Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


Privacy Policy

Ponemon Institute, LLC (Ponemon Institute) respects your privacy. Our homepage on the Web is located at The following Privacy Statement details our online privacy practices, including the personal information we collect, how we use it, and your choices. The full text of our privacy policy is available on the Web at /privacy-policy. Registered users may opt-in or opt-out of use of their information at initial registration and then may change that designation with an e-mail to Some Web pages are P3P-enabled, which allows you additional control over your personal information.

We invite you to contact us if you have questions about this policy. You may contact us by mail at the following address:

Ponemon Institute
2308 US 31 North
Traverse City, MI 49686

You also may contact us by e-mail at or call us at 231.938.9900.


Data Collection and Uses

We collect personal information for three types of users. P3P policies declare the data they collect in groups (also referred to as "statements"). This policy contains 3 data groups. The data practices of each group will be explained separately. We do not collect sensitive personal information such as credit card or social security numbers.  We do not knowingly collect information from children under the age of 13 and do not target our Website to children under 13. 

If you choose to participate in a discussion blog on our Website, you will be asked for your title, name, email address and comment. Participation in a blog on our Website is voluntary. Your name, comment and email address are required fields; your title is optional. Your email address will not be shown to the public; however, you should be aware that any personal information submitted, including your name and title or any other information voluntarily provided, can be read, collected, or used by other users. As Public Forums are public and not private communications, you should have no expectation of privacy with regard to any submissions made therein.



1. Group "Guest Group"

We collect the following information:

  • Click-stream data
  • HTTP protocol elements

At the user's option, we may also collect the following data:

  • HTTP cookies

This data will be used for the following purposes:

  • Anonymous user analysis.
  • Anonymous user profiling and decision-making.

This data will be used by us and our agents.

The following explanation is provided for why this data is collected:

Our Web server collects access logs containing this information.

2. Group "RIM Council or NewsFeed Mailing List Registration Group"

We collect the following information:

  • Click-stream data
  • HTTP protocol elements

At the user's option, we also may collect the following data:

  • User's Name
  • Work e-mail address
  • HTTP cookies
  • Business mailing address
  • Work telephone numbers
  • User's Job Title
  • Organization Name
  • Contact Information for the Organization

This data will be used for the following purposes:

  • Completion and support of the current activity.
  • Website and system administration.
  • Research and development.
  • Respond to an inquiry.
  • Send a newsletter or study as requested by the user.

This data will be used by us and our agents.

The following explanation is provided for why this data is collected:

Access to the Ponemon Institute RIM Council members’ Website is only available to registered RIM Council members. In order to access this Website, a registration form must be completed. A username and password are then assigned to the registrant within 48 hours. During the registration process contact information is required, minimally a name and email address. We use this information to contact members about the information, research and services on our site in which interest has been expressed.

Members have the option to provide other contact information such as business mailing address, work telephone numbers, job title, organization name and other contact information for the organization. Members are encouraged to submit this information so we can provide a more personalized service when accessing our site. Ponemon Institute is the sole owner of the information collected on Ponemon Institute collects personally identifiable information from our registered users only at the RIM Council Sign In/Register. Ponemon Institute does not share, sell, rent or trade information collected from our users.

If a user registers for our NewsFeed mailing list, we will collect the user's first and last name and email address. This data is used by us to maintain our NewsFeed list and send the user the requested information.

3. Group "The Privacy Statement Disclosure Group"

We collect the following information:

  • Click-stream data
  • HTTP protocol elements

At the user's option, we may also collect the following data:

  • HTTP cookies

This data will be used for the following purposes:

  • Completion and support of the current activity.
  • Website and system administration.

This data will be used by us and our agents.

The data in this group has been marked as non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from.

The following explanation is provided for why this data is collected:

We use Byte Productions to provide hosting and database management services on our site.  When you sign up for access to the RIM members only portion of the Website, we will share only the information you provide, minimally your contact name and email address as necessary with Byte Productions to provide that service. During the registration process there are two ways for a registrant to indicate an opt-in/opt-out choice. First, during registration the member is asked his or her preference for contact method: Email Only, Phone Only or Email and Phone, or Outlook appointment.  Second, there is a choice as to what information the registrant would like shared. These include: Company Name, Participant Name, Participant Title, Mailing Address, Work Phone, and Work Fax.

Changing your Data/Opt Out of Communications

If your personally identifiable information changes, or if you wish to opt-out of receiving any further communications from our site, or if you wish to delete your registration from our site, you may correct, update, delete or deactivate it by emailing our customer support function available at or by contacting us by telephone or postal mail at the contact information listed previously.


We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. If you have any questions about security on our Website, you can email us at


We reserve the right to disclose personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our Website.

Changes to our Privacy Policy

If we decide to change our privacy policy, we will post those changes to this privacy statement, the homepage, and other appropriate places. This is done to make users aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by email, or by means of a notice on our homepage. Last update of this policy occurred on April 9, 2009.



Our site makes use of cookies. Cookies are used for the following purposes:

  • Site administration
  • Completing the user's current activity
  • Pseudonymous analysis
  • Pseudonym-based decision-making
  • User analysis
  • Research and development

Cookies are a technology that can be used to provide you with tailored information from a Website. A cookie is an element of data that a Website can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. In the members' and admin areas, cookies that identify users’ sessions are placed on the end users’ computers. Server logs also record this identification along with the IP, browser version, and URL of pages viewed. This is necessary for the authentication of users and the maintenance of security. These cookies are temporary and expire once the users’ sessions are over (when they close the browser window). Cookies do not contain username or password information. Ponemon Institute also subscribes to a Web statistical service, which provides a graphical analysis of the server logs (IP, browser version, URL, and other statistical information).


Compact Policy Summary

The compact policy which corresponds to this policy is:


The following table explains the meaning of each field in the compact policy.

Field   Meaning
CP=     This is the compact policy header; it indicates that what follows is a P3P compact policy.
IDC     Access is available to contact information.
DSP     The policy contains at least one dispute-resolution mechanism.
COR     Violations of this policy will be corrected.
CURa    The data is used for completion of the current activity.
ADMa    The data is used for site administration.
DEVa    The data is used for research and development.
PSAa    The data is used for pseudonymous analysis.
PSDa    The data is used for pseudonymous decision-making.
IVAi    The data is used for analysis, including knowledge of the visitor's identity, if the user selects it.
OUR     The data is given to ourselves and our agents.
STP     The data is kept for the stated purpose only.
LEG     Legal requirements specify how long the data will be kept.
BUS     Our business practices specify how long the data will be kept.
IND     The data will be kept indefinitely.
PHY     Physical contact information is collected.
ONL     Online contact information is collected.
COM     Computer information is collected.
NAV     Navigation and clickstream data is collected.
DEM     Demographic and socioeconomic data is collected.

The compact policy is sent by the Web server along with the cookies it describes. For more information, see the P3P deployment guide at

Policy Evaluation

Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie. The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium). In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context. This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.

Note: this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.

Satisfactory policy: this compact policy is considered satisfactory according to the rules defined by Internet Explorer 6. IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.