Caution advised with information security surveys

CISOs and IT security team members frequently lie when they participate in surveys.

Before anyone takes offense, read on.

All respondents aren’t liars. And when people do lie on surveys, they don’t always mean to.

Conducting research and publishing reports can take a long time and cost a lot of money. Those are two reasons why some security vendors take short cuts and turn to surveys as an alternative.

Want to conduct a survey? Put together a multiple-choice question. For instance, “Are you getting hacked more or less this year (compared to last year)?”

Now, email it to a few thousands CISOs and/or IT security professionals. Just a few hundred responses will do.

The results are in. Seventy-nine percent of IT security pros say their organizations are suffering more hacks and data breaches in 2017 compared to 2016!

Then write some commentary around that figure, and it’s a blog post. Or an article. Or a social media post. Put a good PR firm on it — and it might even be a “report” that shows up as headline news in the media.

What’s wrong with this picture?

Why survey respondents aren’t truthful

mTAB, a market research firm working with the world’s leading brands for over 25 years, says survey respondents boast about their behavior and tend to be drawn toward making themselves out better than, more than, or somehow superior to others.

Some respondents are defensive and may be unwilling to disclose something about their beliefs or nature that they don’t want others to know, according to mTAB.

Infosurv Research, an online survey firm, says respondents believe they can influence the outcome of the research in their favor.

Consider an IT security leader who wants to use the survey results to help ask the bosses for more budget. That respondent may be prone to lie about exactly how much more they are being hacked this year.

A Naked Security blog post states that more than 75% of people lie on social media.

The point here is not to condemn survey respondents. Lying is part of human nature, and it’s going to happen — in polls — and elsewhere.

Rather, this is a heads-up because there’s a growing number of surveys and resulting statistics being churned out in the security industry.

CISOs and IT security leaders have a more important job (than being respondents) when it comes to reports: reading them and trying to interpret the results in a meaningful way as it relates to cyber defending their organizations.

The best research takes months or even a year or more to produce.

There are many security vendors, research firms, analysts and media outlets that are publishing excellent reports.

Not all surveys are misleading. But a survey is just that — and something worth telling busy CSO readers. It may help explain the next outlandish hack statistic they read.

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.

Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.