Ponemon Institute

News & Updates

Reshaping Financial Services IT: CIO Best Practices for the Shift Toward Mobile

Speakers: Dr. Larry Ponemon, Chairman, Ponemon Institute; Ojas Rege, VP Strategy, MobileIron

Session times: April 1st, 8:00 AM PDT (San Francisco) / 4:00 PM BST (London); April 2nd, 9:00 AM HKT (Hong Kong) / 6:00 PM PDT (San Francisco)

Widespread consumer adoption of mobile technology has set in motion a fundamental shift within financial services organizations. CIOs are learning to leverage the power of mobility to deliver a strategic business advantage by helping their firms become more efficient and flexible. For the first time, MobileIron will share data from a Ponemon Institute survey of 400 financial services organizations about the future of BlackBerry, BYOD, apps, and governance. Join MobileIron VP of Strategy Ojas Rege and Ponemon Institute Chairman and Founder Dr. Larry Ponemon for a practical and “eyes-wide-open” look at the issues CIOs and CISOs in financial services will need to address as mobile becomes a fundamental part of their computing environment.

Key topics include:
  • Financial services mobile adoption forecasts
  • Trends in migration to multi-OS environments
  • Dependencies for successful mobile strategy deployment
  • Implications of user experience and security

This session will be recorded and available for replay.


Blog Archives for October 2012
2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition sponsored by Silver Tail Systems
October 2, 2012, 2:05 am
We have just released our first study on business logic abuse, sometimes called precision hacking. The 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition, sponsored by Silver Tail Systems, examines organizations’ ability to stop or quickly detect business logic abuse. In the context of this research, business logic abuse occurs when a criminal discovers a flaw in the business logic or functionality of a website. In most cases the criminal uses the legitimate pages of the website, rather than a technical exploit, to perpetrate cyber attacks, hacks or fraud. One objective of this fraud is to steal money or confidential information, or to exploit the system for illicit gain. Another possible goal is to damage the reputation or brand of a company.

Beyond the direct theft of money and information, remediating business logic abuse is expensive. We estimate the average total cost of business logic abuse to be $6.8 million, assuming every customer-facing website of the companies represented in this research experienced such an abuse.

The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.

There are many ways attackers can take advantage of websites. Respondents report a high likelihood that such attacks will occur in their organization and agree that in many cases they are very difficult to detect. Remediation is also challenging, because controls that stop the attackers may degrade the web experience of legitimate customers.

We hope you will read the report and consider our recommendations:

  • Assign responsibility for website security and ensure there is sufficient in-house personnel to minimize business logic abuses.
  • Establish a partnership between website developers and IT to make sure a prevention and detection strategy is in place and enforced.
  • Strive to have a strategy that minimizes the risk but does not frustrate legitimate customers.
  • Ensure ongoing monitoring of websites for business logic abuses.
  • Check business partner websites for business logic abuses.
  • Invest in technologies that enable real-time visibility into website traffic.

These recommendations can be key in stopping the criminals from stealing money or confidential information and committing other fraudulent acts that can cost a company its reputation.
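To make the monitoring and real-time-visibility recommendations above concrete, here is an added example (not code from the report, Ponemon Institute or Silver Tail Systems) that flags business logic abuse in web-session logs. The log format, the URL paths (`/cart/coupon`, `/checkout/payment`, `/checkout/confirm`), the sample sessions and the thresholds are all assumptions constructed for illustration. It looks for three patterns that use only legitimate pages: coupon-code enumeration, skipping the payment step before order confirmation, and request velocity far above what a human shopper produces.

```python
"""Flag business-logic abuse in web-session logs.

Added example, not from the Ponemon / Silver Tail report. The log format,
paths, sample sessions and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit


def _build_sample_log():
    """Constructed sample traffic (not real data), one line per request:
    "<iso-timestamp> <session-id> <method> <url> <status>"
      s1: a legitimate shopper who tries two coupon codes, one of them invalid
      s2: an attacker enumerating coupon codes through the same legitimate page
      s3: a session that reaches order confirmation without ever paying
    """
    t0 = datetime(2012, 10, 2, 2, 0, 0)
    lines = [
        (t0, "s1", "GET /cart 200"),
        (t0 + timedelta(seconds=5), "s1", "POST /cart/coupon?code=FALL10 200"),
        (t0 + timedelta(seconds=12), "s1", "POST /cart/coupon?code=FALL15 400"),
        (t0 + timedelta(seconds=30), "s1", "POST /checkout/payment 200"),
        (t0 + timedelta(seconds=45), "s1", "POST /checkout/confirm 200"),
    ]
    for i in range(40):  # 40 guesses, one per second, a single hit
        status = 200 if i == 37 else 400
        lines.append((t0 + timedelta(seconds=60 + i), "s2",
                      f"POST /cart/coupon?code=A{i:04d} {status}"))
    lines += [
        (t0 + timedelta(seconds=120), "s3", "GET /cart 200"),
        (t0 + timedelta(seconds=123), "s3", "POST /checkout/confirm 200"),
    ]
    return "\n".join(f"{t.isoformat()} {sid} {rest}" for t, sid, rest in lines)


SAMPLE_LOG = _build_sample_log()

# Assumed thresholds. They are deliberately loose enough that a shopper who
# mistypes a coupon once or twice (s1) is never flagged: the control must not
# frustrate legitimate customers.
COUPON_MIN_ATTEMPTS = 10        # fewer attempts than this is normal behaviour
COUPON_MAX_SUCCESS_RATIO = 0.2  # enumeration is mostly failures
VELOCITY_MIN_REQUESTS = 20      # rate is meaningless on a handful of requests
VELOCITY_MAX_PER_MINUTE = 30.0  # sustained rate no human shopper reaches


def parse_log(text):
    """Group requests by session id, sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, method, url, status = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), method, url, int(status)))
    for reqs in sessions.values():
        reqs.sort(key=lambda r: r[0])
    return sessions


def analyze_session(requests):
    """Return the list of abuse patterns seen in one session (empty if clean)."""
    findings = []
    paths = [urlsplit(r[2]).path for r in requests]

    # 1. Coupon enumeration: many distinct codes, almost all rejected.
    coupon = [r for r in requests if urlsplit(r[2]).path == "/cart/coupon"]
    if len(coupon) >= COUPON_MIN_ATTEMPTS:
        codes = {parse_qs(urlsplit(r[2]).query).get("code", [""])[0] for r in coupon}
        successes = sum(1 for r in coupon if r[3] < 400)
        if len(codes) >= COUPON_MIN_ATTEMPTS and successes / len(coupon) <= COUPON_MAX_SUCCESS_RATIO:
            findings.append("coupon_enumeration")

    # 2. Workflow bypass: confirmation reached with no prior payment step.
    if "/checkout/confirm" in paths:
        first_confirm = paths.index("/checkout/confirm")
        if "/checkout/payment" not in paths[:first_confirm]:
            findings.append("workflow_bypass")

    # 3. Velocity: sustained request rate far above human browsing.
    if len(requests) >= VELOCITY_MIN_REQUESTS:
        span = (requests[-1][0] - requests[0][0]).total_seconds()
        per_minute = len(requests) * 60.0 / max(span, 1.0)
        if per_minute > VELOCITY_MAX_PER_MINUTE:
            findings.append("velocity")

    return findings


def find_abusive_sessions(text):
    """Map session id -> findings, for sessions with at least one finding."""
    result = {}
    for sid, reqs in parse_log(text).items():
        findings = analyze_session(reqs)
        if findings:
            result[sid] = findings
    return result


if __name__ == "__main__":
    for sid, findings in find_abusive_sessions(SAMPLE_LOG).items():
        print(sid, findings)
```

Every request in the constructed log is a normal page hit with a 200 or 400 status, so a signature-based web application firewall sees nothing wrong; the abuse is only visible at session level, which is the point of the "real-time visibility into website traffic" recommendation. The thresholds encode the trade-off in the paragraph above: raising COUPON_MIN_ATTEMPTS lets more enumeration through, lowering it starts blocking shoppers who mistype a code.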

The full report is available at
