Growing Risk of

Advanced Threats

Sponsored by NetWitness
Independently conducted by Ponemon Institute LLC
Publication Date: 30 June 2010

Ponemon Institute© Research Report

 Growing Risk of Advanced Threats
Study of IT Practitioners in the United States
Ponemon Institute, 30 June 2010

I. Executive Summary

Ponemon Institute and NetWitness are pleased to present the results of a comprehensive study on
advanced threats. While the definition of what constitutes an advanced threat still varies within the
industry, for purposes of this research we have defined an advanced threat as a methodology employed
to evade an organization’s present technical and process countermeasures which relies on a variety of
attack techniques as opposed to one specific type.

The predominant majority of these threats are represented by unknown, zero-day attacks, but there are
increasingly many instances where known attacks are being re-engineered and repackaged to extend
their usefulness. According to the IT and IT security practitioners in our study, the issue of advanced
threats is of growing concern – with 83 percent stating that they believe their organization has been the
target of such threats in the recent past.

According to our study, the top two problems organizations face in managing advanced threats are
insufficient intelligence and the proper security technologies. The majority of respondents also believe
that advanced exploits and malware have successfully evaded the anti-virus (AV) and intrusion detection
system (IDS) technologies they primarily rely upon to prevent attacks against their information systems. .

In addition to the difficulty in preventing advanced threats, the study reveals how slow organizations are
to detect them. It takes one month or longer before an advanced threat is detected, according to 46
percent of respondents which leaves a very large window of opportunity for any type of nefarious activity.
As documented in Ponemon Institute’s Cost of a Data Breach studies, the theft of sensitive and
confidential information about customers, employees and business partners can result in devastating
1
economic consequences.

We surveyed 591 IT and IT security practitioners (hereafter referred to as IT practitioners) located in the
United States. We queried these individuals about the following topics:

ƒ Are advanced threats a major, growing problem for organizations?

ƒ Are organizations ready to deal with advanced threats against their organization?
ƒ What is most at risk to an organization when it does not detect an advanced threat?
ƒ What are key problems in managing advanced threats that target their organization and what should
organizations do?

Following is a summary of the most salient findings from our study. We expand upon each one of these
findings in the following section of this paper.

ƒ Advanced threats seem to be pervasive and growing. 83 percent of respondents believe their
organization has been the target of an advanced threat. 71 percent believe they have seen an
increase in advanced threats over the past 12 months and 70 percent say that advanced threats
suggest a new, more dangerous threat landscape.

ƒ Uncertainty about the frequency of attacks indicates the difficulty in detecting them. 44 percent
of respondents believe they were frequent targets of such threats. However, 41 percent say they
were unable to determine how frequently they were targeted, indicating a lack of the proper
intelligence required to pinpoint these threats.

1
See the 2009 Cost of Data Breach: US Study, Ponemon Institute January 2010.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 1
ƒ Sensitive data is targeted. 50 percent believe the targets of advanced threat attacks were sensitive
proprietary data such as source code, non-financial business confidential information and financial
information. 48 percent believe the targets were PII including customer or consumer information and
employee records.

ƒ Organizational commitment and understanding of the changing threat environment is lacking.

Only 24 percent of respondents strongly agree or agree that prevention or quick detection of
advanced threats is a top security priority in their organization. Further, only 19 percent believe their
IT leaders are fully aware of advanced threats and how they can negatively impact the enterprise.

ƒ Policies and procedures exist but support from personnel and technology seems to be
inadequate to address the problem. More than half (58 percent) of respondents believe they have
the procedures and policies in place to defend against advanced threats. However, only about one-
third (32 percent) report that their security-enabling technologies are adequate and only 26 percent
report security personnel are adequate to deal with advanced threats.

ƒ Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach
because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day
or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a
huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent
believe that advanced threats are very difficult to prevent, detect and resolve.

ƒ The most effective technologies have yet to be deployed. 92 percent of respondents believe
network and traffic intelligence solutions are essential, very important or important. Yet, only 8
percent say these technologies are their first choice to detect or prevent an advanced threat. 69
percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to
detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either
evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded
their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing
their IDS and AV systems to be advanced threats.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 2
II. Key Findings

This section provides details about our most important findings. We organized the paper according to four
major themes that emerged from the findings. These are: attributions about advanced threats; why
organizations face a growing security problem; the lack of preparedness to deal with advanced threats;
and the difficulty in detecting advanced threats. Whenever feasible, we provide a simple graph to
illustrate the result. A tabular presentation may be provided as an alternative illustration when the result is
too complex to graph.

Attributions about advanced threats

Table 1 reports IT practitioners’ agreement with six attributions about their organizations’ approach to
dealing with advanced threats. These findings indicate that respondents are aware of the risk of
advanced threats, but are not prepared to deal with them because of insufficient resources and
personnel.

Table 1: Attributions about Advanced Threats Strongly

Agree Agree
My organization has enabling security technologies that effectively
prevent or quickly detect advanced threats. 13% 19%
My organization has sufficient resources to prevent or quickly detect
advanced threats. 15% 20%
My organization has security personnel who are well trained and able
to identify and resolve advanced threats. 11% 16%
In my organization, IT leaders are fully aware of advanced threats and
how they can negatively impact the enterprise. 8% 11%
In my organization, the prevention or quick detection of advanced
threats is a top security priority. 10% 14%
My organization is more likely than most other companies to be the
target of advanced threats. 24% 24%

As shown above, 48 percent strongly agree or agree that their organization is more likely than most other
organizations to be the target of advanced threats. However, less than one-third strongly agree or agree
that their organization has enabling security technologies that effectively prevent or quickly detect
advanced threats (32 percent) or resources to prevent or quickly detect advanced threats (35 percent).

Advanced threats are an increasing problem

As shown in Bar Chart 1, 19 percent of respondents say that absolutely their organization has been the
target of an advanced threat. Twenty-eight percent say it is very likely and 36 percent say it is likely. Only
12 percent say it is possible they had an attack and 5 percent say they never had an attack.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 3
 Bar Chart 1: Likelihood the organization has been a target

Bar Chart 2 reports 44 percent of respondents believe their organization has been the target of an
advanced threat all the time (12 percent), most of the time (17 percent) or some of the time (15 percent).
However, almost the same percentage (41 percent) can’t determine if they have been the target.

Bar Chart 2: Frequency of advanced threats

The realization that this is a growing threat among IT practitioners is shown in Bar Chart 3, where the
majority of respondents believe attacks are rapidly increasing (35 percent) or increasing (36 percent).

Bar Chart 3: Perceived change over the past 12 months

As shown in Bar Chart 4, the primary consequences of an advanced threat are IT downtime (51 percent),
theft of intellectual property (45 percent) and theft of confidential or sensitive information (44 percent).
Thirty percent report that nothing happened.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 4
 Bar Chart 4: What happened as a result of advanced threats

Bar Chart 5 reports the respondent’s views on the most frequent attack techniques that have been
employed against their organizations, which are viruses (91 percent), malware (80 percent) and worms
(67 percent). It is important to note that for the purposes of this research, we have defined an advanced
threat as a methodology employed to evade an organization’s present technical and process
countermeasures which relies on a variety of attack techniques as opposed to one specific type.

Bar Chart 5: Attack techniques employed

Bar Chart 6 shows 79 percent strongly agree or agree that advanced threats are very difficult to prevent,
detect and resolve. In addition, 70 percent believe advanced threats suggest a new, more dangerous
threat landscape.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 5
 Bar Chart 6: Perceptions about advanced threats

Organizations do not seem prepared to deal with advanced threats.

There does not appear to be one consistent approach used by IT practitioners to prevent and detect
advanced threats. Specifically, respondents describe their approach for preventing and detecting
advanced threats in Bar Chart 7 as ad hoc (31 percent), a combination of manual procedures and
security technologies (27 percent), mostly a process that relies on perimeter controls such as IDS and AV
solutions (17 percent) and mostly a process that relies on manual controls such as log management
procedures. It is notable that only 8 percent select as their one best choice a process that relies on
network intelligence technologies when considering the findings detailed later in Bar Chart 9.

Bar Chart 7: Process for preventing and detecting advanced threats

Policies and procedures exist but their implementation may be lagging. More than half (58 percent) state
they have the procedures and policies in place to defend against advanced threats (see Bar Chart 8).
However, 50 percent report that their security-enabling technologies are not adequate and 64 percent
report their security personnel are not adequate to deal with the threat.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 6
 Bar Chart 8: Defensive capabilities against advance threats

As shown in Pie Chart 1 below, 51 percent have no dedicated staff to respond to advanced threats and
34 percent have less than two staff members. As revealed throughout these findings, the lack of
personnel who are knowledgeable about advanced threats is making it difficult for IT practitioners to
protect their information systems.

According to Table 2, the key problems organizations in our study face when managing advanced threats
are insufficient intelligence and insufficient technologies. Keeping pace with the rash of sophisticated
attacks is also of concern to more than a quarter of all respondents.

Pie Chart 1: Staff dedicated to advance threats Table 2: Problems managing advance threats

What are the key problems you

face in managing advanced
threats that target your
organization? Pct%
Insufficient intelligence about
threats 45%
Insufficient security technologies 39%
Insufficient resources 37%
Lack of well trained or
experienced personnel 36%
Keeping pace with the rash of
sophisticated attacks 27%
Lack of consistently applied
control procedures 12%
Other 2%

Bar Chart 9 shows 92 percent of respondents believe network or traffic intelligence technologies are
important (24 percent), very important (45 percent), or essential (23 percent) to discovering advanced
threats. Only 8 percent say this technology is not important.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 7
 Bar Chart 9: Importance of network and traffic intelligence

Discovery of advanced threats is difficult

As shown in Bar Chart 10, only 25 percent are very confident (8 percent) or confident (17 percent) that
their organizations have the ability to detect advanced threats, 37 percent are not confident and 7 percent
are unsure. This finding is consistent with the fact that only 8 percent of organizations in our study select
as their first choice a process that relies upon network intelligence technologies. However, 92 percent
believe those technologies to be important or essential in discovering advanced threats. The more
common approach is ad hoc and a combination of manual procedures and security technologies.

Bar Chart 10: Confidence in detection capability

Bar Chart 11 shows different ways organizations detect advance threats. Anti-virus/anti-malware software
(69 percent) and IDS (61 percent) are the two technologies most frequently cited for preventing or
detecting advance threats. 2

2
Cross-tab analysis revealed that respondents who expressed a very confident or confident response in Bar Chart 10
were almost twice as likely to deploy event correlation management software (SIEM) or network intelligence tools
than respondents who are not confident.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 8
 Bar Chart 11: How organizations detect advanced threats
`

Despite the importance of AV and IDS solutions, as noted in Bar Chart 12, more than 79 percent report
that they have experienced situations when exploits and malware have evaded AV solutions and 71
percent report that exploits and malware have evaded IDS solutions.

According to a recent white paper by NetWitness related to the discovery of a large ZeuS botnet labeled
“Kneber”, the botnet “had less than a 10 percent detection rate among all anti-virus products and the
botnet communication was not identified by existing intrusion systems. This compromise, the scope of
global penetration and the shear magnitude of the collected data illustrates the inadequacy of signature-
based network monitoring methods used by most commercial and public sector organizations today.” 3

Bar Chart 12: Exploits and malware evade IDS or AV systems

Percentage Yes response

As noted in Bar Chart 13, less than 9 percent of respondents say their organizations are able to detect
the attack immediately. About 26 percent are able to detect an attack within a few hours (11 percent) or
one day (15 percent). Thirty-nine percent report that it is within 30 days (23 percent) or 60 days (16

3
See: The “Kneber” Botnet: A ZeuS Discovery and Analysis White Paper, NetWitness 2010 p.2.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 9
percent). Only 7 percent of respondents say it takes longer than 60 days, on average, to detect an
advanced threat.

The inability of organizations to respond to advanced threats, such as zero days, can immediately result
in significant business impact, such as data loss, disruption of service and malicious attacks upon critical
infrastructure. The “typical” slower than necessary response is unlikely to change for many respondents
given that only 24 percent believe that prevention or quick detection of advanced threats is a top security
priority within their organizations today (see Table 1). As described above, respondents believe that
advanced threats put customer information at risk and this creates a perfect storm for a costly data
breach. 4
Bar Chart 13: Length of time before an advanced threat is detected

Bar Chart 14 reports the average rank for four threat areas, where four is the highest possible rank and
one is the lowest possible rank in terms of significance if detection does not occur. Clearly, the most
significant risk to organizations is the loss of confidential information followed by the theft of trade secrets.

Unfortunately, it is well known that criminals are profiting from the sale of these types of sensitive and
proprietary business information. The ultimate consequence of these data thefts can be devastating for
any organization.
Bar Chart 14: Risks of an undetected advance threat
Average rank from 4 = most significant to 1 = least significant risk

4
In a study conducted by Verizon Business RISK team, it was shown that data breaches still go undiscovered and
uncontained for weeks or months in 75 percent of the cases they examined. See 2009 Data Breach Investigations
Report, A Study Conducted by the Verizon Business RISK team.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page10
Bar Chart 15 shows the data most at risk are customer or consumer information or intellectual property
such as source code, followed by intellectual property such as source code. Employee records and
financial information appear to be at a lower risk level.

Bar Chart 15: Data is most at risk due to advance threats

III. Final Thoughts & Recommendations

The findings of our research suggest a growing awareness among IT practitioners of the problem of
advanced threats. However, there appears to be a series of problems in confronting the issue:

• In the view of our respondents, senior management does not appear to understand the seriousness
of the threat nor do they appear to be making the issue a top priority.

• Those surveyed believed that they had the proper processes in place but lacked the appropriate
resources, skill sets and technologies needed to combat the problem.

• Detection is a major concern amongst IT practitioners. While most of those surveyed felt confident
that their organizations were the target of advanced threats, nearly half were unable to determine
accurately how frequently they were targeted.

• The two most heavily relied upon technologies for combating advanced threats are Anti-Virus and
IDS but the vast majority of respondents believe that these technologies are inadequate in detecting
these types of threats. Further, they say their A/V and IDS solutions are being bypassed.

• There is overwhelming majority consensus that network and traffic intelligence solutions are needed
to detect and combat advanced threats but only a very slim minority currently have these solutions in
place.

We believe there are four important recommendations for organizations:

1. Senior management must be educated on the seriousness of the advanced threats issue in order to
garner support for the investments in people and technology required to combat the problem.

2. There is a need to train existing security teams and hire new team members in advanced threat
detection techniques.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page11
3. Over reliance on A/V and IDS solutions has weakened the collective security posture as these
solutions cannot stand up in the face of the advanced threats we now see.

4. New solutions focused on network and traffic intelligence are seen as the best way to combat
advanced threats and much broader adoption is required.

IV. Methods and Demographics

A sampling frame of nearly 12,000 adult-aged individuals who reside within the United States was used to
recruit and select participants to this survey. Our randomly selected sampling frame was built from
several proprietary lists of experienced IT and IT security practitioners. In total, 702 respondents
completed the survey. Of the returned instruments, 111 surveys failed reliability checks. A total of 591
surveys were used as our final sample, which represents a 5 percent response rate.

Table 3: Sample response Freq. Pct%

Total sampling frame 11,930 100%
Invitations sent 10,991 92%
Bounce-back 1,816 15%
Total response 702 6%
Rejections for reliability 111 1%
Final sample 591 5%

Pie Chart 3 reports the primary industry sector of respondents’ organizations. As shown, the largest
segments include financial services (19 percent), government (16 percent), and healthcare (11 percent).

Pie Chart 3: Industry distribution of respondents’ organizations

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page12
Table 4 reports the respondent organization’s global headcount. As shown, a majority of respondents
work within companies with more than 1,000 employees. Over 51 percent of respondents are located in
larger-sized companies with more than 5,000 employees.

Table 4: The worldwide headcount of your organization? Pct%

Less than 500 people 11%
500 to 1,000 people 14%
1,001 to 5,000 people 25%
5,001 to 25,000 people 28%
25,001 to 75,000 people 19%
More than 75,000 people 4%
Total 100%

Table 5 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents
are located in the organization’s IT department (led by the company’s CIO). Seventeen percent report to
the company’s security officer or CISO.

Table 5: Respondent’s primary reporting channel Pct%

Chief Financial Officer (CFO) 3%
Chief Technology Officer (CTO) 7%
Chief Information Officer (CIO) 52%
Chief Information Security Officer (CISO) 17%
Compliance Officer 7%
Chief Security Officer (CSO) 4%
Chief Risk Officer 7%
Other 2%
Total 100%

Table 6 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States, Canada
and Europe.

Table 6: Geographic footprint of respondents’ organizations Pct%

United States 100%
Canada 63%
Europe 65%
Middle east 16%
Asia-Pacific 29%
Latin America 31%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page13
Table 7 reports the approximate position level or title of respondents. As shown, a majority of
respondents state they are at or above the supervisory level (56 percent). The mean experience of
respondents in this study is 11.12 years and the median is 10.5 years.

Table 7: Respondent’s self-reported position level Pct%

Senior Executive 1%
Vice President 2%
Director 17%
Manager 21%
Supervisor 15%
Technician 32%
Staff 5%
Contractor 5%
Other 3%
Total 100%

V. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most Web-based
surveys.

 Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.

 Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a Web-based collection method, it is possible that non-Web responses by mailed survey or
telephone call would result in a different pattern of findings.

 Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide a truthful response.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page14
 Appendix I: Survey Details
The survey was conducted in April and May 2010. Our sampling frame includes qualified IT and IT security
practitioners located in business and government organizations in the United States.

Sample response Freq. Pct%

Total sampling frame 11,930 100%
Invitations sent 10,991 92%
Bounce-back 1,816 15%
Total response 702 6%
Rejections for reliability 111 1%
Final sample 591 5.0%

I. Background
Q1a. Have you experienced situations when exploits and malware
have evaded your IDS? Pct%
Yes 71%
No 10%
Unsure 19%
Total 100%

Q1b. Have you experienced situations when exploits and malware

have evaded your AV solutions? Pct%
Yes 79%
No 9%
Unsure 12%
Total 100%

Q1c Do you consider these any of these exploits as an advanced

threat? Pct%
Yes 91%
No 9%
Total 100%

Q1d. What other terms are used to describe an advanced threat?

Please select all that apply. Pct%
Advanced persistent threat 50%
Emerging threat 41%
Spear-phishing 38%
SQL Injection 33%
Cyber warfare 25%
Continuous attack 21%
Cyber terrorism 21%
Denial of service attack 19%
Other 9%
Total 257%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page15
II. Attributions
Please rate your opinions for Q2a to Q2f using the scale provided
below each statement. Strongly agree Agree
Q2a. My organization has enabling security technologies that
effectively prevent or quickly detect advanced threats. 13% 19%
Q2b. My organization has sufficient resources to prevent or quickly
detect advanced threats. 15% 20%
Q2c. My organization has security personnel who are well trained
and able to identify and resolve advanced threats. 11% 16%
Q2d. In my organization, IT leaders are fully aware of advanced
threats and how they can negatively impact the enterprise. 8% 11%
Q2e. In my organization, the prevention or quick detection of
advanced threats is a top security priority. 10% 14%
Q2f. My organization is more likely than most other companies to be
the target of advanced threats. 24% 24%
Average 14% 17%

III. Experience
Q3a. Has your organization been the target of an advanced threat? Pct%
Absolutely 19%
Very likely 28%
Likely 36%
Possible [Go to 4a] 12%
Never [Go to 4a] 5%
Total 100%

Q3b. To the best of your knowledge, how often has your organization
been the target of an advanced threat over the past 12 months? Pct%
All the time 12%
Most of the time 17%
Some of the time 15%
Rarely 9%
Never 6%
Can’t determine 41%
Total 100%

Q3c. How has the frequency or rate of advanced threats changed

over the past 12 months. Pct%
Rapid increase 35%
Increase 36%
No change 15%
Decrease 10%
Rapid decrease 4%
Total 100%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page16
Q3d. What happened to your organization as a result of an advanced
threat? Please select all that apply. Pct%
Nothing happened 30%
IT downtime 51%
Business interruption 26%
Theft of confidential or sensitive information 44%
Theft of intellectual property 45%
Damage to IT infrastructure 6%
Damage to software (source code) 7%
Destruction of information asset 2%
Other 0%
Total 211%

Q3e. What advance threat attack methods or technologies were

unleashed against your organization? Please select up to four most
frequently experienced attack methods. Pct%
Viruses 91%
Worms 67%
Trojans 32%
Botnets 35%
Malware 80%
Phishing scam 26%
Malicious code (SQL injection) 29%
Social engineering 25%
Other 3%
Total 388%

Q3f. Typically, how does your organization detect or discover

advanced threats? Please select up to four most likely discovery
methods. Pct%
Warning from law enforcement or intelligence agencies 16%
Warning from InfoSec community 21%
Notice from a bona fide CERT 36%
Network or traffic intelligence software 29%
Event correlation management software 28%
Managed or outsourced security provider 25%
Anti-virus & anti-malware software (AV) 69%
Intrusion detection systems (IDS) 61%
Intrusion prevention systems (IPS) 49%
Discovered AT by accident 45%
Other (please specify) 3%

Q3g. Typically, how long does it take you and your organization to Extrapolated
detect an advanced threat? Pct% days
Immediately (zero days) 9% 0.00
Within a few hours 11% 0.02
Within one day 15% 0.15
Within one week 19% 1.33
Within 30 days 23% 6.90
Within 60 days 16% 9.60
More than 60 days 7% 5.04
Total 100% 23.04

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page17
Q4a. How familiar are you with ZeuS? Pct%
Very familiar 20%
Familiar 43%
Not familiar 29%
No knowledge 8%
Total 100%

Familiar & Very

Q4b. Has your organization been the victim of a ZeuS botnet? Overall familiar
Yes 35% 57%
No 26% 34%
Unsure 39% 9%
Total 100% 100%

Q5a. How familiar are you with Spear-Phishing? Pct%

Very familiar 23%
Familiar 49%
Not familiar 22%
No knowledge 6%
Total 100%

Familiar & Very

Q5b. Has your organization been the victim of Spear-Phishing? Overall familiar
Yes 23% 39%
No 41% 51%
Unsure 36% 10%
Total 100% 100%

Q6. With respect to technologies, personnel, policies and resources,

how would you describe your organization’s defensive capabilities
against advanced threats? Adequate Inadequate
Security enabling technologies 32% 50%
Security personnel 26% 64%
Policies & procedures 58% 23%
Budget resources 28% 61%

Q7. Please rate the following statements using the scale provided
below. Strongly agree Agree
Q7a. Nation-state sponsored advanced threats occur frequently. 8% 13%
Q7b. Criminal group sponsored advanced threats occur frequently. 16% 28%
Q7c. Advanced threats suggest a new, more dangerous threat
landscape. 26% 44%
Q7d. Advanced threats are simply another form of computer crime
(i.e., nothing new). 18% 16%
Q7e. Advanced threats are very difficult to prevent, detect and
resolve. 29% 50%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page18
Q8. In what countries do advanced threats come from? Please
select the top five countries from the following list. Pct%
China (PRC) 25%
Russian Federation 14%
Romania 10%
Brazil 9%
Czech Republic 6%
UAE (Dubai) 6%
All other countries 28%
Total 100%

Q9. What industries do you see as the most susceptible to an

advanced threat attack? Pct%
Financial services 23%
Technology & software 20%
Communications 13%
Government 11%
Energy 8%
All others 25%
Total 100%

Q10. Has your organization been the target of an advanced threat? Pct%
Absolutely 20%
Very likely 28%
Likely 35%
Possible 17%
Never 0%
Total 100%

Q11a. What is most at risk within your organization as a result of an

advanced threat that goes undetected? Please rank from 1 = most at
risk to 4 = least at risk. Forced rank Rank order
Business disruption and continuity 2.55 3
Damage to critical infrastructure 3.64 4
Loss of confidential information 1.83 1
Theft of trade secrets 1.98 2
Average 2.50

Q11b. What data is most at risk within your organization as a result of

advanced threats that go undetected? Pct%
Intellectual property such as source code 23%
Customer or consumer information 33%
Employee records 15%
Non-financial business confidential information 19%
Financial business confidential information 8%
Others 2%
Total 100%

Q12. Omitted during instrument pretest

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page19
Q13. What level of staffing do you have to respond to advanced Extrapolated
threats throughout the enterprise? Pct% dedicated staff
No dedicated staff 51% 0
Less than 2 34% 0.51
Between 2 and 5 9% 0.32
Between 6 and 10 6% 0.48
Between 11 and 15 0% 0
Greater than 15 0% 0
Total 100% 1.31

Q14. What best describes the process for preventing and detecting
advanced threats in your organization today? Please select one best
choice. Pct%
An “ad hoc” process 31%
Mostly a process that relies on manual controls such as log
management procedures 16%
Mostly a process that relies on perimeter controls such as IDS and
AV solutions 17%
Mostly a process that relies on network intelligence technologies 8%
A combination of manual procedures and security technologies 27%
None of the above. 0%
Total 100%

Q15. Who is most responsible for preventing and detecting advanced

threats against your organization? Pct%
Information technology department 57%
Information security department 23%
Compliance department 12%
Legal department 0%
Business unit managers 5%
Human resource department 0%
Other 3%
Total 100%

Q16. How confident are you that your organization has the ability to
detect to advanced threats that attack your organization? Pct%
Very confident 8%
Confident 17%
Somewhat confident 30%
Not confident 37%
Unsure 7%
Total 100%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page20
Q17. In your opinion, what are the key problems you face in
managing advanced threats that target your organization? Please
select only your top two choices. Pct%
Insufficient intelligence about threats 45%
Insufficient security technologies 39%
Keeping pace with the rash of sophisticated attacks 27%
Lack of consistently applied control procedures 12%
Insufficient resources 37%
Lack of well trained or experienced personnel 36%
Other (please specify) 2%
Total 199%

Q18. How important are network or traffic intelligence technologies

for your organization’s ability to defend itself against advanced
threats. Pct%
Essential 23%
Very important 45%
Important 24%
Not important 8%
Irrelevant 0%
Total 100%

Q19. In your opinion (best guess), what dollar range best describes Extrapolated
the total cost incurred by your organization in the past 12 months to value in
defend it against advanced threats? Pct% $millions
Less than $1 million 7% 0.05
Between $1 to 5 million 9% 0.26
Between $6 to $10 million 15% 1.20
Between $11 to $15 million 23% 3.00
Between $16 to $20 million 20% 3.56
Between $21 to $30 million 15% 3.85
Between $31 to $40 million 5% 1.92
Between $41 to $50 million 2% 0.90
Between $51 to $60 million 0% 0.00
Between $61 to $70 million 1% 0.65
Between $71 to $80 million 0% 0.00
Between $81 to $90 million 1% 0.93
Between $91 to $100 million 0% 0.00
Over $100 million 2% 2.64
Total 100% 18.97

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page21
IV. Your role
D1. What organizational level best describes your current position? Pct%
Senior Executive 1%
Vice President 2%
Director 17%
Manager 21%
Supervisor 15%
Technician 32%
Staff 5%
Contractor 5%
Other 3%
Total 100%

D2. Check the Primary Person you or your IT security leader reports
to within the organization. Pct%
CEO/Executive Committee 0%
Chief Financial Officer (CFO) 3%
Chief Technology Officer (CTO) 7%
Chief Information Officer (CIO) 52%
Chief Information Security Officer (CISO) 17%
Compliance Officer 7%
Human Resources VP 0%
Chief Security Officer (CSO) 4%
Chief Risk Officer 7%
Other 2%
Total 100%

Mean Median
D3. Total years of relevant work experience 11.12 10.5

D4. What industry best describes your organization’s industry focus? Pct%
Communications 7%
Consumer products 6%
Defense 3%
Education 3%
Energy 2%
Financial services 19%
Government 16%
Health & pharma 11%
Hospitality 3%
Industrial 4%
Media 2%
Retail 6%
Services 4%
Technology 5%
Transportation 4%
Other 3%

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page22
D5. Where are your employees located? (check all that apply): Pct%
United States 100%
Canada 63%
Europe 65%
Middle east 16%
Asia-Pacific 29%
Latin America (including Mexico) 31%
Total 304%

D6. What is the worldwide headcount of your organization? Pct%

Less than 500 people 11%
500 to 1,000 people 14%
1,001 to 5,000 people 25%
5,001 to 25,000 people 28%
25,001 to 75,000 people 19%
More than 75,000 people 4%
Total 100%

Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and
privacy management practices within business and government. Our mission is to conduct high quality, empirical
studies on critical issues affecting the management and security of sensitive information about people and
organizations.

As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from
individuals (or company identifiable information in our business research). Furthermore, we have strict quality
standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page23