2009 Security Mega Trends & Emerging Threats

To help define what the biggest security threats will be to an organization’s sensitive and confidential data over the next 12 to 24 months, Lumension has teamed up with the Ponemon Institute, a leading research firm, to charter our first annual 2009 Security Mega Trends Survey. The survey also outlines key alignments and gaps between two traditionally disparate groups, IT Security and IT Operations, when it comes to these new and emerging threats.


    Presentation Transcript

    • 2009 Security Mega Trends Survey. Independently conducted by Ponemon Institute LLC, November 2008. Sponsored by Lumension. Page 1. Ponemon Institute© Private & Confidential Document
    • About the study
      • The 2009 Security Mega Trends Survey was conducted by Ponemon Institute and sponsored by Lumension to better understand whether certain publicized IT risks to personal and confidential data are, or should be, more or less of a concern for organizations.
      • We asked respondents in IT operations and IT security to consider how eight Security Mega Trends affect organizations today and during the next 12 to 24 months.
      • Based on interviews with IT experts in operations and information security, we selected the following eight Mega Trends for this study: cloud computing, virtualization, mobility and mobile devices, cyber crime, outsourcing to third parties, data breaches and the risk of identity theft, peer-to-peer file sharing and Web 2.0.
    • Security Mega Trends
      Mega Trend 1: Cloud computing
      • Cloud computing refers to distributed computing solutions owned by third parties on data center locations outside the end-user company’s IT infrastructure. The demand for cloud computing is expanding quickly, especially as the cost of remote connectivity decreases.
      Mega Trend 2: Virtualization
      • Virtualization technology allows end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as a hardware authentication token. With one computer, the end-user is able to gain access to separate virtual devices or machines. Virtualization makes server and operating system deployments more flexible and improves the use of storage and systems resources.
      Mega Trend 3: Mobility
      • Organizations are dependent upon a mobile workforce with access to information no matter where they work or travel. Employees can use the following mobile devices when they travel or work at home: laptops, VPNs, PDAs, cell phones and memory sticks. The opportunity to work from home or other locations is a benefit to many employees. In addition, mobility can increase employees’ productivity and as a result improve the organization’s bottom line.
    • Security Mega Trends
      Mega Trend 4: The external threat of organized cyber criminal syndicates
      • The black market for personal records makes data theft an attractive crime for thieves around the world. Cyber crime usually describes criminal activity in which the computer or network is an essential part of the illegal activity. The term is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.
      Mega Trend 5: Outsourcing to third parties
      • Organizations outsource sensitive and confidential customer and employee data to vendors and other third parties to reduce processing costs and improve operating efficiencies. These purposes can include (but are not limited to): marketing and sales campaigns, software application development, call center operations, and mortgage and other credit application processing.
      Mega Trend 6: Data breaches involving personal information are increasing
      • The Federal Trade Commission reports that the number one consumer complaint it receives concerns the theft of identity. In addition to potential fines, organizations risk the loss of customer confidence and trust. Some experts believe that identity theft crimes will increase substantially over the next several years.
    • Security Mega Trends
      Mega Trend 7: Peer-to-peer file sharing
      • P2P file sharing networks allow a group of computers to connect with each other and directly access files from one another’s hard drives. P2P file sharing networks started with Napster by enabling Internet users to share music files. P2P file-sharing networks can cause inadvertent transfers and disclosures of documents that reside on an organization’s computers and laptops. File sharing networks where inadvertent file sharing typically occurs include networks. For example, a sales representative downloads a peer-to-peer music sharing application onto his company-assigned notebook computer. This P2P file sharing network exposes confidential business documents contained on his computer.
      Mega Trend 8: Web 2.0
      • Web 2.0 refers to a plethora of Internet tools that enhance information sharing and collaboration among users. These concepts have led to the evolution of web-based communities and hosted services, such as social networking sites, wikis and blogs. This term does not refer to an update to any technical. Unsupervised monitoring of employees’ use of Web 2.0 applications can result in the loss of critical confidential business data on the Internet. The other risk is that damaging information can be posted about an organization that can negatively affect its reputation.
    • Two Samples
      • Our study utilized two separate sampling frames (panels) built from conference, association and professional certification lists.
      • Web-based survey responses were captured on a secure extranet platform.
      • We utilized two separate samples of U.S. participants:
        – IT operations: 825 (5.7% response)
        – IT security: 577 (5.0% response)
      • Less than 1% rejection rate because of reliability failures.
      • Respondents in both groups were asked to complete the same survey instrument.
      • Margin of error is ≤ 3% on all adjective or yes/no responses for both samples.

      Sample description        IT Operations   IT Security
      Total sampling frames     14,518          11,506
      Bounce-back               3,957           2,109
      Total returns             915             658
      Rejected surveys          90              81
      Final sample              825             577
      Response rate             5.7%            5.0%
    • The Survey Example: Cloud Computing
      Mega Trend 1: Cloud computing
      Cloud computing refers to distributed computing solutions owned by third parties on data center locations outside the end-user company’s IT infrastructure. Consumers of cloud computing services purchase capacity on demand and are not concerned with the underlying technologies used to increase computing capacity. The demand for cloud computing is expanding quickly, especially as the cost of remote connectivity decreases. The services that can be delivered from the cloud have expanded beyond Web applications to include storage, raw computing capability, and access to any number of specialized applications or services.
      Q1a. How familiar are you with cloud computing? Very familiar / Familiar / Not familiar
      Q1b. Does your organization access cloud computing resources or applications? Yes / No / Unsure
    • The Survey – Continued Example: Cloud Computing
      What are the security implications? Experts say the use of cloud computing increases information security risks because the end-user’s organization is unable to control the data management environment.
      • Q1c. Do you believe that cloud computing increases the information security risks within your company? Yes / No (Go to Q2a)
      Q1d. If yes, what is the most significant security risk associated with cloud computing? Please check only one choice:
        – Inability to assess or verify the security of data centers in the cloud
        – Inability to protect sensitive or confidential information
        – Inability to restrict or limit use of cloud computing resources or applications
        – Third parties might be able to access private files without authorization
        – Information may not be properly backed up
        – Downtime as a result of cloud computing failure
        – Other (please specify)
    • The Survey – Continued Example: Cloud Computing
      Mega Trend 1: Cloud computing
      Q1e. If yes, please rate the security risk presented by cloud computing within your organization today. Very low / Low / Moderate / High / Very high
      Q1e. If yes, please rate the security risk presented by cloud computing in your organization within the next 12 to 24 months. Very low / Low / Moderate / High / Very high
    • Mega Trends Comparison of IT Operations and IT Security Samples – Current Outlook
      Line Graph 1a: Security mega trends as perceived today for both samples. Each point reflects the percentage of responses for very high or high security risk at present. (Categories: cloud computing, virtualization, mobility, mobile devices, cyber crime, outsourcing, data breach, P2P file sharing, Web 2.0, malware; series: IT Operations, IT Security; scale 0% to 70%. Plot not recoverable from the transcript.)
    • Mega Trends Comparison of IT Operations and IT Security Samples – Future Outlook
      Line Graph 1b: Security mega trends as perceived in 12 to 24 months for both samples. Each point reflects the percentage of responses for very high or high security risk. (Categories: cloud computing, virtualization, mobility, mobile devices, cyber crime, outsourcing, data breach, P2P file sharing, Web 2.0, malware; series: IT Operations, IT Security; scale 0% to 90%. Plot not recoverable from the transcript.)
    • IT Operations Mega trend risk rating today and 12 to 24 months in the future
      Bar Chart 1a: Mega trends today and in the next 12 to 24 months by respondents in IT operations. Each bar summarizes the combined percentage response for "Very High" and "High" security risks. Values are listed in the chart’s legend order (risk as perceived today, risk as perceived in the next 12 to 24 months).

      Mega trend          Today   Next 12 to 24 months
      Outsourcing         50%     50%
      Mobile devices      45%     48%
      Cyber crime         49%     47%
      Mobility            47%     47%
      Data breach         40%     44%
      Cloud computing     42%     39%
      P2P file sharing    36%     35%
      Web 2.0             35%     31%
      Virtualization      18%     25%
      Malware             24%     22%
    • IT Security Mega trend risk rating today and 12 to 24 months in the future
      Bar Chart 1b: Mega trends today and in the next 12 to 24 months by respondents in IT security. Each bar summarizes the combined percentage response for "Very High" and "High" security risks. Values are listed in the chart’s legend order (risk as perceived today, risk as perceived in the next 12 to 24 months).

      Mega trend          Today   Next 12 to 24 months
      Data breach         65%     66%
      Cyber crime         77%     65%
      Mobility            48%     60%
      Outsourcing         59%     59%
      Cloud computing     61%     58%
      Mobile devices      50%     48%
      P2P file sharing    44%     46%
      Web 2.0             41%     39%
      Malware             41%     39%
      Virtualization      25%     29%
    • Mega Trend: Outsourcing Causes Data Breach
      Bar Chart 2: Security risks due to outsourcing. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                          IT Operations   IT Security
      Sensitive or confidential information may not be properly protected    60%             56%
      Unauthorized parties might be able to access private files             32%             23%
      Increased threat of social engineering and cyber crimes                4%              10%
      Information may not be properly backed up                              2%              3%
      Inability to properly identify and authenticate remote users           1%              3%
    • Cyber Crime Experience
      Bar Chart 3: Did your organization have a cyber attack?

      Response      IT Operations   IT Security
      Yes           55%             92%
      No            32%             5%
      Don't know    13%             3%
    • Mega Trend: Cyber Crime Will Increase
      Bar Chart 4: Security risks due to cyber crime. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                                                   IT Operations   IT Security
      Attack will cause business interruption                                                                         40%             61%
      Attack will result in the loss of sensitive or confidential business information including trade secrets       29%             24%
      Attack will cause the loss of information about employees or customers, thus requiring data breach notification 29%             14%
    • Most Risky Mobile Devices
      Bar Chart 5: Most risky mobile devices. Each bar is the percentage of respondents who selected the device as their highest risk.

      Device                            IT Operations   IT Security
      Laptop computers                  38%             48%
      PDAs and other handheld devices   18%             19%
      Insecure wireless networks        24%             14%
      USB memory sticks                 15%             11%
      Cellular phones                   5%              8%
    • Mega Trend: Mobile Workforce Increases Security Risk
      Bar Chart 6: Security risks due to a mobile workforce. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                            IT Operations   IT Security
      Inability to properly identify and authenticate remote users             62%             59%
      Information may not be properly backed up                                16%             19%
      Third parties might be able to access private files without authorization 11%             10%
      Sensitive or confidential information may not be properly protected      2%              6%
      Increased threat of social engineering and cyber crimes                  9%              3%
    • Confidence in the Ability to Prevent Data Loss
      Bar Chart 7: How confident are you that your current security practices are able to prevent customer and employee data from being lost or stolen? (Responses: Very confident, Confident, Somewhat confident, Not confident, Uncertain; series: IT Operations, IT Security; scale 0% to 45%. Individual values are not recoverable from the transcript.)
    • Mega Trend: Data Breach on the Rise
      Bar Chart 8: Security risks due to a data breach. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                                         IT Operations   IT Security
      Loss of customer or employee information, thus requiring notification of victims                      32%             35%
      Sensitive or confidential information that ends up in the hands of cyber criminals and identity thieves 46%             24%
      Diminished reputation as a result of negative media coverage                                          14%             21%
      Unauthorized parties gain access to private accounts                                                  5%              17%
    • Security Risks Due to Data Breach
      Bar Chart 9: Security risks due to a data breach. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                      IT Operations   IT Security
      Inability to restrict or limit use of cloud computing resources or applications    17%             29%
      Inability to assess or verify the security of data centers in the cloud            40%             24%
      Third parties might be able to access private files without authorization          13%             18%
      Downtime as a result of cloud computing failure                                    1%              13%
      Inability to protect sensitive or confidential information                         29%             12%
      Information may not be properly backed up                                          0%              3%
    • Mega Trend: P2P File Sharing Causes Security Risk
      Bar Chart 10: Security risks due to P2P file sharing applications. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                                                        IT Operations   IT Security
      Use of P2P will result in the loss of sensitive or confidential business information including trade secrets         55%             41%
      Use of P2P will increase the risk of malware or virus infection                                                      20%             30%
      Use of P2P will cause the loss of information about employees or customers, thus requiring data breach notification  16%             20%
      Use of P2P will cause business interruption                                                                          3%              2%
    • Mega Trend: Web 2.0 Use Increases Security Risk
      Bar Chart 11: Security risks due to Web 2.0. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                                                            IT Operations   IT Security
      Use of Web 2.0 will result in the loss of sensitive or confidential business information including trade secrets         64%             34%
      Use of Web 2.0 will cause the loss of information about employees or customers, thus requiring data breach notification  13%             26%
      Use of Web 2.0 will increase the risk of malware or virus infection                                                      14%             23%
      Use of Web 2.0 will cause business interruption                                                                          4%              12%
    • Mega Trend: Virtualization
      Bar Chart 12: Security risks due to virtualization. Each bar is the percentage of respondents who selected the noted information security risk.

      Security risk                                                                  IT Operations   IT Security
      Inability to properly identify and authenticate users to multiple systems      48%             49%
      Third parties might be able to access private files without authorization      33%             28%
      Increased threat of social engineering and cyber crimes                        11%             10%
      Sensitive or confidential information may not be properly protected            3%              9%
      Information may not be properly backed up                                      0%              1%
    • Implications
      • Organizations are faced with a plethora of security threats to their confidential and sensitive data assets. We asked IT operations and security practitioners to rank those they believe have a high or very high risk to sensitive and confidential information. Based on the risks associated with each of these threats, we believe organizations should consider the following solutions:
        – Create and enforce policies that ensure access to private data files is restricted to authorized parties only.
        – Secure corporate endpoints to protect against data leakage and malware.
        – Make sure third parties who have access to your sensitive and confidential information take appropriate security precautions.
        – Train employees and contractors to understand their responsibility in the protection of data assets.
        – Ensure that mobile devices are encrypted and that employees understand the organization’s policies with respect to downloading sensitive information and working remotely.
        – Understand precautions that should be taken when traveling with laptops, PDAs and other data-bearing devices.
    • Conclusion
      • We believe the findings from this study provide organizations with guidance on which threats are more critical than others to address. IT operations and IT security professionals identified outsourcing of sensitive information to third parties, the external threat of organized cyber criminal syndicates, a mobile workforce, data breaches and access to cloud computing as the most significant
    • Samples’ Organizational Characteristics
    • Samples’ Combined Industry Distribution
      Pie Chart 1: Industry distribution of the combined IT operations and IT security samples. (Segments: Financial services, Government, Pharma & Healthcare, Education, Defense, Technology & Software, Hospitality & Leisure, Retail, Professional Services, Telecom, Manufacturing, Research, Energy, Airlines, Entertainment, Transportation. Segment percentages are not recoverable from the transcript.)
    • Sample Characteristics
      The mean experience level for the IT operations sample is 8.9 years and for the IT security sample is 9.4 years.

      Table 2: Organizational level of respondents
      Level                         IT Operations   IT Security
      Senior Executive              1%              0%
      Vice President                2%              2%
      Director                      21%             24%
      Manager                       24%             26%
      Associate/Staff/Technician    45%             39%
      Consultant                    4%              6%
      Other                         2%              3%
      Total                         100%            100%
    • Sample Characteristics
      60% of respondents are male and 40% female.

      Table 3a: Geographic location   Pct%
      Northeast                       20%
      Mid-Atlantic                    19%
      Midwest                         19%
      Southeast                       13%
      Southwest                       14%
      Pacific                         17%
      Total                           100%

      Table 3b: Organizational headcount   Pct%
      Less than 500 people                 2%
      500 to 1,000 people                  4%
      1,001 to 5,000 people                12%
      5,001 to 25,000 people               29%
      25,001 to 75,000 people              34%
      More than 75,000 people              19%
      Total                                100%
    • Ponemon Institute LLC
      The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government. The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations. Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board. The Institute has assembled more than 50 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households. The majority of active participants are privacy or information security leaders.