Tripwire’s 2013 risk-based security management study reveals key
The survey respondents included 749 US and 571 UK professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
In the compliance arena, leading metrics included mean time-to-patch (49 percent); policy violations (33 percent); and reduction in audit findings and repeat findings (27 percent). The study also found that only 19 percent of respondents viewed the number of records or files detected as compliance infractions, and only 16 percent identified reduction in expired certificates — including SSL and SSH keys — as an effective metric.
“There’s a strong correlation between security products and metrics,” noted
Among threat management metrics, the percentage of endpoints free of malware and viruses led, with 45 percent of security managers citing it as a key metric for threat management. Thirty-five percent consider a reduction in the number of data breach incidents an effective key metric, and another 35 percent note that a reduction in the number of known vulnerabilities is an important metric. However, only 13 percent use mean time-to-detect security incidents as a metric, and only 8 percent use mean time-to-resolve security incidents.
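The outcome-oriented metrics the study finds least used (mean time-to-detect, mean time-to-resolve) and the more common ones (mean time-to-patch, percentage of endpoints free of malware) are all straightforward to compute once incident, patch and endpoint records carry timestamps. The following Python is an added example, not code from Tripwire or the study; the record formats and sample values are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the study). Timestamps are ISO 8601 strings.
INCIDENTS = [
    {"id": "INC-1", "started": "2013-03-01T08:00", "detected": "2013-03-01T10:30", "resolved": "2013-03-02T08:30"},
    {"id": "INC-2", "started": "2013-03-05T00:00", "detected": "2013-03-05T12:00", "resolved": "2013-03-05T19:00"},
    {"id": "INC-3", "started": "2013-03-10T09:00", "detected": "2013-03-10T09:30", "resolved": "2013-03-10T13:30"},
]

PATCHES = [
    {"advisory": "ADV-1", "published": "2013-03-01", "applied": "2013-03-08"},
    {"advisory": "ADV-2", "published": "2013-03-03", "applied": "2013-03-06"},
    {"advisory": "ADV-3", "published": "2013-03-10", "applied": "2013-03-15"},
]

ENDPOINTS = [
    {"host": "ws-01", "malware_found": False},
    {"host": "ws-02", "malware_found": True},
    {"host": "ws-03", "malware_found": False},
    {"host": "srv-01", "malware_found": False},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours from start to end (both ISO 8601 strings)."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mean_time_to_detect_hours(incidents) -> float:
    """MTTD: average hours from when an incident began to when it was detected."""
    return mean(_hours_between(i["started"], i["detected"]) for i in incidents)


def mean_time_to_resolve_hours(incidents) -> float:
    """MTTR: average hours from detection to resolution."""
    return mean(_hours_between(i["detected"], i["resolved"]) for i in incidents)


def mean_time_to_patch_days(patches) -> float:
    """Average days between an advisory being published and the patch being applied."""
    return mean(_hours_between(p["published"], p["applied"]) / 24 for p in patches)


def pct_endpoints_clean(endpoints) -> float:
    """Percentage of endpoints with no malware finding."""
    clean = sum(1 for e in endpoints if not e["malware_found"])
    return 100.0 * clean / len(endpoints)


def incidents_over_detection_sla(incidents, sla_hours: float):
    """Incident ids whose detection took longer than the SLA, for trend reporting."""
    return [i["id"] for i in incidents if _hours_between(i["started"], i["detected"]) > sla_hours]


def summary(incidents=INCIDENTS, patches=PATCHES, endpoints=ENDPOINTS) -> dict:
    """Collect the four metrics the study discusses into one report dict."""
    return {
        "mttd_hours": mean_time_to_detect_hours(incidents),
        "mttr_hours": mean_time_to_resolve_hours(incidents),
        "mean_time_to_patch_days": mean_time_to_patch_days(patches),
        "pct_endpoints_clean": pct_endpoints_clean(endpoints),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.2f}")
    print("over 8h detection SLA:", incidents_over_detection_sla(INCIDENTS, 8))
```

The split into separate functions matters in practice: MTTD needs a reliable "started" timestamp (often only known after forensic work), whereas MTTR only needs ticket timestamps, which is one reason detection-time metrics lag behind resolution metrics in adoption.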
“In light of the maturity curve in deployment of risk-based security management, it’s not surprising that the majority of organizations are not using metrics oriented towards higher order outcomes,” said Dr.