Key Metrics for Risk-Based Security Management
The study examined the key risk-based security metrics IT security managers used most frequently to gauge the effectiveness of their organizations’ overall security efforts.
Top metrics included time taken to patch, policy violations, uninfected endpoints, data breaches, reduction in the cost of security, end-user training, and reduction in unplanned system downtime.
The survey respondents included 749 US and 571 UK professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
In the compliance arena, leading metrics included mean time-to-patch (49 percent), policy violations (33 percent), and reduction in audit findings and repeat findings (27 percent).
The study also found that only 19 percent of respondents viewed the number of records or files detected as compliance infractions as an effective metric, and only 16 percent identified reduction in expired certificates, including SSL and SSH keys, as an effective metric.
“There’s a strong correlation between security products and metrics,” noted Tim Erlin, director of IT and risk strategy for Tripwire.
“Organizations most often build security metrics programs from the data up, rather than the business down, resulting in metrics supported by available security products, rather than focusing on those metrics that are meaningful to the business.”
Among threat management metrics, the percentage of endpoints free of malware and viruses led, with 45 percent of security managers citing it as a key metric for threat management.
Thirty-five percent consider reduction in the number of data breach incidents an effective key metric, with another 35 percent noting that reduction in the number of known vulnerabilities is an important metric.
However, only 13 percent use the mean time-to-detect security incidents as a metric, with only 8 percent using mean time to resolve security incidents.
“In light of the maturity curve in deployment of risk-based security management, it’s not surprising that the majority of organizations are not using metrics oriented towards higher order outcomes,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics.”
Key metrics for cost containment included reduction in the cost of security management activities (52 percent) and reduction in unplanned system downtime (40 percent). Only 5 percent of respondents use the length of time to contain security breaches and security exploits.
Staff and employee key metrics included the number of end users receiving appropriate training, which 44 percent of respondents named a key metric in this arena. Thirty-seven percent of respondents named the reduction in the number of access and authentication violations a key metric.
The study also found that only 8 percent of security managers use user performance on security retention awareness tests as a means of measuring security effectiveness.
Spending relative to total budget is used as a key metric for security efficiency by 49 percent of respondents. Thirty-seven percent use reduction in total cost of ownership as a metric, and 36 percent of security managers use return on security technology investments as a means of measuring security efficiency.
Survey respondents averaged 10.7 years of experience and represented a wide variety of organization sizes and industries including financial services, healthcare and pharmaceutical, technology and communications, retail and the public sector.
For more information about this survey, please visit: http://www.tripwire.com/ponemon/2013/#riskmetrics.