Tripwire-Ponemon RBSM 2013 Chapter 5 Security Controls and Spending

Apr 14, 2018

Ivan Petrov
7/29/2019 Tripwire-Ponemon RBSM 2013 Chapter 5 Security Controls and Spending

Independently Conducted by Ponemon Institute LLC

2013 RESEARCH REPORT PRESENTS

SECURITY CONTROLS AND SPENDING

US UK 2013


The State of Risk-based Security Management: US & UK 2013 Research Report, Ponemon Institute

Considering the costs that can result from a single data breach (a whopping $5.4 million per data breach in the U.S., according to the Ponemon Institute in The 2013 Cost of a Data Breach: Global Analysis), it's easy to assume IT organizations are granted generous budgets in order to undertake a comprehensive risk-based security program. For most organizations this is not the case. However, organizations are making tangible progress when it comes to connecting security risks with security spending.

CHAPTER 5: SECURITY CONTROLS AND SPENDING

This chapter of the 2013 Ponemon Institute study on risk-based security management addresses security controls and spending in the U.S. and U.K. The nearly 2,000 respondents were first asked to identify how well their organization accomplished the key steps necessary to assess and prioritize security risks. It's particularly interesting to note that 51 percent of study respondents in the U.S. and 49 percent in the U.K. said they have identified specific controls at various network layers to ensure the risks were acceptable to the business, but only 43 percent in the U.S. and 39 percent in the U.K. said they had implemented those controls.

TABLES 5.1a & b. Rate how well your organization accomplishes each step used to assess and prioritize risks. Fully and partially accomplished responses combined.

[Chart 5.1a: bars for US-2012 and US-2013, axis 0 to 80%; steps: Monitor continuously; Implement controls; Identify controls; Assess the risks; Assess vulnerabilities; Identify threats; Categorize info; Identify key information]

http://www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=688431cf-8157-4933-8c03-c732b07acb15
[Chart 5.1b: bars labelled US-2012 and US-2013, axis 0 to 80%; steps: Monitor continuously; Implement controls; Identify controls; Assess the risks; Assess vulnerabilities; Identify threats; Categorize information; Identify key information]

IT organizations generally follow a progression of eight basic steps when implementing a security-based risk management program. Those steps, in order of implementation, include:

1. Identify information that is key to the business
2. Categorize information according to its importance to the business
3. Identify threats to the information
4. Assess vulnerabilities to the systems that process the information
5. Assess the security risks associated with loss of the information
6. Identify security controls necessary to mitigate the risks
7. Implement the controls
8. Monitor controls continuously

These steps illustrate that implementing controls and continuously monitoring controls follow identification and assessment, suggesting that respondents' organizations are on a path toward risk-based security program maturity.

Responses shown in Tables 5.1a & b might seem to cast the practice of continuous monitoring into a yes or no category; however, the reality of continuous monitoring is that its implementation is more of a spectrum. The good news, evident in the results, is that even though less than half of the organizations have adopted continuous monitoring in 2013, many organizations are making progress, particularly in the U.S., with 7 percent improvement over 2012 results. Nevertheless, there's still a lot of room for improvement in the maturity of risk-based security programs and continuous monitoring of controls.

TABLES 5.2a & b. Indicate which of the following preventive controls are deployed in your organization's current security infrastructure. Fully and partially deployed responses combined.

[Chart 5.2a: bars for US-2012 and US-2013, axis 0 to 100%; controls: Security awareness training; Encryption; Software patching and updates; Network access controls; User access controls; System hardening; Malware detection/prevention; Policies and procedures]

PREVENTIVE CONTROLS MORE EASILY UNDERSTOOD

Many IT professionals also view preventive controls in terms of two black and white variables: deployed or not deployed. This question asked respondents about controls that are fully and partially deployed, which provides a broader view of preventive practices.

[Chart 5.2b: bars labelled US-2012 and US-2013, axis 0 to 100%; controls: Security awareness training; Encryption; Software patching and updates; Network access controls; User access controls; System hardening; Malware detection/prevention; Policies and procedures]

It is not surprising that policies and procedures, and malware prevention, are widely deployed. Many industry studies have indicated a sharp rise in the success of malware as an exploit vector in 2012 and 2013, especially when combined with phishing. In addition, malware detection and prevention controls have been widely available for more than ten years and are well understood by executives. These controls are easier to implement than many other security controls and are included in many compliance standards and regulations.

Encryption was rated near the bottom (No. 7 among the eight controls for both the U.S. (56 percent) and the U.K. (50 percent)), despite being one of the controls with the most significant potential to reduce risk. However, encryption adoption can be expensive and difficult, particularly for legacy systems. Encryption can also add significant overhead on network infrastructure, and complete deployment may require heavy investment in new network and storage systems as well as a revision of organization procedures and workflows.

Security awareness training is the lowest ranked preventive control in both the U.S. and U.K. Since human error is widely acknowledged as a significant factor in many security breaches, these results could be seen as an indictment of the efficacy of existing security training programs. Limited budgets dedicated to these programs may just reflect the relative expense of these programs compared with other, more technology-centric controls. In addition, in some IT organizations, security tools and technology are given far more emphasis than security awareness training.

DETECTION CONTROLS: GREATER POTENTIAL FOR SECURITY

While preventive controls are established and relatively well understood, detective controls are relatively new. Although adoption has increased modestly over 2012 numbers, survey results indicate that adoption and deployment of detective controls still lag significantly behind preventive controls.


[Chart: bars for UK-2012 and UK-2013, axis 0 to 60%; detective controls: Incident detection and alerting; Log monitoring; File integrity monitoring; Security configuration management; Vulnerability management; Change control]

Organizations that invest in detective controls often choose a multi-functional solution, even when the purchase is driven by a single need, such as compliance or change control. Due to limitations in staffing and training, it may be difficult to deploy and utilize the complete capabilities of these multi-function tools. This may explain why 70 percent of respondents in the U.S. and 68 percent in the U.K. have implemented change control, but only 45 percent U.S. and 40 percent U.K. are using incident detection and alerting.

TABLES 5.4a & b. Allocate security risks in each of the six layers in a typical multi-layered security infrastructure.

[Chart 5.4 (U.K.): bars for UK-2012 and UK-2013, axis 0 to 40%; layers: Physical layer; Host layer; Human layer; Network layer; Data layer; Application layer]

PERCEIVED RISK AND SPENDING

Among the seven layers of the Open Systems Interconnection (OSI) model (application, presentation, session, transport, network, data link and physical), the application layer is associated with the highest security risk. Respondents both in the U.S. (36 percent) and U.K. (38 percent) agree with this assessment, rating the application layer much higher than the other six layers in the typical multi-layered security infrastructure, which includes the data, network, human, host and physical layers. Application layer risks include many third party solutions where accurate risk assessment and control is challenging.

[Chart 5.4 (U.S.): bars for US-2012 and US-2013, axis 0 to 40%; layers: Physical layer; Host layer; Human layer; Network layer; Data layer; Application layer]

Yet, while the application layer is understood to have the most significant security risks, the majority of security spending is focused on the network layer, as shown in the following two tables (Tables 5.5a & b).

TABLES 5.5a & b. Allocate the level of spending incurred by your organization for each of these six layers to lessen or mitigate security risk.

[Chart 5.5 (U.K.): bars for UK-2012 and UK-2013, axis 0 to 40%; layers: Physical layer; Host layer; Application layer; Human layer; Data layer; Network layer]

[Chart 5.5 (U.S.): bars for US-2012 and US-2013, axis 0 to 40%; layers: Physical layer; Host layer; Application layer; Human layer; Data layer; Network layer]

TABLE 5.6a. Difference between perceived risk and spending for each network layer (U.S. respondents).

The following two charts compare the difference between perceived risk and spending for each network layer. In the U.S., spending on the network layer is two times greater than its perceived risk, and in the U.K., it's almost 2.5 times greater. In comparison, spending on the application layer is three times less than its perceived risk in the U.S. and almost four times less in the U.K. Perceived risk and spending on the host and physical layers are basically in balance.

In summary, these survey results indicate that security spending is higher on layers with lower perceived risk, such as the network layer, for all respondents. This could be because many organizations are still in the early stages of managing and implementing their risk programs, and spending on the network layer may reflect this relative level of security program maturity. Capital spending for network layer equipment is depreciated, so it may be easier to attain budget for network layer equipment. Organizations with less mature security programs may have difficulty reducing the risk at the application layer because this typically involves third party and partner organizations. Finally, during difficult economic times, many organizations have deferred or cut back on spending; perhaps it has now become essential.

[Chart 5.6a: Level of spending incurred vs. Security risk, axis 0 to 40%; layers: Physical layer; Host layer; Human layer; Network layer; Data layer; Application layer]

[Chart 5.6b: Level of spending incurred vs. Security risk, axis 0 to 40%; layers: Physical layer; Host layer; Human layer; Network layer; Data layer; Application layer]

TABLE 5.6b. Difference between perceived risk and spending for each network layer (U.K. respondents).

METHODS FOR IDENTIFYING SECURITY RISKS

Insights into security and spending in this section of the study are among the most surprising survey results. The following two tables detail responses to questions about the methods organizations use to identify security risks.

TABLES 5.7a & b. What steps does your organization take to identify security risks? Check all that apply.

[Chart 5.7a: bars for US-2012 and US-2013, axis 0 to 50%; methods: Other; External audits; Don't know; Internal audits; Controlled self-assessments; Ongoing automated compliance monitoring; Ongoing manual compliance monitoring; Informal observations by supervisors and managers; Penetration testing/red-teaming; Formal risk assessment]

[Chart 5.7b: bars labelled US-2012 and US-2013, axis 0 to 50%; methods: Other; External audits; Don't know; Internal audits; Controlled self-assessments; Ongoing automated compliance monitoring; Ongoing manual compliance monitoring; Informal observations by supervisors and managers; Penetration testing/red-teaming; Formal risk assessment]

Informal observations by supervisors ranked third in the U.S. (39 percent) and first in the U.K. (46 percent). In addition, just 49 percent in the U.S. and 43 percent in the U.K. use formal risk assessments to identify security risks, and only 38 percent U.S. and 31 percent U.K. use automated compliance monitoring for this purpose, even though automated security tools significantly reduce both risks and costs.

Informal or drive-by management assessments are surprising because these assessments aren't quantifiable, formal or reproducible. Despite these obvious drawbacks, informal feedback and observation by management are widely used in the U.K. This type of informal assessment makes it difficult to quantify improvements and identify trends in security, and these methods may contribute to the difficulty many organizations face while trying to effectively communicate security risks to senior executives. While low-tech, observational-based methods may have worked in the past, automation and new technologies now make it possible to provide better, more consistent insight into the rapid changes taking place in security risk intelligence.

CONCLUSION

Risk-based security management is moving in the right direction, albeit slowly. At best, the results indicate that more organizations are beginning to address their security risks with some type of security control framework, and about 10 percent of those organizations that were in the process of deploying security controls in the 2012 survey have advanced to a more mature approach. However, it's clear that many organizations have identified controls and conducted the necessary assessments but haven't yet implemented many of the controls that can be most effective at reducing security risks.

Security practitioners and risk managers need to move away from a binary model of security controls and begin to evaluate them in the context of their businesses. This approach can effectively deliver a more nuanced and accurate assessment of the organization's security risk and provide clearer insights into the efficacy of specific security controls and technologies.

ADVANCING RESPONSIBLE INFORMATION MANAGEMENT

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

For more information about this study, please contact Ponemon Institute by sending an email to [email protected] or calling our toll free line at 1.800.887.3118.

For more information about this study visit www.tripwire.com/ponemon/2013 and follow on twitter @TripwireInc

2013 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.

Tripwire is a leading global provider of risk-based security and compliance management solutions that enable organizations to effectively connect security to the business. Tripwire delivers foundational security controls like security configuration management, file integrity monitoring, log and event management, vulnerability management, and security business intelligence with performance reporting and visualization.

LEARN MORE AT WWW.TRIPWIRE.COM OR FOLLOW US @TRIPWIREINC ON TWITTER.