KnowBe4 2018 Security Awareness Training Deployment and Trends Survey

Demographic Questions

1. Which best describes your vertical industry?
  Academic (College/University)
  Accounting
  Advertising
  Aerospace
  Agriculture/Forestry
  Automotive
  Biopharma and Biosciences
  Business Services/Consulting
  Communications/Telecom
  Computer hardware/software/technology manufacturer
  Construction
  Consulting
  Education (K through 12)
  Energy
  Engineering
  Financial services/banking, legal, real estate
  Gaming
  Government (federal)
  Government (state and local)
  Healthcare
  Hotel & Hospitality
  Insurance
  IT/Technology Services Provider
  Law Enforcement
  Legal
  Manufacturing
  Marketing
  Media and Entertainment
  News Organization
  Non Profit
  Oil/Gas/Mining
  Pharmaceutical
  Retail
  Sales
  Security
  Software
  Sports
  Surveillance
  Telecommunications
  Transportation
  Travel
  Utilities
  Weather
  Other (please specify)

2. How many servers are in your organization?
  1 to 10
  11 to 20
  21 to 30
  31 to 50
  51 to 100
  101 to 250
  251 to 500
  501 to 1,000
  1,001 to 5,000
  More than 5,000

3. What is your title/job function?
  Application Manager
  Architect
  CEO
  CIO
  CISO
  COO
  CTO
  Database Administrator
  Engineer (Systems or Network)
  Independent Consultant/Systems Integrator
  IT Manager
  IT Staff
  Network Administrator
  Network Manager
  Plant Facilities Manager
  Security Administrator/Manager
  Server Hardware Administrator
  Software Developer
  Storage Administrator
  Telecom Engineer
  Telecom Manager
  VP of IT
  VP of Security
  Other (please specify)

4. What is your organization’s TOTAL average annual expenditure on security including hardware, software, services and training?
  $20+ million
  $10-$19.9 million
  $5-$9.9 million
  $1-$4.9 million
  $500,000-$999,999
  $250,000-$499,999
  $101,000-$249,000
  $51,000-$100,000
  $25,000-$50,000
  <$25,000
  We do not have a separate security budget

5. Have hackers or malware been able to get on your network or computers in the last year, if even only for a short while, before detection and removal?
  Yes
  No
  If NO, PLEASE SKIP to Question 8

6. If Yes, what root exploit causes were involved in successful attacks or compromises within the last year?
  Zero Days
  Social Engineering
  Unpatched Software
  Malware
  Password Attacks/Issues
  Data Leaks
  Eavesdropping/MitM
  Misconfiguration
  Denial of Service
  Insider/Partner/Consultant/Vendor/3rd Party Issues
  User Error
  Physical Attacks
  A combination Social Engineering, Malware, User Error and Password Issues/Attacks
  Other (Please Specify)

7. If your networks or computers were compromised by Social Engineering, please specify the root cause(s).
  Email
  Browser-only
  Phone
  SMS
  All of the above
  Unsure
  Other (please specify)

8. Do you have a security awareness training program?
  Yes
  No
  Not at this time, but we plan to implement one within the next six to 12 months
  We are considering it, but have not made a decision

9. If your firm does not currently have a Security Awareness Training program and no specific plans to adopt it, what is/are the reason(s)?
  Upper management does not consider it necessary
  We think it costs too much
  We are unsure of the benefits
  We think our current security safeguards, policies and procedures are adequate
  We are an SMB and lack the time and resources to implement security awareness training
  Other computer and network issues take priority
  A combination of all of the above issues
  Other (please specify)

10. If your firm has a Security Awareness Training program, what does it include? Select All that Apply
  Videos
  Human trainers
  Seminars/Webinars with outside third parties
  Newsletters
  Email
  All of the above
  Other (please specify)

11. If your firm has a security awareness training program, how often is security awareness training conducted (e.g. ad hoc, weekly, monthly, quarterly, semi-annually, annually, longer)?
  Ad hoc
  Weekly
  Monthly
  Quarterly
  Every six months
  Annually/once a year
  As needed/No set schedule
  Only in the wake of a successful attack
  Unsure

12. If your firm conducts security awareness training, does it include simulated phishing attacks?
  Yes
  No
  Not currently, but we plan to do so

13. If your firm does conduct simulated phishing attacks, how often does it do so?
  Ad hoc
  Weekly
  Monthly
  Quarterly
  Every six months
  Annually
  As needed
  Only in the wake of a successful phishing attack
  Unsure
  Other (Please Specify)

14. If your firm conducts simulated phishing attacks, do you randomize the simulated phishing topics?
  Yes
  No
  Not yet but we plan to do so

15. If your firm conducts simulated phishing attacks, does it focus on specific groups with specific types of phishing (e.g. CEO fraud)?
  Yes
  No
  Not currently, but we plan to do so

16. Is your security awareness training automated? For example, will employees that fail a simulated phishing test be automatically sent a security awareness training component?
  Yes
  No
  Not currently, but we plan to do so

17. How much time do the administrator(s) devote to managing security awareness training programs each year?
  1 to 2 hours
  2 to 4 hours
  One week
  Two weeks
  No specific amount of time
  Ad hoc
  As needed
  Other (Please Specify)

18. How many minutes of security awareness training is required each year for employees?
  15 to 30 minutes
  31 to 60 minutes
  1 to 2 hours
  2 to 4 hours
  >4 hours
  No specific time allotted
  We schedule security awareness training as needed

19. Has security awareness training helped your firm to identify and thwart hacks in the last six to 12 months?
  Yes
  No
  We have not experienced any successful or attempted hacks in the last six months
  Unsure

20. Do you feel that security awareness training has helped decrease your firm's overall computer security risk?
  Yes
  No
  It’s too soon to tell

21. Do you feel that security awareness training has changed your company’s computer security culture for the better?
  Yes
  No
  Other (please specify)

22. ESSAY Question: Please provide us with your comments, insights and observations on your organization’s experiences with security awareness training. For example, how has it benefitted the Security and IT Administrators, the employees and has it been a valuable tool in making your firm more secure?

Please leave your Email address so we may contact you if you win the $100 Amazon Gift Certificate.