Ponemon Study: Management & Operations Talk Different Languages

Tripwire commissioned the Ponemon Institute to question more than 1300 risk-based security professionals in the US and UK on whether risk-based security is an art or a science. For the purposes of the study, art was defined as “analysis and decision-making based on intuition, expertise and a holistic view of the organization,” where intuition is the key. Science was defined as “analysis and decision-making based on objective, quantitative measures,” where objectivity is the key.

Overall – especially in the US – it is evenly balanced: 49% of respondents say it is an art, while 51% say it is a science. In the UK, there is more of a bias towards science: 58% say science and 42% say art. However, when broken down by function within risk-based security, the results showed a marked difference between management and operations. Two-thirds of enterprise risk managers and 62% of US business operations respondents believe that it is an art, but 62% of IT security and 56% of US IT operations respondents believe it is a science.

The conclusion is inescapable, suggests Tripwire. “Business operations and risk managers tend to view risk management as more of an art because they don’t feel a precise answer is needed to be able to make a decision,” explained Dwayne Melancon, CTO at Tripwire. “People in these roles are looking for directional information to guide their decisions. On the other hand, IT operations and IT security departments tend to view security risk management as a math problem that has a very precise answer.” Both sides are talking about the same thing, but using a different language, “which can,” warns Melancon, “make it difficult to come to a mutually agreed point of view.”

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, agrees that this difference in attitude and language can lead to problems in execution. “The majority of organizations surveyed continue to be committed to the values risk-based security management can deliver, but differences of opinion on how to approach the problem complicate the communication and collaboration necessary to derive maximum benefit from it.”