ISACA Survey: 90% Say Online Privacy Is Threatened, Yet Risky Behaviors Persist


Rolling Meadows, Illinois, USA (14 November 2012) Ninety percent of U.S. consumers who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, but many persist with actions and attitudes that put their privacy and security at risk, according to a survey by global nonprofit IT association ISACA.

These risks pose a special challenge to employers during the holiday season, since survey participants who use work-supplied devices expect to spend on average nine hours shopping on them. Those who perform work tasks on their own personal mobile devices—a practice called BYOD (bring your own device)—expect to spend on average 12 hours shopping from those devices for holiday gifts.  

According to ISACA's 2012 IT Risk/Reward Barometer survey, employees who mix the use of work-supplied and personally owned computers or mobile devices reported:

  • To get a 50 percent discount on a $100 item, 58 percent would reveal their email address, 22 percent would reveal the name of the street they grew up on and 15 percent would reveal their mother's maiden name.
  • 33 percent would be just as inclined to use their personal device for work purposes even if they knew their online activity can be tracked by their employer.
  • 15 percent have used a location-based mobile application.

"As people share more intimate details about themselves online, they are more likely to be victims of targeted fraud and social engineering attacks," said John Pironti, CISA, CISM, CGEIT, CRISC, advisor with ISACA and president of IP Architects LLC.

While more than half (53 percent) feel that sharing information online has become riskier over the past year, respondents to the annual survey reported engaging in potentially risky online actions:

  • 65 percent do not verify the security settings of online shopping sites.
  • 36 percent have clicked on a link on a social media site from their work device.
  • 19 percent used their work email address for personal online shopping or other non-work activities.
  • 12 percent stored work passwords on their personal device.
  • 11 percent have used a cloud service like Dropbox or Google Docs for work documents without their company's knowledge.

"The 2012 IT Risk/Reward Barometer shows a significant gap between what people believe and how they act. Despite considerable concern about their online privacy and security, consumers are simply not willing to give up behaviors that IT departments find to be high-risk. Enterprises need to balance employee reward and IT risk when it comes to mobile connectivity," Pironti commented.

According to the CTIA, the number of active smartphones and wireless-enabled PDAs in the U.S. increased 37 percent, to 130.8 million, over the past year.* Personally owned PCs or mobile devices—typically more difficult to secure than work-issued devices and often used for high-risk online activities—can increase the risk of enterprise data breaches, viruses or malware.

$15,000 in Lost Productivity from Employee Shopping Online, Predicts IT

ISACA also conducted a separate survey of more than 4,500 of its members from 83 countries, including 1,407 U.S. respondents. Enterprises will lose $15,000 or more in productivity as a result of an employee shopping online during work hours, say 37 percent of those surveyed. Close to one quarter believe that the average employee will spend more than two full days shopping online during work hours using a personal computer or smartphone.

Several of the "unsafe" actions consumers admitted taking were among the most worrisome to IT professionals. Storing passwords on personal devices and using online file-sharing services like Google Docs or Dropbox were two of the top three actions rated as high risk.

Half of the IT professionals surveyed say that the risk of BYOD outweighs the benefits; yet year over year, there has been a five-point percentage drop in enterprises that prohibit BYOD (down from 28 percent to 23 percent).

"Companies that embrace BYOD should implement security awareness training," said Robert Stroud, CGEIT, CRISC, ISACA Strategic Advisory Council member and vice president at CA Technologies. "ISACA recommends an embrace-and-educate approach as the best way of getting the benefits of BYOD while mitigating the associated risks."

To help enterprises address this challenging issue, ISACA published Securing Mobile Devices With COBIT 5. COBIT 5 is a business framework for effective governance and management of enterprise IT and can be applied to mobile device security through this guidance. COBIT 5 also provides tools to embed security for mobile devices in a strategy for corporate governance, risk management and compliance.

Biggest Threat to Privacy Is Companies, not Fellow Internet Users

This year's Risk/Reward Barometer looked at online privacy for the first time. Results show that consumers mistrust corporations more than they do fellow Internet users. When asked to select the greatest threats to their online privacy, they chose a company's misuse of personal information they supplied online to purchase or download an item (26 percent); inadequate privacy policies on social networking sites (13 percent); and a company's use of cookies to track their web activities (10 percent).

About the 2012 IT Risk/Reward Barometer

The annual IT Risk/Reward Barometer helps gauge current attitudes and organizational behaviors related to the risk and reward associated with the blurring boundaries between personal and work devices (BYOD), cloud computing, and increased enterprise risk related to online employee behavior at peak seasonal times.

The study is based on September 2012 online polling of 4,512 ISACA members from 83 countries, including 1,407 members in the US. A separate online survey was fielded among 1,224 US consumers by M/A/R/C Research from 8–10 October 2012. At a 95 percent confidence level, the margin of error for the total sample is +/- 2.8 percent. To see the full results, visit


With more than 100,000 constituents in 180 countries, ISACA® is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control (CRISC) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.



Kristen Kessinger, +1.847.660.5512

Marv Gellman, +1.646.935.3907