KnowBe4 2018 Security Awareness Training Deployment and Trends Survey

Demographic Questions

Question Title

* 1. Which best describes your vertical industry?

Academic (College/University)

Accounting

Advertising

Aerospace

Agriculture/Forestry

Automotive

Biopharma and Biosciences

Business Services/Consulting

Communications/Telecom

Computer hardware/software/technology manufacturer

Construction

Consulting

Education (K through 12)

Energy

Engineering

Financial services/banking, legal, real estate

Gaming

Government (federal)

Government (state and local)

Healthcare

Hotel & Hospitality

Insurance

IT/Technology Services Provider

Law Enforcement

Legal

Manufacturing

Marketing

Media and Entertainment

News Organization

Non Profit

Oil/Gas/Mining

Pharmaceutical

Retail

Sales

Security

Software

Sports

Surveillance

Telecommunications

Transportation

Travel

Utilities

Weather

Other (please specify)

Question Title

* 2. How many servers are in your organization?

1 to 10

11 to 20

21 to 30

31 to 50

51 to 100

101 to 250

251 to 500

501 to 1,000

1,001 to 5,000

More than 5,000

Question Title

* 3. What is your title/job function?

Application Manager

Architect

CEO

CIO

CISO

COO

CTO

Database Administrator

Engineer (Systems or Network)

Independent Consultant/Systems Integrator

IT Manager

IT Staff

Network Administrator

Network Manager

Plant Facilities Manager

Security Administrator/Manager

Server Hardware Administrator

Software Developer

Storage Administrator

Telecom Engineer

Telecom Manager

VP of IT

VP of Security

Other (please specify)

Question Title

* 4. What is your organization’s TOTAL average annual expenditure on security including hardware, software, services and training?

$20+ million

$10-$19.9 million

$5-$9.9 million

$1-$4.9 million

$500,000-$999,999

$250,000-$499,999

$101,000-$249,000

$51,000 -$100,000

$25,000 - $50,000

<$25,000

We do not have a separate security budget

Question Title

* 5. Have hackers or malware been able to get on your network or computers in the last year, if even only for a short while, before detection and removal?

Yes

If NO, PLEASE SKIP to Question 8

Question Title

* 6. If Yes, what root exploit causes were involved in successful attacks or compromises within the last year

Zero Days

Social Engineering

Unpatched Software

Malware

Password Attacks/Issues

Data Leaks

Eavesdropping/MitM

Misconfiguration

Denial of Service

Insider/Partner/Consultant/Vendor/3rd Party Issues

User Error

Physical Attacks

A combination Social Engineering, Malware, User Error and Password Issues/Attacks

Other (Please Specify)

Question Title

* 7. If your networks or computers were compromised by Social Engineering, please specify the root cause(s)

Browser-only

Phone

SMS

All of the above

Unsure

Other (please specify)

Question Title

* 8. Do you have a security awareness training program?

Yes

Not at this time, but we plan to implement one within the next six to 12 months

We are considering it, but have not made a decision

Question Title

* 9. If your firm does not currently have a Security Awareness Training program and no specific plans to adopt it, what is/are the reason(s)

Upper management does not consider it necessary

We think it costs too much

We are unsure of the benefits

We think our current security safeguards, policies and procedures are adequate

We are an SMB and lack the time and resources to implement security awareness training

Other computer and network issues take priority

A combination of all of the above issues

Other (please specify)

Question Title

* 10. If your firm has a Security Awareness Training program, what does it include? Select All that Apply

Videos

Human trainers

Seminars/Webinars with outside third parties

Newsletters

All of the above

Other (please specify)

Question Title

* 11. If your firm has a security awareness training program, how often is security awareness training conducted (e.g. ad hoc, weekly, monthly, quarterly, semi-annually, annually, longer)?

Ad hoc

Weekly

Monthly

Quarterly

Every six months

Annually/once a year

As needed/No set schedule

Only in the wake of a successful attack

Unsure

Question Title

* 12. If your firm conducts security awareness training, does it include simulated phishing attacks?

Yes

Not currently, but we plan to do so

Question Title

* 13. If your firm does conduct simulated phishing attacks, how often does it do so?

Ad hoc

Weekly

Monthly

Quarterly

Every six months

Annually

As needed

Only in the wake of a successful phishing attack

Unsure

Other (Please Specify)

Question Title

* 14. If your firm conducts simulated phishing attacks, do you randomize the simulated phishing topics?

Yes

Not yet but we plan to do so

Question Title

* 15. If your firm conducts simulated phishing attacks does it focus on specific groups with specific types of phishing (e.g. CEO fraud)

Yes

Not currently, but we plan to do so

Question Title

* 16. Is your security awareness training automated? For example, will employees that fail a simulated phishing test be automatically sent a security awareness training component?

Yes

Not currently, but we plan to do so

Question Title

* 17. How much time do the administrator(s) devote to managing security awareness training programs each year?”?

1 to 2 hours

2 to 4 hours

One week

Two weeks

No specific amount of time

Ad hoc

As needed

Other (Please Specify)

Question Title

* 18. How many minutes of security awareness training is required each year for employees?

15 to 30 minutes

31 to 60 minutes

1 to 2 hours

2 to 4 hours

>4 hours

No specific time allotted

We schedule security awareness training as needed

Question Title

* 19. Has security awareness training helped your firm to identify and thwart hacks in the last six to 12 months?

Yes

We have not experienced any successful or attempted hacks in the last six months

Unsure

Question Title

* 20. Do you feel that security awareness training has helped decrease your firm's overall computer security risk?

Yes

It’s too soon to tell

Question Title

* 21. Do you feel that security awareness training has changed your company’s computer security culture for the better?

Yes

Other (please specify)

Question Title

* 22. ESSAY Question: Please provide us with your comments, insights and observations on your organization’s experiences with security awareness training. For example, how has it benefitted the Security and IT Administrators, the employees and has it been a valuable tool in making your firm more secure? Please leave your Email address so we may contact you if you win the $100 Amazon Gift Certificate.