
Saturday, February 13, 2010



The Human Factor in Laptop Encryption: US Study



Encryption is one of the most important security tools in the defense of information assets. Ponemon Institute has conducted numerous studies on organizations' use of encryption to prevent the loss of sensitive and confidential information. These studies have shown that encryption can be an effective deterrent. However, our studies also show that in order to be effective, encryption requires organizations and users to take appropriate steps to make sure sensitive and confidential information is protected as much as possible.


Ponemon Institute conducted this study sponsored by Absolute Software on The Human Factor in Laptop Encryption to understand employees' perceptions about ensuring that information assets entrusted to their care are effectively managed in encryption environments, especially the use of whole disk encryption on laptop computers. The study also was conducted in the United Kingdom and Canada. The results are published in separate reports.


What we learned is that a high percentage of employees we surveyed in non-IT business functions (referred to as business managers in this report) are not taking such precautionary steps as using complex passwords, not sharing passwords, using a privacy shield, keeping their laptop physically safe when traveling or locking their laptop to protect sensitive and confidential data. Further, many respondents believe that encrypted solutions make it unnecessary to take other security measures.


In contrast, their colleagues in corporate IT and IT security functions (referred to as IT security practitioners in this report) are diligent in taking all or most precautionary steps to safeguard the sensitive and confidential information on their laptops. They believe encryption is an important security tool, but believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen. The following are some of the most salient findings:


  1. Ninety-two percent of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach. Only 45% report that the organization was able to prove the contents were encrypted.
  2. Fifty-two percent of business managers surveyed strongly agree or agree that encryption stops cyber criminals from stealing data on laptops versus 46% of IT and IT security practitioners who strongly agree or agree.
  3. Fifty-seven percent of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT security practitioners record their password on a private document or share it with another person.
  4. Fifty-six percent of business managers have disengaged their laptop's encryption solution and 48% admit this is in violation of their company's security policy.
  5. Fifty-nine percent of business managers sometimes or often leave their laptop with a stranger when traveling.

We believe this research is particularly timely because previous studies conducted by Ponemon Institute have shown that the lost or stolen laptop is the number one cause of data loss. In this study we surveyed 720 IT security practitioners and 874 business managers from US-based organizations on the following topics related to their use of laptop encryption:


  1. The use of encryption tools to protect information contained on the laptop computers assigned to them by their employer.
  2. Perceptions IT security practitioners have about the use of encryption to protect information assets on their laptops.
  3. Perceptions business managers have about the use of encryption to protect information assets on their laptops.
Ponemon Institute© Private & Confidential Document Page 2
  4. The procedures business managers follow or do not follow to safeguard the sensitive and confidential information on their laptops.

Key Findings


Following are the key findings of this survey research. Please note that most of the results are displayed in a bar chart format. The actual data utilized in each figure and referenced in the paper can be found in the percentage frequency tables attached as Appendix I to this paper.


A large number of employees in participating organizations have encryption solutions on their laptops.


As shown in Bar Chart 1, 82% of IT security practitioners and 58% of business managers have employer-provided encryption solutions on their laptops.


[Bar Chart 1: Does your organization provide laptop encryption? Each bar shows the percentage Yes response. Series: business managers, IT security practitioners.]


Bar Chart 2 reports the most widely-used encryption solutions deployed by organizations. They are: whole disk encryption for 41% of IT security practitioners and for 45% of business managers. This is followed by network or gateway encryption (36% IT and 34% business), file-based encryption (25% IT and 38% business) and encrypted backup device including thumb drive (20% IT and 29% business).


[Bar Chart 2: What encryption solutions are used to protect content on laptops? Categories: encryption chip (hardware), encrypted thumb drive, email encryption, encrypted backup device including thumb drive, network or gateway encryption, file-based encryption, whole disk encryption. Series: business managers, IT security practitioners.]



Organizations often are not able to prove data on lost or stolen computers was encrypted.


Bar Chart 3 reports that according to 92% of IT security practitioners, someone in their organization has had a laptop used for business purposes lost or stolen and 71% report that it resulted in a data breach for the organization. Only 45% report that their organization was able to prove the contents of the laptop were encrypted.


[Bar Chart 3: Experience dealing with a lost laptop. Questions: "Has anyone in your organization ever had a laptop used for business purposes lost or stolen?"; "If yes, did this result in a data breach for your organization?"; "If yes, was your organization able to prove that the contents of the laptop were encrypted?" Series: business managers say Yes, business managers say No/Unsure, IT security practitioners say Yes, IT security practitioners say No/Unsure.]


The above chart also shows that 79% of business managers report that someone in their organization had their laptop lost or stolen and 39% say it resulted in a data breach. Only 17% report that the organization was able to prove that the contents of the laptop were encrypted.


There is slightly more confidence among business managers in the ability of encryption to protect the sensitive and confidential information that resides on their laptops.


As shown in Bar Chart 4, 68% of business managers strongly agree or agree that encryption protects the information contained on their laptops and 60% of this same group strongly agree or agree it is not necessary to use other security solutions.


[Bar Chart 4: Confidence in laptop encryption. Each bar shows the combined percentage response for "agree" and "strongly agree". Statements: "Encryption protects the information contained on my laptop computer."; "Encryption makes it unnecessary to use other security measures." Series: business managers, IT security practitioners.]



Fifty-nine percent of IT security practitioners strongly agree or agree that encryption protects the information contained on their laptops and 40% strongly agree or agree that encryption makes it unnecessary to use other security measures.


[Bar Chart 5: Perceptions about encryption's ability to protect sensitive content. Each bar shows the combined percentage response for "agree" and "strongly agree". Statements: "Encryption of my laptop prevents the theft of my information by cyber criminals."; "I don't worry about losing my laptop because its contents are encrypted." Series: business managers, IT security practitioners.]


The gap in perceptions about the ability of encryption to protect information widens between these two groups when asked if encryption prevents theft by cyber criminals. As shown in Bar Chart 5, 52% of business managers strongly agree or agree with the statement that "encryption of my laptop prevents the theft of my information by cyber criminals" versus 46% of IT security practitioners who strongly agree or agree. Thirty-two percent of respondents in both groups are uncertain if encryption of their laptops prevents theft by cyber criminals.


When asked if they would worry if they lost a laptop that was encrypted, 66% of business managers strongly agree or agree that they would not worry. However, only 39% of IT security practitioners would not worry.


IT security practitioners see a higher probability than business managers do that a lost laptop or access to an insecure wireless network will result in data loss.


[Bar Chart 6: What is the likelihood of occurrence? The percent of respondents who stated the probability of occurrence is less than 10%. Questions: "If you lost your laptop computer, what do you think is the probability that someone else would be able to access your sensitive or confidential information?"; "If you were accessing the Internet from an insecure wireless network, what do you think is the probability that someone else would be able to access your sensitive or confidential information assuming the laptop computer had an encryption solution?" Series: business managers, IT security practitioners.]



Bar Chart 6 reports that 64% of business managers versus 48% of IT security practitioners believe that there is zero or less than a 10% chance of someone having the ability to access sensitive and confidential information if they lost their laptop.


Assuming their laptops are encrypted, 66% of business managers believe that there is no chance or less than a 10% chance of having their sensitive information accessed if they should access an insecure wireless network. In contrast, only 31% of IT security practitioners are confident that there would be zero or less than a 10% chance of losing data when accessing an insecure wireless network.


Business managers put data at risk by not using encryption properly.


As shown in Bar Chart 7, 48% of business managers admit to forgetting their laptop's encryption password.


[Bar Chart 7: Did you ever forget your laptop's encryption password? Each bar shows the percentage Yes response. Questions: "Q12a. Did you ever forget your laptop computer's encryption password?"; "If yes, the help desk was able to recover my password or key used to protect the data"; "If yes, the information on the laptop could not be accessed and was lost permanently." Series: business managers, IT security practitioners.]


Fifty-eight percent were able to recover their password or key used to protect the data by contacting their organization's help desk, but 32% could not gain access and the information was lost permanently. To manage their passwords, business managers circumvent security procedures. As shown in Bar Chart 8, 57% of these respondents record their password on a private document such as a post-it note to jog their memory (36%) or share the key with other individuals in case they forget the password (21%). Virtually none of the respondents from the IT security practitioners group record their password on a private document or share it with another person.


[Bar Chart 8: How do you remember your encryption password? Responses: "I share the key with other individuals in case the password is forgotten."; "I record the password on a private document such as a post-it note."; "Other manual or heuristic methods"; "The key is programmed on my computer and is automatically loaded after fingerprint or password authentication." Series: business managers, IT security practitioners.]



Bar Chart 9 shows that 56% of business managers have disengaged their laptop's encryption solution. Only 20% of those who turned off the encryption solution believe that this practice is not in violation of their company's security policy and 32% are unsure. In contrast, only 25% of IT security practitioners have disengaged the encryption solution and 13% believe that this practice is not in violation of their company's security policy.


[Bar Chart 9: Have you ever disengaged your laptop's encryption solution? Each bar shows the percentage Yes response. Questions: "Have you ever turned-off or disengaged your laptop's encryption solution?"; "If yes, does your company's security policy allow you to turn-off or disengage your laptop's encryption?" Series: business managers, IT security practitioners.]


Business managers often don't take precautions and could be considered negligent in taking steps to safeguard the sensitive and confidential information on their laptops.


In this study, we asked both business managers and IT security practitioners to respond to questions about typical laptop security procedures.


Bar Chart 10 (below) compares these two groups in terms of their propensity to safeguard their laptop computers. As is shown, business managers may be putting their laptops at serious risk because of their tendency not to protect their passwords, to leave their laptops in unguarded situations and to access insecure wireless connections.


Specifically, among business managers, only 17% always turn off their computers when not in use, 11% always use complex passwords or biometrics to prevent unauthorized access to their laptop, 17% always change passwords frequently, 39% never share their passwords, 9% never reuse the same passwords, 5% always use a privacy shield to prevent prying eyes and 3% always physically lock their computer to their desk.


When traveling, 11% never leave their computer in an insecure or unattended location, 8% always place their laptop in the hotel safe, 11% never leave their laptop with a stranger, 23% never use an insecure wireless network, 37% always keep their anti-virus or malware software current and 40% always set their computer to hibernate if left unattended for a short period of time.


It is uncertain whether business managers' negligence, as evidenced by the above responses, is due to an over-reliance on encryption solutions, although many in this group of respondents do believe that encryption is all that is needed to protect the information on their laptops. The conclusion here is that the human factor is the weakest link in any organization's efforts to defend data at risk.


The practices of IT security practitioners are the direct opposite of those of the business managers. Specifically, 44% always turn off their computers when not in use, 73% always use complex passwords or biometrics to prevent unauthorized access to their laptop, 78% always change passwords frequently, 96% never share their passwords, 90% never or rarely reuse the same passwords and 68% always use a privacy shield to prevent prying eyes. However, only 39% always lock their computer to their desk.



[Bar Chart 10: The human factor in laptop security. Each bar is the percent of respondents who say that they take the following security precautions: "I turn off my laptop when it is not in use."; "I use complex passwords or biometrics."; "I change passwords frequently."; "I do not share my password with anyone."; "I do not reuse the same password twice."; "I use a privacy shield to prevent prying eyes."; "I lock my computer to my desk."; "I don't leave my computer in insecure or unattended locations."; "When traveling, I place my laptop computer in the hotel safe."; "I set my computer to hibernate if not attended for a short period."; "I never ask other travelers to safeguard my laptop."; "I do not use an insecure wireless network."; "I keep my anti-virus or malware software current." Series: business managers, IT security practitioners.]


When traveling, 78% of IT security practitioners never leave their computer in an insecure or unattended location, 46% always place their laptop in the hotel safe, 79% never leave their laptop with a stranger, 90% never use an insecure wireless network, 93% always keep their anti-virus or malware software current and 84% always set their computer to hibernate if left unattended for a short period of time.



Comparisons of US, Canada and UK samples


In addition to this US study, we completed concurrent surveys for IT security practitioners and business managers from organizations in Canada and the UK.1 In all three countries, IT security practitioners face the same challenge of keeping sensitive and confidential information safeguarded in spite of the actions of business managers who may be relying on encryption to protect data and not following critical security procedures. There are significant gaps between the security practices of business managers and IT security practitioners in all three countries.


Bar Chart 11 shows differences between business managers and IT security practitioners in the US, Canada and the United Kingdom about various attributions of encryption. In the US, there is slightly more of a gap between business managers and IT security practitioners in how worried respondents would be if an encrypted laptop was lost or stolen and prevention of cyber criminals from stealing information.


[Bar Chart 11: Comparison of laptop encryption attributions for the US, Canada and UK. Each bar represents the combined percentage of "Strongly Agree" and "Agree" responses. Statements: "Laptop encryption fully protects my information."; "Encryption is easy to use."; "Encryption makes other measures unnecessary."; "Encryption prevents theft by cyber criminals."; "Don't worry because my laptop is encrypted." Series: IT security US, IT security Canada, IT security UK, business managers US, business managers Canada, business managers UK.]


The most significant between-sample differences shown are in the perception that information contained on an encrypted laptop is protected.


1 The Canadian study included 348 business managers and 435 IT or IT security practitioners. The UK study involved 499 business managers and 645 IT security practitioners.



Line Chart 1 recasts the average results shown in the above bar chart to highlight the differences or gaps between the IT security practitioner and business manager samples in three countries.


As can be seen, the gaps, defined as the average percentage response for business managers minus the average percentage response for IT security practitioners, are remarkably consistent for all three countries. Business managers are much more likely than IT security practitioners to:


  1. Believe encryption makes it unnecessary to use other security measures for laptop protection
  2. Believe encryption is more likely to prevent the theft of information by cyber criminals
  3. Not worry about losing a laptop because the contents are encrypted

[Line Chart 1: Difference in the perception of encryption among IT security practitioners and business managers in the US, Canada and UK, respectively. GAP = the average percent response for business managers minus response for IT security. Statements: "Laptop encryption fully protects my information."; "Encryption is easy to use."; "Encryption makes other measures unnecessary."; "Encryption prevents theft by cyber criminals."; "Don't worry because my laptop is encrypted." Series: GAP for US, GAP for Canada, GAP for UK.]


In contrast, IT security practitioners in the US, Canada and UK are much more likely than business managers to believe laptop encryption solutions are easy to use.


We believe the primary conclusion that can be drawn from this study is that business managers in all three countries are either negligent in the protection of sensitive and confidential information on their laptops or they may be overly dependent on encryption to keep this information secure. Encryption is an excellent security tool. However, if encryption is turned off, if passwords are shared or if other risks are taken, organizations that utilize encryption technologies alone to ensure the security of confidential information may not be well protected from the possibility of a data breach.


Survey Caveats


There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.


  1. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of managers in IT security and non-IT business functions, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
  2. Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals in the IT and non-IT business disciplines. We also acknowledge that the results may be biased by external events. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
  3. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

2 Respondents were given nominal compensation to complete all survey questions.

Sample


Two random sampling frames of adult-aged individuals who reside within the United States were used to recruit participants to this web survey.2 Our randomly selected sampling frames were selected from three national lists of IT, security, compliance and data protection professionals.

Table 1

| Sample description | IT Security | Non-IT Business |
| --- | --- | --- |
| Total sampling frame | 12807 | 13879 |
| Bounce-back | 3316 | 4506 |
| Total returns | 755 | 874 |
| Rejected surveys | 35 | 47 |
| Final sample | 720 | 827 |
| Response rate | 5.6% | 6.0% |




from monu tripathi

