I started to review the recently published Black Hat Attendee Survey. This study primarily focused on the concerns of practitioners, including how they actually spent their times and the losses that they incurred.
Link: Black Hat survey reveals a disconnect between losses and security program focus