
Risk-Based Security Management Still Has a Ways to Go


Written By
Kim Wright
Aug 9, 2012

Tripwire, a leading global provider of IT security solutions, and the Ponemon Institute recently announced the results of “The State of Risk-Based Security Management (RBSM) Study.” This international study included data from 2,145 individuals from organizations of different sizes and types in the United States, United Kingdom, Germany and the Netherlands.

This study evaluates how organizations view risk-based security management (RBSM), how they address it through formal programs and the deployment of specific controls, and how they measure program effectiveness.

The report details the current state of risk management and perceptions about the benefits to organizations, and provides guidance on how to strengthen an organization’s security practices and add value to the business through a risk-based approach. The report also provides recommendations for mitigating risks, protecting data and detecting cyber attacks and data breaches accurately and efficiently.


Click through for findings from a global survey on risk-based security management, conducted by Tripwire and the Ponemon Institute.


Although organizations profess a strong commitment to RBSM, they are taking little action.

In the U.S., over three quarters (77 percent) express significant or very significant commitment to RBSM, yet barely more than half (52 percent) have a formalized approach to it, and less than half (46 percent) have actually deployed any RBSM program activities.

A vast majority of U.K. organizations (72 percent) claim a significant or very significant commitment to RBSM. Even though most organizations are committed to and have a formal RBSM approach, more than half in the U.K. still don’t have formal strategies or procedures in place. Among the companies that do have strategies in place, most are not implementing all elements of a strong RBSM structure, creating potential risks for businesses moving forward.


Many organizations lack a formal approach to RBSM.

In the U.S., around a third (30 percent) of organizations have no RBSM strategy and close to a


Most organizations implement the appropriate preventative controls, but neglect to implement sufficient detective controls.

According to survey results, allocated spending is not aligned to perceived risk. In the U.K., organizations are making excellent progress with preventive controls, yet they are lacking when it comes to implementing detective controls, resulting in an inability to identify, implement and continuously monitor controls.

In the U.S., between 80 and 90 percent of organizations have partially or fully deployed preventative controls, but only about 50 percent have deployed the majority of detective controls. For best results, organizations need to ensure the appropriate balance of preventive and detective controls.


No Metrics = No Success.

Survey results show the U.K. gauges success of RBSM programs by proving cost reduction of the program. Such a metric can encourage the wrong behavior and actually increase the risk, according to the Ponemon Institute. U.K. organizations must establish and use better metrics to demonstrate program success, such as configuration quality, effectiveness of security controls and security program progress. Without these good metrics, organizations will be unable to demonstrate program success.


Perceptions of RBSM differ in the U.S., U.K., Germany and the Netherlands.

In the U.S., 71 percent of organizations say they are concerned about malicious insiders. In the U.K., that number drops to 49 percent; it is 32 percent in Germany and only 16 percent in the Netherlands.
