Qualitative Feedback Received During Interviews 40

The following section discusses participants’ feedback to questions about the Cyber Test Bed experience. The section includes a summary of participant responses to questions regarding surprising information learned during the Test Bed, whether companies reprioritized their or their IT objectives, whether the Test Bed would be useful to other companies, and whether the federal government should be involved in funding cyber security at companies.

A majority of participants in the Test Bed (19) indicated that they were surprised by some of the things they learned during the project. Most commonly, participants said they were surprised by the number and the extent of the threats that existed. For example, one participant explained that he was

surprised by “the prevalence of threats and how it’s happening local, like right down the street where we do business and our companies live. I knew this, but this experience made it real—not just theoretical.” Participants were also surprised by the number of potential foreign threats against their company’s cyber security. Several participants, for example, said the Test Bed staff helped them identify foreign malware that had been embedded in external devices. Lastly, a few participants were surprised by some of the financial security information provided by Test Bed staff. These participants said they were previously unaware that business and consumer banking accounts did not have the same level of protections.

Participants’ responses regarding whether they reprioritized any of their company objectives based on the Test Bed experience were mixed. Most of the participants who responded to this question said they did not reprioritize any of their company objectives. A few participants did mention that after the Test Bed experience, their company heightened the priority of cyber security. Although most

participants did not make changes to company priorities after the Test Bed, one participant did share this response: “We overhauled our whole security broker to make sure they have the correct security

standards. We usually rush to get new features to market at the expense of security, so now before we roll stuff out we make sure encryption certificates and everything is set up. Security breaches result in a loss of customer confidence, which then leads to loss in revenue, so that’s what makes us do what we do.”10

More participants indicated that they reprioritized their IT security objectives than company objectives based on the Test Bed experience. In addition to increasing the priority placed on cyber

security, participants also mentioned improving network management, monitoring IP theft from inside the company, and ensuring the presence of a working network IDS/IPS.

All but one of the participants thought that other companies would benefit from the Test Bed. Participants thought all companies, particularly those that deal with online financial transactions or are in the high-tech industry, would benefit the most from the Test Bed. Some participants also thought small to mid-size companies that lacked a large budget for IT resources would benefit from the Test Bed. The one participant who felt that other companies would not benefit from the Test Bed said that the information he received during the Test Bed was not easy to distribute and explain to other individuals. He suggested that the Test Bed provide “information to emphasize that [cyber security] is something we need to worry about, and then suggest three to four things to do.”

Participants’ responses were mixed regarding whether government should pay to support the cyber security of companies or private companies should pay on their own risk tolerance. Approximately half of the participants thought that private companies should be responsible for their own cyber security. The participants explained that cyber security is part of the cost of doing business, so private companies should pay based on their own risk tolerance. One participant explained, “private companies should pay [for cyber security] based on their own risk tolerance, because it’s something that if you make a financial commitment to do, you will see it through and make the commitment.” On the other hand, approximately one-third of participants felt that both government and private companies should pay to support cyber security. Several participants, for example, thought the government should be involved in matters of

10

national security. One participant explained, “private companies should pay for their own security, but the government should pay to prevent foreign threats if they are coming from one specific country…” Many of the participants who thought a combination of private sector and government support was necessary for cyber security noted that they were unsure of where to draw the line between the two.

Most participants indicated that they were surprised by some of the information they learned during the Test Bed, particularly about the number and extent of the cyber security threats that exist. Although not many participants indicated that they reprioritized their company objectives after the Test Bed, some participants did. Lastly, a majority of participants stated that other companies, particularly those that deal with online financial transactions and those in the high-tech industry, would benefit from