Work Package WP6: Outreach, Dissemination and Exploitation
D6.2 Stakeholder and Consumer Requirements Survey Report
This work is performed within the SAINT Project – Systemic Analyser in Network Threats – with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829
Document Dissemination Level
P: Public ☒
CO: Confidential, only for members of the Consortium (including the Commission Services) ☐
Document Due Date: 30/04/2018
Document Submission Date: 11/05/2018
Copyright SAINT Consortium. All rights reserved. 2
Document Information
Deliverable number: D6.2
Deliverable title: Stakeholder and Consumer Requirements Survey Report
Deliverable version: 1.0
Work Package number: WP6
Work Package title: Outreach, Dissemination and Exploitation
Due Date of delivery: 30/04/2018
Actual date of delivery: 11/05/2018
Dissemination level: Public
Editor(s): Bryn Thompson (CYBE)
Contributor(s): All Partners
Reviewer(s): Edgardo de Montes (MNTMG)
Gabriela Hrasko (AS)
Georgios Germanos (KEMEA)
Jart Armin (CYBE)
Andreas Zalonis (NCSRD)
Ethical advisor(s): Christina Chalanouli (KEMEA)
Project name: Systemic Analyser in Network Threats
Project Acronym: SAINT
Project starting date: 1/5/2017
Project duration: 24 months
Rights: SAINT Consortium
Version History
Version Date Beneficiary Description
0.1 20/12/2017 CYBE TOC
0.2 23/02/2018 CYBE 1st Draft
0.3 18/04/2018 CYBE Draft for review
1.0 27/04/2018 CYBE Final version
Abbreviations and Acronyms
ACRONYM EXPLANATION
AI Artificial Intelligence
BYOD Bring Your Own Device
DoS (DDoS) Denial of Service (Distributed Denial of Service)
ENISA European Union Agency for Network and Information Security
FICORA Finnish Communications Regulatory Authority
GDPR General Data Protection Regulation
IoT Internet of Things
ML Machine Learning
Table of Contents
1 Introduction
1.1 Methodology
2 Results and findings
2.1 Survey demographics
2.2 Cyber security concerns
2.3 Cyber security awareness
2.4 Personal experiences of cybercrime
2.5 Cyber security concerns in the workplace
2.6 Personal online behaviour
2.7 Workplace practices
2.8 Personal cyber security
2.9 New technologies and security
2.10 Perceptions on the causes of increasing levels of cybercrime
2.11 Cyber security responsibilities
2.12 Cyber security preventions
2.13 Information sharing
2.14 Cyber risk protection
2.15 Perceptions on cyber security and the economy
3 Conclusions
References
Appendix – Initial Survey Questions
Table of figures
Figure 2.1.1: Age of respondent
Figure 2.1.2: Company location
Figure 2.1.3: Number of employees
Figure 2.1.4: Organisation type
Figure 2.2.1: Are you concerned about cybercrime or cyber security?
Figure 2.2.2: Level of organization concern
Figure 2.3.1: Are you sufficiently informed about cyber security?
Figure 2.3.2: Is the risk from cybercrime greater than conventional crime?
Figure 2.3.3: Company risk of exposure to cyber threats
Figure 2.3.4: Awareness levels of cyber threats
Figure 2.4.1: Concerns about cyber threats
Figure 2.4.2: Cybercrime victimisation
Figure 2.4.3: Type of cybercrime action experienced
Figure 2.5.1: Preventative actions at work, following a cyber attack
Figure 2.5.2: Impacts of cyber attacks at work
Figure 2.6.1: Internet usage
Figure 2.6.2: Device use for Internet access
Figure 2.7.1: Personal devices within the workplace
Figure 2.7.2: Exposure to common risk factors at work
Figure 2.7.3: Core online services at work
Figure 2.7.4: Online services as a proportion of revenue
Figure 2.7.5: Cyber attack preparedness in the workplace
Figure 2.7.6: Perceptions on potential workplace losses from cyber attack
Figure 2.8.1: Changes in behaviour due to cyber security concerns
Figure 2.9.1: Levels of IoT-technology adoption within the workplace
Figure 2.9.2: Does AI and IOT increase security?
Figure 2.10.1: Causes for increasing levels in cybercrime
Figure 2.11.1: Personal responsibility for cyber security
Figure 2.11.2: Cyber security responsibility at work
Figure 2.12.1: Security capabilities of free software
Figure 2.12.2: Antivirus use
Figure 2.12.3: Investment in cyber security preventatives
Figure 2.12.4: VPN usage
Figure 2.12.5: The impact of stronger law enforcement
Figure 2.12.6: Investment and cybercrime reduction
Figure 2.12.7: Workplace monitoring of the cost of cyber attacks
Figure 2.12.8: Under-investment in cyber security
Figure 2.12.9: Workplace cyber security investment
Figure 2.12.10: Where should investment be?
Figure 2.12.11: The effectiveness of preventative measures
Figure 2.13.1: Levels of information sharing with outside organisations
Figure 2.13.2: Seeking guidance on cyber security
Figure 2.13.3: Should there be more information sharing?
Figure 2.14.1: Cyber insurance (personal)
Figure 2.14.2: Cyber insurance (company)
Figure 2.15.1: Currency of choice for subsequent answers
Figure 2.15.2: Respondents’ perceptions on the cost of cybercrime (country of residence)
Figure 2.15.3: Respondents’ perceptions on the cost of cyber security (worldwide)
Figure 2.15.4: Respondents’ perceptions on the cost of cyber security (country)
Figure 2.15.5: Respondents’ perceptions on cyber security spend (company)
Figure 2.15.6: Respondents’ perceptions on cyber security spend (personal)
1 Introduction
This deliverable is a report on the findings from stakeholder and consumer surveys as an extension and
further analysis of the initial SAINT surveys as outlined in D2.3 ‘Initial Comparative Analysis of Cybercrime
Victims by Region, Country and Forecasting’.
A survey of EU-related threats, following a similar approach to the EU FP7 project CyberROAD¹, was
conducted to provide high- and low-level views of the current cyber-security landscape.
A broad range of stakeholders were invited to complete the survey to maximise the analysis of evidence-based
practices. Stakeholders include, for example, policy makers, governmental, legal and law enforcement,
academic researchers, industry practitioners, expert groups, service providers, commercial providers,
consumers and end-users.
In D2.3 specific areas were reported on. These included sections on: 5.1 ‘Cybercrime victims’ including
metrics, 5.2 ‘The threat landscape as presented by the survey’, including place of work threats, money
invested, 5.3 ‘The technological landscape as presented by the survey’, including IoT, 5.4 ‘The social, political
and legal landscape as presented by the survey’, including the Dark Web, 5.5 ‘The economics as presented
by the survey’ including econometrics at macro and micro levels.
In this deliverable a broader picture of the landscape is given with further analysis of the remaining topics
that were not covered from the initial survey in the earlier D2.3. These include areas such as cyber security
concerns and cyber security awareness, personal and workplace experiences of cybercrime, and personal
online behaviour. Finally, the requirements for consumers are discussed within the aims of the SAINT project.
1.1 Methodology
The methodology for the SAINT survey is detailed in D2.3 ‘Initial Comparative Analysis of Cybercrime Victims
by Region, Country and Forecasting’. To briefly recap, our survey is designed following a Delphi-like method
where opinions are sought through a series of questionnaires over two or more rounds [1]. The Delphi
method for surveys has been widely adopted and is popular in science, technology or education fields [2]. A
well-known specialised online tool, SurveyMonkey², was used for the design and implementation of the
survey. The survey was added to the SAINT website, with stakeholders informed about the link via
emails and general publicity on the project³. A complete set of survey questions is available in Appendix 1.
The initial survey included questions about preparedness against cyber attack, risk and cyber threats, Deep
Web activities, cyber insurance and econometrics at macro and micro levels. The survey was distributed in a
variety of formats: project website, announcements via social media, and prompting by email by consortium
partners to interested parties. A total of 2,196 respondents completed the initial survey. A second survey will
follow a similar drawdown approach with the questions devised according to the results from the initial
survey. To increase the target audience and remove cultural bias, the survey was available in six European
languages: English, French, German, Greek, Spanish and Swedish. As this is an initial report, the results for all
languages have been combined; any specific differences are described. Survey demographics are depicted in
Section 2.1.
¹ https://www.cyberroad-project.eu
² https://www.surveymonkey.com/
³ https://project-saint.eu/surveys
2 Results and findings
In part, results and findings of the initial SAINT survey are explored in D2.3 ‘Initial Comparative Analysis of
Cybercrime Victims by Region, Country and Forecasting’. The emphasis in D2.3 was to perform a comparative
analysis on publicly available data and SAINT metrics from our initial survey. It was found that performing
like-for-like comparisons with other reports is difficult when methodologies and question formats vary
between different surveys. This serves to emphasize the difficulties faced by the cyber security industry in
trying to produce metrics that are fully quantifiable, of value and have relevance to an audience, be it select
or wide.
The problem encountered is greater for research surveys, in general, than it is for benchmarking surveys.
However, a major limitation for benchmarking is sampling-frame bias, as outlined by Accenture in the “Cost
of Cybercrime Study 2017” (page 55) [3]. For the SAINT survey we tried to avoid this by making our survey
available online and without restrictions on who this would be available to. A natural bias is experienced, and
is somewhat unavoidable, as only those with a prior interest in the subject will bother to take the survey.
A major learning point to carry forward to the next round of surveys is to design questions to have a
comparative value, either to the previous round of our own surveys, which is the basis of a Delphi
questionnaire, and/or to other publicly available reports.
An ongoing theme of our research is the impact that a general lack of quantifiable and trusted metrics has
on the perceptions of stakeholders. The evidence suggests that there are many publicly available reports,
many of which cannot be used quantifiably or comparatively against each other. This relays a confusing
picture to many. In such a situation, each report can only be assessed as a standalone piece of research
using its own methodology and producing results that realistically can only be used comparatively over
several years.
The cyber security industry is clearly lacking a joined-up approach to metrics. This is already an important
outcome of the SAINT project and demonstrates that little has changed since a similar finding resulted from
the CyberROAD project. This remains a major requirement for stakeholders and consumers alike.
In the following sections, we provide further results from the initial SAINT survey.
2.1 Survey demographics
Respondents were asked a series of non-identifiable questions to gain basic demographics on the
participants:
Respondents show a cross-section of ages as depicted in Figure 2.1.1:
Figure 2.1.1: Age of respondent
Figure 2.1.2 shows the business location of the respondents:
Figure 2.1.2: Company location
[Figure 2.1.1 chart: "What is your age?" Categories: 18 to 24, 25 to 34, 35 to 54, 55 to 64, 65+. Values as extracted: 21.37%, 35.62%, 23.01%, 15.89%, 4.11%.]
The size of the company where the respondents work is represented in the number of employees in Figure
2.1.3:
Figure 2.1.3: Number of employees
The single largest group of employees work for a large organisation. Micro, SME or small enterprises employ
a sizeable proportion of SAINT respondents.
Figure 2.1.4 displays the spread of stakeholders across sector type. Consumers, commercial businesses and
scholarly research are highly represented in the initial SAINT survey.
Figure 2.1.4: Organisation type
[Figure 2.1.3 chart: "How many employees work for your company?" Categories: 1-5, 6-20, 21-100, 101-500, 501-1000, 1000+. Values as extracted: 18.18%, 13.77%, 10.47%, 8.82%, 14.88%, 33.88%.]
[Figure 2.1.4 chart: "Which category most closely fits your organisation type?" Categories: Commercial business; Consumer group or end-user; Scholarly research; Cyber security practitioner, cyber security expert (any field); Internet service provider or operator; Policy making, government, legal or law enforcement. Values as extracted: 24.24%, 21.49%, 20.94%, 15.98%, 10.47%, 6.89%.]
2.2 Cyber security concerns
Respondents indicate high levels of concern on cyber security issues. This is an expected result for a survey
on this topic.
Figure 2.2.1: Are you concerned about cybercrime or cyber security?
When asked the same question about the organisation they are employed by (Figure 2.2.2), the results show
that respondents perceive that their company has a lower concern about cyber security issues than they do.
Figure 2.2.2: Level of organization concern
[Figure 2.2.1 chart: "Are you concerned about cybercrime or cyber security issues?" Categories: Extremely concerned, Very concerned, Moderately concerned, Not very concerned, Not at all concerned. Values as extracted: 55.93%, 23.73%, 18.08%, 2.26%, 0.00%.]
[Figure 2.2.2 chart: "How high a concern is cyber security for your organisation?" Categories: Extremely high, Very High, Moderately high, Not very high, Not at all. Values as extracted: 40.56%, 27.04%, 15.49%, 13.52%, 3.38%.]
2.3 Cyber security awareness
There is an almost exact divide between respondents who feel sufficiently informed about cyber security
issues and those who do not, see Figure 2.3.1. This result is similar to the Eurobarometer public opinion
survey, “Special Eurobarometer: Europeans’ attitudes towards cyber security” where “… less than half of
respondents consider themselves to be well informed about cybercrime” [4].
Figure 2.3.1: Are you sufficiently informed about cyber security?
Figure 2.3.2 displays the concern of respondents (more than 2:1) that cybercrime presents a greater risk than
conventional crime.
Figure 2.3.2: Is the risk from cybercrime greater than from conventional crime?
[Figure 2.3.1 chart: "Do you feel sufficiently informed about cyber security issues?" Categories: Yes, No, I don't know. Values as extracted: 49.57%, 48.43%, 1.99%.]
[Figure 2.3.2 chart: "Do you think that cybercrime is now a bigger risk than 'conventional' crime?" Categories: Yes, No, I don't know. Values as extracted: 68.19%, 29.80%, 2.01%.]
The ratio is also more than 2:1 for respondents who do not receive regular information on the risk of exposure
to cyber threats at work than for those who do (Figure 2.3.3).
Figure 2.3.3: Company risk of exposure to cyber threats
In the initial SAINT survey respondents were asked: How informed or aware do you consider yourself to be
about each of the following…? (See Figure 2.3.4) The list provided contained the top 14 threats as published
in the latest available edition (2016) of ENISA’s series of reports on the Threat Landscape [5]. (Note: In January
2018 a further addition to the series was published. However, this was published after the initial SAINT survey
was completed [6]).
Respondents indicate high levels of confidence in their knowledge of spam, phishing of banking or website
credentials, and DoS (DDoS). The greatest lack of confidence in knowledge is on physical damage to Internet
infrastructures, cyber espionage and cyber terrorism. Both cyber espionage and cyber terrorism were the
most popular topics on which respondents would like more information along with data breaches, and Web
application / Injection attacks.
[Figure 2.3.3 chart: "Do you receive regular information about your company's risk of exposure to the threat of a cybercriminal attack?" Categories: Yes, No, I don't know. Values as extracted: 26.84%, 64.12%, 9.04%.]
Figure 2.3.4: Awareness levels of cyber threats
[Figure 2.3.4 chart: "How informed or aware do you consider yourself to be about each of the following:" Legend: I am well informed; Would like to be more informed; Not informed.]
2.4 Personal experiences of cybercrime
Respondents were asked a series of questions on their personal experiences of cybercrime. This section
enquired about actual experiences as well as concerns about perceived threats. Figure 2.4.1 represents the
concerns of respondents in order of the perceived risk from low (Rank 1) to high (Rank 7). By far, the greatest
risk was perceived as coming from identity theft. The lowest risk on a personal level is thought to be from
DDoS.
Figure 2.4.1: Concerns about cyber threats
The concern about identity theft is mirrored in the Eurobarometer report where identity theft and discovering malicious code on their device were found to be of equal concern (69%) [7].
[Figure 2.4.1 chart: "Cybercrime can include many different types of criminal activity. How concerned are you personally about experiencing, or being a victim of, the following cybercrime? Rank the following from 1 - 7 where 1 causes you the least concern and 7 causes you the" Categories: DDoS - Denial of service by preventing access to websites; Identity theft - somebody stealing your personal data and impersonating you, e.g. shopping under your name; Malware / Viruses - Discovered malicious software on your device; Online fraud - where goods purchased are not delivered, counterfeit or not as advertised; Phishing - Being a victim of bank card or online banking fraud via an email; Ransomware - Being asked for a payment in return for getting back control of your PC or mobile device; Trackers and Spyware - Monitoring or control of what and where you use the Internet. Legend: Rank 1 (Low), Rank 2, Rank 3, Rank 4, Rank 5, Rank 6, Rank 7.]
When asked about actual experiences of cybercrime (Figure 2.4.2), just under half had been a victim in the
last 12 months. This figure is slightly higher in comparison to other recent reports. For example, in the 2017
Norton Cyber Security Insights Report, 44% of respondents had been impacted by, or had a personal
experience of, cybercrime in the last 12 months [8]. The difference in results between the two surveys could
be due to a self-reporting bias, i.e., people who were a target of cybercriminals are more willing to respond
to our survey. The type of cybercriminal actions experienced by our stakeholders was investigated more fully
in subsequent questions.
Figure 2.4.2: Cybercrime victimisation
[Figure 2.4.2 chart: "Have you experienced a cybercriminal action in the last 12 months?" Categories: Personal capacity, At work, Personally and at work, No. Values as extracted: 14.25%, 23.93%, 9.12%, 52.71%.]
The type of activities experienced by respondents was explored as represented in Figure 2.4.3:
Figure 2.4.3: Type of cybercrime action experienced
The most common type of activity (33.5%) in the last 12 months for respondents was to be asked for access
to their computer, logins or personal details either via an email or phone. The next most frequent activity
was finding malicious software (viruses, etc.) on a device. Ransomware was the least encountered activity
(5.58%).
[Figure 2.4.3 chart: "Have you experienced or been a victim of the following situations in the last 12 months?" Values as extracted: 6.09%, 33.50%, 12.18%, 11.17%, 6.09%, 5.58%, 4.06%, 21.32%. Legend:
Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
Received emails or phone calls fraudulently asking for access to your computer, logins or personal details (including banking or payment information)
Online fraud where goods purchased were not delivered, counterfeit or not as advertised
Not being able to access online services (e.g. banking services or public services) because of cyber attacks
Your social media or email account being hacked
Being a victim of bank card or online banking fraud
Being asked for a payment in return for getting back control of your device (i.e. ransomware)
Discovered malicious software (viruses, etc.) on your device]
2.5 Cyber security concerns in the workplace
Figure 2.5.1 represents respondents’ replies when asked what did happen, or should have happened, at their
place of work following a data breach or attack. The most common activity performed, or perceived to have
been the correct course of action, was to change or update firewall/system configurations. Performing a
post-incident review was only selected by slightly more than a quarter of respondents.
Figure 2.5.1: Preventative actions at work, following a cyber attack
[Figure 2.5.1 chart: "In your experience at work, what preventative actions have been taken, or should have been taken, following a data breach or attack? (Select any options that apply)" Categories as extracted:
Changed nature of the business carried out
Nothing
Outsourced cyber security/hired an external provider
Disciplinary action
Recruited new staff
I don't know
Deployed new systems
Formal post-incident review
Penetration testing
Increased monitoring of third parties' cyber security
Created/changed backup/contingency plans
Increased spending on cyber security
Changed which users have admin/access rights
Created/changed policies/procedures
Installed/changed/updated antivirus/anti-malware software
Changed/updated firewall/system configurations]
The most common choice of perceived, or actual, impact following a data breach/attack was loss of work
time, see Figure 2.5.2 where the top six choices are represented. This is an interesting selection and a
requirement for inclusion in future metrics on the cost of cybercrime/security if accurate numbers are to be
realised.
Figure 2.5.2: Impacts of cyber attacks at work
[Figure 2.5.2 chart: "If you had, or would have, a data breach/attack at your place of work what was, or would be, the likely impact? (Select multiple options)" Categories as extracted: Stopped staff from carrying out their day-to-day work; Loss of revenue or share value; Reputational damage; Prevented provision of goods or services to customers; Inconvenience.]
2.6 Personal online behaviour
The extent to which the Internet has become an integral part of our daily lives is reflected in Figure 2.6.1.
Over 96% of respondents use the Internet every day. This compares to 70% reported in the Eurobarometer
[4]. The difference may be explained by the survey type; the SAINT survey is conducted online whereas the
Eurobarometer is conducted face-to-face.
Figure 2.6.1: Internet usage
The type of devices used to access the Internet reflects societal changes and the use of multiple devices (Figure
2.6.2). The mobile market share overtook that of the desktop PC in October 2016⁴. As of March 2018, the
worldwide market share was: mobile 51.96%, desktop 44.27%, tablet 4.18% [9].
Figure 2.6.2: Device use for Internet access
⁴ http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide/2016
[Figure 2.6.1 chart: "How often, if at all, do you use the Internet?" Categories: Daily, Most days (3-6), Occasionally (<2). Values as extracted: 96.07%, 3.37%, 0.56%.]
[Figure 2.6.2 chart: "What devices do you use to access the Internet?" Categories: Computer (desktop, laptop, netbook), Touchscreen tablet, Smartphone, TV. Values as extracted: 100.00%, 80.74%, 38.53%, 6.80%.]
2.7 Workplace practices
Figure 2.7.1 reflects the wide practice of using personally-owned devices in the workplace. Almost 80% of
respondents confirmed this as the situation at their work. It is not known what percentage of the workplaces
have best practices, or policies, in place to govern the use of Bring Your Own Device (BYOD).
Figure 2.7.1: Personal devices within the workplace
[Figure 2.7.1 chart: "Does anyone in your place of work use personally-owned devices such as smartphones, tablets, home laptops or desktop computers to carry out regular business-related activities?" Categories: Yes, No, I don't know. Values as extracted: 79.36%, 13.08%, 7.56%.]
Workplaces use a variety of web-based applications and online services during an ordinary day as displayed
in Figure 2.7.2. The operational management of such services is a determining factor in risk control.
Figure 2.7.2: Exposure to common risk factors at work
Figure 2.7.3 and Figure 2.7.4 illustrate the extent to which organisations rely on online services to provide a
core part of their services or goods. This is further reflected in the annual revenues provided by such services.
[Figure 2.7.2 chart: "Which of the following, if any, does your organisation currently have or use?" Legend:
Email addresses for your organisation or its employees
A website or blog
Accounts or pages on social media sites (e.g. Facebook or Twitter)
Sensitive company data held on internal IT systems
Cloud services
Personal information about your customers held electronically
The ability for your customers to order, book or pay for products or services online
Sensitive company data held on external IT systems
An industrial control system, e.g. SCADA architecture, or software applications for monitoring systems
Don't know
None of these]
Figure 2.7.3: Core online services at work
Although over 40% of the workplaces of respondents do not generate a revenue from online services (they
may be employed in research organisations, policy making, governmental or law enforcement),
a loss of Internet access would nonetheless impact upon their daily functions, as indicated by usage rates
shown in Figure 2.7.4.
Figure 2.7.4: Online services as a proportion of revenue
Figure 2.7.3, survey question: "To what extent, if at all, are online services a core part of the goods or services your organisation provides? Is it…" Answer options: A large extent; To some extent; Not at all. Values shown: 31.21%, 46.34%, 15.85%.
Figure 2.7.4, survey question: "Online services correspond to what proportion of annual revenues in your work?" Answer options: 0; >10%; 10 to 50%; 50 to 100%. Values shown: 40.45%, 23.30%, 22.01%, 14.24%.
Over 40% of respondents had faith in their company's preparedness against cyber attack, Figure 2.7.5.
Figure 2.7.5: Cyber attack preparedness in the workplace
Respondents perceive that the most damaging aspect of a cyber attack would be indirect losses: loss of
reputation, brand, trust and missed business opportunities (Figure 2.7.6). Indirect losses are the most
difficult to quantify. If respondents' fears are to be accepted and understood, greater effort to
quantify the object of their concern is required. This will enable an informed decision to be made
on the justification of these concerns.
Figure 2.7.6: Perceptions on potential workplace losses from cyber attack
Figure 2.7.5, survey question: "Do you think that your company is well-prepared against a cyber attack?" Answer options: Probably; Probably not; Yes; I don't know; No. Values shown: 44.30%, 18.99%, 16.46%, 15.19%, 5.06%.
Figure 2.7.6, survey question: "At your place of work, which of the following pose the biggest risks from cyber threats?" Categories: Environmental costs; Health & safety costs; Infrastructure costs; Direct financial losses & damage (money stolen from accounts, regulatory fees, loss of clients, business, etc); Indirect financial losses (loss of reputation, brand, trust, missed business opportunities, etc.). Ratings: I don't know; Low; Medium; High.
2.8 Personal cyber security
SAINT survey respondents indicate high levels of practicing safe cyber security (Figure 2.8.1) and high
confidence in using online banking and other online services. Respondents could choose multiple practices
that they had changed: the top eight are represented here.
Figure 2.8.1: Changes in behaviour due to cyber security concerns
Figure 2.8.1, survey question: "Has concern about cyber security issues made you change the way you use the Internet in any of the following ways?" Answers shown: You do not download email attachments unless you know the sender; You use different passwords for different sites; You have changed your security settings (e.g. your browser, online social media, search engine, etc.); You are less likely to give personal information on websites; You have installed antivirus software; You only visit websites you know and trust; You do not open emails from people you don’t know; You regularly change your passwords.
2.9 New technologies and security
Note: Internet of Things (IoT) is the inter-networking of physical devices, vehicles (also referred to as
"connected devices" and "smart devices"), buildings, and other items embedded with electronics, software,
sensors, actuators, and network connectivity which enable these objects to collect and exchange data.
Adoption of smart devices or IoT technology is evolving as depicted in Figure 2.9.1. Over a third of respondents confirmed the use of this technology in their workplace.
Figure 2.9.1: Levels of IoT-technology adoption within the workplace
Figure 2.9.1, survey question: "Has your company adopted smart devices or IoT-based technology?" Answer options: Yes; No; I don't know. Values shown: 36.14%, 44.58%, 19.28%.
The views of respondents (Figure 2.9.2) reflect a concern that adoption of the new technologies, artificial
intelligence (AI) and IoT, increases the threat risk for companies. Security predictions for the future also lay
claim to the advent of AI being used to carry out attacks [10]. Conversely, there are claims that AI will benefit
the cyber security industry through the application of Machine Learning (ML) to improve accuracy and
understanding of threat levels. ML can adapt to conditions and self-remediate against threats. However,
it has been shown that with every new technological advance, cybercriminals use the same techniques to
their own advantage.
Figure 2.9.2: Does AI and IOT increase security?
Figure 2.9.2, survey question: "What is your view on artificial intelligence (AI) and the Internet-of-things (IoT)?" Answer options: AI/IOT increases the company's exposure to cyber-attacks; AI/IOT-based devices grant better security against cyber-attacks; I don't know. Values shown: 66.67%, 20.51%, 12.82%.
2.10 Perceptions on the causes of increasing levels of cybercrime
Respondents were asked to rank their answers in order of importance (1=Low, 5=High). Figure 2.10.1
represents the choices selected as being the greatest force behind increasing levels of cybercrime (Rank 5).
The main reason for the increase is believed to be economic interests. Lack of education on cyber safety for
end users was highly placed. The latter may be a more practical point from which to start to effect changes.
If the challenges posed by cybercrime are to be met then this is a necessity.
Figure 2.10.1: Causes for increasing levels in cybercrime
2.11 Cyber security responsibilities
Figure 2.11.1 depicts high levels of acceptance of responsibility for respondents' own cyber security.
Figure 2.11.1: Personal responsibility for cyber security
Figure 2.10.1, survey question: "What do you think is the greatest force behind increasing levels of cybercrime? (Rank 5= high)" Categories: Economic interests; Lack of education on cyber safety for end users; Business strategies; Societal; Politics.
Figure 2.11.1, survey question: "Do you feel responsible for your own cyber security on the Internet?" Answer options: Yes; No; I don't know. Values shown: 95.06%, 2.47%, 2.47%.
SAINT survey respondents show high levels of acceptance of shared responsibility for cyber security in their
place of work, Figure 2.11.2.
Figure 2.11.2: Cyber security responsibility at work
2.12 Cyber security preventions
The responses depicted in Figure 2.12.1 when asked if free software covers all personal and workplace
security requirements indicate an acceptance that some cost is needed to keep networks secure.
Figure 2.12.1: Security capabilities of free software
Figure 2.11.2, survey question: "Do you feel you share responsibility for cyber security of your company or place of work?" Answer options: Yes; No; I don't know. Values shown: 87.50%, 11.25%, 1.25%.
Figure 2.12.1, survey question: "Do you think that free software covers all your security needs or the needs of your workplace?" Answer options: Yes; No; I don't know. Values shown: 13.75%, 67.50%, 18.75%.
There are high levels of antivirus use by respondents, Figure 2.12.2. However, almost 10% admitted that they
have no antivirus on their PCs. A further 11% said that they use Mac or Linux and, therefore, do not need to
use anti-virus. There is a long-held belief that Mac and Linux systems are safe from malicious viruses and
other forms of attack but recent announcements highlight that no operating system is totally safe from the
latest forms of ransomware (see footnote 5). Such beliefs are sometimes difficult to dispel, with our research
illustrating a sizeable core of believers that Mac and Linux do not require current antivirus solutions.
Figure 2.12.2: Antivirus use
Respondents show a high level of awareness of the benefits of investing in cyber security preventative
measures as illustrated in Figure 2.12.3.
Figure 2.12.3: Investment in cyber security preventatives
5 https://www.krollontrack.co.uk/blog/the-world-of-data/are-mac-and-linux-users-safe-from-ransomware/
Figure 2.12.2, survey question: "Do you use antivirus software on your PC?" Answer options: Yes; No; No (I use a Mac or Linux and they do not need anti-virus). Values shown: 79.01%, 9.88%, 11.11%.
Figure 2.12.3, survey question: "What are the main reasons to invest in cyber security preventatives and/or offensive measures for your company?" Answer options: They reduce the likelihood of a cybercriminal attack; They reduce the expected loss from an attack; There is no specific reason to invest into cyber security for my company; I don't know. Values shown: 55.13%, 41.03%, 1.28%, 2.56%.
VPN use is widespread among SAINT survey respondents as seen in Figure 2.12.4. Fewer than 40% of SAINT
survey participants do not use VPN, either at home or at work. According to research from GlobalWebIndex,
25% of Internet users used VPN in the preceding month [7]. Our respondents display a higher than average
usage of VPN.
Figure 2.12.4: VPN usage
Contributors to the SAINT survey have little faith that stronger law enforcement will reduce cybercriminals’
incentives to attack, Figure 2.12.5.
Figure 2.12.5: The impact of stronger law enforcement
Figure 2.12.4, survey question: "Do you use a VPN to access the Internet?" Answer options: Never; Yes (at work and home); Yes (at home); Yes (at work). Values shown: 38.75%, 27.50%, 17.50%, 16.25%.
Figure 2.12.5, survey question: "Do you think that stronger law enforcement mechanisms will reduce cybercriminals' incentives to commit an attack?" Answer options: No; Yes; I don't know. Values shown: 48.75%, 38.75%, 12.50%.
The largest group of respondents do not believe that money is currently being wisely invested in the right
technologies to bring about improvements to cyber security, Figure 2.12.6. Over 27% did not have a view,
preferring to answer that they did not know.
Figure 2.12.6: Investment and cybercrime reduction
Figure 2.12.6, survey question: "Do you think money is currently being invested into the right technologies to improve cyber security and to reduce the level of cybercrime?" Answer options: Yes; No; I don't know. Values shown: 32.50%, 40.00%, 27.50%.
As depicted in Figure 2.12.7, the largest single group of survey contributors to this question (38.46%) did not
know if their workplace was monitoring the cost of cyber security breaches. Nearly 30% categorically stated
that breaches or attacks were not monitored at their place of work.
Figure 2.12.7: Workplace monitoring of the cost of cyber attacks
Participants were asked to rank their choice of why they think that companies may be under investing in
cyber security measures. The main reason (Rank 4) is represented in Figure 2.12.8 below. SAINT survey
contributors indicate a clear preference for increasing the cyber threat awareness of managers at their
company as this is seen as a deterrent to effective investment levels.
Figure 2.12.8: Under-investment in cyber security
Figure 2.12.7, survey question: "Is the financial cost of cyber security breaches or attacks monitored or estimated at your place of work?" Answer options: Yes; No; I don't know. Values shown: 32.05%, 29.49%, 38.46%.
Figure 2.12.8, survey question: "According to you, what are the main reasons that some companies under invest in cyber security measures?" Answer options: There is not sufficient awareness about cyber threats at the managerial level of my company; The company's budget is better invested elsewhere; The cost-effectiveness of existing solutions is too low; Cyber-criminality is not a significant threat to business.
A sizeable majority of participants (78.21%) would recommend more investment in cyber security in their
place of work, Figure 2.12.9.
Figure 2.12.9: Workplace cyber security investment
The preferred choice of participants for the destination of increased investment is in a combination of safer
technology and cyber education, as illustrated in Figure 2.12.10.
Figure 2.12.10: Where should investment be?
Figure 2.12.9, survey question: "In general, would you recommend more or less investment in cyber security for your company?" Answer options: More; Less; I don't know. Values shown: 78.21%, 1.28%, 20.51%.
Figure 2.12.10, survey question: "Would you prefer increased investment in safer technology or cyber security education, as a means of reducing the risks of a cyber attack?" Answer options: Safer technology; Cyber education; A combination of both with stronger focus on safer technology; A combination of both with stronger focus on safer education. Values shown: 15.19%, 16.46%, 40.51%, 41.77%.
Survey participants selected, “Employee education on how to prevent cyber intrusion” as the most effective preventative measure, depicted in Figure 2.12.11.
Figure 2.12.11: The effectiveness of preventative measures
As reported in D3.3 “Initial Analysis on Cyber-Security Failures and Requirements”, Section 2.1.3, “The role
of behavioural science”, negligence is the #1 cause of insider threats, while it is also reported that in the UK
“4 of the 5 top causes of data breaches are because of human or process error” [11], [12]. Better employee
education would seem a sensible choice as an effective preventative measure.
Figure 2.12.11, survey question: "Which of the following measures do you think is the most effective? (Rank 1-6, 1=low, 6=highest)" Categories: Employee education on how to prevent cyber intrusion; Management Board awareness training; Stronger law enforcement; Safer software and hardware; More information sharing; Better definitions and standards. Series: Rank 1 (Low); Rank 2; Rank 3; Rank 4; Rank 5; Rank 6 (High).
2.13 Information sharing
Figure 2.13.1 shows that most respondents believe that information about cyber attacks is shared with
outside organisations. The group that answered “I don’t know” is likely to contain at least some further
positive answers, which would increase the “Yes” contribution further. This is an encouraging result which is
in line with the following Figure 2.13.2, which depicts an even split (37.97% each) between those seeking
guidance on cyber security for work and in a personal capacity in the last 12 months.
Figure 2.13.1: Levels of information sharing with outside organisations
Less than a quarter of respondents had not sought any advice in the last year.
Figure 2.13.2: Seeking guidance on cyber security
Figure 2.13.1, survey question: "Do you, or does someone else in your place of work, share information about cyber events/attacks with an outside organisation?" Answer options: Yes; No; I don't know. Values shown: 50.63%, 20.25%, 29.11%.
Figure 2.13.2, survey question: "In the last 12 months have you sought information, advice or guidance on Cyber Security / Cybercrime / Threats / CTI?" Answer options: In a personal capacity; For your place of work; No. Values shown: 37.97%, 37.97%, 24.05%.
There is a great belief that there should be more information sharing on cyber threats within the industry, Figure 2.13.3.
Figure 2.13.3: Should there be more information sharing?
2.14 Cyber risk protection
Cyber insurance for consumers is not as widely available as corporate policies, although it is seen within the
industry as a potential growth area, with well-known insurance companies beginning to push their
customized policies [13]. SAINT results confirm that few consumers have a customised policy, although Figure
2.14.1 illustrates that respondents consider that they are covered within a generic insurance package.
Figure 2.14.1: Cyber insurance (personal)
Figure 2.13.3, survey question: "Would you recommend more information sharing on cyber threats within the industry?" Answer options: Yes; Not necessarily; No; I don't know. Values shown: 91.14%, 3.80%, 2.53%, 2.53%.
Figure 2.14.1, survey question: "Are you covered, in a personal capacity, by a cyber insurance policy?" Answer options: Yes; No; Within a generic insurance package; I don't know. Values shown: 3.80%, 64.56%, 8.86%, 22.78%.
In a work capacity, most respondents do not know if a cyber insurance policy is in place, Figure 2.14.2. This
is not an unexpected response to this question although 34.18% of the participants are confident enough to
answer that a policy is not in place at work.
Figure 2.14.2: Cyber insurance (company)
2.15 Perceptions on cyber security and the economy
Answers to the survey within this section are covered in greater detail in D2.3 “Initial Comparative Analysis
of Cybercrime Victims by Region, Country and Forecasting”, Section 5.5 “The economics as presented by the
survey”. Here, charts are included from the survey to give an overview on perceptions on cyber security and
the economy.
Respondents were asked to select a currency, Figure 2.15.1, for their answers to the questions in this section:
Figure 2.15.1: Currency of choice for subsequent answers
Figure 2.14.2, survey question: "Does your place of work have a cyber insurance policy?" Answer options: Yes; No; Within a generic insurance package; I don't know. Values shown: 8.86%, 34.18%, 1.27%, 55.70%.
Figure 2.15.1, survey question: "Pick a major currency for these economic questions". Answer options: US$; EURO. Values shown: 29.49%, 70.51%.
Over two thirds of respondents selected the Euro for their answers.
Figure 2.15.2 to Figure 2.15.3 depict a lack of confidence that respondents have in their knowledge of the
cyber security economic landscape. The clear majority prefer to answer, “I don’t know” when questioned on
the cost of cybercrime to the economy of their country of residence, and to the spend on cyber security:
worldwide, to their country, and to their place of work, in 2017.
Figure 2.15.2: Respondents’ perceptions on the cost of cybercrime (country of residence)
It is perhaps reasonable that respondents may not know this type of information about their company, but
it is also a reflection on a landscape where there is a lack of readily available data and of not knowing where
to go to find trusted data.
Figure 2.15.3: Respondents’ perceptions on the cost of cyber security (worldwide)
Figure 2.15.2, survey question: "What do you think is the cost (millions) of cybercrime to the economy of your country of residence per annum?" Answer options: 0-25m; 26m-50m; 51m-100m; 100m-200m; 200m+; I don't know. Values shown: 3.80%, 6.33%, 3.80%, 6.33%, 31.65%, 48.10%.
Figure 2.15.3, survey question: "What do you think the estimated spend (billions) will be on cyber security worldwide in 2017?" Answer options: 1bn-10bn; 11bn-25bn; 26bn-100bn; 100bn-200bn; 201bn+; I don't know. Values shown: 6.33%, 6.33%, 18.99%, 12.66%, 8.86%, 46.84%.
Figure 2.15.4: Respondents’ perceptions on the cost of cyber security (country)
Figure 2.15.5: Respondents’ perceptions on cyber security spend (company)
Figure 2.15.4, survey question: "What do you think the estimated spend (millions) will be on cyber security in your country in 2017?" Answer options: Up to 25m; 26m-100m; 100 million+; I don't know. Values shown: 9.09%, 19.48%, 25.97%, 45.45%.
Figure 2.15.5, survey question: "What do you think the estimated spend ('000s) will be on cyber security in your company / enterprise in 2017?" Values shown: 2.56%, 19.23%, 3.85%, 3.85%, 7.69%, 11.54%, 51.28%.
Figure 2.15.6: Respondents’ perceptions on cyber security spend (personal)
Survey question: "What do you think the estimated spend will be on cyber security by you personally in 2017?" Answer options: 0; 1-100; 101-250; 250-1000; 1000+. Values shown: 29.87%, 42.86%, 18.18%, 5.19%, 3.90%.
3 Conclusions
SAINT respondents display high levels of personal responsibility towards their personal cyber security. They
express confidence in their knowledge of specific areas of security, mostly spam, phishing of banking or
website credentials, and DoS (DDoS). However, their greatest lack of confidence is on physical damage to
Internet infrastructures, cyber espionage and cyber terrorism. Conversely, respondents indicate that they do
not feel sufficiently informed about cyber security issues (Figure 2.15.1.). Over a half (55.93%) say that they
are extremely concerned about cyber security issues.
For the survey contributors, the rising levels of cybercrime can be attributed to economic interests while lack
of education on cyber safety was also considered to be a strong force behind this increase. As such, the latter
explanation is less complicated to tackle and should be a requirement if the challenges posed by cybercrime
are to be met.
SAINT results confirm that Internet usage is firmly integrated into our daily lives with multiple devices used
to connect online. Personally-owned devices are used extensively throughout the workplace bringing
another level of risk to the work environment if proper safeguards and protections are not in place. Mobile
malware continues to rise and should be of serious concern for the workplace when preventative measures
are not taken.
Respondents are not as confident that cyber security in the workplace is as high a concern as it is for them
personally. They admit to having changed their online behaviour in several ways due to concerns over
security. The most frequently changed behaviour (84%) is to never download an attachment unless it is from
someone that they know, while 79% used different passwords for different sites. Almost three quarters had
changed their security settings (on their browser, social media, search engine, etc.) at some point.
Personally, survey participants were mostly concerned about identity theft. In the workplace, they felt that
the greatest damage because of an attack would be in lost time from being unable to carry out normal
processes. This is classed as an indirect loss and is a classification of loss that is difficult to quantify. It is
possible to calculate this to some extent based on down-time and should be included in all future costs
calculations.
From our results it does seem that concerns over cybercrime are justified as just under half had been a victim
in the last 12 months. The most common type of activity (33.5%) in the last 12 months for respondents was
to be asked for access to their computer, logins or personal details either via an email or phone. The next
most frequent activity was finding malicious software (viruses, etc.) on a device. Ransomware was the least
encountered activity (5.58%).
The largest single group of survey contributors to this question (38.46%) did not know if their workplace was
monitoring the cost of cyber security breaches. Nearly 30% categorically stated that there was no monitoring
at their work. The situation may improve with the advent of the GDPR (see footnote 6) and at least half of
respondents claiming that their company already shares at least some sort of information. However, only a
quarter of respondents claim that a post-incident review has taken place, or would take place, after an attack
which indicates that information sharing within the workplace is not extensively taking place. There is a
confusing picture around what is valuable to be known and what should be shared with whom. Unless this is to
change, cyber security will continue to be flawed and there will still be an absence of meaningful data.
6 https://www.eugdpr.org/
Adoption of smart devices or IoT technology is not yet commonplace although over a third of respondents
confirmed the use of this technology in their workplace. On the other hand, VPN use is widespread among
SAINT survey respondents. Fewer than 40% of survey participants never use VPN, either at home or at work.
Respondents display a lack of confidence in their knowledge of the cyber security economic landscape with
most preferring to say that they don’t know what the cost of cybercrime to the economy is. This is not a
surprising result as sources on this topic are fragmented and difficult to find. This is a major requirement
going forward and a conclusion that the SAINT project will continue to support.
The second round of the surveys is underway together with a comparative survey designed for FICORA
stakeholders. These will be reported on in D2.4 “Final Comparative Analysis of Cybercrime Victims by Region,
Country and Forecasting”, due M18, October 2018, where a final overview of survey results will be
undertaken.
The advanced survey will be based on stakeholders' views from the initial survey and our analysis of the
requirements that could be fulfilled with the right actions. From our initial analysis, actions needed include:
• Strengthen cyber security education across the board for companies
• Strengthen cyber security education for all users
• Ensure BYODs are managed within the workplace
• Improve quantification of cyber security to advance ROI processes
• Improve transparency on cyber security issues within the workplace
These requirements provide a solid base for the preparation of the advanced survey.
References
[1] Wikipedia, “Delphi method,” [Online]. Available: https://en.wikipedia.org/wiki/Delphi_method. [Accessed 9 March 2018].
[2] ForLearn, “Delphi Survey,” [Online]. Available: http://forlearn.jrc.ec.europa.eu/guide/4_methodology/meth_delphi.htm. [Accessed 9 March 2018].
[3] Accenture, “Cost of Cyber Crime Study 2017,” 26 September 2017. [Online]. Available: https://www.accenture.com/gb-en/insight-cost-of-cybercrime-2017. [Accessed 17 April 2018].
[4] EU Commission, “Special Eurobarometer: Europeans’ attitudes towards cyber security,” 19 September 2017. [Online]. Available: https://ec.europa.eu/digital-single-market/en/news/special-eurobarometer-europeans-attitudes-towards-cyber-security. [Accessed 17 April 2018].
[5] ENISA, “ENISA Threat Landscape Report 2016,” 08 February 2017. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2016. [Accessed 13 April 2018].
[6] ENISA, “ENISA Threat Landscape Report 2017,” 15 January 2018. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017. [Accessed 25 February 2018].
[7] Econsultancy quoting GlobalWebIndex, “10 exciting digital marketing stats we’ve seen this week,” 22 September 2017. [Online]. Available: https://econsultancy.com/blog/69445-10-exciting-digital-marketing-stats-we-ve-seen-this-week. [Accessed 16 April 2018].
[8] Symantec, “Norton Cyber Security Insights Report,” 2017. [Online]. Available: https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf. [Accessed 7 Feb 2018].
[9] Statcounter.com, “Desktop vs Mobile vs Tablet Market Share Worldwide - March 2018,” [Online]. Available: http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide. [Accessed 16 April 2018].
[10] Symantec, “2018 Cyber Security Predictions,” 06 December 2017. [Online]. Available: https://www.symantec.com/blogs/feature-stories/2018-cyber-security-predictions. [Accessed 16 April 2018].
[11] Forcepoint, “Insider threat negligence number one cause,” 2016. [Online]. Available: https://www.forcepoint.com/sites/default/files/resources/files/infographic_insider_threat_negligence_number_one_cause.pdf. [Accessed Jan 2018].
[12] J. Dutton, “IT Governance Blog,” 30 January 2018. [Online]. Available: https://www.itgovernance.co.uk/blog/4-of-the-5-top-causes-of-data-breaches-are-because-of-human-or-process-error/. [Accessed 16 April 2018].
[13] O. Ralph, “Should individuals buy insurance against cyber attacks?,” 8 November 2017. [Online]. Available: https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb. [Accessed 17 April 2018].
Appendix – Initial Survey Questions