It's raining IT security surveys

If it feels like you're getting bombarded with surveys about network security threats, that's because you are. Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace.

Such surveys have shown that 25% of corporate e-mail users send personal messages, that there were 2.9 million phishing attacks in February and that 65% of ISPs consider distributed denial-of-service (DoS) attacks a main concern. The factoids go on and on and on.

Too many surveys? Discuss
Also see: When surveys collide.

According to our informal review of 20 leading security vendors, they made public 34 such surveys last year, most of which were conducted by third parties on behalf of the vendors. In addition, the vast majority of them issued reports - some as frequently as monthly - derived from information that their products collect regarding distributed DoS attempts, spam blasts, phishing attacks and the like. While vendors say these surveys and reports are meant to alert IT professionals to growing security threats and to help vendors determine what sorts of products customers need, in fact they're creating a thick layer of fear, uncertainty and doubt, or FUD, that helps sell products in a market that IDC says totaled $32.6 billion last year and is headed toward $38.4 billion this year.

For example, a survey of 603 consumers conducted last October by Momentum Research Group on behalf of RSA Security showed the French are more fearful than Germans about the possibility of fraudulent access to personal information at banking sites. But when it comes to fear of identity theft, no one beats Americans; nine out of 10 have heard of it, as compared with only one in three in France and Germany.

RSA, which provides products and services for authentication and anti-phishing, says in its press release about the survey: "The key to online confidence lies at the door of the business community - meaning that it is imperative for online vendors to be seen taking appropriate measures to protect their customers' interests."

"There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year. "But we really are trying to educate markets and share interesting data that helps people make really intelligent decisions about their technology investments."

It's not surprising that vendors use survey results to help sell their products, often paying tens of thousands of dollars per survey with the hopes the results will support the need for their offerings. (Those that contracted professional firms said they did so because the size and quality of each sample would be superior to what the vendor itself could come up with, and therefore produce more accurate results that would be less likely perceived as biased.) But security vendors seem to be particularly fond of publicizing surveys these days, perhaps because there are very few ways to gauge just how secure a PC or network is - the FUD created by survey results sends the message that you're never secure enough.