7/29/2019 Tripwire-Ponemon RBSM 2013 Chapter 5 Security Controls and Spending
Independently conducted by Ponemon Institute LLC
2013 RESEARCH REPORT
PRESENTS
SECURITY CONTROLS AND SPENDING
US & UK 2013
The State of Risk-based Security Management: US & UK 2013 Research Report, Ponemon Institute
Considering the costs that can result from a single data breach, a whopping $5.4 million per data breach in the U.S., according to the Ponemon Institute in The 2013 Cost of a Data Breach: Global Analysis, it's easy to assume IT organizations are granted generous budgets in order to undertake a comprehensive risk-based security program. For most organizations this is not the case. However, organizations are making tangible progress when it comes to connecting security risks with security spending.
CHAPTER 5: SECURITY CONTROLS AND SPENDING
This chapter of the 2013 Ponemon Institute study on risk-based security management addresses security controls and spending in the U.S. and U.K. The nearly 2,000 respondents were first asked to identify how well their organization accomplished the key steps necessary to assess and prioritize security risks. It's particularly interesting to note that 51 percent of study respondents in the U.S. and 49 percent in the U.K. said they have identified specific controls at various network layers to ensure the risks were acceptable to the business, but only 43 percent in the U.S. and 39 percent in the U.K. said they had implemented those controls.
TABLES 5.1a & b. Rate how well your organization accomplishes each step used to assess and prioritize risks. Fully and partially accomplished responses combined.
[Chart, Table 5.1a: series US-2012 and US-2013, x-axis 0 to 80 percent; steps: Identify key information, Categorize info, Identify threats, Assess vulnerabilities, Assess the risks, Identify controls, Implement controls, Monitor continuously]
[Chart, Table 5.1b: series labelled US-2012 and US-2013 in the extracted text, x-axis 0 to 80 percent; steps: Identify key information, Categorize information, Identify threats, Assess vulnerabilities, Assess the risks, Identify controls, Implement controls, Monitor continuously]
IT organizations generally follow a progression of eight basic steps when implementing a security-based risk management program. Those steps, in order of implementation, include:
1. Identify information that is key to the business
2. Categorize information according to its importance to the business
3. Identify threats to the information
4. Assess vulnerabilities to the systems that process the information
5. Assess the security risks associated with loss of the information
6. Identify security controls necessary to mitigate the risks
7. Implement the controls
8. Monitor controls continuously
These steps illustrate that implementing controls and continuously monitoring controls follow identification and assessment, suggesting that respondents' organizations are on a path toward risk-based security program maturity.
Responses shown in Tables 5.1a & b might seem to cast the practice of continuous monitoring into a yes or no category; however, the reality of continuous monitoring is that its implementation is more of a spectrum. The good news, evident in the results, is that even though less than half of the organizations have adopted continuous monitoring in 2013, many organizations are making progress, particularly in the U.S., with 7 percent improvement over 2012 results. Nevertheless, there's still a lot of room for improvement in the maturity of risk-based security programs and continuous monitoring of controls.
[Chart, Table 5.2a: series US-2012 and US-2013, x-axis 0 to 100 percent; preventive controls: Policies and procedures, Malware detection/prevention, System hardening, User access controls, Network access controls, Software patching and updates, Encryption, Security awareness training]
TABLES 5.2a & b. Indicate which of the following preventive controls are deployed in your organization's current security infrastructure. Fully and partially deployed responses combined.
PREVENTIVE CONTROLS MORE EASILY UNDERSTOOD
Many IT professionals also view preventive controls in terms of two black and white variables: deployed or not deployed. This question asked respondents about controls that are fully and partially deployed, which provides a broader view of preventive practices.
[Chart, Table 5.2b: series labelled US-2012 and US-2013 in the extracted text, x-axis 0 to 100 percent; preventive controls: Policies and procedures, Malware detection/prevention, System hardening, User access controls, Network access controls, Software patching and updates, Encryption, Security awareness training]
It is not surprising that policies and procedures, and malware prevention, are widely deployed. Many industry studies have indicated a sharp rise in the success of malware as an exploit vector in 2012 and 2013, especially when combined with phishing. In addition, malware detection and prevention controls have been widely available for more than ten years and are well understood by executives. These controls are relatively easier to implement than many other security controls and are included in many compliance standards and regulations.
Encryption was rated near the bottom (No. 7 among the eight controls for both the U.S. (56 percent) and the U.K. (50 percent)), despite being one of the controls with the most significant potential to reduce risk. However, encryption adoption can be expensive and difficult, particularly for legacy systems. Encryption can also add significant overhead on network infrastructure, and complete deployment may require heavy investment in new network and storage systems as well as a revision of organization procedures and workflows.
Security awareness training is the lowest ranked preventive control in both the U.S. and U.K. Since human error is widely acknowledged as a significant factor in many security breaches, these results could be seen as an indictment of the efficacy of existing security training programs. Limited budgets dedicated to these programs may just reflect the relative expense of these programs compared with other more technology-centric controls. In addition, in some IT organizations, security tools and technology are given far more emphasis than security awareness training.
DETECTION CONTROLS: GREATER POTENTIAL FOR SECURITY
While preventive controls are established and relatively well understood, detective controls are relatively new. Although adoption has increased modestly over 2012 numbers, survey results indicate that adoption and deployment of detective controls still lag significantly behind preventive controls.
[Chart: detective controls deployed, series UK-2012 and UK-2013, x-axis 0 to 60 percent; controls: Change control, Vulnerability management, Security configuration management, File integrity monitoring, Log monitoring, Incident detection and alerting]
Organizations that invest in detective controls often choose a multi-functional solution, even when the purchase is driven by a single need, such as compliance or change control. Due to limitations in staffing and training, it may be difficult to deploy and utilize the complete capabilities of these multi-function tools. This may explain why 70 percent of respondents in the U.S. and 68 percent in the U.K. have implemented change control, but only 45 percent U.S. and 40 percent U.K. are using incident detection and alerting.
TABLES 5.4a & b. Allocate security risks in each of the six layers in a typical multi-layered security infrastructure.
[Chart, Table 5.4b: series UK-2012 and UK-2013, y-axis 0 to 40 percent; layers: Application layer, Data layer, Network layer, Human layer, Host layer, Physical layer]
PERCEIVED RISK AND SPENDING
Among the seven layers of the Open Systems Interconnection (OSI) model (application, presentation, session, transport, network, data link and physical), the application layer is associated with the highest security risk. Respondents both in the U.S. (36 percent) and U.K. (38 percent) agree with this assessment, rating the application layer much higher than the other six layers in the typical multi-layered security infrastructure, which includes the data, network, human, host and physical layers. Application layer risks include many third party solutions where accurate risk assessment and control is challenging.
[Chart, Table 5.4a: series US-2012 and US-2013, y-axis 0 to 40 percent; layers: Application layer, Data layer, Network layer, Human layer, Host layer, Physical layer]
Yet, while the application layer is understood to have the most significant security risks, the majority of security spending is focused on the network layer, as shown in the following two tables (Tables 5.5a & b).
TABLES 5.5a & b. Allocate the level of spending incurred by your organization for each of these six layers to lessen or mitigate security risk.
[Chart, Table 5.5b: series UK-2012 and UK-2013, y-axis 0 to 40 percent; layers: Network layer, Data layer, Human layer, Application layer, Host layer, Physical layer]
[Chart, Table 5.5a: series US-2012 and US-2013, y-axis 0 to 40 percent; layers: Network layer, Data layer, Human layer, Application layer, Host layer, Physical layer]
TABLE 5.6a. Difference between perceived risk and spending for each network layer (U.S. respondents).
The following two charts compare the difference between perceived risk and spending for each network layer. In the U.S., spending on the network layer is two times greater than its perceived risk, and in the U.K., it's almost 2.5 times greater. In comparison, spending on the application layer is three times less than its perceived risk in the U.S. and almost four times less in the U.K. Perceived risk and spending on the host and physical layers are basically in balance.
In summary, these survey results indicate that security spending is higher on layers with lower perceived risk, such as the network layer, for all respondents. This could be because many organizations are still in the early stages of managing and implementing their risk programs, and spending on the network layer may reflect this relative level of security program maturity. Capital spending for network layer equipment is depreciated, so it may be easier to attain budget for network layer equipment. Organizations with less mature security programs may have difficulty reducing the risk at the application layer because this typically involves third party and partner organizations. Finally, during difficult economic times, many organizations have deferred or cut back on spending; perhaps it has now become essential.
[Chart, Table 5.6a: series Level of spending incurred and Security risk, y-axis 0 to 40 percent; layers: Application layer, Data layer, Network layer, Human layer, Host layer, Physical layer]
[Chart, Table 5.6b: series Level of spending incurred and Security risk, y-axis 0 to 40 percent; layers: Application layer, Data layer, Network layer, Human layer, Host layer, Physical layer]
TABLE 5.6b. Difference between perceived risk and spending for each network layer (U.K. respondents).
METHODS FOR IDENTIFYING SECURITY RISKS
Insights into security and spending in this section of the study are among the most surprising survey results. The following two tables detail responses to questions about the methods organizations use to identify security risks.
TABLES 5.7a & b. What steps does your organization take to identify security risks? Check all that apply.
[Chart, Table 5.7a: series US-2012 and US-2013, x-axis 0 to 50 percent; methods: Formal risk assessment, Penetration testing/red-teaming, Informal observations by supervisors and managers, Ongoing manual compliance monitoring, Ongoing automated compliance monitoring, Controlled self-assessments, Internal audits, Don't know, External audits, Other]
[Chart, Table 5.7b: series labelled US-2012 and US-2013 in the extracted text, x-axis 0 to 50 percent; methods: Formal risk assessment, Penetration testing/red-teaming, Informal observations by supervisors and managers, Ongoing manual compliance monitoring, Ongoing automated compliance monitoring, Controlled self-assessments, Internal audits, Don't know, External audits, Other]
Informal observations by supervisors ranked third in the U.S. (39 percent) and first in the U.K. (46 percent). In addition, just 49 percent in the U.S. and 43 percent in the U.K. use formal risk assessments to identify security risks, and only 38 percent U.S. and 31 percent U.K. use automated compliance monitoring for this purpose, even though automated security tools significantly reduce both risks and costs.
Informal or drive-by management assessments are surprising because these assessments aren't quantifiable, formal or reproducible. Despite these obvious drawbacks, informal feedback and observation by management are widely used in the U.K. This type of informal assessment makes it difficult to quantify improvements and identify trends in security, and these methods may contribute to the difficulty many organizations face while trying to effectively communicate security risks to senior executives. While low-tech, observational-based methods may have worked in the past, automation and new technologies now make it possible to provide better, more consistent insight into the rapid changes taking place in security risk intelligence.
CONCLUSION
Risk-based security management is moving in the right direction, albeit slowly. At best, the results indicate that more organizations are beginning to address their security risks with some type of security control framework, and about 10 percent of those organizations that were in the process of deploying security controls in the 2012 survey have advanced to a more mature approach. However, it's clear that many organizations have identified controls and conducted the necessary assessments but haven't yet implemented many of the controls that can be most effective at reducing security risks.
Security practitioners and risk managers need to move away from a binary model of security controls and begin to evaluate them in the context of their businesses. This approach can effectively deliver a more nuanced and accurate assessment of the organization's security risk and provide clearer insights into the efficacy of specific security controls and technologies.
ADVANCING RESPONSIBLE INFORMATION MANAGEMENT
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
For more information about this study, please contact Ponemon Institute by sending an email to [email protected] or calling our toll free line at 1.800.887.3118.
For more information about this study visit www.tripwire.com/ponemon/2013 and follow on Twitter @TripwireInc
2013 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
Tripwire is a leading global provider of risk-based security and compliance management solutions that enable organizations to effectively connect security to the business. Tripwire delivers foundational security controls like security configuration management, file integrity monitoring, log and event management, vulnerability management, and security business intelligence with performance reporting and visualization.
LEARN MORE AT WWW.TRIPWIRE.COM OR FOLLOW US @TRIPWIREINC ON TWITTER.