VITC's 2000 Security Survey Results and Analysis
Vermont Information Security Coordination Center (VISCC)
Market Validation Study

BACKGROUND: In March of 2000, Gary Kessler proposed creating a Vermont Information Security Coordination Center, or VISCC (see www.viscc.org/VISCC.html for the recently updated version). He based this proposal on his experience and expertise in the information security (Infosec) field, and the fact that no such resource existed to serve Vermonters.

This new Infosec center was recognized as a potentially key addition to the newly formed Vermont Information Technology Center (VITC), and David Binch, VITC Director, requested a study to validate the market for the services the VISCC might offer. In June, Gary contracted JLJ Consulting Services as an independent third-party to conduct this study and analyze the results. From early August through mid-September 2000, the VITC Web site posted this survey online.

OBJECTIVES: The primary objectives of the study were as follows:

1. To validate the market for a VISCC
2. To gather key information regarding
   1. What the VISCC mission should be
   2. Synergies with VITC
   3. The best ways to serve the intended audience

APPROACH: The study consisted of four basic steps:

1. Document the hypothesis suggesting the need for a VISCC (see Attachment)
2. Design appropriate survey instruments to test the hypothesis
3. Gather data
4. Analyze results, document conclusions, and make recommendations

SURVEY RESULTS: Thirty-five questionnaires were submitted. This is far below the number of responses required to ascribe statistical significance to the results. There are a number of possible explanations for the low number of responses, including the resistance people have to answering surveys, the fact that surveys posted on web sites tend to become invisible, much like banner ads, or lack of interest in the subject. The author believes the main reason for the low number of responses was the 'banner ads become invisible' phenomenon. A secondary reason is that while the subject is of key importance to everybody once they understand it, many people have the 'it won't happen to me' attitude. For example, people typically become very concerned about computer viruses after they have had one.

1. Is information security an issue that concerns you?
   100% of respondents said yes, and identified the following areas of concern:
   1. 94% of respondents said viruses
   2. 77% of respondents said hackers
   3. 69% of respondents said hardware
   4. 63% of respondents said network
   
   
2. Estimate the cost to your business (lost opportunities, aggravation, repair technicians, personnel time, impact on credibility, etc.) of having your computer network down for one business day.
   1. 11% of respondents said less than $100/day
   2. 23% of respondents said between $100 and 1000/day
   3. 34% of respondents said between $1000 and 10,000/day
   4. 29% of respondents said more than $10,000/day
   
   
3. What was the last security item you bought?
   1. 29% of respondents identified an anti-virus item
   2. 26% of respondents identified a firewall item
   
   
4. Why did you buy it?
   Most respondents mentioned protection from viruses.
   
   
5. How satisfied are you with the value you get for your information security expenditures?
   1. 6% of respondents said very satisfied
   2. 81% of respondents said satisfied
   3. 13% of respondents said unsatisfied
   
   
6. What are your sources of information on new information security issues?
   1. 77% of respondents said internet/web sites
   2. 66% of respondents said news media
   3. 49% of respondents said company IT department
   4. 46% of respondents said books/trade magazines and journals
   5. 37% of respondents said friends
   6. 23% of respondents said classes/seminars
   7. 9% of respondents said trade shows
   8. 9% of respondents said business advisor/accountant
   9. 6% of respondents said retail stores
   
   
7. Have you experienced loss of service or data due to a security incident (e.g., virus, hacker attack, hardware failure, or etc)?
   1. 70% of respondents said yes
   2. 30% of respondents said no
   
   If yes, please describe the incident and approximate the cost:
   Several respondents provided data on the cost of the incident:
   1. 8 identified costs ranging from $500 to $10,000
   2. 4 identified the cost in IT hours, ranging from 'several' to 40
   3. 4 identified the length of time their systems were shut down, ranging from 3 hours to 2 days
   
   
8. To learn more about various aspects of information security, would you be interested in:
   1. 80% of respondents said web site
   2. 69% of respondents said seminars
   3. 54% of respondents said newsletters
   4. 54% of respondents said subscribing to a VT service
   5. 23% of respondents said taking college courses
   
   
9. How much would you be willing to spend annually for a mix of the opportunities described in question 8?
   1. 48% of respondents did not respond or said less that $50/yr
   2. 34% of respondents said between $100 and $250/yr
   3. 17% of respondents said more than $250/yr
   
   
10. What computer security procedures, services, hardware, and/or software do you currently use and approximately how much do you spend annually on each?
    1. 24 respondents said they use anti-virus software, with annual expenditures ranging from $25 to $5000
    2. 14 respondents said they use a firewall with annual expenditures ranging from $200 to $20,000
    3. 8 respondents said they use help desk services from a computer or software vendor with annual expenditures ranging from $100 to $20,000
    4. 4 respondents said they use help desk/repair services from an IT service firm with annual expenditures ranging from $500 to $1500
    5. 4 respondents said they forced changing of passwords periodically at annual expenditures ranging up to $1000
    6. 4 respondents said they used one-time password systems or a token with annual expenditures ranging up to $3000
    7. 5 respondents said they used intrusion detection software with annual expenditures ranging up to $7500
    8. 3 respondents said they used vulnerability testing software with annual expenditures ranging up to $2500
    9. 7 respondents said they used log analysis software with annual expenditures ranging up to $5000
    10. 16 respondents said they used backup network server files with annual expenditures ranging up to $30000
    11. 50respondents said they used a system of backing up individual computer files with annual expenditures ranging up to $5000
    12. 1 respondent said they used a disaster recovery service with an annual expenditure of $100
    13. 9 respondents said they used written security policies for users with annual administrative expenditures ranging up to $2000
    14. 7 respondents said they used written security policies for IT staff with annual expenditures ranging up to $1000
    15. 5 respondents said they used audits of their security plan by a professional with annual expenditures ranging up to $8000
    
    
11. Please indicate the approximate size of your business.
    1. 7 respondents said 0-5 employees
    2. 3 respondents said 6-15 employees
    3. 1 respondent said 16-30 employees
    4. 6 respondents said 31-50 employees
    5. 16 respondents said more than 50 employees

ANALYSIS OF SURVEY RESULTS: As discussed earlier, the small sample size and the number of larger companies reporting, suggest the need for caution when drawing conclusions based on the data.

Does the data support the hypothesis (Attachment) that suggests all segments of Internet users have needs for help on Infosec and are using (and paying for) various approaches to satisfy those needs? The decision to eliminate sending the questionnaire to a broad audience minimized the chance to test the hypothesis in every market segment.

• No data was gathered from the home user-non-business market segment
• No data was gathered from the Work@Home segment
• Responses from the small, medium and large office segments provide clear support for this notion

Regarding the question of whether Infosec is a matter of interest and/or concern (i.e., is there a market?), the results are compelling:

• In question 1, all respondents said it was a concern and identified specific areas of concern
• In question 2, they indicated awareness of the cost to their businesses resulting from losing their computer networks. More than half identified significant costs of more than $1000 per day.
• In addition, their actions and expenditures back up their words
  • In questions 6 and 8 they indicate using a wide variety of sources of information, as well as an as interest in new sources
  • In questions 3 and 10 they report spending significant sums of money purchasing a wide variety of Infosec hardware and software
• In question 7, 70% of the respondents reported experiencing a security incident with significant financial impact

Regarding what the VISCC mission should be, the data supports an educational mission with a mix of seminars, newsletters and a web site (see Question 8). There is nothing concrete in the survey results to suggest any element of the proposed VISCC mission should be changed. Indeed, one could interpret the statistical and written comments as support.

Regarding possible synergies with VITC, more than half of the respondents indicated an interest in subscribing to a Vermont service providing current information and help. So, given the broad VITC mission to support all information technology areas, the fit is logical. There is no data from this survey to address the question of whether or not the VISCC should be a separate center or have its own web identity. The only reference to information security the author could find on the current VITC web site was this questionnaire.

Regarding the best ways to serve the intended audience, the survey provides some clues:

• In question 6, 77% of respondents reported using the Internet as a source of information and 23% reported classes or seminars. This suggests creating a VISCC focused web site is a high priority
• In question 8, significant interest in a web site and seminars was reported
• The responses to questions 1, 3, and 4 suggest an initial focus might on viruses and protection against hackers

The survey also suggested that there is a willingness to pay for inforsec services:

• Question 10 documents significant actual expenditures
• Question 7 documents significant actual losses (that may have been preventable)
• In question 2, the respondents place a high value on avoiding computer network downtime
• In question 9, 51% of the respondents stated a willingness to pay more than $100/yr for a mix of Infosec services.

However, in question 5, 87% indicated they were either satisfied or very satisfied with the value received for their current Infosec expenditures. This suggests the VISCC must deliver a high quality product and focus on underserved segments of the market. The noted preference for a Vermont service is an asset to VISCC.

OTHER SOURCES OF DATA:

Regarding the growth of the Internet: This is significant because everybody who is on the Internet is a potential customer for the VISCC. Furthermore, new users are arguably less sophisticated and therefore more in need of the sort of help and advice VISCC could provide. Therefore, if the number of Internet users is growing, the market for VISCC is also growing.

• It is well documented that the Internet is the fastest growing disruptive technology in the history of the world.
• Vermonters are increasingly using the Internet. This is well documented in Vermont-specific studies conducted by Senator Leahy, VTAC, the Department of Public Service, and others.
• E-government and Work@Home are gaining momentum in VT and will accelerate this growth.

Regarding the need Vermont small businesses have for Infosec information: As described in the Attachment, help on Information Security is a subset of IT support needs that are provided by IT departments in virtually every large and most medium sized businesses. The significant difference between general IT support, and Infosec support is that the consequence of inadequate Infosec practices by a single user can impact the entire corporation, e.g., a virus is spread. In addition to a growth in sheer volume, the risks and vulnerabilities are also increasing as reported by experts in the field at the recent Information Security Roundtable:

• Always on, always connected, 24X7 connections are a major vulnerability
• Wireless connections are a major vulnerability
• PDA's (such as Palm Pilots) are a major vulnerability
• Work@Home presents a major vulnerability as potentially unsecured connections are provided to corporate networks
  • Putnam Investments has chosen to avoid a VPN arrangement that could result in cost savings due to security concerns
• Learning at home presents similar risks

All of the above are key to VT's economic vitality, but as a byproduct, add to the need for Infosec support.

Regarding how Infosec needs of VT small businesses are currently being met: Given the well documented fact that VT has a large and growing population of small businesses and DBA's who frequently do not have an IT department to support them, the question is where do they go for help? Some of the places we know of include: