Key Takeaways from Symantec’s IT Risk Management Report, Vol. 2

Honestly, the entire report is a bit generic and ambiguous. I am guessing they called the four items "myths" in order to get some press… I don’t know.

Here is a more detailed analysis:

  • Overall: It is remarkable that Symantec has a product to solve every problem. (Doesn’t that violate Myth 3?)
  • Overall: the entire report is based on an opinion survey; don’t expect real evidence of anything.

Stop here if you aren’t going to read the report. (It probably isn’t really worth it.) I am not going to try too hard to get to complete thoughts without the report by your side, so be forewarned.

  • Page 4: The World Economic Forum report referenced – Global Risks – has a cool chart on page 8. I’ll have to blog about the overall report at another time.
  • Page 4: To suggest that compliance has its own risk is to acknowledge auditors/regulators as a threat. I say that often, but I thought I was being snarky. I am pretty sure they are serious but I suspect auditors and regulators don’t see it that way. My guess is they "want" their work to correlate directly with the reduction of "security risk" and "availability risk".
  • Myth 1: anyone familiar with the entire profession around disaster recovery and business continuity (which is pretty much everyone) knows this already.
  • Page 10: "survey results document emergence of a broader view" – almost certainly an artifact of the question design.
  • Page 11: Thank goodness they found a way to stick data leakage in the report.
  • Page 11: "Survey results show that IT professionals agree with their customers’ [sic] about the gravity of data leakage: 63 percent believe a data leak would have serious impact on their businesses"… I am at a loss here. I think they are suggesting this finding correlates to the other finding "a 2007 consumer survey on data security showed 62 percent of consumers more upset when information loss is due to negligence rather than theft." There is no correlation between these two separate studies about two separate things. (We could Google "63 percent" and see what we come up with for alternatives, I suppose).
  • Page 12: Nobody told the respondents how they were supposed to answer this one, so general assertions are made to disagree with them. Respondents should have known with the answer options of the question that the frequency was supposed to be higher. There is, of course, a definitional problem here as well.
  • Page 14: "The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced eight-percent declines in stock price, active customer base, and short-term revenues." I would love, love, love to see the supporting data for this assertion. I’ve only ever seen studies that suggest otherwise – most buried somewhere in this bibliography. And those were just for stock price. (How much you wanna bet it was a question/answer survey with no empirical evidence?)
  • Page 15: all things considered, I sort of liked the "reciprocal relationship" section at the bottom.
  • Page 16: the Performance impact section is interesting. The numbers are calculated about the same way that anti-spam solutions justify their products. While I don’t deny the costs, I do think there are diminishing returns to suggesting you can simply squeeze out more productivity without a whole set of assumptions and constraints that should be factored in.
  • Myth 2: huh? I don’t get it at all, and I don’t think it is a myth.
  • Pages 20-22: All answers are artifacts of the question design – not sure what to make of any of this. Filler?
  • Myth 3: hmmm, I don’t know many folks that feel this way. In fact, most security pros suggest that "security is about process, not product." Now, it happens that I think technology has much more of a part to play than most of my colleagues (no, it isn’t "technology alone" but certainly when trying to scale to technology levels, humans alone will fail). So I suppose this myth could be refuting my lone voice, but I doubt that’s what they meant.
  • Pages 28-29 are completely lost on me. Maybe I need to read the other report to understand? (I don’t think I will.)
  • Page 30: Figure 11 on root cause is an interesting tidbit, though a statement like this seems completely bizarre to me – "Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no pre-defined process existed to manage the incident—in only 22 percent did an existing process fail to manage it." How can the lack of managing an incident be the cause of said incident? Wish the report were cited.
  • Page 31: "While interviewing for last year’s study, we observed that several organizations were making large investments in secure application development processes…Comparing this year’s results with those, we have seen a 10 percent improvement in the number of participants rating secure application development “over 75 percent effective.” This indicates that organizations are making thoughtful, effective investments to manage IT Risk." Umm, no it doesn’t.
  • Myth 4: this one is complete, utter bullshit. You heard it here first. "Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they manage their way across a changing business landscape." What a complete crock! And a copout… and completely unsupportable (though I guess that supports the claim, in a way).

I know from experience that surveys like this are problematic – someone could probably pick apart mine fairly easily – but I wish there were something other than an interest in selling products/services in this one.

I am left with no true takeaways.

3 comments for “Key Takeaways from Symantec’s IT Risk Management Report, Vol. 2”

  1. Ben
    January 30, 2008 at 9:21 pm

    Dude, that’s excellent and hilarious – good show! :)

  2. Pete
    January 30, 2008 at 10:47 pm

    @ben – too bad future readers won’t know what you are talking about ;-) (but that’s part of the fun…)

  3. August 20, 2008 at 7:28 am

    The post is excellent. I personally don’t like Symantec and find their risk management a bit of a joke. However, some form of protection is needed in every business.
