Recent Research on Privacy, Trust and Data Protection
The Privacy Symposium at Harvard University
Dr. Larry Ponemon, Chairman, Ponemon Institute LLC
August 22, 2007

Page 1:

Ponemon Institute© Private & Confidential Document

Recent Research on Privacy, Trust and Data Protection

The Privacy Symposium at Harvard University

Dr. Larry Ponemon, Chairman

Ponemon Institute LLC

August 22, 2007

Page 2:

Ponemon Institute LLC

The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.

The Institute has assembled more than 50 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy leaders (CPOs).

Page 3:

Proposed Agenda

What is privacy trust?

What does recent research tell us?

Scott & Scott – business impact of data breach

Redemtech – debut today of newest study on off-network security

Ponemon – Is desktop search safe?

Implications, privacy and the public’s trust

Questions

Page 4:

How the World Looks at Privacy

• Based on over 100 studies conducted between 2003 and 2006, we compiled the following distribution for adult-aged individuals in 16 countries with respect to their preferences for privacy:

– About 12% of the public appear to be privacy-centric. Events that minimize their sense of privacy or diminish the safety of their sensitive personal information will have a significant impact on behavior.

– About 68% of the public appear to be privacy-sensitive. While they say that privacy is important to them, it will not change their behaviors or information sharing practices.

– About 21% of the public appear to be privacy-complacent. They really don’t care very much about the sharing or selling of their most sensitive personal information, such as Social Security number or Country ID.

Page 5:

How the World Looks at Privacy

Distribution of the Public by Four Geographic Regions

Region          Privacy centric   Privacy sensitive   Privacy complacent
North America   8%                73%                 19%
EMEA            15%               62%                 23%
Asia            5%                70%                 25%
Latin America   18%               67%                 15%

Page 6:

What is Privacy Trust?

A process for engendering trust and confidence in how an organization’s leaders, employees, agents and contractors handle, manage, retain and secure private information about people and our families.

Privacy trust requires an organization to ensure that actual practices are aligned with the perceptions of key stakeholders such as customers, consumers and employees.

The key components of privacy trust include: disclosure and notice, choice or consent, good security measures, reasonable access rights and data quality (accuracy).

Page 7:

How Does Privacy Increase Corporate Value?

Good privacy creates real value to organizations because it promotes the trust of stakeholders such as customers, employees and business partners.

Beyond perception, privacy practices create real economic benefits in terms of:

Reducing operating inefficiencies

Improving information flows about people

Increasing brand or marketplace image

Decreasing risk of regulatory action, fines and lawsuits

Cost and ROI metrics can be developed that demonstrate the full value of good privacy practices in corporations and governmental entities.

Starting point: need to understand what the public (consumers) thinks – or, what do they care about?

Page 8:

Business Impact of a Data Breach

Study released in May 2007

Sponsored by Scott & Scott, LLP

Page 9:

About the study

Sample of 702 IT and IT security practitioners in US companies

Following are the key questions in our inaugural study:

• Are organizations prepared to respond to the breach and what do they consider the most important actions to take?

• Do they measure the cost of the breach to their organization?

• What causes data breach incidents?

• How has the breach affected an organization’s strategy for preventing a breach?

• What are the differences in approaches to the prevention and detection of a data breach between organizations that have experienced a breach and organizations that have not had a data breach?

Page 10:

85% of respondents’ companies experienced a breach incident

Bar Chart 1: Data breach statistics for the present sample

Companies experiencing the loss of personal information: 85%
Companies required to notify breach victims: 81%

Page 11:

42% of data breaches occurred because of missing devices such as laptop computers

Bar Chart 2: Probable cause of the data breach event

Missing devices: 42%
Negligent employees: 16%
Negligent third parties: 10%
IT mishaps: 7%
Criminal activity: 6%
Malicious employees: 6%
Missing backup media: 4%

Page 12:

What technologies are not being deployed to remedy future breaches?

Bar Chart 3: What organizations are not deploying after a data breach

Event management tools: 73%
Controlling endpoints: 65%
Identity & access management: 65%
Controlling system disposal: 63%
Hiring outside counsel: 63%
Conducting training: 46%
Encryption solutions: 46%

Page 13:

57% did not have an incident response plan in place when the breach happened

Bar Chart 4: Did you have an incident plan before the breach?

Did not have an incident response plan: 57%
Did not engage outside legal counsel to draft or review plan: 77%

Page 14:

Notification strategy: 37% over-report

Bar Chart 7: Who needs to be notified?

Notify everyone (over-report): 37%
Careful assessment before notifying: 36%
Notify only after absolute confirmation of harm: 14%

Page 15:

Majority of respondents do not believe that breach victims suffer monetary damages

Bar Chart 8: What percentage of breach victims experienced monetary damages?

0% (no monetary damages): 50%
Between 1 to 2%: 20%
Between 2 to 4%: 11%

Page 16:

National Survey: The Insecurity of Off-Network Security

Study released today (August 2007)

Sponsored by Redemtech

Page 17:

About the study

• Sponsored by Redemtech, Ponemon Institute independently conducted this study to better understand how business and government organizations are securing confidential data on off-network electronic equipment.

• Our national survey queried 735 respondents who are employed in corporate information technology (IT) departments within U.S.-based business or governmental organizations. Our survey focused on the following key issues:

– How important is it for an organization to control data on electronic devices that are off-network?

– What controls or procedures do organizations have in place to secure off-network data-bearing equipment or devices?

– How rigorous is the enforcement of policies and procedures to protect confidential off-network data?

– What are the primary causes for the theft or loss of data on electronic devices that are off-network?

– Is an organization’s confidential data as much at risk off-network as when it is on-network?

Page 18:

About the study

• Off-network electronic equipment includes all data-bearing devices that are disconnected from your organization’s system or network for various reasons, such as for relocation, repair or disposition.

• Electronic equipment includes data-bearing servers, desktop and laptop computers, PDAs or other portable storage devices. Off-network includes equipment that is idle, not actively in use or in storage. The term also applies to equipment being moved for transition to another user, or being sent for repair, refurbishment, reconfiguration, redeployment, return on lease, or retirement (disposal).

Page 19:

Sample of respondents

Pie Chart 1: Sample distribution by industry sector

[Pie chart; only two sector shares are legible: Financial services 19%, Government 19%. Sectors represented: Financial services, Government, Other, Technology & Software, Defense, Telecom, Cable & Wireless, Health Care, Professional Services, Transportation, Retailing, Education, Hospitality & Leisure, Manufacturing, Entertainment and Media, Internet & ISPs, Pharmaceuticals, Energy.]

Page 20:

Attitudes

Bar Chart 1: Pre/post survey questions on the state of off-network security

Percentages show adjusted responses to a five-point scale ranging from strongly agree to strongly disagree.

[Paired pre-survey/post-survey bars for five statements: off-network security is not a priority; off-network devices have unprotected sensitive data; off-network controls are not rigorous; resources are inadequate; confidence in controls to prevent data loss. Bar values as extracted: 61%, 62%, 62%, 59%, 59%, 67%, 62%, 68%, 62%, 68%; the assignment of each value to a statement is not legible in the chart.]

Page 21:

Data breach experience

Bar Chart 2: Data breach experience of survey respondents

Experienced a loss of data-bearing equipment: 73%
Loss involved sensitive or confidential data: 42%

Page 22:

Off-network data loss

Bar Chart 3: Data loss or theft involving on- and off-network data-bearing devices

Data storage was on-network: 27%
Data storage was off-network: 26%
Both on- and off-network: 44%

Page 23:

Most likely causes

Bar Chart 4: The most likely causes of the loss or theft of off-network data-bearing devices

Non-compliance with policy: 27%
Negligence: 24%
Lack of policies: 19%
Malicious insiders: 9%
Crime/theft: 7%

Page 24:

Devices lost

Bar Chart 5: Off-network devices involved in a data breach

Laptops: 68%
PDAs: 67%
Flash drives: 60%
Servers: 39%
Backup media: 29%
Desktops: 29%
Zip drives: 13%
Copying machines: 13%
External storage: 11%
Routers: 9%
Printers & fax: 4%

Page 25:

Security steps

Bar Chart 6: Steps taken to secure data on off-network devices

Clean (wipe) devices: 64%
Reset system passwords: 63%
Control custody in transit: 55%
Control custody (lockdown): 41%
Encrypt data at rest: 25%
Physically destroy drives: 16%
Degauss hard drives: 15%
Physically destroy equipment: 13%
Engage an outside company: 13%

Page 26:

Is policy enforced?

Bar Chart 8: Existence of an off-network security policy or SOP that is strictly enforced

Have off-network security policy: 86%
Have policy that is strictly enforced: 26%

Page 27:

How long will it take to detect data loss?

Bar Chart 9: How quickly will the loss or theft of an off-network device be detected?

Immediately: 15%
Within 2 hours: 7%
Within 1 day: 15%
Within 1 week: 12%
Within 1 month: 13%
More than 1 month: 8%
Never: 30%

Page 28:

Is Desktop Search Safe?

Study released in July 2007

Page 29:

Background

• Security researcher Robert Hansen recently published details of a man-in-the-middle attack against Google Desktop, which places an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of the desktop or install other programs on it. According to Hansen, this drives home the point “that deep integration between the desktop and the Web is not a good idea.”

• A security research firm named Watchfire identified a cross-site scripting vulnerability that would allow an attacker to place malicious code on a Google Desktop user’s computer and possibly take full control of the computer. Google says that it fixed this particular flaw.
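The two reports above describe the attack class in prose only. What follows is an added example, not code from the original presentation and not Google Desktop’s actual implementation: a minimal model in which a desktop client renders search results fetched from a backend over an untrusted path. The JSON shape, the field names, the key, the payload and the function names are all assumptions made for the example, and a shared-key MAC stands in for the server-authenticated TLS a real deployment would rely on. It shows the in-path manipulation Hansen described, a renderer that turns an injected result title into markup the local page will execute, and the two controls that close the hole: an integrity check on the channel and output encoding in the renderer.

```python
import hashlib
import hmac
import html
import json

# Constructed sample reply from a hypothetical search backend, in a made-up
# JSON shape; it stands in for whatever the real product exchanged with Google.
BACKEND_REPLY = json.dumps({
    "query": "quarterly report",
    "results": [
        {"title": "quarterly_report_Q2.xls", "path": "C:\\Users\\alice\\Documents"},
    ],
})

# Shared key between backend and client (assumption for the example). In a real
# deployment channel integrity would come from server-authenticated TLS; the MAC
# keeps the example offline and makes the verification step explicit.
CHANNEL_KEY = b"demo-key-not-for-production"


def sign(reply: str) -> str:
    """Backend side: tag the reply so the client can detect in-path tampering."""
    return hmac.new(CHANNEL_KEY, reply.encode("utf-8"), hashlib.sha256).hexdigest()


def mitm_tamper(reply: str) -> str:
    """Attacker sitting between backend and desktop rewrites a result title to
    carry markup. The handler body is a harmless placeholder; a real payload
    would run with whatever privileges the local results page has."""
    data = json.loads(reply)
    data["results"][0]["title"] = '<img src=x onerror="alert(document.domain)">'
    return json.dumps(data)


def render_unsafe(reply: str) -> str:
    """Vulnerable renderer: untrusted result text is concatenated into the local
    HTML as markup, so anything injected upstream becomes part of the DOM."""
    data = json.loads(reply)
    items = "".join(f"<li>{r['title']}</li>" for r in data["results"])
    return f"<ul>{items}</ul>"


def render_safe(reply: str) -> str:
    """Hardened renderer: every untrusted field is HTML-escaped, so the same
    payload is displayed as text instead of being parsed as a tag."""
    data = json.loads(reply)
    items = "".join(
        f"<li>{html.escape(r['title'], quote=True)}</li>" for r in data["results"]
    )
    return f"<ul>{items}</ul>"


def verify_and_render(reply: str, tag: str) -> str:
    """Client side: reject replies whose tag does not match (tampering in the
    path), then render with output encoding. Both controls are needed: the
    integrity check stops the man-in-the-middle, escaping stops a malicious or
    compromised backend result from executing locally."""
    if not hmac.compare_digest(sign(reply), tag):
        raise ValueError("search reply failed integrity check; discarding")
    return render_safe(reply)


if __name__ == "__main__":
    tag = sign(BACKEND_REPLY)
    tampered = mitm_tamper(BACKEND_REPLY)
    print("unsafe render of tampered reply:", render_unsafe(tampered))
    print("safe render of tampered reply:  ", render_safe(tampered))
    try:
        verify_and_render(tampered, tag)
    except ValueError as exc:
        print("client rejected tampered reply:", exc)
    print("honest reply renders as:", verify_and_render(BACKEND_REPLY, tag))
```

The point the survey respondents were reacting to is visible in the two renderers: the integration itself is not the flaw, but a local page that treats web-supplied text as markup gives anyone on the path (or anyone who can get script into a result) code execution on the desktop. Escaping alone would still let a man-in-the-middle swap in misleading results, which is why the channel check is kept as a separate step.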

Page 30:

Survey

• Our Web-based study was conducted between June 8 and June 12, 2007.

• Our national sampling frame included adult-aged respondents (≥ 18 years) who are in corporate IT or IT security.

• In total, people who reside in the United States received an invitation to participate. This resulted in 1,268 individuals responding (with approximately a 5.4% response rate).

• About 60% of respondents said they were aware of this controversy. Only this sub-sample was asked the remaining survey questions.

Page 31:

Do you agree with Hansen?

Do you agree with Hansen that such integration creates a security problem for Google Desktop?

Yes: 66%
No: 6%
Unsure: 9%
I’m not qualified to answer: 19%

Page 32:

Is the problem resolved?

In your opinion, does that mean Google resolved this problem or is Google Desktop still vulnerable to new cross-site scripting attacks?

I believe that Google is no longer vulnerable to new cross-site scripting attacks: 18%
I believe that Google’s desktop is still vulnerable to new cross-site scripting attacks: 71%
Unsure: 11%

Page 33:

Does antivirus software fix the problem?

Do you believe that antivirus software detects and defends computers against these cross-site scripting attacks, or are Google Desktop users exposed to these attacks even if they keep their antivirus software up-to-date?

I believe antivirus software most likely defends computers against such attacks: 31%
I believe antivirus software most likely does not defend computers against such attacks: 56%
Unsure: 12%

Page 34:

What should users do?

For enterprise users including government agencies, does this transfer of data outside the enterprise create an unacceptable security risk?

Yes: 74%
No: 16%
Unsure: 11%

Page 35:

What should users do?

In your opinion, should users with confidential or legally protected data such as legal, medical or educational records avoid using Google Desktop with this “search across computers” functionality?

Yes: 83%
No: 10%
Unsure: 6%

Page 36:

What can we learn from this jumble of findings?

Privacy matters. Take steps to implement responsible information management practices across the enterprise for all data subjects.

Technology makes a difference. Take stock of new enabling technologies that help protect personal information, such as data leak prevention and encryption solutions.

Human factor is important. One of the top privacy risks concerns negligent or incompetent employees (a.k.a. the Insider Threat). Make sure employees, temporary employees and contractors understand good privacy and data protection practices. Also, take steps to vigorously monitor behaviors that push the limits of the company’s policies or SOPs.

Understand the law. Privacy requirements vary by state, industry sector and nation. You need to understand how legal requirements impact the company’s information technology requirements. Responsible information management requires more than an adequate level of compliance.

Page 37:

Questions?

Dr. Larry Ponemon
Ponemon Institute LLC
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
New Michigan HQ: 2308 US 31 N. Traverse City, MI 49686
[email protected]