The security data and survey directory

Survey statistics and research studies are a great way to help you recognize impending threats and emerging attack vectors. Data can even help you identify and substantiate the need for specific budgetary increases to the C-suite. So we’ve compiled this list of where to find research-backed data you can use.

Where possible we’ve made note of some key facts about each survey to help you decide its potential value: the number and type of respondents, who sponsored the survey (if a security product or service vendor was involved, which could influence the perception of bias), and whether the report requires registration or a fee.

Most recent update: 5/31/2011 Have suggestions about additional data sources? Email CSO editor Derek Slater at dslater@cxo.com. Data sources will be added, removed or modified at the whim of the editor. signup page for more.

Many thanks to Shawna McAlearney for compiling the bulk of the initial directory.

Thanks also to the securitymetrics.org mailing list, a forum for discussing security metrics, quantification and modeling. List members have helped suggest data sources for inclusion. See the list’s

Risk Management and Security Leadership

State of the CSO 2010: Progress and Peril Conducted by: CSONumber of respondents: 2009 results2008 results

Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting a more sophisticated view of security. Of course, there’s more work to be done—most prominently in the areas of security metrics and awareness programs.

In-depth reading on risk management

• ERM: Get started in 6 steps
• Turning ERM strategy into specific systems projects
• ERM basics explained
• The CISO’s new focus: IT risk

Global Risk Management Survey, Sixth Edition: Risk Management in the SpotlightConducted by: DeloitteSponsored by: UnsponsoredNumber of respondents: Responses from 111 financial institutions worldwide with more than $19 trillion in total assets.

2009 survey looks at risk management during economic downturn and finds more than half of firms falling under Basel II requirements reported they were nearly in compliance or had already complied. Also, only 24 percent have a defined and approved enterprise-level statement of the firms risk appetite; 72 percent of firms with ERM programs reported that the quantifiable benefits exceeded its costs.

An index of ERM survey data

The Enterprise Risk Management Initiative (at NC State’s College of Management) rounds up articles covering ERM research.

Global Risk Management Survey, Sixth Edition: Risk Management in the SpotlightConducted by: DeloitteSponsored by: UnsponsoredNumber of respondents: Responses from 111 financial institutions worldwide with more than $19 trillion in total assets.

2009 survey looks at risk management during economic downturn and finds more than half of firms falling under Basel II requirements reported they were nearly in compliance or had already complied. Also, only 24 percent have a defined and approved enterprise-level statement of the firms risk appetite; 72 percent of firms with ERM programs reported that the quantifiable benefits exceeded its costs.

Security Survey Spotlights Consumers’ Influence on Enterprise ITConducted by: InsightExpressSponsored by: CiscoNumber of respondents: 512 IT security professionals across the U.S., Germany, Japan, China and India.

Survey of IT pros from 5 counties compares threat perception, technologies and tools used. For example, nearly one third perceive unauthorized users as the primary IT risk.

Social Networking or Reputational Risk: 2009 Ethics & Workplace Survey Conducted by: Opinion ResearchSponsored by: Deloitte LLPNumber of respondents: 2,008 employed adults and 500 business executives.

Many companies are using social networking to build their businesses; however, it can also hurt companies. A survey finds 58 percent of executives believe the reputational risk of social networking makes it a boardroom issue but only 15 percent are taking it to that level.

The Index of Cyber SecurityConducted by: Dan Geer and Mukul PrateekRespondents: “Publication will commence when 100 respondents are in hand and active; the target survey population is 300.”

“A sentiment-based measure of the risk to the corporate, industrial, and governmental information infrastructure from a spectrum of cybersecurity threats. It is sentiment-based in recognition of the rapid change in cybersecurity threats and postures, the state of cybersecurity metrics as a practical art, and the degree of uncertainty in any risk-centered field.”

Also see Security metrics: Critical issues

Attack Vectors

Security Intelligence ReportConducted by: Microsoft

“Investigation of the current threat landscape. It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, as well as internet services, and three Microsoft Security Centers.”

Conducted periodically with earlier reports still available for download.

IBM X-Force ReportsMethodology: Data compiled through IBM managed servicesRegistration required

– Trend and Risk Report published twice per year

– Threat Insight Report podcast and transcript produced quarterly

Trustwave Global Security Report 2011Methodology: Data from Trustwave’s SpiderLabs unit.Registration required Federal Cyber Security Outlook for 2010 SurveyConducted by: Clarus Research GroupSponsored by: LumensionNumber of respondents: 201 Federal government IT security decision makers.

A lack of collaboration across IT and security is increasing the risk of the Federal government’s ability to defend against sophisticated attacks, according to the survey. Additionally, 74 percent working in national defense and security expect a cyberattack by a foreign country in the next year.

The Symantec Global Internet Threat ReportConducted by: SymantecOrigin of data: More than 240,000 sensors in more than 200 countries and territories monitor attack activity; malicious code intelligence from more than 133 million client, server, and gateway systems; Symantecs distributed honeypot network; the Symantec Probe Network; MessageLabs Intelligence; more than 8 billion e-mail messages; more than 1 billion Web requests; and an extensive antifraud community.

Study researches attack trends, future threats and the effect of the economic downturn on security. Among other highlights, it reported that 60 percent of identities exposed came from hacking attacks—the majority of which came from a single attack.

MessageLabs Security Intelligence ReportsOrigin of data: MessageLabs sensors

Analyzes origins and nature of email-based security threats and attacks. Updated frequently.

CSI Computer Crime and Security Survey 2009 Conducted by: CSISponsored by: UnsponsoredNumber of respondents: 443 information security and information technology professionals in United States corporations, government agencies, financial institutions, educational institutions, medical institutions and other organizations. Cost: $185.00

Password sniffing, financial fraud and malware infection increased, but average losses caused by security incidents are down from 2008. The survey includes attack information, details about respondents’ security programs, end-user security awareness training and much, much more.

The 2010 Survey will be available in late November.

2010 CyberSecurity Watch Survey&Survey ResultsConducted by: CSO in cooperation with the U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte.Sponsored by: UnsponsoredNumber of respondents: 523

Comprehensive 2010 survey reports that 37 percent of respondents believe that the number of cybersecurity events experienced in the last 12 months has increased. Of those, 50 percent believed the attack was caused by an outsider.

The 2010 State of Cyberethics, Cybersafety, Cybersecurity Curriculum in the U.S. SurveyConducted by: Zogby International Sponsored by: National Cyber Security AllianceNumber of respondents: 1,003 teachers, 400 K-12 school adminstrators and 200 technology coordinators.

Survey targets teachers, school administrators and technology coordinators in an effort to understand whether students are receiving adequate guidance to use digital technology and the Internet in a safe and responsible manner. Thirty-nine percent of teachers responded that over the last 12 months they’d taught students how to make decisions about sharing personal information online; 33 percent about the dangers of social networking sites; 30 percent about watching for online predators; and 28 percent about what to do if they receive harassing messages.

What Security Issues Are You Currently Facing?Conducted by: RSASponsored by: UnsponsoredNumber of respondents: Nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures.

The RSA Conference Survey 2009 reported an increase in e-mail phishing (72 percent) and Web-borne malware (57 percent). The survey also found IT pros were quite concerned about zero-day attacks (28 percent) and rogue employees as a result of layoffs (26 percent).

IT Security Spending, Budgets & Priorities

The Global State of Information Security 2011Conducted by: CSO, PricewaterhouseCoopers, CIONumber of respondents: More than 12,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 130 countries. 2010 results – PDF2008 results2007 results2006 results2005 results2004 results2003 results

Analysis of respondents’ challenges and approaches to cloud security, secure business partner relationships, and more.

2010 TMT Global Security Study Conducted by: Deloitte’s Information & Technology Risk Services practiceSponsored by: UnsponsoredNumber of respondents: Nearly 150 TMT organizations around the world.

This fourth edition of Deloitte’s Technology, Media & Telecommunications Global Security Study examines key areas of security and privacy and finds that information security spending is modestly bouncing back after a decline in 2009.

Deloitte 2010 Global Security Survey: The Faceless ThreatConducted by: Deloitte’s Global Financial Services Sponsored by: UnsponsoredNumber of respondents: 350 major financial institutions.

Of 19 options, nearly half of respondents chose identity and access management as their top security initiative for 2010. The survey also examines data loss and regulatory compliance priorities.

2010 Update: What Organizations Are Spending on IT SecurityConducted by: GartnerSponsored by: UnsponsoredOrigin of data: Information taken from a number of Gartner reports.

Efficient security will allow IT to safely cut security budgets by 3 percent to 6 percent through 2011, according to a Gartner study. Researchers say those with either very mature or recently updated security programs will save even more. Study also looks at security spending and “platforms” versus “best of breed” options.

Insights from Deloitte’s 2009 Global Shared Services SurveyConducted by: DeloitteSponsored by: UnsponsoredNumber of respondents: 265 shared services leaders representing 702 individual shared services centers with a median annual revenue of $10.5 billion.

Cost reduction was highlighted in this survey: 72 percent of respondents said it was one of their top three priorities over the next 2 years. Also, 57 percent plan to increase the number of advisory processes in shared services in the same period.

Information Security Spending Survey: 2009 Results (Impact of the Recession)Conducted by: Joint effort between MetroSITE Group and Pacific Crest Securities.Sponsored by: UnsponsoredNumber of respondents: 53 top security professionals worldwide.brand protection.

Governance, compliance, mobility and identity and access management will continue to receive funding, according to a 2009 survey. IT security spending is primarily being driven by compliance, followed by threat reduction and

2010 Top Five Total Rewards Priorities SurveyConducted by: Deloitte Human CapitalSponsored by: Deloitte and the International Society of Certified Employee Benefit SpecialistsNumber of respondents: 292 diverse employers.

A look at job security and other employee/employer priorities during the 2010 financial crisis.

Physical Security, Fraud and Loss Prevention

Report to the NationConducted by: Association of Certified Fraud ExaminersSponsored by: UnsponsoredOrigin of data: Based on 959 cases of occupational fraud reported by the CFEs who investigated and resolved them.

2008 study examines occupational and other fraud incidents—it finds the typical occupational scheme lasts 2 years and results in a median loss of $175,000.

More on retail security and loss prevention

• Retail security: Critical issues
• Oranized crime and retail theft: Facts and myths
• Mall rats: Shoplifting and ORT

National Retail Federation research

The NRF conducts periodic surveys on Organized Retail Crime, return fraud, and more. See the linked page for connections to their latest research.

Report: Global Theft Decreases in 2010Conducted by: Centre for Retail ResearchSponsored by: Checkpoint SystemsNumber of respondents: 1,103 large retailers in 42 countries.

2010 survey looks at physical loss of retail merchandise to crime and waste, and studies its impact on retailers and consumers.

Theft Surveys by Jack L. Hayes InternationalConducted by: Jack L. Hayes International (a loss prevention consulting firm)Number of respondents:Varied

A limited amount of data is avaible on the linked page, covering retail theft, shoplifting, and related areas.

The Cost of a Lost LaptopConducted by: Ponemon Institute LLCSponsored by: Intel CorporationNumber of respondents: N/A

The 2009 study examined 138 cases involving laptop computers lost by an employee, a temporary worker or contractor. Based on replacement cost, lost intellectual property and other factors, the average value is an estimated $49,246. In cases examined by the study, 80 percent of that cost was attributed to lost intellectual property.

Social Insecurity: What Millions of Online Users Don’t Know Can Hurt ThemConducted by: Consumer Reports National Research CenterSponsored by: UnsponsoredNumber of respondents: 2,000 online U.S. households.

Twice as many U.S. households now use social networks than did last year, and, in many cases, are exposing themselves to new risks. A 2010 study found 40 percent posted their full birth date, exposing themselves to identity theft, while 26 percent posted their children’s photos and names, potentially exposing them to predators. Also, one quarter didn’t use Facebook’s privacy controls at a time when 9 percent of social network users experienced malware infections, scams, identity theft or harassment.

Security of Paper Documents in the WorkplaceConducted by: Ponemon InstituteSponsored by: Alliance for Secure Business InformationNumber of respondents: 819 individuals who work in IT operations, IT security, data protection and compliance in large organizations in a variety of industries.

This 2008 study appears to stand the test of time and has not been replaced by more current research. Eighty percent of respondents said they had one or more data breaches in the past 12 months; of those, 49 percent said one or more of the breaches involved the loss or theft of paper documents. Seventy-one percent of respondents acknowledge an incident in which sensitive or confidential paper documents were lost or misplaced in their organizations.

Airport Insecurity: The Case of Lost LaptopsConducted by: Ponemon InstituteSponsored by: DellNumber of respondents: 864 business air travelers in the U.S.

2008 survey reports that, on average, 12,255 laptops go missing at U.S. airports each week and 42 percent don’t back up the data in their laptop computers. Only one-third of those turned into airport Lost and Found departments are ever reclaimed.

Business Risk of a Lost Laptop: A Study of U.S. IT PractitionersConducted by: Ponemon Institute LLCSponsored by: Dell CorporationNumber of respondents: 714 IT and IT security practitioners with an average of almost 7.5 years of domain-specific experience.

2009 study looks at the business risk of poor laptop security. Sixty-five percent of respondents say the number of lost or stolen laptops is up from previous years; 75 percent say they know of an incident in their organization where sensitive or confidential data was at risk because of a lost or stolen laptop computer.

The 2010 State of Cyberethics, Cybersafety, Cybersecurity Curriculum in the U.S. SurveyConducted by: Zogby International Sponsored by: National Cyber Security AllianceNumber of respondents: 1,003 teachers, 400 K-12 school adminstrators and 200 technology coordinators.

Survey targets teachers, school administrators and technology coordinators in an effort to understand whether students are receiving adequate guidance to use digital technology and the Internet in a safe and responsible manner. Thirty-nine percent of teachers responded that over the last 12 months they’d taught students how to make decisions about sharing personal information online; 33 percent about the dangers of social networking sites; 30 percent about watching for online predators; and 28 percent about what to do if they receive harassing messages.

The National Campus Safety and Security Project SurveyConducted by: The National Association of College and University Business OfficersSponsored by: Funded in part by the Lilly Endowment.Number of respondents: 342 institutions.

Roughly 15 percent of repondents do not currently have an emergency preparedness plan that at least meets the standards set by the National Fire Protection Association; of those, 40 percent are near completion of one. Survey looks at many factors including use of security cameras and other technologies, emergency communication plans and business continuity.

More Than Half of Americans Surveyed Are Not Worried About Swine FluConducted by: Harris InteractiveSponsored by: Deloitte Center for Health Solutions Number of respondents: 1,010 U.S. adults.

2009 survey reports that 52 percent of Americans don’t believe the H1N1 virus will have a major impact in the United States; 41 percent do not plan to get vaccinated. It also examines who plans to get vaccinated, and if they know where to get vaccinated.

Energy Security&America’s Best DefenseConducted by: Deloitte Global and U.S. Aerospace & DefenseSponsored by: UnsponsoredNumber of respondents: Not applicable.

2009 study reports that a huge increase in fuel use by the military (175 percent increase per soldier during wartime since Vietnam) puts a focus on fuel security. Energy supplies are often a primary target, and, according to its methodologies, the Deloitte study found that “without game-changing shifts, the current Afghan conflict may result in a 124 percent increase in U.S. casualties through 2014.”

Security Controls

Trust, Security and Passwords ReportConducted by: Cyber-ArkNumber of respondents: 1,400 IT staffers and C-level professionals across North America and EMEA

57 percent of executive respondents believe that cybercriminals will present more of a security risk than insider threats over the next one to three years. The survey also reports that 20 percent believed their companies had been sabotaged by insider and 16 percent think insider sources may have passed confidential information to their competitors.

Securosis 2010 Data Security SurveyConducted by: Securosis, L.L.C.Sponsored by: ImpervaNumber of respondents: 1,176

Roughly half of responding organizations have some form of data security controls deployed; e-mail filtering was listed as the most common control and also the least effective. While 88 percent of respondents must meet at least one regulatory requirement, “to improve security” was the most common driver for adding data security controls.

SANS Sixth Annual Log Management Survey ReportConducted by: SANS InstituteSponsored by: ArcSight, LogLogic, NetForensics, Novell, RSA and TrustwaveNumber of respondents: 500+

Conducted in April 2010, survey reveals log management is gaining popularity and now includes logs gathered from other devices than firewalls, switches, routers and IDS/IPS. While the number of users trying to derive more value from their log data has increased, many respondents say analyzing and reporting on all the data remains a critical problem.

Security Software and Services Spending Will Outpace Other IT Spending Areas in 2010Conducted by: Gartner, Inc.Sponsored by: UnsponsoredNumber of respondents: More than 1,000 IT professionals with budget responsibility worldwide. Note: $95.00 fee and registration required.

A 4 percent increase in security software budgets is anticipated for 2010, including the areas of security information and event management (SIEM), e-mail security, URL filtering and user provisioning. A managed security services spending increase is also expected.

Data Security and Data Breaches

Data Breach Investigations ReportConducted by: The Verizon RISK Team in cooperation with the U.S. Secret Service.Sponsored by: UnsponsoredOrigin of data: The primary dataset in 2010 analyzed in this report contains the 141 confirmed breach cases worked by Verizon (57) and the USSS (84) in 2009.

Survey examines origins and frequency of breaches, who caused tham and what they have in common. Latest report is 2011.

Analysis: 5 years of data breaches published 2010; PDF link at bottom of pageConducted by: Digital Forensics AssociationOrigin of data: Study of 2,800 data loss incidents from public sources. Laptop thefts the most common source of loss; in cases of insider involvement, accidental loss more common. Securosis 2010 Data Security SurveyConducted by: Securosis, L.L.C.Sponsored by: ImpervaNumber of respondents: 1,176

Roughly half of responding organizations have some form of data security controls deployed; e-mail filtering was listed as the most common control and also the least effective. While 88 percent of respondents must meet at least one regulatory requirement, “to improve security” was the most common driver for adding data security controls.

Application Security: It’s a Case of Good News/Bad NewsConducted by: BankInfoSecurity.comSponsored by: UnsponsoredNumber of respondents: More than 100 banking/security leaders from financial institutions of all sizes.Note: Registration required for full results.

Survey guages perceived strength of financial institutions’ application security programs; 81 percent are only somewhat or not at all confident in the security of third-party applications.

Federal Cyber Security Outlook for 2010 SurveyConducted by: Ernst & YoungSponsored by: UnsponsoredNumber of respondents: Nearly 1,900 organizations worldwide across all major industries.

12th annual survey finds forty-one percent of respondents reported increased internal attacks while 25 percent saw a rise in internal attacks; 50 percent plan to spend more this year to improve information security risk management.

2010 HIMSS Analytics Report: Security of Patient DataConducted by: HIMSS AnalyticsSponsored by: Kroll Fraud SolutionsNumber of respondents: 250 senior information technology (IT) executives, Chief Security Officers and Health Information Management (HIM) Directors/Managers, Compliance Officers and Privacy Officers.Registration required

A study on the shift to electronic health records (EHRs) over the next several years highlights the inability of healthcare providers to adequately secure data—even in the face of increased regulation of the HIPAA and HITECH acts.

Employees Put Personal Security, Interests Above Company’sConducted by: Trend MicroSponsored by: UnsponsoredNumber of respondents: 1,600 end users in the U.S., U.K, Germany and Japan.

Survey examines employees’ unsanctioned use of corporate networks and tools. About half of respondents admitted leaking confidential data through a Web mail account; 60 percent of mobile workers and 44 percent of stationary workers also admitted to having done so through IM or social media applications.

Outbound Email and Data Loss Prevention in Today’s Enterprise, 2010 Conducted by: OstermanSponsored by: ProofpointNumber of respondents: 261 responses from companies with 1,000 or more employees.Note: Registration required

Managing the risks of outbound e-mail, blog postings, social media, mobile devices, etc. is the focus of this survey. One quarter of U.S. companies investigated the leakage of confidential, sensitive or private information via a blog or message board posting; 24 percent disciplined an employee for such a breach in the last year. One fifth investigated a similar breach involving a social networking site.

Business Risk of a Lost Laptop: A Study of U.S. IT PractitionersConducted by: Ponemon Institute LLCSponsored by: Dell CorporationNumber of respondents: 714 IT and IT security practitioners with an average of almost 7.5 years of domain-specific experience.

2009 study looks at the business risk of poor laptop security. Sixty-five percent of respondents say the number of lost or stolen laptops is up from previous years; 75 percent say they know of an incident in their organization where sensitive or confidential data was at risk because of a lost or stolen laptop computer.

60 Percent of Facebook Users Consider Quitting over PrivacyConducted by: SophosSponsored by: UnsponsoredNumber of respondents: 1,588 Facebook users.

Concerns over privacy settings and sharing private information have prompted nearly two thirds of Facebook users to consider leaving the social networking service and 16 percent more say they have already stopped.

2009 Annual Study: Cost of a Data BreachConducted by: Ponemon Institute LLCSponsored by: PGP CorporationNumber of respondents: 45 organizations from 15 different industry sectors.

Survey released in January 2010 reports that, contrary to what many believe, the overall cost of data breaches is increasing, though slowly (up 2 percent over 2008). It also found that breaches caused by malaicious attackers or botnets cost 40 percent more than those caused by negligence or a system problem.

Password Security Survey 2009Conducted by: ElcomSoftSponsored by: UnsponsoredNumber of respondents: About 1,000 security and IT professionals from more than 70 countries.

Up to 77 percent of computer users use a single password to access multiple applications and websites. It also examines password reuse for multiple accounts, passwords written down and use of weak passwords.

Cloud Computing A Transformative Technology with Financial Benefits; Security Concerns, Too: Deloitte PollConducted by: DeloitteSponsored by: UnsponsoredNumber of respondents: More than 750 technology executives ranging from upper management to consultant across multiple industries.

A 2009 webcast-based poll found 60 percent of executives believe cloud computing will benefit enterprise services but 35 percent remain concerned about security and privacy.

The Cost of a Lost LaptopConducted by: Ponemon Institute LLCSponsored by: Intel CorporationNumber of respondents: N/Alost intellectual property and other factors, the average value is an estimated $49,246. In cases examined by the study, 80 percent of that cost was attributed to lost intellectual property.

The 2009 study examined 138 cases involving laptop computers lost by an employee, a temporary worker or contractor. Based on replacement cost,

Why Encrypt? Federal File Transfer ReportConducted by: MeriTalkSponsored by: AxwayNumber of respondents: 200 Federal IT and information security professionals.Note: Registration required.

Comprehensive 2010 survey examines data security at federal agencies. It finds that more than half of employees use personal email, CDs, DVDs, FTP, and USB drives to transfer business files despite known risks. Sixty-two percent of respondents said file transfer security is a top priority, and 80 percent call their agency’s secure file transfer policies adequate but only 58 percent say employees are aware of those policies.

Airport Insecurity: The Case of Lost LaptopsConducted by: Ponemon InstituteSponsored by: DellNumber of respondents: 864 business air travelers in the U.S.

2008 survey reports that, on average, 12,255 laptops go missing at U.S. airports each week and 42 percent don’t back up the data in their laptop computers. Only one-third of those turned into airport Lost and Found departments are ever reclaimed.

Security of Paper Documents in the WorkplaceConducted by: Ponemon InstituteSponsored by: Alliance for Secure Business InformationNumber of respondents: 819 individuals who work in IT operations, IT security, data protection and compliance in large organizations in a variety of industries.

This 2008 study appears to stand the test of time and has not been replaced by more current research. Eighty percent of respondents said they had one or more data breaches in the past 12 months; of those, 49 percent said one or more of the breaches involved the loss or theft of paper documents. Seventy-one percent of respondents acknowledge an incident in which sensitive or confidential paper documents were lost or misplaced in their organizations.

Software and Application Security

The Building Security In Maturity Model (BSIMM)Respondents: 30 organizations engaged in large-scale software development.Registration required.

A survey-based benchmarking study on software security.

Application Security: It’s a Case of Good News/Bad NewsConducted by: BankInfoSecurity.comSponsored by: UnsponsoredNumber of respondents: More than 100 banking/security leaders from financial institutions of all sizes.Registration required.

Survey guages perceived strength of financial institutions’ application security programs; 81 percent are only somewhat or not at all confident in the security of third-party applications.

WhiteHat Website Security Statistics ReportMethodology: Through managed monitoring services, analysis of more than 2,000 websites from 350 client organizations

Fall 2010 highlights: Large organizations more likely to have serious vulnerabilities.

Veracode State of Software Security

“Intelligence gleaned from analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries”.

Compliance & Governance

2010 HIMSS Analytics Report: Security of Patient DataConducted by: HIMSS AnalyticsSponsored by: Kroll Fraud SolutionsNumber of respondents: 250 senior information technology (IT) executives, Chief Security Officers and Health Information Management (HIM) Directors/Managers, Compliance Officers and Privacy Officers.Note: Registration required

A study on the shift to electronic health records (EHRs) over the next several years highlights the inability of healthcare providers to adequately secure data—even in the face of increased regulation of the HIPAA and HITECH acts.

Most Respondents Expect FCPA Violations to Increase in Coming Years Conducted by: DeloitteSponsored by: UnsponsoredNumber of respondents: 1,090 business professionals from the financial services; consumer and industrial products; technology, media and telecom; banking and securities; energy and resources industries and other industries.

2009 survey on the Foreign Corrupt Practices Act (FCPA) finds that 72 percent of respondents expect an increase in FCPA violations in the next two years, but 34 percent have no comprehensive FCPA compliance program in place.

State of Privacy & Data Security ComplianceConducted by: Ponemon Institute LLCSponsored by: SophosNumber of respondents: 528 IT security and compliance practitioners in various sized companies located in the U.S.

2009 survey assesses organizations’ regulatory compliance. It finds that a majority do not believe compliance improves security, and 48 percent don’t believe they are compliant with all applicable laws and regulatory requirements.

Information Security Spending Survey: 2009 Results (Impact of the Recession)Conducted by: Joint effort between MetroSITE Group and Pacific Crest Securities.Sponsored by: UnsponsoredNumber of respondents: 53 top security professionals worldwide.

Governance, compliance, mobility and identity and access management will continue to receive funding, according to a 2009 survey. IT security spending is primarily being driven by compliance, followed by threat reduction and brand protection.

Business Continuity & Disaster Recovery

2009: More Than Half of Americans Surveyed Are Not Worried About Swine FluConducted by: Harris InteractiveSponsored by: Deloitte Center for Health Solutions Number of respondents: 1,010 U.S. adults.

2009 survey reports that 52 percent of Americans don’t believe the H1N1 virus will have a major impact in the United States; 41 percent do not plan to get vaccinated. It also examines who plans to get vaccinated, and if they know where to get vaccinated.

The National Campus Safety and Security Project SurveyConducted by: The National Association of College and University Business OfficersSponsored by: Funded in part by the Lilly Endowment.Number of respondents: 342 institutions.

Roughly 15 percent of repondents do not currently have an emergency preparedness plan that at least meets the standards set by the National Fire Protection Association; of those, 40 percent are near completion of one. Survey looks at many factors including use of security cameras and other technologies, emergency communication plans and business continuity.

Social Networking

Outbound Email and Data Loss Prevention in Today’s Enterprise, 2010 Conducted by: OstermanSponsored by: ProofpointNumber of respondents: 261 responses from companies with 1,000 or more employees.Note: Registration required

Managing the risks of outbound e-mail, blog postings, social media, mobile devices, etc. is the focus of this survey. One quarter of U.S. companies investigated the leakage of confidential, sensitive or private information via a blog or message board posting; 24 percent disciplined an employee for such a breach in the last year. One fifth investigated a similar breach involving a social networking site.

Social Insecurity: What Millions of Online Users Don’t Know Can Hurt ThemConducted by: Consumer Reports National Research CenterSponsored by: UnsponsoredNumber of respondents: 2,000 online U.S. households.

Twice as many U.S. households now use social networks than did last year, and, in many cases, are exposing themselves to new risks. A 2010 study found 40 percent posted their full birth date, exposing themselves to identity theft, while 26 percent posted their children’s photos and names, potentially exposing them to predators. Also, one quarter didn’t use Facebook’s privacy controls at a time when 9 percent of social network users experienced malware infections, scams, identity theft or harassment.

Social Networking or Reputational Risk: 2009 Ethics & Workplace Survey Conducted by: Opinion ResearchSponsored by: Deloitte LLPNumber of respondents: 2,008 employed adults and 500 business executives.

Many companies are using social networking to build their businesses, however, it can also hurt companies. A survey finds 58 percent of executives believe the reputational risk of social networking makes it a boardroom issue but only 15 percent are taking it to that level.

60 Percent of Facebook Users Consider Quitting over PrivacyConducted by: SophosSponsored by: UnsponsoredNumber of respondents: 1,588 Facebook users.

Concerns over privacy settings and sharing private information have prompted nearly two thirds of Facebook users to consider leaving the social networking service and 16 percent more say they have already stopped.

Virtualization, Web 2.0 & Cloud Computing

2010 State of Virtualization Security SurveyConducted by: Prism MicrosystemsSponsored by: UnsponsoredNumber of respondents: 302 IT professionals across multiple industries and company sizes.

Survey examines adoption of virtualization and corresponding security concerns and controls. For example, 58 percent of respondents are highly concerned over the potential for Hypervisor to create a single point of entry into multiple machines while 19 percent have no security solutions or strategies in place to secure their virtual environment.

7th Annual Survey: Network and System AdministratorsConducted by: Amplitude Research Sponsored by: VanDyke SoftwareNumber of respondents: 353 network or system administrators.

This U.S.-based survey conducted in April 2010 examines budget and staffing changes, what keeps admins up at night, and the adoption of cloud computing.

IT Skills, Salary and Benefits

7th Annual Survey: Network and System AdministratorsConducted by: Amplitude Research Sponsored by: VanDyke SoftwareNumber of respondents: 353 network or system administrators.

This U.S.-based survey conducted in April 2010 examines budget and staffing changes, what keeps admins up at night, and the adoption of cloud computing.

2010 Security Clearance Jobs Compensation Survey ResultsConducted by: DiceSponsored by: UnsponsoredNumber of respondents: 3,633 security-cleared professionals.

2010 survey finds average annual compensation in the DC area for security-cleared IT workers is $97,821; professionals earn more than $100,000 with intelligence agency-issued clearances.

IT Professional Salary Survey ReportsConducted by: Foote PartnersSponsored by: UnsponsoredNumber of respondents: 1,980 employers (99,400 IT professionals).Cost: $75 and up

2010 survey of IT salary and bonuses for 130 IT positions or for any of 27 IT job families or customized by individual jobs and cities.

2010 IT Salary + Skills Pay Survey ReportsConducted by: Foote PartnersSponsored by: UnsponsoredNumber of respondents: 2,000 employers (99,400 IT workers).Cost: $700 and up

Organized by IT categories, this quartely report examines the total cash compensation of thousands of IT workers in 65 US cities.

2010 IT Security Salary & Skills Pay SurveyConducted by: Foote PartnersSponsored by: UnsponsoredNumber of respondents: Varies by title and area.Cost: $800 and up

A drilldown of IT security-specific earnings from professionals in 65 US cities based on salary, bonuses and certifications pay.