Trying To Unravel Study About IT/Employee Security Disconnect

from the too-confusing dept

Websense, a company that is trying to sell filters to IT staff, has put out a new study talking about how there's a disconnect between IT staff and employees when it comes to threats on their machines. Unfortunately, it also appears that there's a disconnect between the study, the press release about it and some reporters. Two different articles on the study present some very different numbers - and some of the conclusions in the press release seem equally questionable. Silicon Valley Business Journal says that employees claim they spend two hours a week surfing personal sites, while Wired News gives the number as 3.3 hours. Both, however, agree that IT staff believes it's more like six hours. The disconnect between IT and employees isn't surprising. Of course employees are going to play down how much time they spend surfing non-work sites, because they don't want to get in trouble. At the same time IT often has the incentive to boost those numbers to suggest they need more resources to handle the "problem". The press release shows that the number is 2 hours - but even that's a little confusing. They say that 51% of employees admit to surfing 1 to 5 hours a week, for an average of 2 hours. It's not clear if it's just those 51% who average 2 hours, or if that includes the 49% who apparently don't do personal surfing at work. The next bit of confusion is over spyware. Wired points out that 6% of employees admit to downloading spyware, but that 30% of computers are found with spyware, while the press release gives the number as 29% (just a little rounding, I guess). This isn't all that surprising, since spyware is known to install itself without people knowing. The Business Journal, however, focuses on the fact that the press release claims 92% of companies ended up with spyware - highlighting the discrepancy between the 6% and the 92%. That's misleading, since even if 1% of all employees at every company ended up with spyware, 100% of companies would have spyware. The Business Journal piece also follows the press release in saying that the study asked people if they "visited sites" that install spyware, whereas Wired News assumes the question was whether or not they knowingly "downloaded" spyware - two very different things. Finally, Wired says that 93% of IT staff claim they're adequately protected against viruses - but that two-thirds admit their company has been hit by viruses. The Business Journal phrases things a bit differently. First, they claim the number is 95% instead of 93% (the press release says "nearly 95%" so this is understandable) and instead of saying protected against viruses, they say "protected from threats such as spyware, peer-to-peer file sharing, instant messaging and maladies such as the MyDoom virus -- all potential conduits for Web-based viruses." That paints a very different picture. First off, it's a bit problematic to simply lump together things like spyware and instant messaging as global "threats," but even worse that list doesn't include email - the main source of viruses getting onto computers. The press release, however, indicates that the study simply asked if their anti-virus software was effective. Anyway, it is very likely that there's a disconnect between IT staff and employees concerning protecting computers in the work place, and better tools would probably help. However, relying on this study, or any of the articles about it, doesn't seem like a particularly useful exercise.