Verizon has published a study of 500 investigations over the last 4 years. There are some obvious flaws (pie charts are never a good sign), but it's got a lot of useful content. The industry is full of misconceptions because people don't pay attention to what's really going on out there. This report has data that answers a lot of questions.
Misconception: "the standard way to take control of someone else's computer is by exploiting a vulnerability in a software program on it"
Verizon data: Only 15% of breaches were from hacking software vulnerabilities.
Misconception: Hackers target their victims.
Verizon data: 85% of attacks were "opportunistic", the hackers didn't know who their victims were until after they broke in.
Misconception: Certified anti-virus products detect over 99% of all viruses.
Verizon data: 25% of viruses/malware were customized to their victims and undetectable with standard anti-virus.
Misconception: Hackers are smart, clever, geniuses, wizards, etc.
Verizon data: 55% of attacks required essentially no skills, the level of "script kiddies" running automated tools. Only 17% required "advanced" skills.
Misconception: It's the insider threat. No, wait, it's outsiders. No, I mean, it's the partners.
Verizon data: 73% external, 18% internal, 39% partners. However, external breaches tended to be minor, whereas internal and partner breaches were major. Their numbers show that all three are important threats and that it's hard to measure which one is worse.
Misconception: Numbers are definitive.
Verizon data: These numbers are a bit subjective. For example, they notice that "physical breaches" were rare, but that's because Verizon wouldn't be called in to investigate a physical breach.
Question: What are hackers after?
Verizon data: Credit Card data (84%), Personal identity (32%), Username/passwords (15%)
Question: How old are the vulnerability exploits hackers use?
Verizon data: 71% older than 1 year, another 19% older than 6 months.