Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.



Welcome to my new blog. I look forward to providing interesting content from our latest research studies. Please stay tuned for some very thought-provoking research!

Cost of a data breach climbs higher
March 8, 2011, 10:00 am

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only the direct costs of a data breach, such as notification and legal defense costs, that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.

Rapid response to data breach costs more. For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more.

Fueling this rush to notify is compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws. It seems that U.S. companies have this urgency to just get the notification process over with. Unfortunately, these companies are in such a hurry to do the right thing and notify victims that they end up over-notifying. This causes customers who are not actually at risk to lose trust in the company, and abnormal customer churn increases. Companies that take a more surgical approach and spend the time on forensics to determine which customers are actually at risk and require notification ultimately spend less on data breaches.

Malicious or criminal attacks are causing more breaches. This year malicious attacks were the root cause of 31 percent of the data breaches studied. This is up from 24 percent in 2009 and 12 percent in 2008. The significant jump in malicious attacks over the past two years is certainly indicative of the worsening threat environment. Malicious attacks come from both outside and inside the organization, ranging from data-stealing malware to social engineering.

What’s more, these data breaches are the most expensive. Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they’re trying to profit off the breach.

However, it’s not always the bad guys doing bad things that cause data breaches. It’s often your best employees making silly mistakes. Negligence is still the leading cause of data breaches at 41 percent.

There is good news. Companies are more proactively protecting themselves from malicious threats. Three response characteristics increased in frequency: the number of organizations responding quickly (within 30 days), those putting CISOs in charge of data breach response, and those with an above-average IT security posture. Moreover, breaches due to systems failures, lost or stolen devices and third-party mistakes all fell. And, average detection and escalation costs went up by 72 percent, suggesting that companies are investing more resources in prevention and detection. Taken together, these figures may indicate organizations are taking more active steps to thwart hostile attacks.

So, what’s a company to do with all of this data breach cost information? Calculate your potential cost of a data breach. This year, in conjunction with the report, Symantec and the Ponemon Institute have launched the Data Breach Risk Calculator. This free online tool lets companies connect the dots between all of this research and what it really means to them. The Data Breach Risk Calculator lets you estimate how a data breach could impact your company. You can check it out at

Listen to a new podcast on the True Cost of Compliance study
March 7, 2011, 9:31 am

Dear friends and colleagues,

Please listen to a recent podcast on the True Cost of Compliance study completed last month. Martin McKeay at Network Security Blog did a great job conducting this 30-minute interview.

If you would like a copy of the full report, please visit Tripwire's website as follows:


Compliance Like a Club
January 31, 2011, 10:14 am

Have you ever noticed how some organizations wield compliance like a club when marketing their products or services? They remind you of the latest in information security regulations, such as the HITECH Act or Mass 201 CMR 17, and then menacingly predict doom for those who transgress. If you fail to comply, their messages warn like a cross schoolmarm, the boogey man will flash his regulator badge and lower the boom (unless, of course, you buy the appropriate product or service).

Poor Privacy Practice is Ailing Healthcare Industry
November 9, 2010, 6:05 am

It has been more than six years since the ChoicePoint data breach thrust the issue of privacy protection into the headlines. Since then hundreds of information security failures have been disclosed and the tools and techniques used to keep sensitive information safe have advanced at a healthy pace. Recent incidents in the healthcare industry, however, strongly suggest that best practices have not been universally adopted.

Data Center Outages and Data Management
October 14, 2010, 4:12 pm

I hear the collective sound of our friends, colleagues, and other interested parties scratching their heads at the release of the most recent piece of Ponemon Institute research, National Survey on Data Center Outages. You read that right, data center outages.

Information Governance in the Cloud
July 15, 2010, 11:08 am

Just a brief note to bring our recent webinar to your attention. I presented Information Governance in the Cloud along with the good people at Symantec. The presentation is based in part on results from our earlier report, Flying Blind in the Cloud.

If you want to view the webinar, presented on the Windows Live Meeting platform, please click here.

If you have any questions or comments about this issue, our report, or the webinar, we'd love to hear from you.


Integrated, Holistic Security Strategies
July 12, 2010, 8:30 am

Holistic is a popular word these days. Often applied to food and medicine, the word conjures images of natural, healthy living, but the word holistic refers to the function of an entity as a whole, including the interdependence of all its parts. Given this broader meaning, holistic can (and should) be applied when thinking strategically about the way a business organization operates. Successful, well-functioning organizations must adapt to change, be flexible in their relationships, and be innovative in their approach to business. They must not only have the capacity to react to change, but also to anticipate change and act innovatively.

Benchmarking Information Security Efficiency
July 1, 2010, 4:07 pm

Recently the Ponemon Institute completed a new project, the Security Efficiency Benchmark Study, the purpose of which was to learn what IT security leaders in the UK and Europe think are the key components of an efficient and effective security operation. In other words, we wanted to know what is necessary for achieving data security goals and protecting information assets and infrastructure.

Think Before you Cloud
May 13, 2010, 9:02 am

A few years ago, when wireless networking was still relatively new, there were numerous reports of enterprising employees who, frustrated with the pace of new technology integration in their workplace, took it upon themselves to deploy rogue access points – often hidden behind furniture or above drop-down ceiling panels – in order to provide convenient mobility around the office.

Fear and Loathing in Online Advertising
May 3, 2010, 2:21 pm

Have you ever seen an interactive advertisement while browsing around on the Web and, even though it was from a brand that you recognized promoting a product, service or event that you found interesting, you simply refused to click on the image because of a nagging sense of trepidation? What really lies beyond that alluring digital veil? Is the offer worth the risk? What of my digital privacy might I be giving up by responding to that message?
