Press Release


 This Holiday Season, Shoppers Find It More Invasive to be Targeted In-Store than Online 

Rolling Meadows, IL, USA (25 November 2013) – ISACA’s 2013 IT Risk/Reward Barometer found that two-thirds (67%) of US consumers believe certain personalized promotional tactics are invasive when shopping at brick-and-mortar stores, while only 55% found a similar set of tactics invasive when shopping on the Web.

“Despite how much information people share online, they still cherish the concept of personal privacy,” said John Pironti, risk advisor with ISACA and president of IP Architects. “Retailers that use technology to try to save shoppers time and money without asking permission first may actually do more harm than help to their bottom line this holiday season.”

New technologies, such as facial recognition, geofencing and Bluetooth-enabled beacons, enable retailers to use more targeted marketing techniques than ever—but these capabilities come with benefits and drawbacks.

Forty-six percent of the ISACA survey respondents say they would find it invasive if a store texts them about specials as they walk past. An equal percentage would find it invasive if a store clerk they don’t know greets them by name and knows they’ve been there before. Surprisingly, older Millennials (age 25-34) are the group most likely to find these actions invasive. Among online shoppers, 35% find it invasive when a website knows their city or zip code.

The results show that consumers worry about their data online, with 90% concerned that their information will be stolen. Still, the survey found many consumers create risk through their own actions: 51% of respondents use the same 2-3 passwords across multiple sites and 4 in 10 write down their passwords to make them easier to remember.

ISACA offers the following tips to protect shoppers’ privacy and security this holiday shopping season:

  • Read privacy policies. Understand what personal information websites and mobile apps are requesting and how it will be used. If there is no privacy policy, it’s a red flag — your personal data may be sold without permission.
  • Be smart about location-based services. Don’t opt-in to beacon-type mobile apps unless you trust the retailer and their security and privacy practices.
  • Don’t shop from public Wi-Fi hotspots. When you surf the Internet on an open hotspot, hackers can spy on your activities and steal data such as passwords and credit card information as you enter it.
  • Beware of phishing. If you receive an e-mail asking for financial information because there is a problem with your order or account, call the retailer to confirm. Don’t reply to the email and don’t provide confidential information, like your social security number or credit card number.
  • Check it out before you check out. Before you pay, confirm that the site is secure by looking for the “s” in https:// in the site’s URL and check the lower-right corner of the page for the lock symbol.

Growth in Shopping from Work-supplied Mobile Devices or Computers

ISACA’s survey also found that holiday shopping using work-supplied devices has increased this year:

  • Close to 6 in 10 (58%) of those who use a work-supplied computer or mobile device will use it to do holiday shopping, an increase from 4 in 10 (41%) in 2012.
  • 36% of those who use a work-supplied computer or mobile device say they will spend half a work-day (4 hours) or more shopping online, compared to just 22% a year ago.

ISACA’s 2013 IT Risk/Reward Barometer polled 1,216 US consumers as part of an annual global study examining the trade-offs people make to balance risk and reward when using new technology.

“The blurring of work and personal lives—and devices—continues to grow and is often encouraged, as more companies are adopting BYOD policies,” noted Pironti. “Because the division no longer exists, it is more important than ever for companies to develop a risk-conscious and security-aware culture, so that employees minimize the risk of data breaches, viruses and malware to the corporate network.”

For full survey results, visit


About the 2013 IT Risk/Reward Barometer

ISACA’s annual IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, the Barometer polls thousands of business and IT professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and information, and the trade-offs people make to balance risk and reward. The study is based on September 2013 online polling of 2,013 ISACA members from 110 countries. Additional online surveys were fielded by M/A/R/C Research among 1,216 consumers in the US, 1,001 consumers in India, and 1,001 consumers in Mexico. The US survey ran 16–18 September 2013, and the India and Mexico surveys ran 25 September–5 October 2013. At a 90 percent confidence level, the margin of error for each individual country sample is +/- 2.8 percent. A UK survey of 1,000 employed consumers was conducted by OnePoll on 2 October 2013 with a margin of error of +/- 3.9 percentage points at the 95 percent confidence level. To see the full results, visit



With 110,000 constituents in 180 countries, ISACA is a global association that helps business and IT leaders maximize value and manage risk related to information and technology. Founded in 1969, ISACA is an advocate for professionals involved in information security, assurance, risk management and governance. ISACA advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. ISACA also developed and continually updates COBIT, a business framework that helps enterprises govern and manage their information and technology.




Kristen Kessinger,

Aaron Berger, +1.646.935.4146,