Cyber Security Risk Survey 2023
Note: ISACA members will get 1 CPE for taking the survey
Name
*
First Name
Last Name
Email
*
ISACA Member ID
*
(Non-ISACA members: enter 0000)
In which country is your organization's head office located?
*
Dubai
Northern Emirates
Abu Dhabi City
Abu Dhabi Region
Saudi Arabia
Bahrain
Kuwait
Qatar
Oman
Middle East Other
APAC
EMEA
Americas
Other
Which category best describes your organization type?
*
Not-for-profit
Sole trader/partnership
Private limited company
Public listed company
Local/regional government
State Government
Federal Government
Other
Which category best defines your organization's primary industry?
*
Accommodation and food services
Administrative and support services
Agriculture, forestry, and fishing
Arts and recreation services
Construction
Education and training
Electricity, gas, water and waste services
Financial and insurance services
Health care and social assistance
Information media and telecommunications
Manufacturing
Mining
Oil and Gas
Professional, scientific and technical services
Public administration and safety
Rental, hiring, and real estate services
Retail trade
Transport, postal, and warehousing
Wholesale trade
Other
Approximately what was the annual gross revenue (or operating budget) for your organization last year?
*
Do not know / would rather not say
Less than $500,000
$500,000 to $2.5 million
$2.5 million to $10 million
$10 million to $50 million
$50 million to $250 million
$250 million to $500 million
$500 million to $1 billion
More than $1 billion
Approximately how many people are employed by your entire organization?
*
Do not know / would rather not say
1 to 9
10 to 99
100 to 499
500 to 1,999
2,000 to 4,999
5,000 to 9,999
10,000 to 19,999
20,000 or more
Which job title most closely describes your role?
*
Chief Executive Officer (CEO) / Managing Director (MD)
Chief Operating Officer (COO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Chief Digital Officer (CDO)
Chief Privacy Officer (CPO)
Chief Risk Officer (CRO)
Information Security Manager
Information Security Analyst / Engineer
IT Manager
IT Analyst / Engineer
Network Manager
Network Analyst / Engineer
Project Manager
Internal Auditor
Other
What is the importance of the following business strategies for the success of your organization?
*
Enhancing risk management strategies
Building digital trust
Driving tech modernization
Implementing digital transformation
Planning for disruption
Building omnichannel capabilities
What is the particular impact that cyber brings to these initiatives?
*
Enable efficiency
Detects potential problems sooner
Improves resilience
Increase agility
Provides confidence to try new things
To what extent have your cyber security initiatives made a positive contribution in the following areas?
*
Improved confidence in tech integrity
Improved customer trust/brand impact
Improved brand reputation
Increased talent recruitment/retention impact
Improved Operational stability
Increased resiliency
Increased revenue
To what extent is cyber security playing a crucial role in the following digital transformation initiatives in the next 3-5 years?
*
Cloud
Data analytics
Artificial Intelligence/Cognitive Computing
Operational Technology/Industrial Control Systems
Enterprise Resource Planning (ERP) Program
5G
Internet of Things
Metaverse
Blockchain/cryptocurrency
Quantum computing
Physical Robotics
Which of the following statements align to your organization’s investment in cyber security?
*
Consortium for information sharing
External cyber security management
Incident response scenario planning
Benchmark against other industry leaders
Regular cyber security updates to the board
Qualitative risk assessments to ensure ROI
Maturity assessments to guide cyber security investment
Risk quantification tools to measure ROI
Governing body to oversee the cyber security program
We analyze/update our cyber security plans annually
Where is cyber security making a specific impact on business initiatives?
*
Enhances trust
Enable efficiency
Detects potential problems sooner
Improves resilience
Increase agility
Prevents bad things from happening
Provides confidence to try new things
Within your organization, how closely do you believe the cyber security capability is aligned to supporting the business objectives of the organization?
*
Do not know / would rather not say
Absolutely not
Mostly not
Almost
Mostly
Completely
How frequently does your board address cyber security related issues?
*
Every week
Every month
Every quarter
Half-yearly
Annually
On a need basis
What was the total number of significant cyber security incidents that happened in the previous year?
*
1-5 events
6–10 events
11–15 events
16 or above
None
What were the consequences of the cyber security incidents that happened?
*
Operational disruption (including supply chain/or partner ecosystem)
Loss of revenue
Loss of customer trust/negative brand impact
Reputational loss
Defunding of a strategic initiative
Loss of confidence in tech integrity
Negative talent recruitment/retention impact
Intellectual property theft
Drop in share price
Regulatory fines
Change in leadership
Compared to this time last year, are you more or less confident in your organization's ability to respond to a cyber security incident and recover from any associated negative impacts?
*
More confident
Less confident
No difference in confidence level
Do not know / would rather not say
What has contributed to your increase in confidence levels about your organization’s ability to respond to a cyber security incident and recover from any negative impacts?
*
An improved business strategy
Availability of qualified staff
Better retention of qualified staff
Clearer responsibility at senior management levels for cyber security
More available budget
More management support
More resources are available
Well defined priorities
Other
What are the greatest obstacles to improving the overall strategic effectiveness of your organization's cyber security function?
*
Lack of business strategy
Lack of management support
Lack of available budget
Lack of available resources
Lack of clear responsibilities
Too many other priorities
Cannot find qualified staff
Cannot retain qualified staff
None - it is effective enough
Other
Which statement best describes your organization's adoption of each of the following cyber security controls?
*
Already been adopted
Currently being adopted
Plan to adopt within next 12 months
Plan to adopt within next 12 to 24 months
Never intend to adopt
Do not know
IT / cyber security policy
IT / cyber security standards / baselines for third parties
Cloud security standards
Chief Information Security Officer (CISO)
Cyber security awareness program
Regular cyber security risk assessments
Third-party / vendor risk assessment
Cyber security risk reporting to the Board/executives
Process to identify critical systems and data
Identity and access management system
Privileged account management
Patch management processes
Anti-virus/malware protections
Data Loss Prevention system (DLP)
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Email filtering system to block suspicious emails
Website and internet filtering (Proxy server)
Mobile Device Management system (MDM)
Security Information and Event Management system (SIEM)
Application control
Threat and vulnerability scanning
Security Operations Centre (SOC)
Business Continuity Plan (BCP)
Disaster recovery plan
Cyber security incident response plan
Cyber security incident response team/capability
Cyber insurance
Real-time security risk dashboard
Which of the following actions is implemented on the infrastructure?
*
An operational and strategic plan to defend against cybersecurity threats
Annual cybersecurity awareness training among all employees
A cyber security incident response plan that gets updated and tested annually
Comprehensive plan to assess how we protect data in each step as to where that data is stored, processed, and transmitted
Cybersecurity risk program to monitor and track the security posture of our partners and suppliers
Action plan for continuously improving and developing the organization’s hygiene with cybersecurity and information security
Purchasing cybersecurity Insurance
Ongoing, voice-of-the customer input to cybersecurity and data privacy preferences
Does your organization currently receive cyber security threat intelligence?
*
Yes
No
Do not know / would rather not say
Which of the following types of intelligence does your organization receive?
*
Operational (i.e. 'machine-to-machine' technical threat data and indicators)
Tactical (i.e. 'human readable' content that is event, campaign or adversary-specific)
Strategic (i.e. long-term trends and insights for decision-makers)
None Of The Above
Other
Which sources does your organization typically use for threat intelligence? Select all options that apply.
*
a) Cyber security threat intelligence vendor
b) Open-source threat feeds
c) Closed source threat feeds or communities
d) This is outsourced to an MSSP
Government Agencies
How valuable is cyber security threat intelligence to your organization?
*
Completely
Mostly
Almost
Mostly not
Absolutely not
Do not know / would rather not say
Where is the reporting done seeing value from third-party cyber security services?
*
Cyber strategy
Data protection and privacy
Cyber cloud
Infrastructure security
Application security
Emerging technologies (OT, 5G, AI, Quantum computing)
Identity and access management
Detect & Respond
Recover & Transform
Which of the third-party cyber security services are being used in your infrastructure?
*
Cyber cloud
Data protection and privacy
Application security
Infrastructure security
Cyber security strategy
Emerging technologies (OT, 5G, AI, Quantum Computing)
Identity and access management
Detect and respond
Recover and transform
What are the greatest obstacles to improving the value of cyber security threat intelligence to your organization?
*
Cannot retain qualified staff
Cannot find qualified staff
Lack of management support
Lack of available budget
Lack of available resources
Too many other priorities
Too many options in the market
Lack of clear responsibility for intelligence
Lack of strategy for intelligence
None of the Above
Other
During the last year, did your organization identify a cyber security incident that has had a detrimental impact on your organization?
*
Yes
No
Do not know / would rather not say
What type of cyber security incident(s) did your organization experience in the last year?
*
Data breach via third party provider / supplier
Data loss / theft of confidential information
Denial of service attack
Brute force attack
Email addresses or website(s) blacklisted
Malware / trojan infections
Crypto-mining malware
Phishing / targeted malicious e-mails
Ransomware
Theft of laptops or mobile devices
Unauthorised access to information by external user
Unauthorised access to information by internal user
Unauthorised modification of information
Website defacement
Accidental disclosure
Business Email Compromise
Payment Redirection Fraud
Do not know / would rather not say
Other
How was your organization impacted by the cyber security incidents experienced last year?
*
Access to information / systems lost for less than a day
Access to information / systems lost for several days
A data recovery exercise was required
A ransom had to be paid
Brand / business reputation damaged
Customer records compromised
Employee records compromised
Fined for non-compliance
Intellectual property / trade secrets stolen
Legal exposure / lawsuit
Notification of breaches to the privacy commissioner made
Websites taken off line
Do not know / would rather not say
Other
What were the most likely source(s) of the cyber security incident(s) your organization experienced in the last year?
*
Activists
Competitors
Customers
Cyber criminals / organised crime
Foreign governments / nation states
Former employees
Insiders / current employees
Suppliers / business partners
Third party hosting provider
Do not know / would rather not say
Other
In terms of causing the greatest concern to your organization, how do you rank the following cyber security incident(s) for the coming year? (Select 5 items ranking them in order from greatest concern to least concern)
*
In terms of causing the greatest concern to your organization, how do you rank the likely sources of cyber security incident(s) for the coming year? (Select 5 items ranking them in order from greatest concern to least concern)
*
When did your organization last test / exercise its cyber security incident response plan to ensure it was effective?
*
It has never been tested / exercised
In the last 6 months
Between 6 and 12 months ago
Between 1 and 2 years ago
More than 2 years ago
Do not know / would rather not say
How will your organization form a decision on whether or not to pay a cyber security ransom?
*
We have a plan for this which has been tested
We have a plan for this which has not been tested
We have an undocumented understanding of how to decide
We have not discussed or planned this
Do not know / would rather not say
What strategies are being taken to engage, retain, and develop existing talent?
*
Training and certification programs
Flexible/hybrid working options
Specialized career paths
Differentiated compensation models
Rotational roles/internal mobility
International mobility opportunities
Offering MBAs (or similar executive programs)