At the very end of my incident response research project, I did a quick survey on incident frequency perception. I asked one simple question: how many incidents have your organization had in the last 12 months?
Note that I did not force any particular definition of an incident on the respondents, but pointed to a couple of examples.
Here are the results:
What can we learn from this?
- The world view that “incidents are rare” (well, “1-2 a year” is rare to me) rules the roost. Does this motivate you to invest into improving your IR program capabilities?
- The shape of the curve is interesting and also rational: the popularity of the choice smoothly drops off from the most popular choice of 1-2 down to high numbers.
- There are still organizations that think they had no incidents. Have they failed to detect? Or chose not to declare an incident? Or are they incredibly lucky?
- In such a survey, respondent organization size would have been very handy; after all, 1 incident/year per 10 systems is not the same as 1 incident/year per 100,000 systems (the latter will stress my belief system beyond breaking point :-)).
There you have it!
Posts related to the same research project:
- My Incident Response Paper Publishes
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response