Cybersecurity signals: Connecting controls and incident outcomes

There is constant pressure on security leaders to decide which controls deserve the most attention and budget. A new study offers evidence on which measures are most closely linked to lower breach risk and how organizations should think about deploying them.

Marsh McLennan’s Cyber Risk Intelligence Center (CRIC) analyzed thousands of organizations’ responses to its Cyber Self-Assessment and compared them with claims data. The findings highlight which controls matter most for lowering breach likelihood.

Incident response planning

Incident response planning ranked near the top of the study’s findings. Organizations that conduct tabletop exercises and red-team tests consistently showed better outcomes than those that did not. CRIC notes that response planning may have secondary benefits, since the process of running exercises often drives investment in other parts of the program.

“What our latest research confirms is that thoughtful planning also drives secondary benefits like positive security behaviors and strong control implementations, which help build more organizational resilience and reduce breach incidents,” said Tom Reagan, Global Cyber Practice Leader, Marsh.

Endpoint detection and response

Endpoint detection and response (EDR) tools remain a strong signal of reduced breach likelihood. The research found that benefits increase as deployment expands. Each 25 percent increase in endpoint coverage correlated with additional risk reduction, with full deployment across all laptops and workstations showing the strongest results. Researchers also observed that using EDR in blocking mode further decreased breach likelihood.

Multi-factor authentication

Multi-factor authentication (MFA) has reached near-universal adoption, which has made it less of a differentiator than in the past. The report emphasizes that effectiveness now depends on scope and strength of deployment. Organizations that enforce phishing-resistant MFA across all accounts achieve stronger outcomes than those using basic implementations.

Security operations centers

Having a security operations center (SOC) is valuable, but the report stresses that capabilities are the key factor. Features such as 24×7 monitoring, active threat intelligence, and continuous process improvement increase signal strength. Researchers also highlighted the role of security information and event management (SIEM) platforms, noting that organizations that actively refine and tune SIEM rules gain more value than those that do not.

Cyber awareness training

User training remains important, but quality appears to matter more than frequency. Updated content that reflects new social engineering tactics, along with realistic phishing simulations, correlated more strongly with improved outcomes than the number of training sessions. The report suggests that employees are already aware of common cyber risks and need more advanced preparation to spot and respond effectively.

Vulnerability management and patching

Patching and vulnerability management continue to be foundational. The analysis showed that higher patching frequency is linked with stronger outcomes, but relying on CVSS scores alone provided weaker signals. Regular assessments, penetration testing, and automated patch management processes showed higher impact. Automation in particular stood out for reducing risk by removing manual steps.