The State of Information Security 2003
Impulsively, you might use the spectrum to see if your spending is normal. But while there is an overall average spending level ($964), there’s nothing normalized about a range that goes from as little as $100 per employee to well into the thousands.
Many factors could account for this. In some industries, the consequences of vulnerability are exponentially greater, even if personnel requirements are not. Energy utilities, for example, are exquisitely sensitive to what could happen if their security were to be breached, and the data from 72 energy respondents yielded an average security spend per capita of a little more than $7,000. On the other hand, automobile manufacturers may have less at risk. Their per capita spend came in at $220.
Despite the lack of a norm, the confidence correlation shows up here too, and starkly. The very confident companies spent nearly two and a half times more per capita than those companies that lacked confidence and one and a half times as much as the overall average. (Interestingly, the 6 percent of respondents who said they were unsure how confident they were spent just $585 per capita, even less than the least confident.)
To Do:
1. Try the per capita security expenditure calculation.
2. Compare your per capita expenditure to the average in your industry, and to the very confident and not very confident groups.
Brushfires, Not Conflagrations
Major security breaches are the exception, not the rule. Most security incidents lasted less than a day, cost less than $10,000, and most companies had 10 or fewer of these events in the past year.
What the Numbers Mean
"Terrorists Shut Down Power Grid." "Hackers Cripple Allied Inc." Both plausible headlines—or lines from security consultants trying to sell their services. But the survey data shows that information executives are not being confronted by events of that magnitude. They’re dealing instead with lots of brushfires.
The question then becomes: Are the big bang incidents rare because you’ve protected your enterprise well? Are the little hacks common because you haven’t done a good job protecting against them? Or are the big ones rare because they’re hard to pull off and you’re simply lucky to have avoided them, but not lucky enough to have avoided the easier-to-execute smaller incidents?
Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest that business has done a good job steeling itself against major attacks. Instead, he sees a severe lack of discipline everywhere.