyber attacks to prevent? 85%
How difficult are cyber attacks to isolate? 57%
How difficult are cyber attacks to block? 56%
How difficult are cyber attacks to detect? 46%
The malicious insider is considered the greatest threat. Thirty-seven percent of respondents
are most concerned about attacks from malicious insider followed by 26 percent of respondents
who say it is criminal syndicates, as shown in Figure 4.
Figure 4. What attacker presents the greatest cyber threat to your organization today?
Malicious insider: 37%
Criminal syndicates: 26%
State sponsored attacker: 19%
Hacktivists: 15%
Lone wolf hacker: 2%
Other: 1%
The insider risk in the IT environment worries respondents most. As shown in Figure 5, the
greatest area of potential cybersecurity risk is inside the organization. Thirty-six percent of
respondents point to negligent insiders and 25 percent of respondents say malicious insiders are
the greatest areas of cybersecurity risk. Thirty-three percent worry about organizational
misalignment and complexity and 30 percent say it is a lack of system connectivity/visibility.
Figure 5. Greatest areas of potential cybersecurity risk within the IT environment today
Three responses permitted
Negligent insiders: 36%
Organizational misalignment and complexity: 33%
Lack of system connectivity/visibility: 30%
Mobile/remote employees: 29%
Mobile devices such as smart phones: 28%
Malicious insiders: 25%
Cloud computing infrastructure and providers: 25%
Across 3rd party applications: 23%
Lost intellectual property is the most negative consequence of a cyber attack. Respondents
were asked to rank the most negative consequences of a cyber attack. According to Figure 6, lost
intellectual property, reputation damage and disruption to business process are considered the
most severe consequences. The types of cyber attacks against their organizations’ networks of
most concern are advanced persistent threats (APT), malicious insiders and phishing and social
engineering.
Figure 6. Negative consequences as a result of a cyber attack or intrusion
10 = most severe to 1 = least severe
Lost intellectual property (including trade secrets): 9.15
Reputation damage: 8.64
Disruption to business process: 8.08
Productivity decline: 7.22
Damage to critical infrastructure: 6.75
Customer turnover: 4.55
Regulatory actions or lawsuits: 3.97
Lost revenue: 2.89
Stolen or damaged equipment: 2.37
Cost of outside consultants and experts: 1.99
Cybersecurity strategies miss the mark
Intuition, not logical deduction, is often used to determine if an organization is a target.
When asked if they believe their organization is targeted for attack, 35 percent of respondents
say no or that it is unlikely. According to Figure 7, 35 percent of these say their belief is based on
intuition or gut feel. One-third of respondents say it is based on logical deduction. However, 32
percent say they do not think they are targeted because they did not receive any warnings or
alerts from intelligence sources.
Figure 7. How do you know your organization is not targeted?
Intuition (gut feel): 35%
Logical deduction: 33%
Did not receive warnings or alerts from intelligence sources: 32%
Respondents believe live intelligence is key to a strong cybersecurity defense. In the
context of this survey, live intelligence refers to the near real time feed of information used to
detect, evaluate and prioritize threats to the organization. As shown in Figure 8, 44 percent say
such intelligence is essential and 32 percent say it is very important.
Figure 8. How important is live intelligence to a strong cybersecurity defense?
Essential: 44%
Very important: 32%
Important: 15%
Not important: 9%
Cyber threat intelligence fails to provide an effective defense. Difficulty disseminating
intelligence to key stakeholders in a timely fashion (84 percent of respondents) and a high false
positive rate (81 percent) are the biggest problems facing an organization’s use of cyber threat
intelligence, as shown in Figure 9.
Other negatives are intelligence is too old to be actionable (67 percent), often inaccurate and
incomplete (66 percent), activities are too difficult to manage (64 percent), does not integrate with
various security technologies (59 percent) and complexity (56 percent).
Figure 9. The problems with current cyber threat intelligence
Strongly agree and agree response combined
Difficult to disseminate threat intelligence to key stakeholders in a timely fashion: 84%
Has a high false positive rate: 81%
Often too old to be actionable: 67%
Often inaccurate or incomplete: 66%
Threat intelligence activities/process are difficult to manage: 64%
Does not integrate easily with various security technologies: 59%
Threat intelligence activities/process are very complex: 56%
Cybersecurity effectiveness is static or in decline. Forty-three percent of respondents say their
cybersecurity posture remains the same in terms of their effectiveness in combating attacks and
intrusions and 24 percent of respondents say their organizations are actually less effective,
according to Figure 10.
Figure 10. How has your cybersecurity posture changed in the past 12 months?
Cyber security posture remains the same in terms of its effectiveness in combating attacks and intrusions: 43%
Cyber security posture is more effective in combating attacks and intrusions: 33%
Cyber security posture is less effective in combating attacks and intrusions: 24%
The most serious risks do not receive the most budget. According to Figure 11, while user
awareness about cyber threats and the supply chain are considered to have potentially the most
impact on an organization’s security posture, they do not seem to receive funding commensurate
with the risk they pose. Mobile and cloud security are receiving the most budget.
Figure 11. How organizations are allocating budget to address security risks
Factor               Security risk   Spending level
User awareness       25%             4%
Supply chain         24%             15%
Mobile               20%             34%
Cloud                18%             27%
Desktops/laptops     8%              8%
Perimeter servers    5%              12%
Budget is considered the most significant barrier to achieving a strong cybersecurity
posture. This is followed by insufficient visibility of people and business processes, according to
Figure 12. This reinforces the concerns respondents have about the insider threat.
Figure 12. Barriers to achieving a stronger cybersecurity posture
Two responses permitted
Insufficient resources or budget: 49%
Insufficient visibility of people and business processes: 45%
Lack of skilled or expert personnel: 29%
Lack of effective security technology solutions: 24%
Lack of oversight or governance: 18%
Complexity of compliance and regulatory requirements: 13%
Insufficient assessment of cyber security risks: 12%
Lack of leadership: 9%
Other: 1%
An intelligence driven cyber defense
An intelligence driven cyber defense against hackers and other cyber criminals eludes
many organizations. Intelligence driven cyber defense is the ability of an organization to thwart
an attacker’s offensive maneuvers while maintaining its defensive position. Respondents rate their
ability to launch or implement an intelligence driven cyber defense against hackers and other
cyber criminals as below average. The main reasons are not the availability of enabling
technologies but the lack of expert personnel and budget, as shown in Figure 13.
Figure 13. Why can’t your organization launch an intelligence driven cyber defense?
More than one response permitted
Do not have ample expert personnel: 65%
Lack of resources or budget: 64%
Not considered a security-related priority: 39%
Lack of enabling technologies: 19%
Organizations that succeed in an intelligence driven cyber defense use commercial threat
intelligence feeds. Figure 14 reveals that respondents who rate their organizations’ ability to
launch or implement an intelligence driven cyber defense as above average rely primarily on
commercial threat intelligence feeds (68 percent) followed by collaborative threat intelligence
groups, partnerships and forums (37 percent) or dedicated analysts on staff (35 percent).
Figure 14. How does your organization gain actionable intelligence about hackers and
other cyber criminals?
More than one response permitted
Commercial threat intelligence feeds: 68%
Collaborative threat intelligence groups, partnerships, forums: 37%
Dedicated analysts on staff: 35%
Other: 2%
Geo-location is considered important for determining the severity of cyber threats. Seventy-four
percent of respondents say it is essential or very important to know the geo-location of the
threat. However, only 36 percent say they are very certain or certain about the origin of cyber
attacks facing their organization, as shown in Figure 15.
Figure 15. The certainty about the geo-location (origin) of cyber attacks
Response categories: Very certain, Certain, Somewhat certain, Not certain
Understanding the attacker’s weak spots is the most important feature of a security
intelligence tool. Respondents were asked to rate the importance of four features of security
intelligence tools that provide offensive capabilities.
Figure 16 shows that 72 percent of respondents say understanding the attacker’s weak spots is
most important followed by technology that neutralizes attacks before they happen (69 percent).
Also important is a technology that slows down or even halts the attacker’s computers (56
percent). Less important is a technology that uses big data analytics to achieve a strong
cybersecurity defense (47 percent).
Figure 16. Important features of security intelligence tools
Very important and important response combined
Technology that pinpoints the attacker’s weak spots: 72%
Technology that neutralizes attacks before they happen: 69%
Technology that slows down or even halts the attacker’s computers: 56%
Technology that uses big data analytics to achieve a strong cyber security defense: 47%
The Cyber Kill Chain is viewed as helpful to an organization’s cyber defense. The term
Cyber Kill Chain refers to a life cycle approach that allows information security professionals to
proactively remediate and mitigate advanced threats as part of the organization’s intelligence
driven defense process. Sixty-seven percent of respondents say they are familiar with the term
Cyber Kill Chain. Almost all respondents familiar with the term say it is very or somewhat helpful to
their organization’s cybersecurity defenses and strategy, according to Figure 17.
Figure 17. How helpful is the Cyber Kill Chain to cybersecurity defenses and strategy?
Very helpful: 39%
Somewhat helpful: 45%
Not helpful: 16%
Most organizations in this study operate a Security Operations Center (SOC). Sixty-seven
percent of respondents say their organization operates a SOC. These organizations are most
likely to use a tiered approach to escalating and responding to cyber threats and attacks, as
shown in Figure 18. In fact, 53 percent of respondents say they have three or more tiers. While 56
percent of organizations represented in this study operate a fully staffed 24/7/365 schedule,
respondents are evenly divided as to whether such staffing is necessary in order to have a strong
cyber defense.
Figure 18. Utilization of a tiered approach to escalating and responding to cyber threats
Yes, 2 tiers: 11%
Yes, 3 tiers: 30%
Yes, more than 3 tiers: 23%
No: 36%
Technologies that minimize the insider threat are considered most promising. As discussed,
insider negligence is a big worry for organizations. Accordingly, 46 percent of respondents would
like to have technologies that minimize insider threats, including negligence, according to Figure
19. This is followed by technologies that secure information assets (39 percent) and intelligence
about networks and traffic (35 percent).
Figure 19. What are the technologies for a strong cybersecurity posture?
Two responses permitted
Technologies that minimize insider threats (including negligence): 46%
Technologies that secure information assets: 39%
Technologies that provide intelligence about networks and traffic: 35%
Technologies that simplify the reporting of threats: 23%
Technologies that provide intelligence about attackers’ motivation and weak spots: 23%
Technologies that secure endpoints including mobile-connected devices: 18%
Technologies that isolate or sandbox malware infections: 9%
Technologies that secure the perimeter: 7%
Part 3. Conclusion
The findings of this study reveal that cyber attacks are viewed as becoming more severe and
frequent. Unfortunately, the security posture of many companies is not up to the challenge of
dealing with cyber threats. Most respondents rate their cybersecurity posture as static or in
decline. Following are recommendations to reverse this trend and achieve a more intelligence
driven defense process:
§ Assess and improve the deficiencies in cyber threat intelligence. An intelligence driven
cyber defense requires timely, accurate and actionable information. Respondents in
organizations that are believed to have a more successful cyber defense rely primarily on
commercial threat intelligence feeds. Respondents cite the difficulty in disseminating threat
intelligence to key stakeholders in a timely fashion and a high false positive rate as to why
cyber threat intelligence fails to provide an effective defense.
§ Proactive management of cybersecurity risks requires adequate budgets and skilled
personnel. Throughout the study, respondents say it is a lack of budget and expertise that are
the biggest barriers to a stronger cybersecurity posture. The research also reveals the areas
believed to pose the greatest risks, user awareness and supply chain, are underfunded.
§ Reducing the insider threat should be a priority. According to the findings, the greatest
cyber threat is the malicious insider. Further, the greatest areas of potential cybersecurity risk
within the IT environment are negligent and malicious insiders. Accordingly, respondents
believe technologies that minimize the insider threat, including negligence, are considered
most promising.
§ Intelligence about the attacker’s weak spot would improve an organization’s
cybersecurity posture. Seventy-two percent of respondents say understanding the attacker’s
weak spots is most important followed by technology that neutralizes attacks before they
happen (69 percent).
§ Consider adopting the Cyber Kill Chain. This life cycle approach allows information security
professionals to proactively remediate and mitigate advanced threats as part of the
organization’s intelligence driven defense process. Respondents in this research believe it is
helpful to achieving a more effective cybersecurity defense and strategy.
Part 4. Methods
The survey instrument was fielded over a nine-day period from November 4, 2014 to November
13, 2014. All analysis was conducted subsequently.
A sampling frame composed of 19,818 IT and IT security practitioners located in the United States
was selected for participation in this survey. To ensure a knowledgeable respondent, the
selected participants are familiar with their organizations’ defense against cybersecurity attacks
and have some responsibility in directing cybersecurity activities. As shown in Table 1, 765
respondents completed the survey. Screening removed 94 surveys. The final sample was 671
surveys (or a 3.9 percent response rate).
Table 1. Sample response
                                  Freq     Pct%
Total sampling frame            19,818   100.0%
Total returns                      765     3.9%
Rejected or screened surveys        94     0.5%
Final sample                       671     3.9%
We calculated a margin of error for all statistical survey questions that yielded a proportional or
percentage result. Most questions utilized the full sample size of n = 671 qualified respondents.
Assuming a confidence level at the 95 percent level, the margin of error for survey questions
ranged from ± 1.1 percent to ± 6.3 percent, with an overall average of ± 3.8 percent.
Pie chart 1 reports the current position or organization level of respondents. By design, 56 percent
of respondents reported their current position is at or above the supervisory level.
Pie Chart 1. Current position or organizational level
Categories: Vice President, Director, Manager, Supervisor, Technician, Staff, Consultant, Other
As shown in Pie Chart 2, more than half of the respondents (55 percent) indicated they report to
the CIO and 18 percent report to the CISO.
Pie Chart 2. Primary person respondent or IT security leader reports to
Categories: Chief Information Officer (55%), Chief Information Security Officer (18%), Chief Risk
Officer, Compliance Officer, Human Resources VP, Chief Security Officer, CEO/Executive Committee,
General Counsel, Data Center Management, Other
Pie Chart 3 reports the primary industry classification of respondents’ organizations. This chart
identifies financial services (21 percent) as the largest segment, followed by federal government
(18 percent) and healthcare (17 percent).
Pie Chart 3. Primary industry classification
Categories: Financial services (21%), Federal government (18%), Healthcare (17%), Utilities,
Energy, oil & gas, Pharmaceuticals, Chemical, All others
According to Pie Chart 4, more than half (62 percent) of the respondents are from organizations
with a global headcount of over 1,000 employees.
Pie Chart 4. Worldwide headcount of the organization
Categories: Less than 100, 100 to 500, 501 to 1,000, 1,001 to 5,000, 5,001 to 25,000,
25,001 to 75,000, More than 75,000
As shown in Figure 20, in addition to having employees in the United States, respondents also
indicated their organization has employees in Europe (72 percent), Canada (71 percent),
Asia-Pacific (68 percent), Latin America (54 percent) and Middle East & Africa (44 percent).
Figure 20. Where are participating companies’ employees located?
United States: 100%
Europe: 72%
Canada: 71%
Asia-Pacific: 68%
Latin America: 54%
Middle East & Africa: 44%
Part 5. Caveats
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable returned
responses. Despite non-response tests, it is always possible that individuals who did not
participate are substantially different in terms of underlying beliefs from those who completed the
instrument.
Sampling frame bias: The accuracy is based on contact information and the degree to which the
list is representative of individuals who are IT or IT security practitioners located in the United
States. We also acknowledge that the results may be biased by external events such as media
coverage. We also acknowledge bias caused by compensating subjects to complete this research
within a specified time period.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide accurate responses.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey
questions contained in this study. All survey responses were captured from November 4, 2014 to
November 13, 2014.
Survey response                    Freq     Pct%
Total sampling frame             19,818   100.0%
Total returns                       765     3.9%
Rejected or screened surveys         94     0.5%
Response rate                       671     3.4%
Part 1. Screening questions
S1. How familiar are you with your organization’s defense against cybersecurity attacks?
Very familiar: 50%
Familiar: 32%
Somewhat familiar: 18%
No knowledge (Stop): 0%
Total: 100%
S2. Do you have any responsibility in directing cybersecurity activities within your organization?
Yes, full responsibility: 32%
Yes, some responsibility: 44%
Yes, minimum responsibility: 24%
No responsibility (Stop): 0%
Total: 100%
Part 2. Priorities
Q1a. How familiar are you with the term Cyber Kill Chain?
Very familiar: 27%
Familiar: 40%
Not familiar: 18%
No knowledge: 15%
Total: 100%
Q1b. [Those selecting very familiar or familiar] How helpful is the Cyber Kill Chain to your
organization’s cybersecurity defenses and strategy?
Very helpful: 39%
Somewhat helpful: 45%
Not helpful: 16%
Total: 100%
Q2a. Does your organization operate a Security Operations Center (SOC)?
Yes: 67%
No: 33%
Total: 100%
Q2b. If yes [Q2a], does your organization’s SOC utilize a tiered approach to escalating and
responding to cyber threats and attacks?
Yes, 2 tiers: 11%
Yes, 3 tiers: 30%
Yes, more than 3 tiers: 23%
No: 36%
Total: 100%
Q2c. If yes [Q2a], what best describes your SOC’s operating schedule?
Our organization’s SOC operates a fully staffed 24/7/365 schedule: 56%
Our organization’s SOC has teams that have on-call staff to work off hours: 44%
Total: 100%
Q2d. If yes [Q2a], in your opinion, is a SOC schedule that is 24/7/365 and fully staffed
necessary to have a strong cyber defense?
Yes: 50%
No: 50%
Total: 100%
Q2e. If yes [Q2a], is your organization’s SOC operated by a managed security services
provider (MSSP)?
Yes, fully outsourced: 28%
Yes, partially outsourced: 33%
No: 39%
Total: 100%
Q3a. Please rate your organization’s ability to launch or implement an intelligence driven
cyber defense against hackers and other cyber criminals. Please use the following 10-point scale.
1 or 2: 31%
3 or 4: 24%
5 or 6: 10%
7 or 8: 15%
9 or 10: 20%
Total: 100%
Extrapolated value: 4.9
Q3b. If your rating is below 5, what are the main reasons why your organization is not fully
capable of launching an intelligence driven cyber defense?
Do not have ample expert personnel: 65%
Lack of resources or budget: 64%
Not considered a security-related priority: 39%
Lack of enabling technologies: 19%
Total: 187%
Q3c. If your rating is above 5, how does your organization gain actionable intelligence about
hackers and other cyber criminals? Please check all that apply.
Commercial threat intelligence feeds: 68%
Collaborative threat intelligence groups, partnerships, forums: 37%
Dedicated analysts on staff: 35%
Other (please specify): 2%
Total: 142%
Q4. Please rank each one of the following five (5) cybersecurity objectives in terms of a
business priority within your organization from 5 = highest priority to 1 = lowest priority.
                    Average rank   Rank order
Compliance          4.65           1
Confidentiality     4.07           2
Interoperability    3.36           3
Integrity           2.14           4
Availability        1.98           5
Q5. What types of cyber attacks against your organization’s networks cause the greatest
concern? Please select the top four (4) choices only.
Advanced persistent threats (APT): 54%
Malicious insiders: 53%
Phishing and social engineering: 48%
Compromised/stolen credentials: 44%
Denial of service (DoS): 36%
Malware: 33%
Man-in-the-middle attack: 28%
Server side injection (SSI): 25%
Registration spamming: 19%
Root kits: 14%
Web scraping: 10%
Clickjacking: 9%
Botnets: 8%
Watering hole attacks: 6%
Cross-site scripting: 5%
SQL and code injection: 5%
Contact form or comment spam: 3%
Total: 400%
Q6. Please rank each one of the following ten (10) negative consequences that your
organization might have experienced as a result of a cyber attack or intrusion, from 10 =
most severe to 1 = least severe.
                                                        Average rank   Rank order
Lost intellectual property (including trade secrets)    9.15           1
Reputation damage                                       8.64           2
Disruption to business process                          8.08           3
Productivity decline                                    7.22           4
Damage to critical infrastructure                       6.75           5
Customer turnover                                       4.55           6
Regulatory actions or lawsuits                          3.97           7
Lost revenue                                            2.89           8
Stolen or damaged equipment                             2.37           9
Cost of outside consultants and experts                 1.99           10
Q7. Please rate the following statements about security posture using the five-point scale
provided below each item.
Q7a. My organization is vigilant in monitoring cyber attacks.
Strongly agree 21%, Agree 25%, Unsure 21%, Disagree 21%, Strongly disagree 12%
Q7b. My organization’s security budget is sufficient for mitigating most cyber attacks (intrusions).
Strongly agree 12%, Agree 15%, Unsure 24%, Disagree 27%, Strongly disagree 22%
Q7c. The severity of cyber attacks experienced by my organization is on the rise.
Strongly agree 42%, Agree 33%, Unsure 15%, Disagree 6%, Strongly disagree 4%
Q7d. The frequency of cyber attacks experienced by my organization is on the rise.
Strongly agree 38%, Agree 30%, Unsure 19%, Disagree 6%, Strongly disagree 7%
Q7e. Launching a strong offensive against hackers and other cyber criminals is very important
to my organization’s security strategy.
Strongly agree 23%, Agree 30%, Unsure 23%, Disagree 14%, Strongly disagree 10%
Q8. Please rate the following statements about threat intelligence using the five-point scale
provided below each item.
Q8a. My organization’s cyber threat intelligence is often too old (out of date) to be actionable.
Strongly agree 36%, Agree 31%, Unsure 13%, Disagree 10%, Strongly disagree 10%
Q8b. My organization’s cyber threat intelligence is often inaccurate or incomplete.
Strongly agree 33%, Agree 33%, Unsure 14%, Disagree 11%, Strongly disagree 9%
Q8c. My organization’s cyber threat intelligence activities or process is very complex.
Strongly agree 27%, Agree 29%, Unsure 18%, Disagree 15%, Strongly disagree 11%
Q8d. My organization’s cyber threat intelligence activities or process is difficult to manage.
Strongly agree 31%, Agree 33%, Unsure 22%, Disagree 12%, Strongly disagree 2%
Q8e. My organization’s cyber threat intelligence has a high false positive rate.
Strongly agree 45%, Agree 36%, Unsure 11%, Disagree 5%, Strongly disagree 3%
Q8f. It is difficult to disseminate cyber threat intelligence to key stakeholders in a timely fashion.
Strongly agree 49%, Agree 35%, Unsure 6%, Disagree 6%, Strongly disagree 4%
Q8g. My organization’s cyber threat intelligence does not integrate easily with various security
technologies.
Strongly agree 30%, Agree 29%, Unsure 23%, Disagree 12%, Strongly disagree 6%
Q9. What statement best describes changes to your organization’s cybersecurity posture over
the past 12 months?
Our organization’s cybersecurity posture is more effective in combating attacks and intrusions: 33%
Our organization’s cybersecurity posture is less effective in combating attacks and intrusions: 24%
Our organization’s cybersecurity posture remains the same in terms of its effectiveness in
combating attacks and intrusions: 43%
Total: 100%
Q10a. The following table contains 6 factors that can impact an organization’s security
posture. Please allocate the security risk inherent in each one of the 6 factors as experienced
by your organization. Note that the sum of your risk allocation must equal 100 points.
User awareness: 25 points
Desktops/laptops: 8 points
Mobile: 20 points
Cloud: 18 points
Perimeter servers: 5 points
Supply chain: 24 points
Total points: 100
Q10b. Please allocate the security budget or spending level for each one of the 6 factors as
experienced by your organization. Note that the sum of your allocation must equal 100 points.
User awareness: 4 points
Desktops/laptops: 8 points
Mobile: 34 points
Cloud: 27 points
Perimeter services: 12 points
Supply chain: 15 points
Total points: 100
Q11. What do you see as the most significant barriers to achieving a strong cybersecurity posture within your organization today? Please choose only your top two choices.
Pct%
Insufficient resources or budget: 49%
Insufficient visibility of people and business processes: 45%
Lack of skilled or expert personnel: 29%
Lack of effective security technology solutions: 24%
Lack of oversight or governance: 18%
Complexity of compliance and regulatory requirements: 13%
Insufficient assessment of cybersecurity risks: 12%
Lack of leadership: 9%
Other (please specify): 1%
Total: 200%

Q12. Where are you seeing the greatest areas of potential cybersecurity risk within your IT environment today? Please choose only your top three choices.
Pct%
Negligent insiders: 36%
Organizational misalignment and complexity: 33%
Lack of system connectivity/visibility: 30%
Mobile/remote employees: 29%
Mobile devices such as smart phones: 28%
Cloud computing infrastructure and providers: 25%
Malicious insiders: 25%
Across 3rd party applications: 23%
Removable media (USB sticks) and/or media (CDs, DVDs): 18%
Desktop or laptop computers: 15%
Data centers: 12%
The server environment: 9%
Network infrastructure environment (gateway to endpoint): 7%
Within operating systems: 5%
Virtual computing environments (servers, endpoints): 5%
Total: 300%
Q13. What are the most promising technologies in general? Please choose only your top two choices.
Pct%
Technologies that minimize insider threats (including negligence): 46%
Technologies that secure information assets: 39%
Technologies that provide intelligence about networks and traffic: 35%
Technologies that provide intelligence about attackers’ motivation and weak spots: 23%
Technologies that simplify the reporting of threats: 23%
Technologies that secure endpoints including mobile-connected devices: 18%
Technologies that isolate or sandbox malware infections: 9%
Technologies that secure the perimeter: 7%
Total: 200%

Q14. What cyber defenses does your organization deploy to protect your organization from attacks or intrusions? Please rate each one of the following defenses in terms of its importance in preventing or quickly detecting cyber attacks using the following 5-point scale. Select 5 (not applicable) if your organization does not deploy or implement the given defense. 1 = Very important, 2 = Important, 3 = Somewhat important, 4 = Not important, 5 = Not applicable
Defenses rated:
Security intelligence systems including SIEM
Identity and authentication systems
Anti-virus/anti-malware
Content aware firewalls including next generation firewalls (NGFW)
Secure network gateways including virtual private networks (VPN)
Anti-DoS/DDoS (Denial of Service)
Intrusion prevention systems (IPS)
Intrusion detection systems (IDS)
Endpoint security systems
Web application firewalls (WAF)
Enterprise encryption for data at rest
Enterprise encryption for data in motion
Secure coding in the development of new applications
Mobile device management
Other crypto technologies including tokenization
Data loss prevention systems
ID credentialing including biometrics
Columns: Very important / Important / Somewhat important / Not important / Irrelevant (not applicable)
Response percentages for the 17 defenses across the 5 columns, in the order the source table lists them:
40%, 41%, 30%, 32%, 26%, 33%, 12%, 17%, 23%, 10%, 15%, 11%, 6%, 1%, 3%, 32%, 29%, 21%, 10%, 8%, 28%, 31%, 26%, 26%, 21%, 23%, 23%, 23%, 29%, 23%, 27%, 25%, 30%, 25%, 25%, 24%, 32%, 25%, 30%, 25%, 26%, 23%, 33%, 31%, 6%, 11%, 12%, 13%, 16%, 19%, 10%, 12%, 5%, 10%, 5%, 11%, 7%, 10%, 9%, 10%, 25%, 18%, 18%, 24%, 40%, 30%, 8%, 23%, 9%, 5%, 21%, 18%, 20%, 20%, 20%, 16%, 39%, 23%, 44%, 12%, 21%, 12%, 8%, 18%, 8%
Q15. Who is most responsible for defining your organization’s cybersecurity strategy?
Pct%
Chief information officer (CIO): 35%
Chief information security officer (CISO): 25%
No one person or function has overall responsibility: 15%
Chief technology officer (CTO): 7%
Outside managed service provider (MSSP): 4%
Chief security officer (CSO): 3%
Business unit management: 3%
Chief executive officer (CEO): 2%
Chief risk officer (CRO): 2%
Data center management: 2%
Corporate compliance or legal department: 2%
Website development leader/manager: 0%
Total: 100%

Q16. Please rate your answer using a four-point scale.
Columns: Very difficult / Difficult / Not difficult / Easy
Q16a. In your opinion, how difficult are cyber attacks to detect? 21% / 25% / 42% / 12%
Q16b. In your opinion, how difficult are cyber attacks to block? 32% / 24% / 40% / 4%
Q16c. In your opinion, how difficult are cyber attacks to prevent? 45% / 40% / 11% / 4%
Q16d. In your opinion, how difficult are cyber attacks to isolate? 31% / 26% / 40% / 3%

Q17. Using the following 10-point scale, please rate the overall effectiveness of your organization’s ability to use intelligence to reduce risk or mitigate attacks.
Pct%
1 or 2: 7%
3 or 4: 20%
5 or 6: 41%
7 or 8: 19%
9 or 10: 13%
Total: 100%
Extrapolated value: 5.72

Q18a. Do you believe your organization is presently targeted for attack?
Pct%
Yes with certainty: 11%
Yes, very likely: 20%
Yes, likely: 18%
Somewhat likely: 16%
Unlikely: 5%
No: 30%
Total: 100%
Q18b. If no, how do you know your organization is not targeted?
Pct%
Logical deduction: 33%
Did not receive warnings or alerts from intelligence sources: 32%
Intuition (gut feel): 35%
Total: 100%

Q19. In your opinion, how important is geolocation for determining the severity of cyber threats to your organization?
Pct%
Essential: 39%
Very important: 35%
Important: 16%
Not important: 8%
Irrelevant: 2%
Total: 100%

Q20. How certain are you about the geolocation (origin) of cyber attacks posed against your organization?
Pct%
Very certain: 16%
Certain: 20%
Somewhat certain: 30%
Not certain: 34%
Total: 100%

Q21. What attacker presents the greatest cyber threat to your organization today? Please select only one choice.
Pct%
Malicious insider: 37%
Criminal syndicates: 26%
State sponsored attacker: 19%
Hacktivists: 15%
Lone wolf hacker: 2%
Other (please specify): 1%
Total: 100%

Q22. In your opinion, how important is live intelligence to achieving a strong cybersecurity defense?
Pct%
Essential: 44%
Very important: 32%
Important: 15%
Not important: 9%
Irrelevant: 0%
Total: 100%
Part 3. Your role and organization

D1. What organizational level best describes your current position?
Pct%
Senior Executive: 1%
Vice President: 2%
Director: 17%
Manager: 22%
Supervisor: 15%
Technician: 35%
Staff: 5%
Consultant: 2%
Contractor: 1%
Total: 100%

D2. Check the primary person you or your IT security leader reports to within the organization.
Pct%
CEO/Executive Committee: 2%
Chief Financial Officer: 1%
General Counsel: 2%
Chief Information Officer: 55%
Chief Information Security Officer: 18%
Compliance Officer: 5%
Human Resources VP: 4%
Chief Security Officer: 3%
Data Center Management: 2%
Chief Risk Officer: 6%
Other: 2%
Total: 100%

D3. What industry best describes your organization’s industry focus (stratified list)?
Pct%
Utilities: 16%
Energy, oil & gas: 10%
Pharmaceuticals: 8%
Healthcare: 17%
Financial services: 21%
Chemical: 6%
Federal government (various departments): 18%
All others: 4%
Total: 100%

D4. Where are your employees located? (Multiple responses allowed; percentages do not total 100%.)
Pct%
United States: 100%
Canada: 71%
Europe: 72%
Asia-Pacific: 68%
Middle East & Africa: 44%
Latin America (including Mexico): 54%
D5. What is the worldwide headcount of your organization?
Pct%
Less than 100: 7%
100 to 500: 11%
501 to 1,000: 19%
1,001 to 5,000: 25%
5,001 to 25,000: 18%
25,001 to 75,000: 12%
More than 75,000: 8%
Total: 100%

Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.