The security data and survey directory

Survey statistics and research studies are a great way to help you recognize impending threats and emerging attack vectors. Data can even help you identify and substantiate the need for specific budgetary increases to the C-suite. So we've compiled this semi-exhaustive list (it certainly made us tired, anyway) of where to find research-backed data you can use.

Where possible we've made note of some key facts about each survey to help you decide its potential value: the number and type of respondents, who sponsored the survey (if a security product or service vendor was involved, which could influence the perception of bias), and whether the report requires registration or a fee.

This list will be updated and expanded on CSOonline.com. Have suggestions about additional data sources? Email CSO editor Derek Slater at dslater@cxo.com. Data sources will be added, removed or modified at the whim of the editor. (We like to be inclusive but make no promises.) Many thanks to Shawna McAlearney for compiling the bulk of the initial directory.

Last update: 11/29/10. Additions planned ASAP: Click fraud, brand abuse, GRC, software security

Research Survey & Study Categories (click to skip directly to any category)

* Risk Management

* Attack Vectors

* Security Spending, Budgets & Priorities

* Physical Security and Loss Prevention

* Security Controls

* Data Security

* Compliance & Governance

* Business Continuity & Disaster Recovery

* Social Networking

* Security Careers, Skills, Salary and Benefits

* Virtualization & Cloud Computing

Risk Management and Security Leadership

State of the CSO 2010: Progress and Peril

Conducted by: CSO

Number of respondents:

Today, as organizations come to grips with a wide swath of risks, the 2010 State of the CSO survey shows those organizations are rapidly adopting a more sophisticated view of security. Of course, there's more work to be done--most prominently in the areas of security metrics and awareness programs.

2009 results

2008 results

In-depth reading on risk management

* ERM: Get started in 6 steps

* Turning ERM strategy into specific systems projects

* ERM basics explained

* The CISO's new focus: IT risk

Global Risk Management Survey, Sixth Edition: Risk Management in the Spotlight

Conducted by: Deloitte

Sponsored by: Unsponsored

Number of respondents: Responses from 111 financial institutions worldwide with more than $19 trillion in total assets.

2009 survey looks at risk management during economic downturn and finds more than half of firms falling under Basel II requirements reported they were nearly in compliance or had already complied. Also, only 24% have a defined and approved enterprise-level statement of the firms risk appetite; 72% of firms with ERM programs reported that the quantifiable benefits exceeded its costs.

An index of ERM survey data

The Enterprise Risk Management Initiative (at NC State's College of Management) rounds up articles covering ERM research.

Global Risk Management Survey, Sixth Edition: Risk Management in the Spotlight

Conducted by: Deloitte

Sponsored by: Unsponsored

Number of respondents: Responses from 111 financial institutions worldwide with more than $19 trillion in total assets.

2009 survey looks at risk management during economic downturn and finds more than half of firms falling under Basel II requirements reported they were nearly in compliance or had already complied. Also, only 24% have a defined and approved enterprise-level statement of the firms risk appetite; 72% of firms with ERM programs reported that the quantifiable benefits exceeded its costs.

Security Survey Spotlights Consumers' Influence on Enterprise IT

Conducted by: InsightExpress

Sponsored by: Cisco

Number of respondents: 512 IT security professionals across the U.S., Germany, Japan, China and India.

Survey of IT pros from 5 counties compares threat perception, technologies and tools used. For example, nearly one third perceive unauthorized users as the primary IT risk.

Social Networking or Reputational Risk: 2009 Ethics & Workplace Survey

Conducted by: Opinion Research

Sponsored by: Deloitte LLP

Number of respondents: 2,008 employed adults and 500 business executives.

Many companies are using social networking to build their businesses; however, it can also hurt companies. A survey finds 58% of executives believe the reputational risk of social networking makes it a boardroom issue but only 15% are taking it to that level.

Also see Security metrics: Critical issues

Attack Vectors

Federal Cyber Security Outlook for 2010 Survey

Conducted by: Clarus Research Group

Sponsored by: Lumension

Number of respondents: 201 Federal government IT security decision makers.

A lack of collaboration across IT and security is increasing the risk of the Federal government's ability to defend against sophisticated attacks, according to the survey. Additionally, 74% working in national defense and security expect a cyberattack by a foreign country in the next year.

Application Security: It's a Case of Good News/Bad News

Conducted by: BankInfoSecurity.com

Sponsored by: Unsponsored

Number of respondents: More than 100 banking/security leaders from financial institutions of all sizes.

Survey gauges perceived strength of financial institutions' application security programs; 81% are only somewhat or not at all confident in the security of third-party applications.

Registration required.

The Symantec Global Internet Threat Report

Conducted by: Symantec

Origin of data: More than 240,000 sensors in more than 200 countries and territories monitor attack activity; malicious code intelligence from more than 133 million client, server, and gateway systems; Symantecs distributed honeypot network; the Symantec Probe Network; MessageLabs Intelligence; more than 8 billion e-mail messages; more than 1 billion Web requests; and an extensive antifraud community.

Study researches attack trends, future threats and the effect of the economic downturn on security. Among other highlights, it reported that 60% of identities exposed came from hacking attacks--the majority of which came from a single attack.

MessageLabs Security Intelligence Reports

Origin of data: MessageLabs sensors

Analyzes origins and nature of email-based security threats and attacks. Updated frequently.

CSI Computer Crime and Security Survey 2009

Conducted by: CSI

Sponsored by: Unsponsored

Number of respondents: 443 information security and information technology professionals in United States corporations, government agencies, financial institutions, educational institutions, medical institutions and other organizations.

Password sniffing, financial fraud and malware infection increased, but average losses caused by security incidents are down from 2008. The survey includes attack information, details about respondents' security programs, end-user security awareness training and much, much more.

The 2010 Survey will be available in late November.

Cost: $185.00

2010 CyberSecurity Watch Survey&Survey Results

Conducted by: CSO in cooperation with the U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte.

Sponsored by: Unsponsored

Number of respondents: 523

Comprehensive 2010 survey reports that 37% of respondents believe that the number of cybersecurity events experienced in the last 12 months has increased. Of those, 50% believed the attack was caused by an outsider.

The 2010 State of Cyberethics, Cybersafety, Cybersecurity Curriculum in the U.S. Survey

Conducted by: Zogby International

Sponsored by: National Cyber Security Alliance

Number of respondents: 1,003 teachers, 400 K-12 school administrators and 200 technology coordinators.

Survey targets teachers, school administrators and technology coordinators in an effort to understand whether students are receiving adequate guidance to use digital technology and the Internet in a safe and responsible manner. Thirty-nine percent of teachers responded that over the last 12 months they'd taught students how to make decisions about sharing personal information online; 33% about the dangers of social networking sites; 30% about watching for online predators; and 28% about what to do if they receive harassing messages.

What Security Issues Are You Currently Facing?

Conducted by: RSA

Sponsored by: Unsponsored

Number of respondents: Nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures.

The RSA Conference Survey 2009 reported an increase in e-mail phishing (72%) and Web-borne malware (57%). The survey also found IT pros were quite concerned about zero-day attacks (28%) and rogue employees as a result of layoffs (26%).

IT Security Spending, Budgets & Priorities

The Global State of Information Security 2011

Conducted by: CSO, PricewaterhouseCoopers, CIO

Number of respondents: More than 12,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 130 countries.

Analysis of respondents' challenges and approaches to cloud security, secure business partner relationships, and more.

2010 results - PDF

2008 results

2007 results

2006 results

2005 results

2004 results

2003 results

2010 TMT Global Security Study

Conducted by: Deloitte's Information & Technology Risk Services practice

Sponsored by: Unsponsored

Number of respondents: Nearly 150 TMT organizations around the world.

This fourth edition of Deloitte's Technology, Media & Telecommunications Global Security Study examines key areas of security and privacy and finds that information security spending is modestly bouncing back after a decline in 2009.

Deloitte 2010 Global Security Survey: The Faceless Threat

Conducted by: Deloitte's Global Financial Services

Sponsored by: Unsponsored

Number of respondents: 350 major financial institutions.

Of 19 options, nearly half of respondents chose identity and access management as their top security initiative for 2010. The survey also examines data loss and regulatory compliance priorities.

2010 Update: What Organizations Are Spending on IT Security

Conducted by: Gartner

Sponsored by: Unsponsored

Origin of data: Information taken from a number of Gartner reports.

Efficient security will allow IT to safely cut security budgets by 3% to 6% through 2011, according to a Gartner study. Researchers say those with either very mature or recently updated security programs will save even more. Study also looks at security spending and "platforms" versus "best of breed" options.

Insights from Deloitte's 2009 Global Shared Services Survey

Conducted by: Deloitte

Sponsored by: Unsponsored

Number of respondents: 265 shared services leaders representing 702 individual shared services centers with a median annual revenue of $10.5 billion.

Cost reduction was highlighted in this survey: 72% of respondents said it was one of their top three priorities over the next 2 years. Also, 57% plan to increase the number of advisory processes in shared services in the same period.

Information Security Spending Survey: 2009 Results (Impact of the Recession)

Conducted by: Joint effort between MetroSITE Group and Pacific Crest Securities.

Sponsored by: Unsponsored

Number of respondents: 53 top security professionals worldwide.

Governance, compliance, mobility and identity and access management will continue to receive funding, according to a 2009 survey. IT security spending is primarily being driven by compliance, followed by threat reduction and brand protection.

2010 Top Five Total Rewards Priorities Survey

Conducted by: Deloitte Human Capital

Sponsored by: Deloitte and the International Society of Certified Employee Benefit Specialists

Number of respondents: 292 diverse employers.

A look at job security and other employee/employer priorities during the 2010 financial crisis.

Physical Security, Fraud and Loss Prevention

Report to the Nation

Conducted by: Association of Certified Fraud Examiners

Sponsored by: Unsponsored

Origin of data: Based on 959 cases of occupational fraud reported by the CFEs who investigated and resolved them.

2008 study examines occupational and other fraud incidents--it finds the typical occupational scheme lasts 2 years and results in a median loss of $175,000.

More on retail security and loss prevention

* Retail security: Critical issues

* Oranized crime and retail theft: Facts and myths

* Mall rats: Shoplifting and ORT

National Retail Federation research

The NRF conducts periodic surveys on Organized Retail Crime, return fraud, and more. See the linked page for connections to their latest research.

Report: Global Theft Decreases in 2010

Conducted by: Centre for Retail Research

Sponsored by: Checkpoint Systems

Number of respondents: 1,103 large retailers in 42 countries.

2010 survey looks at physical loss of retail merchandise to crime and waste, and studies its impact on retailers and consumers.

Theft Surveys by Jack L. Hayes International

Conducted by: Jack L. Hayes International (a loss prevention consulting firm)

Number of respondents:Varied

A limited amount of data is available on the linked page, covering retail theft, shoplifting, and related areas.

The Cost of a Lost Laptop

Conducted by: Ponemon Institute LLC

Sponsored by: Intel Corporation

Number of respondents: N/A

1 2 3 Page
Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies