Big worries: The same survey from the Enterprise Strategy Group asked the same group of IT employees to identify weak spots in their network security.
One big challenge was reflected in a 2009 cybersecurity research roadmap (PDF) produced by the U.S. Department of Homeland Security. Among other things, it found that because information technologies and attack methods are evolving so fast, organizations find it hard to determine whether their data is becoming more or less secure, whether it’s more or less secure than that of other organizations, and whether a given level of investment is worthwhile. It doesn’t help that many organizations assess basic questions about security from a short-term financial perspective—even though cost-benefit analyses are hard to make because the cost of failing to take appropriate security measures might not be apparent for years. “Decisions resulting from such analyses will frequently be detrimental to making significant security improvements in the long term,” the report says.
It complicates matters even more that when data breaches occur, companies aren’t always entirely forthcoming. (Sony took six days to warn users that their information had been exposed.) Faster responses would help victims or potential victims (individuals or companies whose data was exposed) take steps to mitigate damage.
Possible changes in government regulations could tighten the rules on how such breaches are reported and what must be revealed. In the United States, 47 state laws currently govern the disclosure of data breaches that expose personal information, but President Obama recently proposed that a single federal law should govern the process.
That would be helpful, says cryptologist Bruce Schneier, chief technologist for the global telecommunications company BT—though just how helpful depends on how thorough the law turns out to be. What’s clear now is that the aftermath of data breaches is sometimes murky. “We don’t know who had access to the data—whether they are criminals, or kids, or spies,” Schneier says. “We don’t know the vulnerability that caused the breach.” Sometimes all we know for sure is how much the damage cost.