Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.



Welcome to my new blog. I look forward to providing interesting content from our latest research studies. Please stay tuned for some very thought-provoking research!

Ponemon Institute and Raytheon Release New Study on the Insider Threat
May 21, 2014, 2:00 pm

Well-publicized disclosures of highly sensitive information by WikiLeaks and former NSA employee Edward Snowden have drawn attention to, and concern about, the insider threat posed by privileged users. We originally conducted a study on this topic in 2011 and decided it was time to see whether the risk of privileged user abuse has increased, decreased or stayed the same. Unfortunately, companies have not made much progress in stopping this threat since then. Our latest study, commissioned by Raytheon, “Privileged User Abuse & The Insider Threat,” looks at what companies are doing right and at the vulnerabilities that need to be addressed with policies and technologies. One big problem is the difficulty of actually knowing whether an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they don’t have enough contextual information from security tools to make this assessment, and 56 percent say security tools yield too many false positives. To learn more, we hope you will read the full report:

Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis
May 5, 2014, 10:15 am

Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on investigation, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million (in US dollars), 15 percent more than last year.

Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.

Critical to controlling costs is keeping customers from leaving. The research reveals that damage to reputation and the loss of customer loyalty do the most harm to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.

As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage have been shown to reduce the cost of a breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach.

In most countries, the primary root cause of a data breach is a malicious insider or criminal attack. It is also the most costly. In this year’s study, we asked the companies represented in this research what worries them most about security incidents, what investments they are making in security and whether they have a security strategy.

An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.

Global companies are also worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious code incidents and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same, and companies estimate they will be dealing with an average of 10 such incidents each month.

When asked about the level of investment in their organizations’ security strategy and mission, respondents on average would like to see it doubled, from the average of $7 million they expect to be spent to the average of $14 million they would like to spend. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.

To download the complete report, please use the following link:


Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication
March 14, 2014, 9:23 am

An important security issue for many companies is authenticating users who make transactions from mobile devices. Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication, sponsored by tyntec and conducted by Ponemon Institute, provides insights into mobile authentication in four global regions: North America (NA), Europe, Middle East and Africa (EMEA), Asia-Pacific plus Japan (APJ) and Latin America plus Mexico (LATAM).

The study has interesting findings about the state of mobile authentication and the preferences of companies. Specifically, for security purposes, real-time location and validation of the number are considered valuable. Respondents believe this would strengthen their security measures, assuming the end user opts in. Furthermore, in the coming year most of the respondents say they are planning to extend the use of SMS-based two-factor authentication for user registration, identity verification or activation of online services. To download the entire report, please use this link.

Warmest regards,

Dr. Larry Ponemon

Fourth Annual Benchmark Study on Patient Privacy and Data Security
March 12, 2014, 6:00 am

Today we are releasing our Fourth Annual Benchmark Study on Patient Privacy and Data Security. We hope you will read the report, sponsored by ID Experts, which reveals some fascinating trends. Specifically, criminal attacks on healthcare systems have risen a startling 100 percent since we first conducted the study in 2010. This year, we found the number and size of data breaches have declined somewhat. Employee negligence is a major risk and is being fueled by BYOD. Giving healthcare organizations major headaches are: risks to patient data caused by the Affordable Care Act, exchange of patient health information with Accountable Care Organizations and lack of trust in business associates’ privacy and security practices. For a copy of the Fourth Annual Benchmark Study on Patient Privacy and Data Security, visit

Thales e-Security and Ponemon Institute collaborate to produce 2013 Global Encryption Trends Study
March 7, 2014, 12:00 am

This past February, Thales e-Security released its latest 2013 Global Encryption Trends Study. The report, based on independent research by the Ponemon Institute and sponsored by Thales, reveals that use of encryption continues to grow in response to consumer concerns, privacy compliance regulations and ongoing cyber-attacks, and yet there are still major challenges in executing data encryption policy.
The survey indicated that only 14% of organizations surveyed do not have any encryption strategy, compared with 22% last year. The study also shows that there has been a steady increase in the deployment of encryption solutions used by organizations over the past nine years, with 35% of organizations now having an encryption strategy applied consistently across the entire enterprise, compared with 29% last year.
“Encryption usage continues to be a clear indicator of a strong security posture but there appears to be emerging evidence that concerns over key management are becoming a barrier to its more widespread adoption. For the first time in this study we drilled down into the issue of key management and found it emerging as a huge operational challenge. But questions are and should be asked about the broader topics of policy issues and choice of encryption algorithms – especially in the light of recent concerns over back doors, poorly implemented crypto systems and weak key management systems.”
- Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“Whilst key management may be emerging as a barrier to encryption deployment, it is not a new issue. The challenges associated with key management have already been addressed in heavily regulated industries such as payments processing, where best practices are well proven and could translate easily to a variety of other verticals. With more than 40 years’ experience providing key management solutions, Thales is ideally positioned to help organizations re-assess and re-evaluate their crypto security and key management infrastructure and deliver solutions that ensure their integrity and trustworthiness.”
- Richard Moulds, vice president strategy at Thales e-Security

Download your copy of the new 2013 Global Encryption Trends Study today.

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations
February 12, 2014, 2:00 pm

What does a security team tell the CEO and board when a cyber attacker steals the company’s IP or shuts down the networks? CISOs face job insecurity because of the difficulty of gathering threat intelligence quickly enough to know the “who,” “what,” “where,” “how” and “why” needed to respond to and resolve an attack. The study reveals that many reports to senior management about a cyber attack are modified, filtered or watered down because the CISO does not have accurate and actionable threat intelligence. What needs to be done? The consensus among the IT security practitioners surveyed is that they need the time and tools to discover and understand the nature of attacks faster and with greater precision. To learn more about the current state of cyber attack responsiveness, we hope you will read Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, sponsored by AccessData. For a copy of the full report, please click here.

The Impact of IT Transformation on Enterprise Computing
February 4, 2014, 3:30 pm

We are pleased to present the findings of The Impact of IT Transformation on Enterprise Computing, sponsored by the Logicalis Corporation and HP. The objective of this research is to better understand how the different stages of IT transformation can affect an organization, the challenges of advancing through each stage and how successful progression can improve an organization’s IT effectiveness, including IT security. (Click to download study)

Cyber Security Incident Response: Are We as Prepared as We Think?
January 21, 2014, 3:00 pm

Why is the CEO the last to know if the company has had a cyber attack? According to the IT experts in our latest study, only 20 percent say they have regular communication with their senior leadership about threats, and only 14 percent say the C-suite takes part in incident response. We hope you will read our latest study, Cyber Security Incident Response: Are We as Prepared as We Think?, sponsored by Lancope, in which IT experts share their insights about the state of incident response. The report can be found at:

2013 Survey on Medical Identity Theft
September 11, 2013, 11:00 pm

We are pleased to announce the release of our 2013 Survey on Medical Identity Theft. This is the fourth year of the study, and as in previous years we find that medical identity theft continues to be a costly and potentially life-threatening crime. However, unlike other forms of identity theft, the thief is most likely to be someone the victim knows very well. In this study of more than 700 victims of this fraud, most cases of identity theft result not from a data breach but from the victim sharing personal identification credentials with family and friends, or from family members taking the victim’s credentials without permission.

We believe that individuals, healthcare organizations and government working together can reduce the risk of medical identity theft. First, individuals need to be aware of the negative consequences of sharing their credentials despite possible good intentions. They should also take the time to read their medical records and explanation of benefits statements to ensure that their information is correct. Second, healthcare organizations and government should improve their authentication procedures to prevent imposters from obtaining medical services and products.
Sponsored by the Medical Identity Fraud Alliance (MIFA), with support from ID Experts, the report can be found at

Live Threat Intelligence Impact Report 2013
August 23, 2013, 2:16 pm

Slow and weak threat intelligence can keep companies from defending against security compromises, breaches and exploits. According to the findings, if actionable intelligence about cyber attacks is available within 60 seconds before a compromise, the average cost of an exploit could be reduced by an average of 40 percent. To learn more about the value of immediate threat intelligence, the current state of threat intelligence and the propensity of organizations to invest in live intelligence solutions, please listen to a webcast featuring Dr. Larry Ponemon and Jeff Harrell of Norse discussing the highlights of the research study, Live Threat Intelligence Impact Report 2013. To listen to the webinar and download a copy of the study, click here.
