Confessions of an “insecure” Insider

RSA recently released a survey called "The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk." I actually like the survey, but I can't resist making fun of the notion that the details will presumably show naughtiness in action (I suspect they called it the "confessions" survey even before the results were in). To be precise, these actions all DO place sensitive information at risk (things like using wi-fi hotspots, USB flash drives, emailing sensitive information to a personal account, etc.). Of course, we knew all that. Simply owning a functional PC with sensitive information on it puts that information at risk.

While the title and contents attempt to make the case that these practices are always bad (you can tell from the questions what the "correct" answer is supposed to be), may I suggest some alternative uses?

- Rather than asserting whether the survey results are indicative of a problem, use them as a baseline for determining your own relative risk level.

- Run the same survey in your organization and see how it fares compared to these results; take credit or take action depending on whether you come out above or below average. (Some of the questions have factual answers, such as whether your organization has wireless access in conference rooms, but let the users answer them anyway to see how well their answers match up to reality.)

- Prior to performing the survey, predict what your anticipated results are and compare to actual.

I hope RSA continues usage studies like these in the future, though I could do without the FUD factor.

[Btw, you might be surprised to find out that government organizations are "more secure" than enterprises in most cases... or they are better-trained at how to answer questions like these ;-) ]