Most companies are not confident about (or possibly afraid of) quantifying the potential financial impact of a security breach, according to McAfee's State of Security report published this week.

McAfee's latest research is intended to demonstrate how IT managers and decision-makers view the present challenges of securing sensitive information in a highly regulated and increasingly complex global business environment.

The alarming problem appears to be that there are still too many businesses that would rather not worry about security breaches until they happen, leaving them quite vulnerable to many kinds of attacks.

Researchers found that approximately one-third of the organizations surveyed have either not purchased or not yet implemented many of the next-generation security technologies designed to address current-day threats.

Yet, more than 80 percent of these businesses identified malware, spyware and viruses as major security threats.

So obviously they know the threats are out there, but either they are in some state of denial or can't afford security upgrades -- or some combination of the two.

McAfee outlined four levels of "maturity" when it comes to IT security, ranging from "reactive" (event-driven policies and actions) to "optimized" (strict policies already in place).

Curiously, only 9 percent of the companies surveyed were placed in the reactive category. Most of them fell into the "proactive," third-tier stage, which was defined as "follows standardized policies, has centralized governance, and has a degree of integration across some security solutions."

So the takeaway here would be then that many of these businesses have some sort of strategy, but they need to build upon these protocols to truly handle evolving threats.

For reference, the State of Security report is based on 495 interviews with IT decision-makers at companies with 1,000 or more employees worldwide.

Related: