Ponemon Institute
Sign Up for the Ponemon News Feed for special reports and important updates regarding privacy and security

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


Research Studies & White Papers: Security

Cyber Security Mega Trends: Study of IT Leaders in the U.S. Federal Government





2010 Access Governance Trends Survey, April 2010, (click to download study) This second annual study examines access governance practices in US organizations. The objective of this study is to track perspectives of IT security and compliance practices about how well they are achieving access governance within their organizations.

2010 Global Cost of a Data Breach, April 2010, (click to download study) For the first time we published the findings from our Cost of Data Breach studies conducted in the US, UK, France, Germany and Australia.

2010 PCI DSS Trends: QSA Insights Report, March 2010, (click to download study) Recommendations and guidance for achieving compliance from Qualified Security Assessors.

Business Case for Data Protection: A Study of CEOs and Other C-Level Executives in the UK, March 2010, (click to download study) This research, sponsored by IBM, explores what senior executives believe to be the value proposition of data protection in their organisations. This is a companion study to the Business Case for Data Protection: A Study of CEOs and C-Level Executives in the US.

Security in the Trenches , March 2010, (click to download study) Sponsored by CA Technologies, this is a comparative study of IT practitioners and executives in the US federal government. The findings reveal different perceptions between these two groups about their departments' and agencies' security posture.

Fifth Annual US Cost of Data Breach, January 2010 (click to download study) Ponemon Institute's annual benchmark study tracking what it costs an organization when it has a data breach.
Cost of a Data Breach: Benchmark Study of UK organisations January 2010 (click to download study) What UK organisations are spending to respond to data breaches and factors that influence the cost.

Security of Data Recovery Operations (December 2009) (click to download study) Many companies send their damaged drives to third-party data recovery services. This study reveals why this may be putting data at risk and what security protocols should be in place before trusting your drives to a third-party.This study was sponsored by DriveSavers.

Cyber Security Mega Trends: Study of IT Leaders in the U.S. Federal Government, November 2009 (click to download study)
Sponsored by CA, the purpose of this study was to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector.  We believe the results of our study will be helpful to government organizations struggling to understand how they should allocate resources to help ensure their information systems are adequately protected. According to senior-level IT executives in various federal organizations, significant areas of information security risks include rapid growth in unstructured data assets, mobility of the federal workforce, cyber terrorism, outsourcing, cloud computing and much more.

The State of Privacy and Data Security Compliance (November 2009) (click to download study) The purpose of this study is to determine if various international, federal and state data security laws improve an organization's security posture. Or, do these regulations create inefficient outcomes such as the misuse of IT resources.

State of the Endpoint, November 2009 (click to download study)
Sponsored by Lumension, this study was conducted to understand if IT operations and security practitioners believe the endpoint is more or less secure today. In addition, this study examines if these two groups have different perceptions about the risk resulting from insecure endpoints to networks and enterprise systems. The scope of this research includes respondents from five countries including: United States, United Kingdom, Germany, Australia and New Zealand. Our study reveals the challenges organizations face in managing endpoint security risk.

Electronic Health Information at Risk, October 2009 (click to download study)
Sponsored by LogLogic, the purpose of the study was to determine from IT practitioners in healthcare organizations how secure they believe electronic patient health records are —especially those records stored in databases. The majority of IT practitioners in our study believe that their organizations do not have adequate resources to protect patients’ sensitive or confidential information.

PCI DSS Compliance Study, September 2009 (click to download study)
Sponsored by Imperva, the purpose of this study is to determine if PCI compliance improves organizational security. In addition, our study seeks to determine how the move to comply with PCI affects an organization’s strategy, tactics and approach to achieving enterprise data protection and security. Findings show that PCI-DSS compliance is perceived as contributing to an organization’s security posture. However, the main obstacle for PCI-DSS compliance is cost. For that reason, compliance is stronger with larger, more budgeted organizations who adopt cost-effective solutions to achieve compliance. 

The Business Case for Data Protection, July 2009 (click to download study)
What do C-level executives really believe is the value proposition of data protection programs? Ponemon Institute surveyed 213 senior executives, including CEOs, on what they believe are the benefits of data protection. While many believe it is to reduce data breaches, fines and lawsuits, CEOs tend to be more positive that data protection can enhance brand and increase customer loyalty. This study was sponsored by Ounce Labs.

Trends in Insider Compliance with Data Security Policies, June 2009 (click to download study)
An independent study to better understand employee compliance with data security policies in the workplace. In this report, we compare findings from the 2007 study on this topic, Data Security Policies are Not Enforced.

The Cost of a Lost Laptop, May 2009 (click to download study)
An independent study on laptop security commissioned by Intel Corporation and conducted by Ponemon Institute analyzes the potential business costs of stolen or lost laptop computers, suggesting that in an era where "the office" can be almost anywhere, good security precautions are essential.

Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil, April 2009 (click to download study)
This study, also sponsored by Dell Corporation, surveyed 3,100 IT experts in six countries to understand how organizations in these countries perceive the risk of a lost or missing laptop. Respondents all agree that the risk of lost or stolen laptops will most likely increase or stay the same over the next 12 to 24 months. This report provides seven steps to prevent the business risk of a lost or stolen laptop.

Business Risk of a Lost Laptop: A Study of U.S. IT Practitioners, April 2009 (click to download study)
Sponsored by Dell Corporation and independently conducted by Ponemon Institute, this study looks at why it is important to understand the business risk of lost or missing laptops, the most significant threats to data security, how the human factor puts laptops and data at risk and what organizations can do to reduce the business risk of a lost or missing laptop.

Data Loss Risks During Downsizing, February 2009 (click to download study)
Sponsored by Symantec, Ponemon Institute independently conducted this national study to understand what employees are doing with the data on the laptops their employer provided them when they leave the organization. Our study reveals that companies are doing a very poor job at preventing fromer employees from stealing data. Only 15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking. If they conduct a review, 45% say it was not ocmplete and 29% say it was superficial.

Fourth Annual Cost of a Data Breach, February 2009 (click to download study)
Ponemon Institute research indicates that data breaches have serious financial consequences on an organization. According to this year’s Ponemon Institute Annual Cost of a Data Breach study, the average cost of a data breach has risen to $202 from last year’s $197 per customer record.   
First conducted over four years ago, our initial study established objective methods for quantifying specific activities that result in direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy. 
The Human Factor in Laptop Encryption: US, UK and Canadian Studies, December 2008 (click to download US study, click to download UK study, click to download Canadian study)
Ponemon Institute conducted this study to understand employees’ perceptions about ensuring that information assets entrusted to their care are effectively managed in encryption environments, especially the use of whole disk encryption on laptop computers. The study also was conducted in the United Kingdom and Canada. The results are published in separate reports. 
2009 Security Megatrends, November 2008 (click to download study)
Organizations trying to determine the best way to ensure sensitive information is protected will benefit from this study, which examines looming threats. Based on interviews with IT experts in operations and information security, the following mega trends were selected for this study: cloud computing, virtualization, mobility and mobile devices, cyber crime, outsourcing to third parties, data breaches and the risk of identity theft, peer-to-peer file sharing and Web 2.0.

Security of Paper Documents in the Workplace, October 2008 (click to download study)
This study dispels the myth that the cause of most or all data breaches is lost or stolen electronic documents. In this study, the vast majority of respondents (80%) who self-reported that their organizations had a data breach, state that they had one or more data breaches in the past 12 months. Forty-nine percent state that one or more of these data breaches involved the loss or theft of paper documents. 

Privacy Breach Index, July 2008 (click to download study)
Ponemon Institute created a benchmarking tool called the Privacy Breach Index (PBI)™ to measure the quality of companies’ response to a data loss or theft, especially when it concerns information about people and their families. The Privacy Breach Index (PBI) benchmark tool  is compiled from surveys completed by individuals in the data protection, IT security and compliance professions who have the expertise or experience to assess their organizations’ quality of response following an organization’s breach incident. Each participant in the survey self-reported that their organization had a data breach involving the loss or theft of customer, consumer or employee data in the past 24 months.

Airport Insecurity: The Case of Lost and Missing Laptops; U.S. and EMEA Results, July 2008 (click to download study)
Companies depend on their employees being able to access information from wherever they are. But because so much sensitive information is placed on laptops, there’s a great risk of a data breach if one of those laptops is lost or stolen. The findings of this study are important in helping companies understand what should be done to protect the information on laptops and reduce the possibility employees will lose laptops while traveling. 

Study on the Uncertainty of Data Breach Detection: Report of IT Practitioners in the United States, UK, France and Germany, June 2008 (click to download US study, click to download UK, France and Germany study)
IT practitioners in the US, UK, France and Germany were surveyed on how their organizations detect a breach and then gather all the facts to make informed decisions about how to respond to the incident. Results of the UK, France and Germany studies are presented in separate reports. Typically, organizations address mainframe data security risks by locking down applications to keep unauthorized outside users from accessing them. However, this doesn’t address threats from the inside, and the survey of IT practitioners showed very few companies have the ability to detect inappropriate action by insiders. According to 75 percent of respondents, their organizations have had data breaches caused by negligent insiders and 26 percent had a breach caused by a malicious insider. 

Survey on the Governance of Unstructured Data, June 2008 (click to download study)
Unstructured data (audio/video files, scans, software code, documents, e-mails etc.) is produced at an astounding rate -- yet few organizations have implemented automated solutions to address its governance. The purpose of this study was to highlight how organizations control and protect unstructured data and what is needed to help ensure its protection.

The Ignored Crisis in Data Security: P2P File Sharing, April 2008 (click to download study)
The explosive growth of peer-to-peer or P2P file-sharing networks has dramatically increased the risk to data stored on computers because when users put software on their computers to share music and movies, they can easily share their hard drive and its contents. This study showed that IT security practitioners may be underestimating the risk. It’s believed six trends are contributing factors.

U.S. Enterprise Encryption Trends, March 2008 (click to download study)
The average cost of data breaches continues to rise, now averaging $6.3 million. To protect customer information and eliminate the potential consequences of a breach, businesses are encrypting sensitive data. This study focused on identifying trends in encryption use, including which applications are being used, how much organizations are spending on key management, and whether leading IT organizations are adopting a strategic approach to encryption.

Consumers’ Report Card on Data Breach Notification, March 2008 (click to download study)
This study was conducted to learn whether consumers who were notified of a data breach involving their personal information were satisfied with the organizations’ response and transparency. The survey required consumers who had received such notifications to share their thoughts about several critical issues related to the organization’s response. A response effort viewed negatively by customers can have substantial negative consequences for a company. 

National Survey on Access Governance: U.S. Study of IT Practitioners, February 2008 (click to download study)
According to recent Ponemon Institute research, insider threats represent one of the most significant information security risks for organizations. Failing to properly control access for employees, temporary employees, contractors and partners is one reason why insiders inadvertently cause information destruction, leakage, or theft. The objective of the study is to learn how well access governance is being achieved.  

Anatomy of a Lost Laptop Survey, January 2008 (click to download study)
What happens when an organization loses a laptop computer that may contain sensitive or confidential information? Ponemon Institute, with sponsorship from Cyber Angel, decided to conduct a study to learn what happens.  What we learned in our Anatomy of a Lost Laptop Survey is that laptop loss or theft is considered a pervasive problem for organizations. According to survey respondents, organizations lack basic controls necessary controls to prevent or curtail the loss of portable devices containing sensitive information.