Most Organizations Don't Assess Time to Incident Detection as Key Security Metric

25 July 2013

When it comes to risk-based security and compliance management, IT security managers rely on a set of security metrics to gauge the effectiveness of their organizations’ overall security efforts. For most, those include: time taken to patch, policy violations, uninfected endpoints, data breaches, reduction in the cost of security, end-user training and reduction in unplanned system downtime. But according to a survey from the Ponemon Institute, a full 83% don’t assess the time taken to detect security incidents.

“There’s a strong correlation between security products and metrics,” noted Tim Erlin, director of IT and risk strategy for Tripwire, which sponsored the survey. “Organizations most often build security metrics programs from the data up, rather than the business down, resulting in metrics supported by available security products, rather than focusing on those metrics that are meaningful to the business.”

For example, among threat management metrics, the percentage of endpoints free of malware and viruses led, with 38% of security managers citing it as a key indicator. About 31% consider reduction in the number of data breach incidents an effective key metric, with another 30% noting that reduction in the number of known vulnerabilities is an important evaluator. However, only 17% use the mean time to detect security incidents as a metric, and only 13% use the mean time to resolve security incidents.

“In light of the maturity curve in deployment of risk-based security management, it’s not surprising that the majority of organizations are not using metrics oriented towards higher order outcomes,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics.”

In the compliance arena, leading metrics included mean time to patch (51%); reduction in audit findings and repeat findings (25%); and policy violations (21%). The study also found that only 16% of respondents viewed the number of records or files detected as compliance infractions as a key metric, and only 21% identified reduction in expired certificates, including SSL and SSH keys, as an effective metric.

Key metrics for cost containment included reduction in the cost of security management activities (46%) and reduction in unplanned system downtime (35%). Only 12% of respondents use the length of time taken to contain security breaches and security exploits as a metric.
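The two under-used metrics above, mean time to detect and mean time to resolve (or contain) an incident, are simple to derive from an incident register once each record carries a believed start time, a detection time and a resolution time. The following is an added example, not code from the article or from Ponemon or Tripwire; the incident records are constructed, and it assumes time to detect is measured from compromise start to detection and time to resolve from detection to resolution, with still-open incidents excluded from the resolution mean rather than silently counted as resolved.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident register (not survey data). A resolved value of
# None marks an incident that has been detected but not yet closed.
INCIDENTS = [
    {"id": "INC-1", "start": "2013-07-01T08:00", "detected": "2013-07-01T20:00", "resolved": "2013-07-02T08:00"},
    {"id": "INC-2", "start": "2013-07-03T00:00", "detected": "2013-07-05T00:00", "resolved": "2013-07-05T12:00"},
    {"id": "INC-3", "start": "2013-07-10T09:00", "detected": "2013-07-10T10:00", "resolved": None},
]


def _parse(ts):
    """Parse an ISO-like timestamp; None passes through for open incidents."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M") if ts else None


def _hours(earlier, later):
    return (later - earlier).total_seconds() / 3600


def incident_metrics(incidents):
    """Return mean time to detect and mean time to resolve, in hours.

    Time to detect: compromise start -> detection (every incident counts).
    Time to resolve: detection -> resolution (open incidents are excluded and
    counted separately so the mean is not mistaken for full coverage).
    """
    detect_hours, resolve_hours, open_count = [], [], 0
    for inc in incidents:
        start = _parse(inc["start"])
        detected = _parse(inc["detected"])
        resolved = _parse(inc["resolved"])
        detect_hours.append(_hours(start, detected))
        if resolved is None:
            open_count += 1
        else:
            resolve_hours.append(_hours(detected, resolved))
    return {
        "mttd_hours": mean(detect_hours) if detect_hours else None,
        "mttr_hours": mean(resolve_hours) if resolve_hours else None,
        "open_incidents": open_count,
    }


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
```

Trend the two means per month or per quarter; a falling time to detect is the "higher order outcome" the survey found most organizations are not yet tracking.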

Staff and employee key metrics included the number of end users receiving appropriate training, which 40% of respondents named as useful in this arena. Thirty-four percent of respondents named the reduction in the number of access and authentication violations a key metric. The study also found that only 6% of security managers employ user performance on security retention awareness tests as a means of measuring security effectiveness.

Spending relative to total budget is used as a key metric for security efficiency by 44% of respondents. Thirty-four percent use reduction in total cost of ownership as a metric, and 33% of security managers use return on security technology investments as a means of measuring security efficiency.
