Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


Fear and Loathing in Online Advertising
May 3, 2010, 2:21 pm

Have you ever seen an interactive advertisement while browsing around on the Web and, even though it was from a brand that you recognized promoting a product, service or event that you found interesting, you simply refused to click on the image because of a nagging sense of trepidation? What really lies beyond that alluring digital veil? Is the offer worth the risk? What of my digital privacy might I be giving up by responding to that message?

Me too… and according to our latest study, those fears are not lost on industry.

We talked to senior marketing executives – decision makers and check signers – with 90 organizations from a broad spectrum of industries that are actively engaged in online marketing. In total these firms account for more than $3 billion in annual revenue, and they believe wholeheartedly in the efficacy of the medium. According to our research, 63 percent of those we surveyed said behavioral advertising generated their greatest return on investment.

Yet 98 percent told us that, because of consumers’ privacy fears, their companies are curtailing investments in online behavioral targeting. These companies are willing to sacrifice the revenue they believe they can generate through an online campaign rather than risk the potential hit to brand reputation for being as aggressive as they would like to be. Overall that curtailment has kept more than $600 million out of the behavioral targeting industry.

Looking beyond the financial impact, the results of this study strongly suggest that, contrary to what some might say, self-regulation works. I don’t mean to suggest that consumer and privacy advocates are acting like Chicken Little when they lobby regulators with dire messages and thinly veiled accusations of treachery directed at the behavioral targeting industry. To the contrary; in order for self-regulation to work effectively there needs to be a rigorous and active dialog that includes industry and consumer advocates as well as the engagement of an objective regulatory body.
The goal of that dialog should not be to force the unconditional surrender of the so-called opposition, but the development of true solutions to the very real potential for misuse or unintended abuse of personal information. Consumers have long benefitted from advertising in its many forms. Radio, television, print, and a great deal of online content is made freely available because of the revenue generated by the sale of advertising space.
As we conclude in our report, “the Internet advertising community should work closely with the privacy community and regulators to find ways that substantially reduce the public’s fears about actual and perceived privacy risks when responding to behaviorally targeted ads. To this end, better disclosure models, consumer education, effective consent mechanisms and enabling technologies will help advance the cause of safe and effective Internet advertising.”
Has your company spent less online because of these fears? Do you think behavioral advertising self-regulation is working in favor of the consumer? Do you want to see more or less regulation of this industry? Let us know what you think.
eGov Initiative Not Without Risk to Citizen Data
November 19, 2009, 7:36 am

The eGovernment movement is a good thing, and maybe too long in coming given how many years businesses have been taking advantage of technology to provide convenience and a higher quality of service to their customers. Constituent services have been available online for years, certainly, but only recently has the effort to modernize government been policy.

Thank You, Friends of the Ponemon Institute!
July 20, 2009, 3:36 pm

A warm thank you to everyone who made this past weekend's RIM Renaissance a success. The discussions were lively and productive, and I think we all came away just a little bit smarter as a result of the candor. We do appreciate the enthusiasm that seems to pervade these events, and the willingness to put aside your valuable time to join with us on these annual occasions, as well as the ongoing conversations that take place throughout the year.

More Employees Ignoring Data Security Policies
June 10, 2009, 4:38 pm

Does it surprise you to learn that, according to our recent study, Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, employee compliance with corporate data security policies is on the wane?

Why do you think this is? I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.

Dr. Ponemon's Blog
April 6, 2009, 5:02 pm

Welcome to my new blog. I look forward to sharing some of our thought provoking research. I also look forward to receiving your comments and questions. Stay tuned.

2010 Security in the Trenches
April 14, 2010, 10:23 am

We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.

Think Before you Cloud
May 13, 2010, 9:02 am

A few years ago, when wireless networking was still relatively new, there were numerous reports of enterprising employees who, frustrated with the pace of new technology integration in their workplace, took it upon themselves to deploy rogue access points – often hidden behind furniture or above drop-down ceiling panels – in order to provide convenient mobility around the office.

Best Practices in Data Protection Study Released
November 4, 2011, 7:09 pm

Sponsored by McAfee, the Best Practices in Data Protection survey is our latest effort to find out what separates the best organizations from the rest. We believe this study is important because it provides insights on how organizations can be more successful when investing in and building a data protection program. The study's findings reveal five success factors in a data protection program:

  1. A formal data protection strategy for the organization, and metrics to determine whether the strategy is effective.
  2. Key metrics from a management console, together with observation and regular testing of data protection solutions.
  3. Data protection technology features that focus on privileged users, restriction of access and outbound communications, which respondents consider critical.
  4. Centralized management of the data protection program, with such features as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
  5. Automated policies for detection and prevention of end-user misuse of information assets.



Ponemon Releases Cloud Service Provider Study
May 2, 2011, 4:51 pm

Last week with CA Technologies we issued the results of a study of cloud service providers and their views on cloud security. There has been a lot of interest in this study. Readers have reviewed the results and responded with some very good questions and comments. In a nutshell, people – including us – were surprised by the results, which showed that cloud providers didn’t put security as the No. 1 concern in providing their services.

Are we taking adequate steps to protect the critical infrastructure?
April 3, 2011, 11:06 am

Last week I presented the results of our latest study entitled, "The State of IT Security: A Study of Utilities and Energy Companies." Sponsored by Q1 Labs, this research revealed that utilities and energy companies in our study are more concerned about preventing downtime than stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization's existing controls are designed to protect against exploits and attacks through the smart grid. For more information about this study, please contact


Cost of a data breach climbs higher
March 8, 2011, 10:00 am

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

Listen to a new podcast on the True Cost of Compliance study
March 7, 2011, 9:31 am

Dear friends and colleagues,

Please listen to a recent podcast on the True Cost of Compliance study completed last month. Martin McKeay at Network Security Blog did a great job conducting this 30 minute interview.

If you would like a copy of the full report, please visit Tripwire's website as follows:


Compliance Like a Club
January 31, 2011, 10:14 am

Have you ever noticed how some organizations wield compliance like a club when marketing their products or services? They remind you of the latest in information security regulations, such as the HITECH Act or Mass 201 CMR 17, and then menacingly predict doom for those who transgress. If you fail to comply, their messages warn like a cross schoolmarm, the boogey man will flash his regulator badge and lower the boom (unless, of course, you buy the appropriate product or service).

Data Center Outages and Data Management
October 14, 2010, 4:12 pm

I hear the collective sound of our friends, colleagues, and other interested parties scratching their heads at the release of the most recent piece of Ponemon Institute research, National Survey on Data Center Outages. You read that right, data center outages.

Information Governance in the Cloud
July 15, 2010, 11:08 am

Just a brief note to bring our recent webinar to your attention. I presented Information Governance in the Cloud along with the good people at Symantec. The presentation is based in part on results from our earlier report, Flying Blind in the Cloud.

If you want to view the webinar, presented on the Windows Live Meeting platform, please click here.

If you have any questions or comments about this issue, our report, or the webinar, we'd love to hear from you.


Integrated, Holistic Security Strategies
July 12, 2010, 8:30 am

Holistic is a popular word these days. Often applied to food and medicine, the word conjures images of natural, healthy living, but the word holistic refers to the function of an entity as a whole, including the interdependence of all its parts. Given this broader meaning, holistic can (and should) be applied when thinking strategically about the way a business organization operates. Successful, well-functioning organizations must adapt to change, be flexible in their relationships, and be innovative in their approach to business. They must not only have the capacity to react to change, but to anticipate change and act innovatively.

Crowe Horwath & Ponemon release HITECH study
November 21, 2009, 11:49 am

I am delighted to share with you our recently completed benchmark study that focuses on healthcare organizations and their ability to comply with new regulations. Of 77 participating covered entities and business associates, 27 percent have not started or are barely aware of what they need to do, 32 percent are waiting for more details, 14 percent have a plan but are waiting for more details, and 21 percent are just starting to act. This data was collected from June through October 2009. If you are affected by the HITECH Act, this benchmark study may be helpful to you.

The True Cost of Compliance: A Benchmark Study of Multinational Organizations
January 5, 2011, 4:04 am

While the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater.

2010 Access Governance Trends Survey
January 18, 2010, 4:01 pm

This second annual study examines access governance practices in US organizations. The objective of this study is to track perspectives of IT security and compliance practitioners about how well they are achieving access governance within their organizations.

Annual Privacy Trust Study for Retail Banking
January 17, 2008, 11:01 am

It should come as no surprise that trust is increasingly important in customers’ loyalty to their bank. While overall trust in the industry is down, banks that experienced a significant data breach also experienced a significant decline in their trust scores. This study also reveals there is a correlation between customers’ trust and how long they remain with the same bank. Customers expect their bank to have protective measures in place to guard their data. If that expectation is not met, they will change banks.

What Auditors Think about Crypto technologies
March 18, 2011, 4:01 pm

Sponsored by Thales eSecurity
The purpose of this study was to identify what auditors think about crypto technologies as they apply to data protection and compliance activities in public and private organizations. Seventy-one percent of respondents believe that an organization’s information assets cannot be fully protected without the use of crypto solutions.

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition sponsored by Silver Tail Systems
October 2, 2012, 2:05 am

2011 Second Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies
August 10, 2011, 10:01 am

Despite widespread awareness of the impact of cybercrime, cyber attacks continue to occur frequently and result in serious financial consequences for businesses and government institutions.

