Work Package WP6: Outreach, Dissemination and Exploitation

D6.2 Stakeholder and Consumer Requirements Survey Report

This work is performed within the SAINT Project (Systemic Analyser in Network Threats) with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829

Document Dissemination Level: P (Public); CO (Confidential, only for members of the Consortium, including the Commission Services)

Document Due Date: 30/04/2018
Document Submission Date: 11/05/2018

D6.2 Stakeholder and Consumer Requirements Survey Report · Gabriela Hrasko (AS) Georgios Germanos (KEMEA ) Jart Armin (CYBE) Andreas Zalonis (NCSRD) Ethical advisor(s): Christina


Copyright SAINT Consortium. All rights reserved.

Document Information

Deliverable number: D6.2

Deliverable title: Stakeholder and Consumer Requirements Survey Report

Deliverable version: 1.0

Work Package number: WP6

Work Package title: Outreach, Dissemination and Exploitation

Due Date of delivery: 30/04/2018

Actual date of delivery: 11/05/2018

Dissemination level: Public

Editor(s): Bryn Thompson (CYBE)

Contributor(s): All Partners

Reviewer(s): Edgardo de Montes (MNTMG), Gabriela Hrasko (AS), Georgios Germanos (KEMEA), Jart Armin (CYBE), Andreas Zalonis (NCSRD)

Ethical advisor(s): Christina Chalanouli (KEMEA)

Project name: Systemic Analyser in Network Threats

Project Acronym: SAINT

Project starting date: 1/5/2017

Project duration: 24 months

Rights: SAINT Consortium

Version History

Version Date Beneficiary Description

0.1 20/12/2017 CYBE TOC

0.2 23/02/2018 CYBE 1st Draft

0.3 18/04/2018 CYBE Draft for review

1.0 27/04/2018 CYBE Final version


Abbreviations and Acronyms

ACRONYM EXPLANATION

AI Artificial Intelligence

BYOD Bring Your Own Device

DoS (DDoS) Denial of Service (Distributed Denial of Service)

ENISA European Union Agency for Network and Information Security

FICORA Finnish Communications Regulatory Authority

GDPR General Data Protection Regulation

IoT Internet of Things

ML Machine Learning


Table of Contents

1 Introduction
1.1 Methodology
2 Results and findings
2.1 Survey demographics
2.2 Cyber security concerns
2.3 Cyber security awareness
2.4 Personal experiences of cybercrime
2.5 Cyber security concerns in the workplace
2.6 Personal online behaviour
2.7 Workplace practices
2.8 Personal cyber security
2.9 New technologies and security
2.10 Perceptions on the causes of increasing levels of cybercrime
2.11 Cyber security responsibilities
2.12 Cyber security preventions
2.13 Information sharing
2.14 Cyber risk protection
2.15 Perceptions on cyber security and the economy
3 Conclusions
References
Appendix – Initial Survey Questions


Table of figures

Figure 2.1.1: Age of respondent
Figure 2.1.2: Company location
Figure 2.1.3: Number of employees
Figure 2.1.4: Organisation type
Figure 2.2.1: Are you concerned about cybercrime or cyber security?
Figure 2.2.2: Level of organization concern
Figure 2.3.1: Are you sufficiently informed about cyber security?
Figure 2.3.2: Is the risk from cybercrime greater than conventional crime?
Figure 2.3.3: Company risk of exposure to cyber threats
Figure 2.3.4: Awareness levels of cyber threats
Figure 2.4.1: Concerns about cyber threats
Figure 2.4.2: Cybercrime victimisation
Figure 2.4.3: Type of cybercrime action experienced
Figure 2.5.1: Preventative actions at work, following a cyber attack
Figure 2.5.2: Impacts of cyber attacks at work
Figure 2.6.1: Internet usage
Figure 2.6.2: Device use for Internet access
Figure 2.7.1: Personal devices within the workplace
Figure 2.7.2: Exposure to common risk factors at work
Figure 2.7.3: Core online services at work
Figure 2.7.4: Online services as a proportion of revenue
Figure 2.7.5: Cyber attack preparedness in the workplace
Figure 2.7.6: Perceptions on potential workplace losses from cyber attack
Figure 2.8.1: Changes in behaviour due to cyber security concerns
Figure 2.9.1: Levels of IoT-technology adoption within the workplace
Figure 2.9.2: Does AI and IOT increase security?
Figure 2.10.1: Causes for increasing levels in cybercrime
Figure 2.11.1: Personal responsibility for cyber security
Figure 2.11.2: Cyber security responsibility at work
Figure 2.12.1: Security capabilities of free software
Figure 2.12.2: Antivirus use
Figure 2.12.3: Investment in cyber security preventatives
Figure 2.12.4: VPN usage
Figure 2.12.5: The impact of stronger law enforcement
Figure 2.12.6: Investment and cybercrime reduction
Figure 2.12.7: Workplace monitoring of the cost of cyber attacks
Figure 2.12.8: Under-investment in cyber security
Figure 2.12.9: Workplace cyber security investment
Figure 2.12.10: Where should investment be?
Figure 2.12.11: The effectiveness of preventative measures
Figure 2.13.1: Levels of information sharing with outside organisations
Figure 2.13.2: Seeking guidance on cyber security
Figure 2.13.3: Should there be more information sharing?
Figure 2.14.1: Cyber insurance (personal)
Figure 2.14.2: Cyber insurance (company)
Figure 2.15.1: Currency of choice for subsequent answers
Figure 2.15.2: Respondents’ perceptions on the cost of cybercrime (country of residence)
Figure 2.15.3: Respondents’ perceptions on the cost of cyber security (worldwide)
Figure 2.15.4: Respondents’ perceptions on the cost of cyber security (country)
Figure 2.15.5: Respondents’ perceptions on cyber security spend (company)
Figure 2.15.6: Respondents’ perceptions on cyber security spend (personal)


1 Introduction

This deliverable is a report on the findings from stakeholder and consumer surveys as an extension and further analysis of the initial SAINT surveys as outlined in D2.3 ‘Initial Comparative Analysis of Cybercrime Victims by Region, Country and Forecasting’.

A survey of EU-related threats, following a similar approach to the EU FP7 project CyberROAD¹, was conducted to provide high- and low-level views of the current cyber-security landscape.

A broad range of stakeholders were invited to complete the survey to maximise the analysis of evidence-based practices. Stakeholders include, for example, policy makers, governmental, legal and law enforcement bodies, academic researchers, industry practitioners, expert groups, service providers, commercial providers, consumers and end-users.

In D2.3 specific areas were reported on. These included sections on: 5.1 ‘Cybercrime victims’ including metrics, 5.2 ‘The threat landscape as presented by the survey’, including place of work threats, money invested, 5.3 ‘The technological landscape as presented by the survey’, including IoT, 5.4 ‘The social, political and legal landscape as presented by the survey’, including the Dark Web, 5.5 ‘The economics as presented by the survey’ including econometrics at macro and micro levels.

In this deliverable a broader picture of the landscape is given, with further analysis of the remaining topics from the initial survey that were not covered in the earlier D2.3. These include areas such as cyber security concerns and cyber security awareness, personal and workplace experiences of cybercrime, and personal online behaviour. Finally, the requirements for consumers are discussed within the aims of the SAINT project.

1.1 Methodology

The methodology for the SAINT survey is detailed in D2.3 ‘Initial Comparative Analysis of Cybercrime Victims by Region, Country and Forecasting’. To briefly recap, our survey is designed following a Delphi-like method where opinions are sought through a series of questionnaires over two or more rounds [1]. The Delphi method for surveys has been widely adopted and is popular in science, technology or education fields [2]. A well-known specialised online tool, SurveyMonkey², was used for the design and implementation of the survey. The survey was added to the SAINT website, with stakeholders informed about the link via emails and general publicity on the project³. A complete set of survey questions is available in Appendix 1.

The initial survey included questions about preparedness against cyber attack, risk and cyber threats, Deep Web activities, cyber insurance and econometrics at macro and micro levels. The survey was distributed in a variety of formats: project website, announcements via social media, and prompting by email by consortium partners to interested parties. A total of 2,196 respondents completed the initial survey. A second survey will follow a similar drawdown approach, with the questions devised according to the results from the initial survey. To increase the target audience and remove cultural bias, the survey was available in six European languages: English, French, German, Greek, Spanish and Swedish. As this is an initial report, the results for all languages have been combined; any specific differences are described. Survey demographics are depicted in Section 2.1.

¹ https://www.cyberroad-project.eu
² https://www.surveymonkey.com/
³ https://project-saint.eu/surveys


2 Results and findings

In part, results and findings of the initial SAINT survey are explored in D2.3 ‘Initial Comparative Analysis of Cybercrime Victims by Region, Country and Forecasting’. The emphasis in D2.3 was to perform a comparative analysis on publicly available data and SAINT metrics from our initial survey. It was found that performing like-for-like comparisons with other reports is difficult when methodologies and question formats vary between different surveys. This serves to emphasize the difficulties faced by the cyber security industry in trying to produce metrics that are fully quantifiable, of value and have relevance to an audience, be it select or wide.

The problem encountered is greater for research surveys, in general, than it is for benchmarking surveys. However, a major limitation for benchmarking is sampling-frame bias, as outlined by Accenture in the “Cost of Cybercrime Study 2017” (page 55) [3]. For the SAINT survey we tried to avoid this by making our survey available online and without restrictions on who could access it. A natural bias is experienced, and is somewhat unavoidable, as only those with a prior interest in the subject will bother to take the survey.

A major learning point to carry forward to the next round of surveys is to design questions to have a comparative value, either to the previous round of our own surveys, which is the basis of a Delphi questionnaire, and/or to other publicly available reports.

An ongoing theme of our research is the impact that a general lack of quantifiable and trusted metrics has on the perceptions of stakeholders. The evidence suggests that there are many publicly available reports, many of which cannot be used quantifiably or comparatively against each other. This relays a confusing picture to many. In such a situation, each report can only be assessed as a standalone piece of research using its own methodology and producing results that realistically can only be used comparatively over several years.

The cyber security industry is clearly lacking a joined-up approach to metrics. This is already an important outcome of the SAINT project and demonstrates that little has changed since a similar finding resulted from the CyberROAD project. This remains a major requirement for stakeholders and consumers alike.

In the following sections, we provide further results from the initial SAINT survey.


2.1 Survey demographics

Respondents were asked a series of non-identifiable questions to gain basic demographics on the participants.

Respondents show a cross-section of ages, as depicted in Figure 2.1.1:

Figure 2.1.1: Age of respondent
[Chart: “What is your age?” Categories: 18 to 24, 25 to 34, 35 to 54, 55 to 64, 65+. Data labels: 21.37%, 35.62%, 23.01%, 15.89%, 4.11%.]

Figure 2.1.2 shows the business location of the respondents:

Figure 2.1.2: Company location


The size of the company where the respondents work is represented by the number of employees in Figure 2.1.3:

Figure 2.1.3: Number of employees
[Chart: “How many employees work for your company?” Categories: 1-5, 6-20, 21-100, 101-500, 501-1000, 1000+. Data labels: 18.18%, 13.77%, 10.47%, 8.82%, 14.88%, 33.88%.]

The single largest group of employees work for a large organisation. Micro, SME or small enterprises employ a sizeable proportion of SAINT respondents.

Figure 2.1.4 displays the spread of stakeholders across sector type. Consumers, commercial businesses and scholarly research are highly represented in the initial SAINT survey.

Figure 2.1.4: Organisation type
[Chart: “Which category most closely fits your organisation type?” Categories: Commercial business; Consumer group or end-user; Scholarly research; Cyber security practitioner, cyber security expert (any field); Internet service provider or operator; Policy making, government, legal or law enforcement. Data labels: 24.24%, 21.49%, 20.94%, 15.98%, 10.47%, 6.89%.]


2.2 Cyber security concerns

Respondents indicate high levels of concern on cyber security issues. This is an expected result for a survey on this topic.

Figure 2.2.1: Are you concerned about cybercrime or cyber security?
[Chart: “Are you concerned about cybercrime or cyber security issues?” Categories: Extremely concerned, Very concerned, Moderately concerned, Not very concerned, Not at all concerned. Data labels: 55.93%, 23.73%, 18.08%, 2.26%, 0.00%.]

When asked the same question about the organisation they work for (Figure 2.2.2), the results show that respondents perceive that their company has a lower level of concern about cyber security issues than they do.

Figure 2.2.2: Level of organization concern
[Chart: “How high a concern is cyber security for your organisation?” Categories: Extremely high, Very High, Moderately high, Not very high, Not at all. Data labels: 40.56%, 27.04%, 15.49%, 13.52%, 3.38%.]


2.3 Cyber security awareness

There is an almost exact divide between respondents who feel sufficiently informed about cyber security issues and those who do not; see Figure 2.3.1. This result is similar to the Eurobarometer public opinion survey, “Special Eurobarometer: Europeans’ attitudes towards cyber security”, where “… less than half of respondents consider themselves to be well informed about cybercrime” [4].

Figure 2.3.1: Are you sufficiently informed about cyber security?
[Chart: “Do you feel sufficiently informed about cyber security issues?” Categories: Yes, No, I don't know. Data labels: 49.57%, 48.43%, 1.99%.]

Figure 2.3.2 displays the concern of respondents (more than 2:1) that cybercrime presents a greater risk than conventional crime.

Figure 2.3.2: Is the risk from cybercrime greater than from conventional crime?
[Chart: “Do you think that cybercrime is now a bigger risk than 'conventional' crime?” Categories: Yes, No, I don't know. Data labels: 68.19%, 29.80%, 2.01%.]


The ratio is also more than 2:1 between respondents who do not receive regular information on the risk of exposure to cyber threats at work and those who do (Figure 2.3.3).

Figure 2.3.3: Company risk of exposure to cyber threats
[Chart: “Do you receive regular information about your company's risk of exposure to the threat of a cybercriminal attack?” Categories: Yes, No, I don't know. Data labels: 26.84%, 64.12%, 9.04%.]

In the initial SAINT survey respondents were asked: How informed or aware do you consider yourself to be about each of the following…? (See Figure 2.3.4.) The list provided contained the top 14 threats as published in the latest available edition (2016) of ENISA’s series of reports on the Threat Landscape [5]. (Note: In January 2018 a further addition to the series was published. However, this was published after the initial SAINT survey was completed [6].)

Respondents indicate high levels of confidence in their knowledge of spam, phishing of banking or website credentials, and DoS (DDoS). The greatest lack of confidence in knowledge is on physical damage to Internet infrastructures, cyber espionage and cyber terrorism. Both cyber espionage and cyber terrorism were the most popular topics on which respondents would like more information, along with data breaches and Web application / Injection attacks.


Figure 2.3.4: Awareness levels of cyber threats
[Chart: “How informed or aware do you consider yourself to be about each of the following:” Series: I am well informed; Would like to be more informed; Not informed.]


2.4 Personal experiences of cybercrime

Respondents were asked a series of questions on their personal experiences of cybercrime. This section enquired about actual experiences as well as concerns about perceived threats. Figure 2.4.1 represents the concerns of respondents in order of the perceived risk from low (Rank 1) to high (Rank 7). By far, the greatest risk was perceived as coming from identity theft. The lowest risk on a personal level is thought to be from DDoS.

Figure 2.4.1: Concerns about cyber threats

Chart title: Cybercrime can include many different types of criminal activity. How concerned are you personally about experiencing, or being a victim of, the following cybercrime? Rank the following from 1 - 7 where 1 causes you the least concern and 7 causes you the

Chart categories:
DDoS - Denial of service by preventing access to websites
Identity theft - somebody stealing your personal data and impersonating you, e.g. shopping under your name
Malware / Viruses - Discovered malicious software on your device
Online fraud - where goods purchased are not delivered, counterfeit or not as advertised
Phishing - Being a victim of bank card or online banking fraud via an email
Ransomware - Being asked for a payment in return for getting back control of your PC or mobile device
Trackers and Spyware - Monitoring or control of what and where you use the Internet

Chart series: Rank 1 (Low), Rank 2, Rank 3, Rank 4, Rank 5, Rank 6, Rank 7

The concern about identity theft is mirrored in the Eurobarometer report where identity theft and discovering malicious code on their device were found to be of equal concern (69%) [7].


When asked about actual experiences of cybercrime (Figure 2.4.2), just under half had been a victim in the last 12 months. This figure is slightly higher in comparison to other recent reports. For example, in the 2017 Norton Cyber Security Insights Report, 44% of respondents had been impacted by, or had a personal experience of, cybercrime in the last 12 months [8]. The difference in results between the two surveys could be due to a self-reporting bias, i.e., people who were a target of cybercriminals are more willing to respond to our survey. The type of cybercriminal actions experienced by our stakeholders was investigated more fully in subsequent questions.

Figure 2.4.2: Cybercrime victimisation
[Chart: “Have you experienced a cybercriminal action in the last 12 months?” Categories: Personal capacity, At work, Personally and at work, No. Data labels: 14.25%, 23.93%, 9.12%, 52.71%.]


The type of activities experienced by respondents was explored as represented in Figure 2.4.3:

Figure 2.4.3: Type of cybercrime action experienced

Chart title: Have you experienced or been a victim of the following situations in the last 12 months?

Chart categories:
Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
Received emails or phone calls fraudulently asking for access to your computer, logins or personal details (including banking or payment information)
Online fraud where goods purchased were not delivered, counterfeit or not as advertised
Not being able to access online services (e.g. banking services or public services) because of cyber attacks
Your social media or email account being hacked
Being a victim of bank card or online banking fraud
Being asked for a payment in return for getting back control of your device (i.e. ransomware)
Discovered malicious software (viruses, etc.) on your device

Chart data labels: 6.09%, 33.50%, 12.18%, 11.17%, 6.09%, 5.58%, 4.06%, 21.32%

The most common type of activity (33.5%) in the last 12 months for respondents was to be asked for access to their computer, logins or personal details either via an email or phone. The next most frequent activity was finding malicious software (viruses, etc.) on a device. Ransomware was the least encountered activity (5.58%).


2.5 Cyber security concerns in the workplace

Figure 2.5.1 represents respondents’ replies when asked what did happen, or should have happened, at their place of work following a data breach or attack. The most common activity performed, or perceived to have been the correct course of action, was to change or update firewall/system configurations. Performing a post-incident review was only selected by slightly more than a quarter of respondents.

Figure 2.5.1: Preventative actions at work, following a cyber attack

Chart title: In your experience at work, what preventative actions have been taken, or should have been taken, following a data breach or attack? (Select any options that apply)

Chart categories:
Changed nature of the business carried out
Nothing
Outsourced cyber security/hired an external provider
Disciplinary action
Recruited new staff
I don't know
Deployed new systems
Formal post-incident review
Penetration testing
Increased monitoring of third parties' cyber security
Created/changed backup/contingency plans
Increased spending on cyber security
Changed which users have admin/access rights
Created/changed policies/procedures
Installed/changed/updated antivirus/anti-malware software
Changed/updated firewall/system configurations


The most common choice of perceived, or actual, impact following a data breach/attack was loss of work time (see Figure 2.5.2, where the top six choices are represented). This is an interesting selection and a requirement for inclusion in future metrics on the cost of cybercrime/security if accurate numbers are to be realised.

Figure 2.5.2: Impacts of cyber attacks at work

Chart for Figure 2.5.2. Question: "If you had, or would have, a data breach/attack at your place of work what was, or would be, the likely impact? (Select multiple options)". Options shown: Stopped staff from carrying out their day-to-day work; Loss of revenue or share value; Reputational damage; Prevented provision of goods or services to customers; Inconvenience.

2.6 Personal online behaviour

The extent to which the Internet has become an integral part of our daily lives is reflected in Figure 2.6.1. Over 96% of respondents use the Internet every day. This compares to 70% reported in the Eurobarometer [4]. The difference may be explained by the survey type; the SAINT survey is conducted online whereas the Eurobarometer is conducted face-to-face.

Figure 2.6.1: Internet usage

The types of devices used to access the Internet reflect societal changes and the use of multiple devices (Figure 2.6.2). The mobile market share overtook that of the desktop PC in October 2016 (footnote 4). As of March 2018, the worldwide market share was: mobile 51.96%, Desktop 44.27%, Tablet 4.18% [9].

Figure 2.6.2: Device use for Internet access

4 http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide/2016

Chart for Figure 2.6.1. Question: "How often, if at all, do you use the Internet?" Options: Daily; Most days (3-6); Occasionally (<2). Values shown: 96.07%; 3.37%; 0.56%.

Chart for Figure 2.6.2. Question: "What devices do you use to access the Internet?" Options: Computer (desktop, laptop, netbook); Touchscreen tablet; Smartphone; TV. Values shown: 100.00%; 80.74%; 38.53%; 6.80%.

2.7 Workplace practices

Figure 2.7.1 reflects the wide practice of using personally-owned devices in the workplace. Almost 80% of respondents confirmed this as the situation at their work. It is not known what percentage of the workplaces have best practices, or policies, in place to govern the use of Bring Your Own Devices (BYOD).

Figure 2.7.1: Personal devices within the workplace

Chart for Figure 2.7.1. Question: "Does anyone in your place of work use personally-owned devices such as smartphones, tablets, home laptops or desktop computers to carry out regular business-related activities?" Options: Yes; No; I don't know. Values shown: 79.36%; 13.08%; 7.56%.

Workplaces use a variety of web-based applications and online services during an ordinary day as displayed in Figure 2.7.2. The operational management of such services is a determining factor in risk control.

Figure 2.7.2: Exposure to common risk factors at work

Figure 2.7.3 and Figure 2.7.4 illustrate the extent to which organisations rely on online services to provide a core part of their services or goods. This is further reflected in the annual revenues provided by such services.

Chart for Figure 2.7.2. Question: "Which of the following, if any, does your organisation currently have or use?" Options shown: Email addresses for your organisation or its employees; A website or blog; Accounts or pages on social media sites (e.g. Facebook or Twitter); Sensitive company data held on internal IT systems; Cloud services; Personal information about your customers held electronically; The ability for your customers to order, book or pay for products or services online; Sensitive company data held on external IT systems; An industrial control system, e.g. SCADA architecture, or software applications for monitoring systems; Don't know; None of these.

Figure 2.7.3: Core online services at work

Although over 40% of the workplaces of respondents do not generate a revenue from online services (they may be employed in research organisations, policy making, governmental or law enforcement), a loss of Internet access would nonetheless impact upon their daily functions, as indicated by usage rates shown in Figure 2.7.4.

Figure 2.7.4: Online services as a proportion of revenue

Chart for Figure 2.7.3. Question: "To what extent, if at all, are online services a core part of the goods or services your organisation provides? Is it…" Options: A large extent; To some extent; Not at all. Values shown: 31.21%; 46.34%; 15.85%.

Chart for Figure 2.7.4. Question: "Online services correspond to what proportion of annual revenues in your work?" Options: 0; >10%; 10 to 50%; 50 to 100%. Values shown: 40.45%; 23.30%; 22.01%; 14.24%.

Over 40% of respondents had faith in their company's preparedness against cyber attack (Figure 2.7.5).

Figure 2.7.5: Cyber attack preparedness in the workplace

Respondents perceive that the most damaging aspect of a cyber attack would be from indirect losses: loss of reputation, brand, trust and missed business opportunities (Figure 2.7.6). Indirect losses are the most difficult to quantify. If respondents’ fears are to be accepted and understood, greater effort into the quantification of the object of their concern is required. This will enable an informed decision to be made on the justification of these concerns.

Figure 2.7.6: Perceptions on potential workplace losses from cyber attack

Chart for Figure 2.7.5. Question: "Do you think that your company is well-prepared against a cyber attack?" Options: Probably; Probably not; Yes; I don't know; No. Values shown: 44.30%; 18.99%; 16.46%; 15.19%; 5.06%.

Chart for Figure 2.7.6. Question: "At your place of work, which of the following pose the biggest risks from cyber threats?" Categories: Environmental costs; Health & safety costs; Infrastructure costs; Direct financial losses & damage (money stolen from accounts, regulatory fees, loss of clients, business, etc.); Indirect financial losses (loss of reputation, brand, trust, missed business opportunities, etc.). Rating legend: I don't know; Low; Medium; High.

2.8 Personal cyber security

SAINT survey respondents indicate high levels of practicing safe cyber security (Figure 2.8.1) and high confidence in using online banking and other online services. Respondents could choose multiple practices that they had changed: the top eight are represented here.

Figure 2.8.1: Changes in behaviour due to cyber security concerns

Chart for Figure 2.8.1. Question: "Has concern about cyber security issues made you change the way you use the Internet in any of the following ways?" Options shown: You do not download email attachments unless you know the sender; You use different passwords for different sites; You have changed your security settings (e.g. your browser, online social media, search engine, etc.); You are less likely to give personal information on websites; You have installed antivirus software; You only visit websites you know and trust; You do not open emails from people you don’t know; You regularly change your passwords.

2.9 New technologies and security

Note: Internet of Things (IoT) is the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data.

Adoption of smart devices or IoT technology is evolving as depicted in Figure 2.9.1. Over a third of respondents confirmed the use of this technology in their workplace.

Figure 2.9.1: Levels of IoT-technology adoption within the workplace

Chart for Figure 2.9.1. Question: "Has your company adopted smart devices or IoT-based technology?" Options: Yes; No; I don't know. Values shown: 36.14%; 44.58%; 19.28%.

The views of respondents (Figure 2.9.2) reflect a concern that adoption of the new technologies, artificial intelligence (AI) and IoT, increases the threat risk for companies. Security predictions for the future also lay claim to the advent of AI being used to carry out attacks [10]. Conversely, there are claims that AI will benefit the cyber security industry through the application of Machine Learning (ML) to improve accuracy and understanding of threat levels. ML can adapt to conditions and self-remediate against threats. However, it has been shown that with every new technological advance, cybercriminals use the same techniques to their own advantage.

Figure 2.9.2: Does AI and IOT increase security?

Chart for Figure 2.9.2. Question: "What is your view on artificial intelligence (AI) and the Internet-of-things (IoT)?" Options: AI/IOT increases the company's exposure to cyber-attacks; AI/IOT-based devices grant better security against cyber-attacks; I don't know. Values shown: 66.67%; 20.51%; 12.82%.

2.10 Perceptions on the causes of increasing levels of cybercrime

Respondents were asked to rank their answers in order of importance (1=Low, 5=High). Figure 2.10.1 represents the choices selected as being the greatest force behind increasing levels of cybercrime (Rank 5). The main reason for the increase is believed to be economic interests. Lack of education on cyber safety for end users was highly placed. The latter may be a more practical point from which to start to effect changes. If the challenges posed by cybercrime are to be met then this is a necessity.

Figure 2.10.1: Causes for increasing levels in cybercrime

2.11 Cyber security responsibilities

Figure 2.11.1 depicts high levels of acceptance of responsibility for respondents’ own cyber security.

Figure 2.11.1: Personal responsibility for cyber security

Chart for Figure 2.10.1. Question: "What do you think is the greatest force behind increasing levels of cybercrime? (Rank 5= high)". Options shown: Economic interests; Lack of education on cyber safety for end users; Business strategies; Societal; Politics.

Chart for Figure 2.11.1. Question: "Do you feel responsible for your own cyber security on the Internet?" Options: Yes; No; I don't know. Values shown: 95.06%; 2.47%; 2.47%.

SAINT survey respondents show high levels of acceptance of shared responsibility for cyber security in their place of work (Figure 2.11.2).

Figure 2.11.2: Cyber security responsibility at work

2.12 Cyber security preventions

The responses depicted in Figure 2.12.1 when asked if free software covers all personal and workplace security requirements indicate an acceptance that some cost is needed to keep networks secure.

Figure 2.12.1: Security capabilities of free software

Chart for Figure 2.11.2. Question: "Do you feel you share responsibility for cyber security of your company or place of work?" Options: Yes; No; I don't know. Values shown: 87.50%; 11.25%; 1.25%.

Chart for Figure 2.12.1. Question: "Do you think that free software covers all your security needs or the needs of your workplace?" Options: Yes; No; I don't know. Values shown: 13.75%; 67.50%; 18.75%.

There are high levels of antivirus use by respondents (Figure 2.12.2). However, almost 10% admitted that they have no antivirus on their PCs. A further 11% said that they use Mac or Linux and, therefore, do not need to use anti-virus. There is a long-held belief that Mac and Linux systems are safe from malicious viruses and other forms of attack, but recent announcements highlight that no operating system is totally safe from the latest forms of ransomware (footnote 5). Such beliefs are sometimes difficult to dispel, with our research illustrating a sizeable core of believers that Mac and Linux do not require current antivirus solutions.

Figure 2.12.2: Antivirus use

Respondents show a high level of awareness of the benefits of investing in cyber security preventative measures as illustrated in Figure 2.12.3.

Figure 2.12.3: Investment in cyber security preventatives

5 https://www.krollontrack.co.uk/blog/the-world-of-data/are-mac-and-linux-users-safe-from-ransomware/

Chart for Figure 2.12.2. Question: "Do you use antivirus software on your PC?" Options: Yes; No; No (I use a Mac or Linux and they do not need anti-virus). Values shown: 79.01%; 9.88%; 11.11%.

Chart for Figure 2.12.3. Question: "What are the main reasons to invest in cyber security preventatives and/or offensive measures for your company?" Options: They reduce the likelihood of a cybercriminal attack; They reduce the expected loss from an attack; There is no specific reason to invest into cyber security for my company; I don't know. Values shown: 55.13%; 41.03%; 1.28%; 2.56%.

VPN use is widespread among SAINT survey respondents as seen in Figure 2.12.4. Fewer than 40% of SAINT survey participants do not use VPN, either at home or at work. According to research from GlobalWebIndex, 25% of Internet users used VPN in the preceding month [7]. Our respondents display a higher than average usage of VPN.

Figure 2.12.4: VPN usage

Contributors to the SAINT survey have little faith that stronger law enforcement will reduce cybercriminals’ incentives to attack (Figure 2.12.5).

Figure 2.12.5: The impact of stronger law enforcement

Chart for Figure 2.12.4. Question: "Do you use a VPN to access the Internet?" Options: Never; Yes (at work and home); Yes (at home); Yes (at work). Values shown: 38.75%; 27.50%; 17.50%; 16.25%.

Chart for Figure 2.12.5. Question: "Do you think that stronger law enforcement mechanisms will reduce cybercriminals' incentives to commit an attack?" Options: No; Yes; I don't know. Values shown: 48.75%; 38.75%; 12.50%.

The largest group of respondents do not believe that money is currently being wisely invested in the right technologies to bring about improvements to cyber security (Figure 2.12.6). Over 27% did not have a view, preferring to answer that they did not know.

Figure 2.12.6: Investment and cybercrime reduction

Chart for Figure 2.12.6. Question: "Do you think money is currently being invested into the right technologies to improve cyber security and to reduce the level of cybercrime?" Options: Yes; No; I don't know. Values shown: 32.50%; 40.00%; 27.50%.

As depicted in Figure 2.12.7, the largest single group of survey contributors to this question (38.46%) did not know if their workplace was monitoring the cost of cyber security breaches. Nearly 30% categorically stated that breaches or attacks were not monitored at their place of work.

Figure 2.12.7: Workplace monitoring of the cost of cyber attacks

Participants were asked to rank their choice of why they think that companies may be under-investing in cyber security measures. The main reason (Rank 4) is represented in Figure 2.12.8 below. SAINT survey contributors indicate a clear preference for increasing the cyber threat awareness of managers at their company as this is seen as a deterrent to effective investment levels.

Figure 2.12.8: Under-investment in cyber security

Chart for Figure 2.12.7. Question: "Is the financial cost of cyber security breaches or attacks monitored or estimated at your place of work?" Options: Yes; No; I don't know. Values shown: 32.05%; 29.49%; 38.46%.

Chart for Figure 2.12.8. Question: "According to you, what are the main reasons that some companies under invest in cyber security measures?" Options shown: There is not sufficient awareness about cyber threats at the managerial level of my company; The company's budget is better invested elsewhere; The cost-effectiveness of existing solutions is too low; Cyber-criminality is not a significant threat to business.

A sizeable majority of participants (78.21%) would recommend more investment in cyber security in their place of work (Figure 2.12.9).

Figure 2.12.9: Workplace cyber security investment

The preferred choice of participants for the destination of increased investment is in a combination of safer technology and cyber education, as illustrated in Figure 2.12.10.

Figure 2.12.10: Where should investment be?

Chart for Figure 2.12.9. Question: "In general, would you recommend more or less investment in cyber security for your company?" Options: More; Less; I don't know. Values shown: 78.21%; 1.28%; 20.51%.

Chart for Figure 2.12.10. Question: "Would you prefer increased investment in safer technology or cyber security education, as a means of reducing the risks of a cyber attack?" Options: Safer technology; Cyber education; A combination of both with stronger focus on safer technology; A combination of both with stronger focus on safer education. Values shown: 15.19%; 16.46%; 40.51%; 41.77%.

Survey participants selected “Employee education on how to prevent cyber intrusion” as the most effective preventative measure, as depicted in Figure 2.12.11.

Figure 2.12.11: The effectiveness of preventative measures

As reported in D3.3 “Initial Analysis on Cyber-Security Failures and Requirements”, Section 2.1.3, “The role of behavioural science”, negligence is the #1 cause of insider threats while it is also reported that in the UK, “4 of the 5 top causes of data breaches are because of human or process error” [11], [12]. Better employee education would seem a sensible choice as an effective preventative measure.

Chart for Figure 2.12.11. Question: "Which of the following measures do you think is the most effective? (Rank 1-6, 1=low, 6=highest)". Measures shown: Employee education on how to prevent cyber intrusion; Management Board awareness training; Stronger law enforcement; Safer software and hardware; More information sharing; Better definitions and standards. Legend: Rank 1 (Low); Rank 2; Rank 3; Rank 4; Rank 5; Rank 6 (High).

2.13 Information sharing

Figure 2.13.1 depicts that most respondents believe that information about cyber attacks is shared with outside organisations. The group that answered “I don’t know” is likely to contain at least some further positive answers which would increase the “Yes” contribution further. This is an encouraging result which is in line with the following Figure 2.13.2 that depicts an even split (37.97% each) between those seeking guidance on cyber security for work and in a personal capacity, in the last 12 months.

Figure 2.13.1: Levels of information sharing with outside organisations

Less than a quarter of respondents had not sought any advice in the last year.

Figure 2.13.2: Seeking guidance on cyber security

Chart for Figure 2.13.1. Question: "Do you, or does someone else in your place of work, share information about cyber events/attacks with an outside organisation?" Options: Yes; No; I don't know. Values shown: 50.63%; 20.25%; 29.11%.

Chart for Figure 2.13.2. Question: "In the last 12 months have you sought information, advice or guidance on Cyber Security / Cybercrime / Threats / CTI?" Options: In a personal capacity; For your place of work; No. Values shown: 37.97%; 37.97%; 24.05%.

There is a great belief that there should be more information sharing on cyber threats within the industry (Figure 2.13.3).

Figure 2.13.3: Should there be more information sharing?

2.14 Cyber risk protection

Cyber insurance for consumers is not as widely available as corporate policies, although it is seen within the industry as being a potential growth area with well-known insurance companies beginning to push their customized policies [13]. SAINT results confirm that few consumers have a customised policy, although Figure 2.14.1 illustrates that respondents consider that they are covered within a generic insurance package.

Figure 2.14.1: Cyber insurance (personal)

Chart for Figure 2.13.3. Question: "Would you recommend more information sharing on cyber threats within the industry?" Options: Yes; Not necessarily; No; I don't know. Values shown: 91.14%; 3.80%; 2.53%; 2.53%.

Chart for Figure 2.14.1. Question: "Are you covered, in a personal capacity, by a cyber insurance policy?" Options: Yes; No; Within a generic insurance package; I don't know. Values shown: 3.80%; 64.56%; 8.86%; 22.78%.

In a work capacity, most respondents do not know if a cyber insurance policy is in place (Figure 2.14.2). This is not an unexpected response to this question, although 34.18% of the participants are confident enough to answer that a policy is not in place at work.

Figure 2.14.2: Cyber insurance (company)

2.15 Perceptions on cyber security and the economy

Answers to the survey within this section are covered in greater detail in D2.3 “Initial Comparative Analysis of Cybercrime Victims by Region, Country and Forecasting”, Section 5.5 “The economics as presented by the survey”. Here, charts are included from the survey to give an overview on perceptions on cyber security and the economy.

Respondents were asked to select a currency, Figure 2.15.1, for their answers to the questions in this section:

Figure 2.15.1: Currency of choice for subsequent answers

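Chart for Figure 2.14.2. Question: "Does your place of work have a cyber insurance policy?" Options: Yes; No; Within a generic insurance package; I don't know. Values shown: 8.86%; 34.18%; 1.27%; 55.70%.

Chart for Figure 2.15.1. Question: "Pick a major currency for these economic questions". Options: US$; EURO. Values shown: 29.49%; 70.51%.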

Over two thirds of respondents selected the Euro for their answers.

Figure 2.15.2 to Figure 2.15.3 depict a lack of confidence that respondents have in their knowledge of the cyber security economic landscape. The clear majority prefer to answer “I don’t know” when questioned on the cost of cybercrime to the economy of their country of residence, and on the spend on cyber security worldwide, in their country, and at their place of work, in 2017.

Figure 2.15.2: Respondents’ perceptions on the cost of cybercrime (country of residence)

It is perhaps reasonable that respondents may not know this type of information about their company, but it is also a reflection on a landscape where there is a lack of readily available data and of not knowing where to go to find trusted data.

Figure 2.15.3: Respondents’ perceptions on the cost of cyber security (worldwide)

Chart for Figure 2.15.2. Question: "What do you think is the cost (millions) of cybercrime to the economy of your country of residence per annum?" Options: 0-25m; 26m-50m; 51m-100m; 100m-200m; 200m+; I don't know. Values shown: 3.80%; 6.33%; 3.80%; 6.33%; 31.65%; 48.10%.

Chart for Figure 2.15.3. Question: "What do you think the estimated spend (billions) will be on cyber security worldwide in 2017?" Options: 1bn-10bn; 11bn-25bn; 26bn-100bn; 100bn-200bn; 201bn+; I don't know. Values shown: 6.33%; 6.33%; 18.99%; 12.66%; 8.86%; 46.84%.

Figure 2.15.4: Respondents’ perceptions on the cost of cyber security (country)

Figure 2.15.5: Respondents’ perceptions on cyber security spend (company)

Chart for Figure 2.15.4. Question: "What do you think the estimated spend (millions) will be on cyber security in your country in 2017?" Options: Up to 25m; 26m-100m; 100 million+; I don't know. Values shown: 9.09%; 19.48%; 25.97%; 45.45%.

Chart for Figure 2.15.5. Question: "What do you think the estimated spend ('000s) will be on cyber security in your company / enterprise in 2017?" Values shown: 2.56%; 19.23%; 3.85%; 3.85%; 7.69%; 11.54%; 51.28%.

Figure 2.15.6: Respondents’ perceptions on cyber security spend (personal)

Chart for Figure 2.15.6. Question: "What do you think the estimated spend will be on cyber security by you personally in 2017?" Options: 0; 1-100; 101-250; 250-1000; 1000+. Values shown: 29.87%; 42.86%; 18.18%; 5.19%; 3.90%.

3 Conclusions

SAINT respondents display high levels of personal responsibility towards their personal cyber security. They express confidence in their knowledge of specific areas of security, mostly spam, phishing of banking or website credentials, and DoS (DDoS). However, their greatest lack of confidence is on physical damage to Internet infrastructures, cyber espionage and cyber terrorism. Conversely, respondents indicate that they do not feel sufficiently informed about cyber security issues (Figure 2.15.1). Over half (55.93%) say that they are extremely concerned about cyber security issues.

For the survey contributors, the rising levels of cybercrime can be attributed to economic interests while lack of education on cyber safety was also considered to be a strong force behind this increase. As such, the latter explanation is less complicated to tackle and should be a requirement if the challenges posed by cybercrime are to be met.

SAINT results confirm that Internet usage is firmly integrated into our daily lives with multiple devices used to connect online. Personally-owned devices are used extensively throughout the workplace, bringing another level of risk to the work environment if proper safeguards and protections are not in place. Mobile malware continues to rise and should be of serious concern for the workplace when preventative measures are not taken.

Respondents are not as confident that cyber security in the workplace is as high a concern as it is for them personally. They admit to having changed their online behaviour in several ways due to concerns over security. The most frequently changed behaviour (84%) is to never download an attachment unless it is from someone that they know, while 79% used different passwords for different sites. Almost three quarters had changed their security settings (on their browser, social media, search engine, etc.) at some point.

Personally, survey participants were mostly concerned about identity theft. In the workplace, they felt that the greatest damage because of an attack would be in lost time from being unable to carry out normal processes. This is classed as an indirect loss and is a classification of loss that is difficult to quantify. It is possible to calculate this to some extent based on down-time and should be included in all future costs calculations.

From our results it does seem that concerns over cybercrime are justified, as just under half had been a victim in the last 12 months. The most common type of activity (33.5%) in the last 12 months for respondents was to be asked for access to their computer, logins or personal details either via an email or phone. The next most frequent activity was finding malicious software (viruses, etc.) on a device. Ransomware was the least encountered activity (5.58%).

The largest single group of survey contributors to this question (38.46%) did not know if their workplace was monitoring the cost of cyber security breaches. Nearly 30% categorically stated that there was no monitoring at their work. The situation may improve with the advent of the GDPR⁶ and with at least half of respondents claiming that their company already shares at least some sort of information. However, only a quarter of respondents claim that a post-incident review has taken place, or would take place, after an attack, which indicates that information sharing within the workplace is not extensively taking place. There is a confusing picture around what is valuable to know and what should be shared with whom. Unless this changes, cyber security will continue to be flawed and there will still be an absence of meaningful data.

⁶ https://www.eugdpr.org/


Adoption of smart devices or IoT technology is not yet commonplace, although over a third of respondents confirmed the use of this technology in their workplace. On the other hand, VPN use is widespread among SAINT survey respondents. Fewer than 40% of survey participants never use a VPN, either at home or at work.

Respondents display a lack of confidence in their knowledge of the cyber security economic landscape, with most preferring to say that they don’t know what the cost of cybercrime to the economy is. This is not a surprising result as sources on this topic are fragmented and difficult to find. This is a major requirement going forward and a conclusion that the SAINT project will continue to support.

The second round of surveys is underway, together with a comparative survey designed for FICORA stakeholders. These will be reported on in D2.4 “Final Comparative Analysis of Cybercrime Victims by Region, Country and Forecasting”, due M18, October 2018, where a final overview of survey results will be undertaken.

The advanced survey will be based on stakeholders' views from the initial survey and our analysis of the requirements that could be fulfilled with the right actions. From our initial analysis, the actions needed include:

• Strengthen cyber security education across the board for companies
• Strengthen cyber security education for all users
• Ensure BYODs are managed within the workplace
• Improve quantification of cyber security to advance ROI processes
• Improve transparency on cyber security issues within the workplace

These requirements provide a solid base for the preparation of the advanced survey.


References

[1] Wikipedia, “Delphi method,” [Online]. Available: https://en.wikipedia.org/wiki/Delphi_method. [Accessed 9 March 2018].

[2] ForLearn, “Delphi Survey,” [Online]. Available: http://forlearn.jrc.ec.europa.eu/guide/4_methodology/meth_delphi.htm. [Accessed 9 March 2018].

[3] Accenture, “Cost of Cyber Crime Study 2017,” 26 September 2017. [Online]. Available: https://www.accenture.com/gb-en/insight-cost-of-cybercrime-2017. [Accessed 17 April 2018].

[4] EU Commission, “Special Eurobarometer: Europeans’ attitudes towards cyber security,” 19 September 2017. [Online]. Available: https://ec.europa.eu/digital-single-market/en/news/special-eurobarometer-europeans-attitudes-towards-cyber-security. [Accessed 17 April 2018].

[5] ENISA, “ENISA Threat Landscape Report 2016,” 08 February 2017. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2016. [Accessed 13 April 2018].

[6] ENISA, “ENISA Threat Landscape Report 2017,” 15 January 2018. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017. [Accessed 25 February 2018].

[7] Econsultancy quoting GlobalWebIndex, “10 exciting digital marketing stats we’ve seen this week,” 22 Septmeber 2017. [Online]. Available: https://econsultancy.com/blog/69445-10-exciting-digital-marketing-stats-we-ve-seen-this-week. [Accessed 16 April 2018].

[8] Symantec, “Norton Cyber Security Insights Report,” 2017. [Online]. Available: https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf. [Accessed 7 Feb 2018].

[9] Statcounter.com, “Desktop vs Mobile vs Tablet Market Share Worldwide - March 2018,” [Online]. Available: http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide. [Accessed 16 April 2018].

[10] Symantec, “2018 Cyber Security Predictions,” 06 December 2017. [Online]. Available: https://www.symantec.com/blogs/feature-stories/2018-cyber-security-predictions. [Accessed 16 April 2018].

[11] Forcepoint, “Insider threat negligence number one cause,” 2016. [Online]. Available: https://www.forcepoint.com/sites/default/files/resources/files/infographic_insider_threat_negligence_number_one_cause.pdf. [Accessed Jan 2018].

[12] J. Dutton, “IT Governance Blog,” 30 January 2018. [Online]. Available: https://www.itgovernance.co.uk/blog/4-of-the-5-top-causes-of-data-breaches-are-because-of-human-or-process-error/. [Accessed 16 April 2018].

[13] O. Ralph, “Should individuals buy insurance against cyber attacks?,” 8 November 2017 . [Online]. Available: https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb. [Accessed 17 April 2018].


Appendix – Initial Survey Questions
