The security data and survey directory
Security data. Everybody needs it. Lots of companies and organizations are producing it. Here's where to find it.
CSO —
Survey statistics and research studies are a great way to help you recognize impending threats and emerging attack vectors. Data can even help you identify and substantiate the need for specific budgetary increases to the C-suite. So we've compiled this list of where to find research-backed data you can use.
Where possible we've made note of some key facts about each survey to help you decide its potential value: the number and type of respondents, who sponsored the survey (if a security product or service vendor was involved, which could influence the perception of bias), and whether the report requires registration or a fee.
Most recent update: 5/31/2011
Have suggestions about additional data sources? Email CSO editor Derek Slater at dslater@cxo.com. Data sources will be added, removed or modified at the whim of the editor.
Many thanks to Shawna McAlearney for compiling the bulk of the initial directory.
Thanks also to the securitymetrics.org mailing list, a forum for discussing security metrics, quantification and modeling.
List members have helped suggest data sources for inclusion. See the list's signup page for more.
Research Survey & Study Categories
- Risk Management
- Attack Vectors
- Security Spending, Budgets & Priorities
- Physical Security and Loss Prevention
- Security Controls
- Data Security and Data Breaches
- Software/Application Security
- Compliance & Governance
- Business Continuity & Disaster Recovery
- Social Networking
- Security Careers, Skills, Salary and Benefits
- Virtualization & Cloud Computing
Risk Management and Security Leadership
State of the CSO 2010: Progress and Peril
Conducted by: CSO
Number of respondents:
Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting a more sophisticated view of security. Of course, there's more work to be done—most prominently in the areas of security metrics and awareness programs.
2009 results
2008 results
Global Risk Management Survey, Sixth Edition: Risk Management in the Spotlight
Conducted by: Deloitte
Sponsored by: Unsponsored
Number of respondents: Responses from 111 financial institutions worldwide with more than $19 trillion in total assets.
2009 survey looks at risk management during the economic downturn and finds more than half of firms falling under Basel II requirements reported they were nearly in compliance or had already complied. Also, only 24 percent have a defined and approved enterprise-level statement of the firm's risk appetite; 72 percent of firms with ERM programs reported that the quantifiable benefits exceeded the costs.
An index of ERM survey data
The Enterprise Risk Management Initiative (at NC State's College of Management) rounds up articles covering ERM research.
Security Survey Spotlights Consumers' Influence on Enterprise IT
Conducted by: InsightExpress
Sponsored by: Cisco
Number of respondents: 512 IT security professionals across the U.S., Germany, Japan, China and India.
Survey of IT pros from 5 countries compares threat perception, technologies and tools used. For example, nearly one third perceive unauthorized users as the primary IT risk.
Social Networking or Reputational Risk: 2009 Ethics & Workplace Survey
Conducted by: Opinion Research
Sponsored by: Deloitte LLP
Number of respondents: 2,008 employed adults and 500 business executives.
Many companies are using social networking to build their businesses; however, it can also hurt companies. A survey finds 58 percent of executives believe the reputational risk of social networking makes it a boardroom issue but only 15 percent are taking it to that level.
The Index of Cyber Security
Conducted by: Dan Geer and Mukul Prateek
Respondents: "Publication will commence when 100 respondents are in hand and active; the target survey population is 300."
"A sentiment-based measure of the risk to the corporate, industrial, and governmental information infrastructure from a spectrum of cybersecurity threats. It is sentiment-based in recognition of the rapid change in cybersecurity threats and postures, the state of cybersecurity metrics as a practical art, and the degree of uncertainty in any risk-centered field."
Also see Security metrics: Critical issues
Attack Vectors
Security Intelligence Report
Conducted by: Microsoft
"Investigation of the current threat landscape. It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, as well as internet services, and three Microsoft Security Centers."
Conducted periodically with earlier reports still available for download.
IBM X-Force Reports
- Trend and Risk Report published twice per year
- Threat Insight Report podcast and transcript produced quarterly
Methodology: Data compiled through IBM managed services
Registration required
Trustwave Global Security Report 2011
Methodology: Data from Trustwave's SpiderLabs unit.
Registration required
Federal Cyber Security Outlook for 2010 Survey
Conducted by: Clarus Research Group
Sponsored by: Lumension
Number of respondents: 201 Federal government IT security decision makers.
A lack of collaboration across IT and security is increasing the risk to the Federal government's ability to defend against sophisticated attacks, according to the survey. Additionally, 74 percent working in national defense and security expect a cyberattack by a foreign country in the next year.
The Symantec Global Internet Threat Report
Conducted by: Symantec
Origin of data: More than 240,000 sensors in more than 200 countries and territories monitor attack activity; malicious code intelligence from more than 133 million client, server, and gateway systems; Symantec's distributed honeypot network; the Symantec Probe Network; MessageLabs Intelligence; more than 8 billion e-mail messages; more than 1 billion Web requests; and an extensive antifraud community.
Study researches attack trends, future threats and the effect of the economic downturn on security. Among other highlights, it reported that 60 percent of identities exposed came from hacking attacks—the majority of which came from a single attack.
MessageLabs Security Intelligence Reports
Origin of data: MessageLabs sensors
Analyzes origins and nature of email-based security threats and attacks. Updated frequently.
CSI Computer Crime and Security Survey 2009
Conducted by: CSI
Sponsored by: Unsponsored
Number of respondents: 443 information security and information technology professionals in United States corporations, government agencies, financial institutions, educational institutions, medical institutions and other organizations.
Password sniffing, financial fraud and malware infection increased, but average losses caused by security incidents are down from 2008. The survey includes attack information, details about respondents' security programs, end-user security awareness training and much, much more.
The 2010 Survey will be available in late November.
Cost: $185.00
2010 CyberSecurity Watch Survey & Survey Results
Conducted by: CSO in cooperation with the U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte.
Sponsored by: Unsponsored
Number of respondents: 523
Comprehensive 2010 survey reports that 37 percent of respondents believe that the number of cybersecurity events experienced in the last 12 months has increased. Of those, 50 percent believed the attack was caused by an outsider.
The 2010 State of Cyberethics, Cybersafety, Cybersecurity Curriculum in the U.S. Survey
Conducted by: Zogby International
Sponsored by: National Cyber Security Alliance
Number of respondents: 1,003 teachers, 400 K-12 school administrators and 200 technology coordinators.
Survey targets teachers, school administrators and technology coordinators in an effort to understand whether students are receiving adequate guidance to use digital technology and the Internet in a safe and responsible manner. Thirty-nine percent of teachers responded that over the last 12 months they'd taught students how to make decisions about sharing personal information online; 33 percent about the dangers of social networking sites; 30 percent about watching for online predators; and 28 percent about what to do if they receive harassing messages.
What Security Issues Are You Currently Facing?
Conducted by: RSA
Sponsored by: Unsponsored
Number of respondents: Nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures.
The RSA Conference Survey 2009 reported an increase in e-mail phishing (72 percent) and Web-borne malware (57 percent). The survey also found IT pros were quite concerned about zero-day attacks (28 percent) and rogue employees as a result of layoffs (26 percent).