Research
What Security Professionals Think about Encryption
In this, our first report from Dr. Larry Ponemon and the Ponemon Institute, results from a study show security professionals know what's good for them but don't embrace it.
By Larry Ponemon
Types of data encrypted:
- The most important types of data that should be encrypted for storage and/or transmission are: business confidential documents (57 percent), records containing intellectual property (56 percent), only sensitive customer information (56 percent), accounting and financial information (41 percent) and employee information (35 percent). It is interesting to note that customer and consumer information scored a low 8 percent and 6 percent, respectively.
- The top five types of personal information about a customer, consumer or employee that should be encrypted are health information (72 percent), sexual orientation (69 percent), Social Security number (67 percent), family members (66 percent) and work history (57 percent).
- The bottom five types of personal information about a customer, consumer or employee that should be encrypted are: e-mail addresses (10 percent), home location and telephone (6 percent), educational background (5 percent), interests and preferences (2 percent) and gender (1 percent).
Encryption Increases Confidence in Security
We found that information security and privacy professionals have the most confidence in their organization's security program when it uses encryption as part of an enterprise-wide implementation plan.
To arrive at this finding, we asked respondents, "How confident are you that your organization's security program is sufficient to protect or safeguard sensitive and confidential information?" The item is scored using a numeric adjective scale: respondents placed an X mark on a line ranging from 0 = no confidence to 1 = significant confidence.
Figure 1 shows the subjects' overall percentage responses to this question.
As shown in Figure 1, the distribution peaks between .5 and .6 on the confidence scale. The grand mean for all 735 subjects is .561.
Table 1 provides the frequency of subjects according to how their organizations implement encryption technologies. As noted, only 31 respondents report that their companies have an encryption plan that is applied consistently across the enterprise. In contrast, 348 respondents state that their companies do not use encryption. According to 178 respondents, while they use encryption their companies do not have an implementation plan.
Table 1 also reports the average confidence level for each of the five encryption implementation categories. As shown, the highest confidence level (.82) is achieved by the group of respondents who report that their companies deploy encryption and have an enterprise implementation plan. The lowest confidence level (.51) occurs for respondents who report that their companies do not use encryption.
| Please check one statement that best describes your organization's encryption implementation plan. | Freq | Average Confidence Score* |
|---|---|---|
| We have an overall encryption plan or strategy that is applied consistently across the entire enterprise. | 31 | .82 |
| We have an overall encryption plan or strategy that is adjusted to fit different applications and data types. | 104 | .63 |
| We use encryption for certain types of sensitive or confidential data such as Social Security numbers or credit card accounts. | 74 | .64 |
| We don't have an encryption implementation plan. | 178 | .54 |
| We don't use encryption. | 348 | .51 |
| Grand Mean | 735 | .56 |
Figure 1 shows the distribution (percentage frequencies) of confidence ratings for two groups in Table 1, namely, subjects who deploy encryption and have an enterprise implementation plan (n=31) and subjects whose organizations do not use encryption (n=348). As suggested by the individual responses, companies using encryption as part of an enterprise implementation plan appear to enjoy more confidence in their company's security program than those who do not use encryption.
CSO