SURVEY
#1: NETWORK SECURITY
SUMMARY ANALYSIS
The Survey
An online panel of 1,509 members was recruited in
January-March of 1998 for the World Research MIS Panel. Various means
were used, including online banners, newsletter sponsorships and email
campaigns.
The first survey was sent to these panelists on March
24. The subject was NETWORK SECURITY.
584 panelists (39%) filled out all or
part of the survey form during the week the survey was active.
Purpose
The survey was commissioned to determine
attitudes and concerns about Network Security among IT executives and
professionals.
Summary of Findings
- Compliance with network security policies is spotty,
on the whole.
- The majority would prefer to enforce security transparently,
and also to try to customize the security policy to the company.
- There is also interest in restricting activities
that give too much access, but those activities don't include
web access.
- Most respondents are not very concerned about the
danger of firewall bypass.
- Where a firewall exists, the remaining danger mostly
comes from human factors such as employee disaffection, incompetence,
and access to secure LAN files.
- Virus attacks continue to be a strong concern.
- There is only average concern about intranet
and dialup attacks.
- Browser-, email-related and physical attacks,
employee web accesses, outside hackers and exotic bandwidth attacks
are a minimal concern.
- There is NO concern about e-commerce and other
Internet services.
- Usage Control: The respondents want to get to the
"needle in a haystack", isolating specific instances of
misuse in volumes of usage data. And they want to do it in real
time, with a combined desktop security and usage control product.
- Again, employee web access and email are NOT
concerns. Neither is fancy presentation.
- The core concern about unrestricted web access
is not the access itself, but what it could open up the company
to.
- There is a concern about the cost to the
company of this kind of access, but little about the content itself.
- Interest in the subject, and satisfaction with
this survey, were evident in the extremely low opt-out figures,
and the very high level of opt-in requests for information from
the survey sponsor.
Findings
- Would you say your network security policies
are followed by...
- There is definitely leakage here.
- Only 23% report complete or near-complete compliance.
- Adding "most users" and "half
of the users", we have a majority of 60% of responses.
Spotty compliance is the rule.
- For 22%, there is little or no compliance.
- Amazingly, only 1% of respondents preferred not
to report their company’s state of compliance. An amazing level
of trust!
- ...how effective would these be in an overall
program of achieving adequately secure operations
Ranked by Mean Response
| Effective in helping to achieve secure operations | Mean | Median | Pct 5’s |
|---|---|---|---|
| Aiming for user transparency wherever possible | 3.8 | 4.0 | 35 |
| Customizing the policy to the company | 3.7 | 4.0 | 21 |
| Restricting activities that give employees too much access | 3.6 | 4.0 | 25 |
| Operating an effective security education program | 3.5 | 4.0 | 19 |
| Documenting and communicating a security policy | 3.5 | 3.0 | 18 |
| Investing in audit and surveillance PRODUCTS | 3.4 | 3.0 | 13 |
| Enforcing stiff penalties for non-compliance | 3.2 | 3.0 | 21 |
| Investing in audit and surveillance SERVICES | 3.0 | 3.0 | 10 |
| Putting aside security where the activity isn't mission-critical | 2.5 | 3.0 | 7 |
- ...how concerned are you about traditional
firewalls not protecting from inside attacks such as through the
desktop?
- While there is concern (76% of respondents rated
the issue a "3" or greater),
- only 19% were "extremely concerned",
- and the average is low at 3.4.
- Inside attacks are not
a hot button.
- Let's say a company has already implemented
a proper firewall on its web gateway. Which of these would still
be a risk to that company?
- It's clear that employee failings rank highest
in concern here. The panelists are most concerned about employees
being:
- disgruntled (#1 at 85%),
- incompetent (76%),
- able to get to confidential LAN files (75%).
- Also high: Virus concerns (82%).
- Middling concerns:
- Attacks through dialup connections (70%)
- Criminal hackers (crackers)
- Intranet attacks.
- Low concerns:
- Browser-based (Java/ActiveX/Cookies) (63%)
- Email-based (62%/53%)
- Physical Attacks (56%)
- Inappropriate employee web accesses (55%) (!)
- Outside hackers (55%)
- Exotic attacks such as broadcast storms, ICMP,
UDP etc. (50%)
- Contrary to media reports about e-commerce security
concerns, this group is just not concerned about Internet Services
(38%) and Web-based financial transactions (33%).
- please rate these features in a usage monitoring
product:
Ranked by Mean Response
| Desired features in a usage monitoring product | Mean | Median | Pct 5’s |
|---|---|---|---|
| Zeroing in on instances of misuse in large volumes of data | 3.8 | 4.0 | 30 |
| Real-time responses to misuse | 3.8 | 4.0 | 34 |
| Getting both usage control and desktop security in a single product | 3.7 | 4.0 | 26 |
| Getting accurate data on what employees are actually accessing on the web | 3.5 | 4.0 | 27 |
| Getting great reports, charts and graphs showing types of accesses | 3.2 | 3.0 | 18 |
| Curtailing personal web accesses while allowing productive work | 3.1 | 3.0 | 18 |
| Curtailing inappropriate email usage | 2.8 | 3.0 | 11 |
- There is keen interest in being
able to "mine" the reams of access data for the specific
instances of misuse. These managers know how difficult it is to
find those exceptions.
- Being able
to operate in real-time is considered important.
- There is also strong demand
for combining desktop security and usage control.
- Again, employee web access
and email are NOT concerns. Neither is fancy presentation.
- please rate these dangers in unrestricted
web access:
Ranked by Mean Response
| Dangers in unrestricted web access | Mean | Median | Pct 5’s |
|---|---|---|---|
| Opening up the company to more serious security violations | 4.1 | 4.0 | 46 |
| Waste of company time and money | 3.6 | 4.0 | 32 |
| Secondary exposure of employees to sex, hate, abuse materials | 3.2 | 3.0 | 21 |
| Potential public disclosure of what employees are surfing | 3.2 | 3.0 | 21 |
| Morale and discipline problems | 3.1 | 3.0 | 16 |
- The
core concern about unrestricted web access is not the access itself,
but what it could open up the company to.
This is a hot direction, worth more investigation.
- There is a concern about the cost of this kind
of access.
- Concerns relating to the material itself are
minimal.
- Opt-in/Opt-Out Data:
- (Pre-checked Question): I would like to receive
an executive summary of the results of this survey from the survey's
sponsor:
- Yes: 94%
- (Unchecked Question): I would like to be contacted
by the sponsor about a solution or answer to the types of problems
discussed in the interview.
- Yes: 19%
- Panel Loss Factors from this survey:
- Bad email addresses: 61 (4% of panel)
- Remove Requests: 22 (1.5% of panel)
Demographics Section
- Being calculated at this time. Please
ensure you have joined the panel at www.survey.com/mispanel.html,
to receive updated demographics.
(Panel profiles acquired in initial recruitment phase
showed a broad cross-section of IT execs and professionals, from a
wide range of organizations.)
Analysis
R. Eckelberry, VP Marketing
NetVersant Technologies, Inc.
Research Firm Contact
World Research, Inc.
Michael Bach (408) 323-9240
Email: Michael@survey.com
Sponsor Contact
NetVersant Technologies, Inc.
Anton Wurr
Email: netvital@netversant.com
Agency Contact
Independent Marketing
Pamela Jacques (626) 821-1885
Email: pajacques@earthlink.net