Gartner Blog Network

Security Incident Response Survey Results

by Anton Chuvakin  |  October 22, 2013  |  6 Comments

At the very end of my incident response research project, I did a quick survey on incident frequency perception. I asked one simple question: how many incidents has your organization had in the last 12 months?

Note that I did not force any particular definition of an incident on the respondents, but pointed to a couple of examples.

Here are the results:


What can we learn from this?

  • The world view that “incidents are rare” (well, “1-2 a year” is rare to me) rules the roost. Does this motivate you to invest in improving your IR program capabilities?
  • The shape of the curve is interesting and also rational: the popularity of the choice smoothly drops off from the most popular choice of 1-2 down to high numbers.
  • There are still organizations that think they had no incidents. Have they failed to detect? Or chosen not to declare an incident? Or are they incredibly lucky?
  • In such a survey, respondent organization size would have been very handy; after all, 1 incident/year per 10 systems is not the same as 1 incident/year per 100,000 systems (the latter will stress my belief system beyond breaking point :-)).

There you have it!


Category: incident-response  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on Security Incident Response Survey Results

  1. Matthew Gardiner says:

    In my anecdotal experience (talking to many dozens of organizations over the past couple of years) the # of incidents detected is directly proportional to the level of looking. If you don’t look, you won’t see. If you look a little, you see a little. If you look deeply, you will see a lot. Most incidents of course aren’t that dangerous, but how do you know which are the dangerous ones if you don’t look?

  2. Matt, thanks for the insightful comment! Indeed, if you “look with your eyes closed” you find NO incidents – or “The Big One” (that 1 per year) that comes and kicks you in the balls. Everything else is invisible.

    So, all the invisible but bad stuff likely stays invisible until the time comes for it to explode…

  3. Erik Mintz says:

    I would love to see an overlay of the same question directed to third party CERT teams with org size data. Commercial and/or state sponsored IR teams in an oversight role should be eye opening to self policing organizations.

  4. Indeed, I’d love to see such data and compare/contrast to enterprises’ own data.

  5. Yes, I’ve seen this vendor-conducted survey; and picked a few interesting (if not unexpected) things from it.
