A new Ponemon Institute study examined the key risk-based security metrics IT security managers used most frequently to gauge the effectiveness of their organizations’ overall security efforts.
Top Metrics included: time taken to patch, policy violations, uninfected endpoints, data breaches, reduction in the cost of security, end users training and reduction in unplanned system downtime.
The survey respondents included 571 UK professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
In the compliance arena, leading metrics included mean time-to-patch (51 percent); reduction in audit findings and repeat findings (25 percent); and policy violations (21 percent). The study also found that only 16 percent of respondents viewed the number of records or files detected as compliance infractions, and only 21 percent identified reduction in expired certificates — including SSL and SSH keys — as an effective metric.
“There’s a strong correlation between security products and metrics,” noted Tim Erlin, director of IT and risk strategy for Tripwire. “Organizations most often build security metrics programs from the data up, rather than the business down, resulting in metrics supported by available security products, rather than focusing on those metrics that are meaningful to the business.”
Among threat management metrics, percentage of endpoints free of malware and viruses led with 38 percent of security managers citing it as a key metric for threat management. Thirty-one percent consider reduction in the number of data breach incidents an effective key metrics, with another 30 percent noting that reduction in the number of known vulnerabilities is an important metric. However, only 17 percent use the mean time-to-detect security incidents as a metric, with only 13 percent using mean time to resolve security incidents.
“In light of the maturity curve in deployment of risk-based security management, it’s not surprising that the majority of organizations are not using metrics oriented towards higher order outcomes,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics.”
Key metrics for cost containment included reduction in the cost of security management activities (46 percent) and reduction in unplanned system downtime (35 percent). Only 12 percent of respondents use the length of time to contain security breaches and security exploits.
Staff and employee key metrics included a number of end users receiving appropriate training, which 40 percent of respondents named a key metric in this arena. Thirty-four percent of respondents named the reduction in the number of access and authentication violations a key metric. The study also found that only 6 percent of security managers use user performance on security retention awareness tests as a means of measuring security effectiveness.
Spending relative to total budget is used as a key metric for security efficiency by 44 percent of respondents. Thirty-four percent use reduction in total cost of ownership as a metric, and 33 percent of security managers use return on security technology investments as a means of measuring security efficiency.
Survey respondents averaged 11.2 years of experience and represented a wide variety of organization sizes and industries including financial services, healthcare and pharmaceutical, technology and communications, retail and the public sector.