
The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute and sponsored by Tripwire. The study is designed to reveal how organizations are applying rigorous and systematic analytical techniques in order to quantify and evaluate the security risks that impact an organization’s information assets and IT infrastructure.

Download Full Report

The State of Risk-Based Security 2013 (PDF)

Ponemon Institute surveyed 1,320 professionals in IT security, information risk management and IT operations in the United States and the United Kingdom.

Below is a breakdown of the report findings by chapter:

Is Risk-Based Security Management an Art or Science?

Is risk-based security management an art or science? Responses from 1,320 professionals (percentage of respondents choosing each answer).

Analysis by Job Title

Role                         Art   Science
Enterprise Risk Management    63        37
IT Risk Management            59        41
Business Operations           57        43
Compliance/Internal Audit     43        57
IT Operations                 40        60
IT Security                   37        63

Analysis by Industry

Industry                     Art   Science
Health & Pharma               48        52
Tech & Communications         47        53
Financial Services            47        53
Retail                        46        54
Education & Research          45        55
Public Sector                 44        56
Services                      42        58
Industrial                    41        59

Analysis by Organization Size

Employees                    Art   Science
< 100                         45        55
100 to 500                    55        45
501 to 1,000                  56        44
1,001 to 5,000                44        56
5,001 to 25,000               41        59
> 25,000                      39        61

Risk-Based Security Management Maturity & Governance

In this section of the study, we evaluate the maturity of risk-based security management programs in organizations. To do that we surveyed 749 U.S. and 571 U.K. security and risk professionals, and collected quantitative and qualitative information about their strategy and governance programs.

Specifically, we examine respondents’ views on risk-based security (including organizational commitments), and the program’s impact on the business. We also review specific actions related to risk-based security programs, as well as key barriers to program success or growth.

Download Now

The value of risk-based security metrics

This section of the study was designed to understand the importance that security metrics play in security programs. It also reveals insights into the effectiveness of communicating security risk and posture to business leaders and executive teams.

Download Now

Key metrics for risk-based security

This section of the study asks respondents about the relative efficacy of the metrics they use to measure risk-based security efforts in their organizations. It analyzes several useful indicators of how and where security managers are improving their use of security metrics—and where room for improvement remains.

Download Now

Risk-based security controls and spending

This chapter of the 2013 Ponemon Institute study on risk-based security management addresses security controls and spending in the U.S. and U.K. It’s particularly interesting to note that 51 percent of study respondents in the U.S. and 49 percent in the U.K. said they have identified specific controls at various network layers to ensure the risks were acceptable to the business, but only 43 percent in the U.S. and 39 percent in the U.K. said they had implemented those controls.

Download Now

Risk-based security collaboration, communication and culture

In this chapter, we dig deeper into the disconnect between an organization’s commitments to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary to make risk-based security programs effective across the organization.

Download Now

Industry Specific Reports

Ponemon Retail Sector Data

Your organization uses penetration testing/red-teaming to identify security risks

Yes 41%
No 59%

Your organization uses the reduction in access and authentication violations to measure employee risk management competence

Yes 34%
No 66%

In the context of your organization's current security infrastructure, file integrity monitoring is fully or partially deployed

Yes 44%
No 56%

Communicating the state of security risk to senior executives is not effective because negative facts are filtered before being disclosed to senior executives and the CEO

Yes 62%
No 38%

Ponemon Public Sector Data

Risk-based security management creates an environment and culture of informed choice

Survey Average 48%
Public Sector 55%

Risk-based security management is based on analysis of frequency of threats and vulnerabilities

Survey Average 52%
Public Sector 58%

Spending level relative to total budget measures security efficiency

Survey Average 47%
Public Sector 39%

Security metrics are not well understood by senior executives because the information is too technical to be understood by non-technical management

Survey Average 56%
Public Sector 49%

A willingness to invest is one of the top three features most critical to the success of a risk-based security management approach

Survey Average 30%
Public Sector 36%

Minimizing non-compliance with laws and regulations helps meet certain business objectives

Survey Average 81%
Public Sector 86%

Does your organization have fully or partially deployed security configuration management?

Survey Average 49%
Public Sector 54%

Does your organization use the number of records or files detected as compliance infractions to assess the effectiveness of compliance management efforts?

Survey Average 50%
Public Sector 55%

Communicating the state of security risk to senior executives is not effective because negative facts are filtered before being disclosed to senior executives and the CEO

Survey Average 55%
Public Sector 50%

Communicating the state of security risk to senior executives is not effective because communications occur at too low a level

Survey Average 62%
Public Sector 70%

Risk-based security management is cyclical and provides a vehicle for continuous learning about the organization’s security posture

Survey Average 63%
Public Sector 58%

The inherent security risk score of the application layer

Survey Average 37%
Public Sector 42%

Security metrics at my organization are not effective because they're only communicated to senior executives when there is an actual incident

Survey Average 41%
Public Sector 46%

Proactivity in addressing risk is one of the top three features most critical to the success of a risk-based security management approach

Survey Average 59%
Public Sector 54%

Ponemon Industrial Sector Data

Does your organization use formal risk assessments to identify security risks?

Survey Average 46%
Industrial Sector 51%

Do you believe minimizing non-compliance with laws and regulations helps meet certain business objectives?

Survey Average 81%
Industrial Sector 86%

Does your organization measure the reduction in unplanned system downtime to assess the effectiveness of cost containment management efforts?

Survey Average 38%
Industrial Sector 43%

Is the flow of upstream communications one of the top three features most critical to the success of a risk-based security management approach?

Survey Average 46%
Industrial Sector 52%

Does your organization have fully or partially deployed security configuration management?

Survey Average 49%
Industrial Sector 40%

Does your organization have fully or partially deployed system hardening?

Survey Average 80%
Industrial Sector 75%

Communicating the state of security risk to senior executives is not effective because communications are contained in one department or line of business

Survey Average 63%
Industrial Sector 69%

Communicating the state of security risk to senior executives is not effective because communications occur at too low a level

Survey Average 62%
Industrial Sector 67%

Is the openness to challenge assumptions one of the top three features most critical to the success of a risk-based security management approach?

Survey Average 62%
Industrial Sector 56%

Does risk-based security management reduce uncertainty and eliminate conjecture?

Survey Average 71%
Industrial Sector 76%

Ponemon Health and Pharmaceutical Sector Data

Communicating the state of security risk to senior executives is not effective because communications are contained in one department or line of business

Yes 70%
No 30%

Does your organization use formal risk assessments to identify security risks?

Yes 52%
No 48%

Does your organization have fully or partially deployed security configuration management?

Yes 58%
No 42%

Does your organization have fully or partially deployed change control management?

Yes 58%
No 42%

Does your organization use the number of end users receiving appropriate training to measure staff and employee competence?

Yes 48%
No 52%

An openness to challenge assumptions is one of the top three features most critical to the success of a risk-based security management approach

Yes 56%
No 44%

Agree or disagree: risk-based security management integrates well with the way business managers make decisions.

Agree 67%
Disagree 33%

Does your organization have fully or partially deployed network access controls?

Yes 83%
No 17%

Does your organization have fully or partially deployed log monitoring?

Yes 48%
No 52%

Does your organization use the return on security technology investments (ROI) to measure security efficiency?

Yes 40%
No 60%

Approximately what percentage of the 2013 IT security budget will go to risk-based security management activities?

Share of budget   Respondents
>50%                      1%
41% to 50%                6%
31% to 40%                9%
21% to 30%               25%
11% to 20%               28%
6% to 10%                16%
<5%                      15%

Approximately what percentage of the 2014 IT security budget will go to risk-based security management activities?

Share of budget   Respondents
>50%                      2%
41% to 50%                6%
31% to 40%               12%
21% to 30%               35%
11% to 20%               20%
6% to 10%                15%
<5%                      11%

Ponemon Education and Research Sector Data

Does your organization have fully or partially deployed change control management?

Survey Average 64%
Education and Research Sector 75%

Communicating the state of security risk to senior executives is not effective because communications occur at too low a level

Survey Average 62%
Education and Research Sector 72%

Spending level relative to total budget measures security efficiency

Survey Average 47%
Education and Research Sector 55%

The inherent security risk score of the application layer

Survey Average 37%
Education and Research Sector 44%

The Methodology document provides information on how the data for this survey were collected, the sample of individuals who participated in the study, and the methods employed for the analysis of the data.