Survey: Public Sector Risk-Based Security Management Deployments More Mature Than Private Sector

PORTLAND, OREGON — October 1, 2013. Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced the results of research comparing risk-based security management in the public sector to that in the private sector.

The survey, conducted in April 2013 with the Ponemon Institute®, evaluates the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. One hundred eighty-nine public sector respondents from the U.S. and U.K. participated in the public sector portion of the survey.

“This data indicates that we’re beginning to see real results from government efforts toward better risk management,” said Dwayne Melancon, chief technology officer for Tripwire. “As more agencies implement the National Institute of Standards and Technology’s Risk Management Framework, we should continue to see public sector organizations realize more value from their investments in risk management. This in turn should drive the use of risk assessment data to alter security investment decisions. The public sector is often seen as a laggard in cybersecurity, but these results clearly indicate that is a misconception.”

Key findings include:

  • 55 percent of the public sector agreed that risk-based security management creates an environment and culture of informed choice, a 7 percent increase over the private sector.
  • Only 39 percent of the public sector used the spending level relative to total budget to measure security efficiency, differing from 47 percent in the private sector.
  • 54 percent of public sector respondents believe they have fully or partially deployed security configuration management, compared with 49 percent of the private sector.
  • 65 percent of the public sector said risk-based security methods help security professionals align the security mission with business objectives, compared with 60 percent in the private sector.
  • 56 percent of the private sector respondents believe security metrics are too technical for senior executives, compared with 49 percent of the public sector respondents.
  • 55 percent of private sector respondents said negative facts are filtered when communicating security risk to senior executives and the CEO, compared with 50 percent of the public sector respondents.

The study also revealed that the public sector was less effective than the private sector in communicating relevant facts about security to senior executives. Findings included:

  • 70 percent of public sector respondents said communications occur at too low a level. This differed from the private sector average of 62 percent.
  • 46 percent of public sector respondents only communicate with senior executives when there is an actual incident. This differed from the private sector average of 41 percent.

“The communication challenges public sector IT professionals face may be the result of the more compartmentalized, hierarchical structure of public sector organizations, combined with the use of more indirect methods to report data up the chain,” commented Melancon. “As public sector organizations are able to ‘unleash’ more risk assessment data and provide greater visibility into security risks, communication with executives should become more effective.”

For more information about this survey please visit:


About the Ponemon Institute

The Ponemon Institute® is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls, including security configuration management, vulnerability management, file integrity monitoring, and log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence, allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at or follow us @TripwireInc on Twitter.