Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


2010 Security in the Trenches

April 14, 2010, 10:23 am

We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.

What we found was interesting, and in keeping with what we’ve seen in the private sector: executives tend to view the information security programs they manage more positively than do the employees who actually carry out the plans.
That might not seem like a surprising result, but any time we can quantify what may appear to be an intuitive conclusion, it’s a helpful outcome. Progress in addressing operational challenges should be based on fact, and while trusting one’s gut may sometimes be helpful, our data suggest that the gut may not always be reliable. As the old saying goes, “trust, but verify.”
What we did find surprising in our report, Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government (available at CA's web site), was how big some of the gaps were. Some examples:
· While 62 percent of rank-and-file staff believed password management to be important, only 31 percent of executives agreed. That's a 31 percent gap.
· The importance of training and awareness for end users and for privacy and security professionals showed gaps of 21 percent and 20 percent respectively: 62 percent and 63 percent of IT staff see training of end users and of security experts as very important, while only 41 percent and 43 percent of executives agree.
· Confidence in organizational compliance with regulations such as FISMA is low among federal agencies, but rank-and-file employees believe a lack of leadership is to blame, while executives see the problem as poor enforcement.
The takeaway for federal agencies, and a lesson for all organizations struggling with information security challenges, is to recognize that these discrepancies could affect an agency's ability to properly secure its IT environment and manage risk.
Rather than trusting your gut, why not sit down with the folks in the trenches and listen to what they have to say about their experiences executing against the mandates they’ve been given? Understanding the challenges they face each day may help to better identify some of the ways you can make significant improvements in your organization’s risk management and security readiness strategy.
Let us know what you think about this report, and let us know what you've learned by talking to the pros in your trenches.


December 8, 2011, 4:58 pm

Government end users need to be educated on IT security. What will happen if an end user starts using an outside mail system over the internet to correspond about sensitive material? Or loses a laptop for months and does not report it? Or thinks they're on a VPN but ends up on an unsecured connection while at home? End users need to be educated, because any wrong decision has the possibility of being a point of failure for the entire network.
