Research sponsored by Onapsis
Independently Conducted by Ponemon Institute LLC
February 2016
Uncovering the Risks of SAP Cyber Breaches
Ponemon Institute, February 2016
Part 1. Introduction
Ponemon Institute is pleased to present the results of Uncovering the Risks of SAP Cyber
Breaches sponsored by Onapsis. The purpose of this study is to understand the threat of an SAP
cyber breach and how companies are managing the risk of information theft, modification of data
and disruption of business processes. The companies represented in this study say their SAP
platform has been breached an average of two times in the past 24 months.
We surveyed 607 IT and IT security practitioners who are involved in the security of SAP
applications used by their organizations to manage business operations and customer relations.
The most common SAP products deployed are enterprise management (ERP), technology
platforms (backbone), financial and data management and customer relationship management
(CRM).
The respondents in this study understand the risk of an SAP cyber breach. Sixty percent of
respondents say the impact of information theft, modification of data and disruption of business
processes on their company's SAP would be catastrophic (17 percent of respondents) or very
serious (43 percent of respondents).
SAP applications (50 percent of respondents). A barrier to achieving security is that only 34
percent of respondents say they have full visibility into the security of SAP applications and many
companies do not have the required expertise to prevent, detect and respond to cyber attacks on
their SAP applications.
The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. Twenty-five percent of respondents say no one function is most accountable for
SAP security in their organizations followed by IT infrastructure (21 percent of respondents). Only
19 percent of respondents say the SAP security team is accountable.
SAP platforms are likely to contain one or more malware infections. Fifty-eight percent of
respondents rate the difficulty in securing SAP applications as very high and 65 percent of
respondents rate their level of concern about malware infections in the SAP infrastructure as very
high. Seventy-five percent of respondents say it is very likely (33 percent) or likely (42 percent)
that SAP platforms have one or more malware infections.
If a data breach involving the SAP system occurred, who would be responsible for
remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30
percent of respondents say no one is most accountable if their organization had an SAP breach
followed by the CIO (26 percent of respondents) and the CISO (18 percent of respondents).
There is little confidence a breach involving the SAP platform would be detected
immediately or within one week. Only 25 percent of respondents say they are very confident or
confident such a data breach would be detected immediately and 35 percent of respondents say
they are very confident or confident a breach would be detected within one week.
Frequency and sophistication of cyber attacks against SAP platforms will increase. Forty-seven
percent of respondents say the frequency of cyber attacks against their company's SAP
platform will increase over the next 2 years and 54 percent of respondents say the stealth and
sophistication of cyber attacks against the company's SAP platform will increase.
New technologies and trends increase the risk of a data breach involving SAP
applications. Fifty-nine percent of respondents also believe new technologies and trends such
as cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP
applications. Despite this concern about the cloud, only 43 percent of respondents say it is
important to understand the cybersecurity and privacy risks before deciding to move SAP
applications to the cloud.
How can organizations improve the security of their SAP infrastructure? Understanding the
latest threats and vulnerabilities in SAP applications helps strengthen the organization's
cybersecurity posture. Seventy-three percent of respondents say knowledge about the latest
threats and vulnerabilities affecting SAP applications improves their organization's ability to
manage cybersecurity risks.
Further, 83 percent of respondents say it is very important to be able to detect zero-day
vulnerabilities in SAP applications, 81 percent say the ability to prioritize threats against SAP
applications based on when the attack is likely to succeed and 81 percent say it is very important
to have continuous monitoring in order to ensure SAP applications are safe and secure.
Segregation of duties can improve SAP security. Sixty-six percent of respondents say their
current approach to SAP security includes segregation of duties and access controls and 51
percent of these respondents say it is effective in safeguarding their company's core business.
Part 2. Key findings
In this section, we present an analysis of the research findings. The complete audited findings are
presented in the appendix of the report. We have organized the findings according to the
following topics from the research:
SAP systems are critical to the revenues of companies represented in this research. When
asked about the financial consequences of their company's SAP systems being taken offline, the
average cost was estimated to be $4.5 million. This includes all direct cash outlays, direct labor
expenditures, indirect labor costs, overhead costs and lost business opportunities.
SAP security challenges
How secure are SAP applications? As shown in Figure 3, 54 percent of respondents believe it
is the responsibility of SAP, not their company, to ensure the security of its applications and
platform.
While 62 percent of respondents say SAP applications are more secure than other applications
deployed by their company, respondents say their companies are evenly divided about whether
they are confident in the security of SAP applications (50 percent of respondents).
Barriers to achieving better security are the lack of full visibility into the security of SAP
applications and required expertise. Less than half (49 percent) of respondents say their
organization has the required expertise to prevent, detect and respond to cyber attacks on their
SAP applications. This lack of expertise could be due to more resources allocated to network
rather than applications security (68 percent of respondents).
Figure 3. How secure are SAP applications?
Strongly agree and agree responses combined
The SAP security team is seldom accountable for the security of SAP systems,
applications and processes. The majority of respondents believe it is difficult to secure SAP
applications. One possible reason could be the lack of clear ownership over securing SAP
applications. As shown in Figure 4, 25 percent of respondents say no one function is most
accountable for SAP security in their organizations followed by IT infrastructure (21 percent of
respondents). Only 19 percent of respondents say the SAP security team is accountable followed
by information security (18 percent of respondents).
Figure 4. Which function is most accountable to ensure the security of SAP systems,
applications and processes?
SAP platforms are likely to contain one or more malware infections. As shown in Figure 6,
seventy-five percent of respondents say it is very likely (33 percent) or likely (42 percent) that
SAP platforms have one or more malware infections.
Figure 6. What is the likelihood that your company's SAP platform at any point in time
contains one or more malware infections?
SAP and the risk of data breaches and cyber attacks
If a data breach involving the SAP system occurred, who would be responsible for
remediating the incident? Despite the perceptions of the seriousness of an SAP breach, 30
percent of respondents say no one person would be most accountable if their organization had an
SAP breach followed by the CIO (26 percent of respondents) and the CISO (18 percent of
respondents), as shown in Figure 7.
Figure 7. Who is the person most accountable if your organization has an SAP breach?
There is little confidence that a breach involving the SAP platform would be detected
immediately or within one week. According to Figure 8, only 25 percent of respondents say
they are very confident or confident such a data breach would be detected immediately and 35
percent of respondents say they are very confident or confident a breach would be detected
within one week. Confidence increases in the detection of a breach within one month (41 percent
of respondents) or one year (53 percent of respondents).
Figure 8. How soon would you know if the SAP platform had been breached?
Very confident and confident responses combined
Certain SAP applications are most susceptible to cyber attack. According to respondents,
content and collaboration, data management, customer relationship management (CRM) and the
technology platform (backbone) are the most vulnerable to attack, as shown in Figure 9.
Figure 9. SAP applications most susceptible to attack
More than one response permitted
Frequency and sophistication of cyber attacks against SAP platforms will increase. As
shown in Figure 10, 47 percent of respondents say the frequency of cyber attacks against their
company's SAP platform will increase over the next 2 years and 54 percent of respondents say
the stealth and sophistication of cyber attacks against the company's SAP platform will increase.
Figure 10. How will the frequency and stealth and sophistication of cyber attacks against
your company's SAP platform change over the next 24 months?
New technologies and trends increase the risk of a data breach involving SAP
applications. Fifty-nine percent of respondents believe new technologies and trends such as
cloud, mobile, big data and the Internet of Things increase the attack surface of their SAP
applications, according to Figure 11. Despite this concern about the cloud, only 43 percent of
respondents say it is important to understand the cybersecurity and privacy risks before deciding
to move SAP applications to the cloud.
Figure 11. What new technologies and trends will increase the risk of a data breach
involving SAP applications?
Strongly agree and agree responses combined
Certain practices are very important to achieving security and avoiding cyber breaches in
the SAP infrastructure. Understanding the latest threats and vulnerabilities in SAP applications
helps strengthen the organization's cybersecurity posture. Seventy-three percent of respondents
say knowledge about the latest threats and vulnerabilities affecting SAP applications improves
their organization's ability to manage cybersecurity risks.
According to Figure 12, eighty-three percent of respondents say it is very important to be able to
detect zero-day vulnerabilities in SAP applications, 81 percent say the ability to prioritize threats
against SAP applications based on when the attack is likely to succeed and 81 percent say it is
very important to have continuous monitoring in order to ensure SAP applications are safe and
secure.
The following practices are also considered important: the ability to assess and audit SAP
compliance with policies, industry standards and government regulations (78 percent of
respondents), the ability to integrate existing security technologies including GRC, SIEM, network
security and security operations management with their company's SAP security solution (73
percent of respondents), the ability to receive a direct feed of the latest SAP vulnerabilities
confirmed by security experts (72 percent of respondents) and compliance when deploying SAP
applications (67 percent of respondents).
Figure 12. What practices are important in achieving security in the SAP infrastructure?
1 = low importance to 10 = high importance, 7+ responses
Segregation of duties can improve SAP security. Sixty-six percent of respondents say their
current approach to SAP security includes segregation of duties and access controls. As shown
in Figure 13, 51 percent of these respondents say it is effective in safeguarding their company's
core business.
Figure 13. Is the segregation of duties and access controls effective in safeguarding your
company's core business systems?
Part 3. Methods & Limitations
A sampling frame of 17,473 experienced IT and IT security practitioners located in the United
States was selected as participants in this survey. From this sampling frame, we captured 709
returns of which 102 were rejected for reliability issues. Our final sample was 607, thus resulting
in an overall 3.5 percent response rate, as shown in Table 1.
Table 1. Sample response

| Sample response | Freq | Pct% |
|---|---|---|
| Total sampling frame | 17,473 | 100% |
| Total returns | 709 | 4.1% |
| Rejected or screened surveys | 102 | 0.6% |
| Final sample | 607 | 3.5% |
Pie Chart 1 summarizes the approximate position levels of respondents in our study. As can be
seen, the majority of respondents (58 percent) are at or above the supervisory level.
Pie Chart 1. Distribution of respondents according to position level
Pie Chart 2 reveals 25 percent of respondents identified their primary role as being within IT
management, 18 percent responded IT security and 15 percent responded SAP infrastructure.
Pie Chart 2. Primary role within the organization
Pie Chart 3 reports the respondents' organizations' primary industry focus. As shown, 18 percent
of respondents identified financial services and insurance, which includes banking, investment
management, insurance, brokerage, payments and credit cards. Nine percent responded
manufacturing, and eight percent responded public sector/government.
Pie Chart 3. Distribution of respondents according to primary industry classification
According to Pie Chart 4, the majority of respondents are located in larger-sized organizations with
a global headcount of more than 1,000 employees.
Pie Chart 4. Distribution of respondents according to world headcount
In addition to the United States, 70 percent of respondents reported that their organization has
employees located in Europe, 67 percent responded Canada, and 63 percent responded Asia-Pacific.
Table 2. Location of employees

| Location of employees | Pct% |
|---|---|
| United States | 100% |
| Europe | 70% |
| Canada | 67% |
| Asia-Pacific | 63% |
| Middle East & Africa | 54% |
| Latin America (including Mexico) | 49% |
| Total | 403% |
Limitations
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable
returned responses. Despite non-response tests, it is always possible that individuals who
did not participate are substantially different in terms of underlying beliefs from those who
completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to
which the list is representative of individuals who are IT or IT security practitioners. We
also acknowledge that the results may be biased by external events such as media
coverage. We also acknowledge bias caused by compensating subjects to complete this
research within a holdout period.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated
into the survey process, there is always the possibility that a subject did not provide a
truthful response.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey
questions contained in this study. All survey responses were captured in mid December 2015
through January 4, 2016.
| Survey response | Freq. |
|---|---|
| Total sampling frame | 17,473 |
| Total returns | 709 |
| Rejected or screened surveys | 102 |
| Final sample | 607 |
| Response rate | 3.5% |

Part 1. Screening

| S1a. Does your company use SAP? | Pct% |
|---|---|
| Yes | 81% |
| No | 19% |
| Total | 100% |

Pct%
25%
19%
19%
13%
5%
19%
100%

| S2. Which SAP products (e.g., modules) does your organization deploy? | Pct% |
|---|---|
| Enterprise management (ERP) | 73% |
| Technology platform (backbone) | 69% |
| Financial management | 53% |
| Data management | 50% |
| Customer relationship management (CRM) | 46% |
| Human capital management | 41% |
| Supply chain management | 33% |
| Supplier relationship management | 33% |
| Content and collaboration | 25% |
| Product life cycle management | 25% |
| Analytics | 18% |
| Other (please specify) | 0% |
| None of the above (stop) | 0% |
| Total | 466% |

| S3. What best describes your involvement in the security of SAP applications deployed by your organization? | Pct% |
|---|---|
| Very significant | 31% |
| Significant | 47% |
| Moderate | 22% |
| Minimal or none (stop) | 0% |
| Total | 100% |
| Part 2. Attributions: Are organizations prepared to deal with SAP security risks? Strongly agree and Agree responses combined | Pct% |
|---|---|
| Q1. My company's budget provides a higher funding level for network rather than application security. | 68% |
| Q2. C-level executives in my company tend to underestimate the risks associated with insecure SAP applications. | 63% |
| Q3. My company is confident in the security of SAP applications. | 50% |
| Q4. It is the responsibility of SAP, not my company, to ensure its applications and platform are safe and secure. | 54% |
| Q5. Our senior leadership understands the importance and criticality of SAP installations to our organization's bottom line. | 76% |
| Q6. Our organization understands the impact of the value of the data that could be lost from our SAP system. | 41% |
| Q7. Our senior leadership knows what data resides on our company's SAP systems. | 23% |
| Q8. Our organization has the required expertise to prevent, detect and respond to cyber attacks on our SAP applications. | 49% |
| Q9. SAP applications that are not connected to the Internet pose no real security threat to my company. | 56% |
| Q10. SAP applications are more secure than other applications deployed by my company. | 62% |
| Q11. Our senior leadership is aware of SAP cybersecurity risks. | 21% |
| Q12. Understanding the latest threats and vulnerabilities affecting SAP applications improves our organization's ability to manage cyber security risks. | 73% |
| Q13. My company is unlikely to experience a material security or data breach resulting from insecure SAP applications. | 44% |
| Q14. New technologies and trends such as cloud, mobile, big data and the Internet of Things increase the attack surface of our SAP applications and therefore the probability of a breach. | 59% |
| Q15. Understanding the cyber security and privacy risks are considered when evaluating whether or not to move SAP applications to the cloud. | 43% |

Part 3. SAP security challenges

| Q16. Which function is most accountable to ensure the security of SAP systems, applications and processes? | Pct% |
|---|---|
| SAP security team | 19% |
| Information security | 18% |
| Audit | 6% |
| IT infrastructure | 21% |
| Risk executives | 9% |
| Board of directors | 2% |
| No one function is most accountable for SAP security | 25% |
| Total | 100% |

| Q17a. Does your current approach to SAP security include segregation of duties and access controls? | Pct% |
|---|---|
| Yes | 66% |
| No | 30% |
| Unsure | 4% |
| Total | 100% |

| Q17b. If yes, is it effective in safeguarding your company's core business systems? | Pct% |
|---|---|
| Yes | 51% |
| No | 44% |
| Unsure | 5% |
| Total | 100% |
| Q18. What is the likelihood that your company's SAP platform at any point in time contains one or more malware infections? | Pct% |
|---|---|
| Very likely | 33% |
| Likely | 42% |
| Not likely | 21% |
| No chance | 4% |
| Total | 100% |

The following items are rated using a 10-point scale ranging from 1 = lowest to 10 = highest.

| Q19. Please rate the level of difficulty in securing SAP applications. | Pct% |
|---|---|
| 1 or 2 | 4% |
| 3 or 4 | 10% |
| 5 or 6 | 30% |
| 7 or 8 | 36% |
| 9 or 10 | 22% |
| Total | 100% |
| Extrapolated value | 6.73 |

| Q20. Please rate your organization's level of concern about malware infection in the SAP infrastructure. | Pct% |
|---|---|
| 1 or 2 | 3% |
| 3 or 4 | 12% |
| 5 or 6 | 20% |
| 7 or 8 | 31% |
| 9 or 10 | 34% |
| Total | 100% |
| Extrapolated value | 7.12 |

| Q21. Please rate your organization's effectiveness in managing the SAP infrastructure. | Pct% |
|---|---|
| 1 or 2 | 0% |
| 3 or 4 | 8% |
| 5 or 6 | 17% |
| 7 or 8 | 43% |
| 9 or 10 | 32% |
| Total | 100% |
| Extrapolated value | 7.48 |

| Q22. Please rate the importance of compliance when deploying SAP applications. | Pct% |
|---|---|
| 1 or 2 | 1% |
| 3 or 4 | 7% |
| 5 or 6 | 15% |
| 7 or 8 | 38% |
| 9 or 10 | 39% |
| Total | 100% |
| Extrapolated value | 7.64 |
| Q23. Please rate the importance of continuous monitoring in ensuring SAP applications are safe and secure. | Pct% |
|---|---|
| 1 or 2 | 1% |
| 3 or 4 | 5% |
| 5 or 6 | 13% |
| 7 or 8 | 42% |
| 9 or 10 | 39% |
| Total | 100% |
| Extrapolated value | 7.76 |

| Q24. Using the following 10-point scale, what best defines your company's visibility into the security of SAP applications? | Pct% |
|---|---|
| 1 or 2 | 16% |
| 3 or 4 | 28% |
| 5 or 6 | 22% |
| 7 or 8 | 21% |
| 9 or 10 | 13% |
| Total | 100% |
| Extrapolated value | 5.24 |

| Q25. Using the following 10-point scale, how important is the ability to integrate existing security technologies including GRC, SIEM, network security and security operations management with your company's SAP security solution? | Pct% |
|---|---|
| 1 or 2 | 5% |
| 3 or 4 | 4% |
| 5 or 6 | 18% |
| 7 or 8 | 38% |
| 9 or 10 | 35% |
| Total | 100% |
| Extrapolated value | 7.38 |

| Q26. Using the following 10-point scale, how important is the ability to assess and audit SAP compliance with policies, industry standards and government regulations? | Pct% |
|---|---|
| 1 or 2 | 4% |
| 3 or 4 | 2% |
| 5 or 6 | 16% |
| 7 or 8 | 20% |
| 9 or 10 | 58% |
| Total | 100% |
| Extrapolated value | 8.02 |

| Q27. Using the following 10-point scale, how important is the ability to prioritize threats against SAP applications based on when the attack is likely to succeed? | Pct% |
|---|---|
| 1 or 2 | 3% |
| 3 or 4 | 8% |
| 5 or 6 | 8% |
| 7 or 8 | 28% |
| 9 or 10 | 53% |
| Total | 100% |
| Extrapolated value | 7.90 |
| Q28. Using the following 10-point scale, how important is the ability to detect zero-day vulnerabilities in SAP applications? | Pct% |
|---|---|
| 1 or 2 | 0% |
| 3 or 4 | 1% |
| 5 or 6 | 16% |
| 7 or 8 | 40% |
| 9 or 10 | 43% |
| Total | 100% |
| Extrapolated value | 8.00 |

| Q29. Using the following 10-point scale, how important is the ability to receive a direct feed of the latest SAP vulnerabilities confirmed by security experts? | Pct% |
|---|---|
| 1 or 2 | 3% |
| 3 or 4 | 7% |
| 5 or 6 | 18% |
| 7 or 8 | 42% |
| 9 or 10 | 30% |
| Total | 100% |
| Extrapolated value | 7.28 |

Part 4. Data breaches and cyber attack

| Q30. What SAP applications are most susceptible to cyber attack? Please select your top four choices. | Pct% |
|---|---|
| Content and collaboration | 64% |
| Data management | 56% |
| Customer relationship management (CRM) | 50% |
| Technology platform (backbone) | 48% |
| Enterprise management (ERP) | 37% |
| Financial management | 35% |
| Supply chain management | 33% |
| Supplier relationship management | 31% |
| Human capital management | 25% |
| Analytics | 11% |
| Product life cycle management | 5% |
| Other (please specify) | 5% |
| Total | 400% |

| Q31. In your opinion, how will the frequency of cyber attacks against your company's SAP platform change over the next 24 months? | Pct% |
|---|---|
| Significant increase | 12% |
| Increase | 35% |
| No change | 42% |
| Decrease | 8% |
| Significant decrease | 3% |
| Total | 100% |

| Q32. In your opinion, how will the stealth and sophistication of cyber attacks against your company's SAP platform change over the next 24 months? | Pct% |
|---|---|
| Significant increase | 15% |
| Increase | 39% |
| No change | 37% |
| Decrease | 7% |
| Significant decrease | 2% |
| Total | 100% |
| Q33. Who is the primary person most accountable if your organization has a SAP breach? | Pct% |
|---|---|
| CIO | 26% |
| CISO | 18% |
| CFO | 1% |
| SAP security | 14% |
| SAP BASIS administrator | 8% |
| No one person is accountable | 30% |
| Other (please specify) | 3% |
| Total | 100% |

| Q34a. If your company's SAP platform was breached, how confident are you that this breach would be detected immediately? | Pct% |
|---|---|
| Very confident | 6% |
| Confident | 19% |
| Not confident | 35% |
| No confidence | 40% |
| Total | 100% |

| Q34b. If your company's SAP platform was breached, how confident are you that this breach would be detected within one week? | Pct% |
|---|---|
| Very confident | 12% |
| Confident | 23% |
| Not confident | 34% |
| No confidence | 31% |
| Total | 100% |

| Q34c. If your company's SAP platform was breached, how confident are you that this breach would be detected within one month? | Pct% |
|---|---|
| Very confident | 15% |
| Confident | 26% |
| Not confident | 31% |
| No confidence | 28% |
| Total | 100% |

| Q34d. If your company's SAP platform was breached, how confident are you that this breach would be detected within one year? | Pct% |
|---|---|
| Very confident | 23% |
| Confident | 30% |
| Not confident | 29% |
| No confidence | 18% |
| Total | 100% |

| Q35. To the best of your knowledge, how many times has your company's SAP platform been breached over the past 24 months? | Pct% |
|---|---|
| Zero | 35% |
| 1 or 2 | 32% |
| 3 or 4 | 16% |
| 5 or 6 | 12% |
| 7 or 8 | 3% |
| 9 or 10 | 1% |
| More than 10 | 1% |
| Total | 100% |
| Extrapolated value | 2.14 |
| Q36. What best describes the impact of information theft, modification of data and disruption of business processes on your company's SAP? | Pct% |
|---|---|
| Catastrophic | 17% |
| Very serious | 43% |
| Serious | 32% |
| Not serious | 8% |
| Nominal or none | 0% |
| Total | 100% |

| Q37. How much would it cost your company if your SAP systems were taken offline? Please note that the cost estimate should include all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities. | Pct% |
|---|---|
| Zero | 0% |
| Less than $100,000 | 15% |
| 100,001 to $250,000 | 18% |
| 250,001 to $500,000 | 23% |
| 500,001 to $1,000,000 | 17% |
| 1,000,001 to $5,000,000 | 11% |
| 5,000,001 to $10,000,000 | 6% |
| 10,000,001 to $25,000,000 | 5% |
| 25,000,001 to $50,000,000 | 3% |
| 50,000,001 to $100,000,000 | 2% |
| More than $100,000,000 | 0% |
| Total | 100% |
| Extrapolated value | 4,538,750 |

Part 5. Your Role

| D1. What organizational level best describes your current position? | Pct% |
|---|---|
| Senior Executive | 2% |
| Vice President | 3% |
| Director | 17% |
| Manager | 21% |
| Supervisor | 15% |
| Technician | 35% |
| Staff | 5% |
| Contractor | 2% |
| Other | 0% |
| Total | 100% |

| D2. What best describes your primary role in the organization? | Pct% |
|---|---|
| Application development | 8% |
| SAP security | 4% |
| SAP infrastructure | 15% |
| SAP consultant | 3% |
| Application security | 13% |
| Security architecture | 5% |
| IT management | 25% |
| IT security | 18% |
| Quality assurance | 2% |
| Compliance/audit | 1% |
| Risk management | 5% |
| Network engineering | 1% |
| Other | 0% |
| Total | 100% |
| D3. What industry best describes your organization's industry focus? | Pct% |
|---|---|
| Agriculture/Food & Beverage | 1% |
| Airlines/Automotive/Transportation | 4% |
| Communications/Telecom | 3% |
| Consumer Products | 3% |
| Chemicals | 2% |
| Defense | 1% |
| Education | 2% |
| Energy/Oil & Gas | 3% |
| Entertainment | 0% |
| Financial services & Insurance | 18% |
| Healthcare | 7% |
| Hospitality | 4% |
| Internet & ISPs | 4% |
| Manufacturing | 9% |
| Media | 2% |
| Mining & Metals | 1% |
| Pharmaceuticals | 4% |
| Professional Services | 2% |
| Public sector/ Government | 8% |
| Research | 0% |
| Retail | 8% |
| Services | 6% |
| Technology & Software | 5% |
| Utilities | 3% |
| Other | 0% |
| Total | 100% |

| D4. Where are your employees located? (check all that apply): | Pct% |
|---|---|
| United States | 100% |
| Canada | 67% |
| Europe | 70% |
| Middle East & Africa | 54% |
| Asia-Pacific | 63% |
| Latin America (including Mexico) | 49% |
| Total | 403% |

Pct%
51%
36%
13%
100%
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.