Security provider Tripwire has released a detailed study examining "The State of Risk-Based Security Management" in cooperation with the Poneman Institute.
"The study is designed to discover what organizations are doing with respect to Risk-based Security Management (RBSM), where RBSM is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system," the report notes.
The report is based of data collected in interviews with more than two-thousand professionals out of pool of about seventy-five thousand, all with varying degrees of responsibility for security risk management.
The respondents work in multiple industry sectors and represent a full spectrum of organizations of various sizes in the United States, the United Kingdom, the Netherlands, and Germany.
"Our goal is to provide insight into why more organizations are not progressing to a more robust and mature RBSM. According to participants, lack of resources, skilled personnel and leadership are often the barriers. However, the lack of a formal program, an enterprise-wide information risk strategy, a lag in deployment of important detective controls and poor collaboration between security and other business functions could be more significant roadblocks," the study explains.
Of note, the report found that the majority of respondents were primarily concerned with risks emanating from "malicious insiders, web application vulnerabilities and employee carelessness," a finding that was consistent with a previous Poneman study that indicated more than three-quarters of those surveyed were most concerned with "malicious or negligent employee[s]."
This finding is in stark contrast to figures reported in the Verizon 2012 Data Breach Investigation Report in which less than five percent of respondents indicated that insiders were found to be responsible for known breach events.
"A possible explanation for the difference between the findings of the Verizon report and the Ponemon study may relate to the types of breaches included in each study. The Verizon study investigates only positive incidents; in other words, breaches that have already occurred and were reported to auditors, incident response entities or government agencies. The Ponemon Institute surveyed organizations that may not have reported the incident to law authorities, but instead conducted internal investigations," the Tripwire study surmised.
Other key findings in the study include:
- All Talk, No Walk with RBSM: Over three quarters (77 percent) express significant or very significant commitment to RBSM, yet barely more than half (52 percent) have a formalized approach to it, and less than half (46 percent) have actually deployed any RBSM program activities.
- A Lack of Formalized RBSM Strategy: Around a third (30 percent) of organizations have no RBSM strategy, and close to a quarter (23 percent) only have an informal or ad hoc strategy.
- Taking a Formal Approach to RBSM Means Walking the Talk: Of those who indicate they have a formal RBSM program, almost three quarters (74 percent) report that they have partially or completely deployed some or all RBSM activities.
- Failing to Categorize What to Protect from Risk: A full 41 percent report that they do not categorize their information according to its importance to the organization—thereby missing a key step in knowing what is critical to protect.
- An Unbalanced Approach to Information and Risk Management: Between 80 to 90 percent of organizations have partially or fully deployed preventive controls, but only about 50 percent have deployed the majority of detective controls.
- No Metrics = No Success: Less than half (45 percent) have metrics to help demonstrate program success— a must if organizations are to convince leadership to allocate funding and resources.
The study goes into great detail further examining perceptions about RBSM, includes a "Security Fright Index”, an analysis of the CISO’s role in risk management, and a by-country comparison of RBSM programs.
"The findings of this report confirm that though organizations profess a commitment to RBSM, for most of them this security practice is still in its infancy. To establish an effective, more mature program, certain barriers need to be addressed. These include securing adequate resources, having employees with the necessary expertise and designating strong leaders accountable for driving the program," the researchers concluded.
The full State of Risk-Based Security Management report can be accessed at no charge here: