At the very end of my incident response research project, I did a quick survey on incident frequency perception. I asked one simple question: how many incidents has your organization had in the last 12 months?
Note that I did not force any particular definition of an incident on the respondents, but pointed to a couple of examples.
Here are the results:
What can we learn from this?
- The world view that “incidents are rare” (well, “1-2 a year” is rare to me) rules the roost. Does this motivate you to invest in improving your IR program capabilities?
- The shape of the curve is interesting and also rational: the popularity of the choice smoothly drops off from the most popular choice of 1-2 down to high numbers.
- There are still organizations that think they had no incidents. Have they failed to detect? Or chose not to declare an incident? Or are they incredibly lucky?
- In such a survey, respondent organization size would have been very handy; after all, 1 incident/year per 10 systems is not the same as 1 incident/year per 100,000 systems (the latter will stress my belief system beyond breaking point :-)).
There you have it!
Posts related to the same research project:
- My Incident Response Paper Publishes
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response