Question
Asked 15th Jul, 2019

How do security capability maturity and risk level correlate?

Intuitively one would be inclined to think that improving organizational security capabilities would increase overall organizational security maturity. As maturity increases, better controls/risk mitigations would be designed and implemented, leading to lower residual risk levels. This would suggest a negative correlation between maturity and risk.
Assume there is a maturity scale of 1 to 5 and a risk scale of 0 to 100.
Does anybody know how risk and maturity would relate and/or how much correlation would be reasonable to expect?

All Answers (8)

15th Jul, 2019
Mark Sitkowski
Design Simulation Systems Ltd
I think you're confusing theory with the real world.
What happens in practice is that a company will never upgrade its security systems unless it has a bad scare, or an actual breach. When this happens, it spends as little as possible to mitigate the chance of its happening again.
Take as an example what happened at Target in 2014. A vulnerability in an FTP server allowed hackers to infiltrate the network and plant screen-scraping malware on all the POS terminals.
When the breach finally came to light, did Target make the POS terminals proof against screen scrapers? No, that would cost too much. They improved the security of FTP servers.
You only have to follow the news of data breaches (I do, but I'm in the security business) to see that each one only results in a short-term Band-Aid solution to the immediate problem.
1 Recommendation
16th Jul, 2019
Zeyad Mohammad
Al-Zaytoonah University of Jordan
Security capability maturity evolves with time, and the risk level comes from creative hackers, so we need to develop the security capability.
1 Recommendation
17th Jul, 2019
Pieter van de Griend
Philips
Thank you Mark Sitkowski and Zeyad Mohammad for your contributions.
Allow me to add further thought to my, admittedly, theoretical question.
What I am looking for is any support for the shape of the curve that depicts the relationship between maturity and risk level. In the image that I have attached there are two options that I would think plausible, i.e. a linear relationship and a non-linear S-curve shape. In both cases there are differences in correlations.
What I am looking for is any published research to corroborate such a shape.
18th Jul, 2019
Michael Ahern
Worcester Polytechnic Institute
As an organization's security capability matures, it reduces its risk as it masters the basics of cyber hygiene, gains expertise in intrusion detection, and adds capabilities to detect and stop data exfiltration.
That said, the hackers are also maturing their capabilities and increasing operating risk for their potential target organizations. The analogy is that as defenders build higher fences, attackers get longer ladders.
To reduce net security risk, organizations need to mature defensively faster than hackers mature offensively.
1 Recommendation
18th Jul, 2019
Pieter van de Griend
Philips
Thank you for this perspective on defender-attacker interaction.
I agree that there is a kind of maturity contest between defenders and attackers. Driving that view to a conclusion ultimately means that defenders must try to mature faster than their counterpart attackers.
My experience indicates that the interaction behaves more like an arms race during which the costs for the attackers are maximized against a minimization of defender costs. The actual driver, however, is largely information-based, as in: who knows what when.
In that respect agile attackers appear to possess an advantage over large organizations in that they can adapt faster to a changed environment.
Translating your observation would result in an oscillating curve with a (preferably) downward trend, as indicated in the attached figure.
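The three curve shapes raised in this thread (the linear and S-curve options from the question, and the oscillating downward trend described in the reply above) can be compared numerically. The following is an added example, not code from the thread or any of its participants; it assumes specific, illustrative parameters for each curve on the question's scales (maturity 1 to 5, risk 0 to 100) and computes Pearson and Spearman correlations for each:

```python
"""Added example, not code from the thread or its participants: the three
curve shapes discussed (linear, S-curve, oscillating with a downward trend)
are modelled on the scales stated in the question (maturity 1..5,
risk 0..100) and their Pearson and Spearman correlations are compared.
All curve parameters are assumptions chosen for illustration."""
import math
from statistics import mean, pstdev

# Constructed sample: maturity sampled every 0.1 from 1 to 5 (41 points).
MATURITY = [round(1 + 0.1 * i, 1) for i in range(41)]


def linear_risk(m):
    """Assumed straight line: risk falls from 100 at maturity 1 to 0 at 5."""
    return 100.0 - 25.0 * (m - 1)


def s_curve_risk(m, steepness=2.5, midpoint=3.0):
    """Assumed logistic S-curve: little change at low maturity, a steep drop
    around the midpoint, diminishing returns near level 5."""
    return 100.0 / (1.0 + math.exp(steepness * (m - midpoint)))


def oscillating_risk(m, amplitude=15.0):
    """Assumed 'arms race' curve: the linear trend plus a sinusoid, i.e.
    attackers repeatedly catch up and defenders respond."""
    return linear_risk(m) + amplitude * math.sin(2 * math.pi * (m - 1))


def pearson(xs, ys):
    """Pearson correlation: measures how *linear* the relationship is."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (pstdev(xs) * pstdev(ys))


def ranks(values):
    """Average ranks (1-based); tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(xs, ys):
    """Spearman correlation: exactly -1 for *any* strictly decreasing curve,
    whatever its shape, so it cannot tell the linear and S-curve models apart."""
    return pearson(ranks(xs), ranks(ys))


def is_monotone_decreasing(ys):
    """True when every step of the curve goes down (no local reversals)."""
    return all(a > b for a, b in zip(ys, ys[1:]))


def correlation_table():
    """Return {model: (pearson, spearman, monotone)} for the three shapes."""
    table = {}
    for name, fn in (("linear", linear_risk), ("s_curve", s_curve_risk),
                     ("oscillating", oscillating_risk)):
        risk = [fn(m) for m in MATURITY]
        table[name] = (pearson(MATURITY, risk), spearman(MATURITY, risk),
                       is_monotone_decreasing(risk))
    return table


if __name__ == "__main__":
    for name, (r, rho, mono) in correlation_table().items():
        print(f"{name:12s} pearson={r:+.3f} spearman={rho:+.3f} monotone={mono}")
```

Running it makes the question's "differences in correlations" concrete: Spearman is -1 for both the linear and the S-curve models, because any strictly decreasing curve yields a perfect rank correlation, whereas Pearson moves away from -1 for the S-curve and again for the oscillating model, and only the oscillating model fails the monotonicity check. A rank statistic alone therefore cannot corroborate one shape over another; the shape has to be fitted to the data and the residuals inspected.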
18th Jul, 2019
Michael Ahern
Worcester Polytechnic Institute
Hello Peter,
I like the shape you’ve drawn. To quantify it, you might use statistics from the annual Verizon Breach report and/or similar sources (e.g. U.S. FBI). I think you’ll find that basic cyber hygiene will eliminate about 80% of the risk.
Best,
Mike
1 Recommendation
18th Jul, 2019
Pieter van de Griend
Philips
Indeed, as you alluded, basic system hygiene, such as application patching and addressing known database and network components' vulnerabilities, significantly improves security posture. Alas, when it comes to actual implementation, it is a quite different story. The main challenge remains knowing which assets can be found where. The next hurdle is finding somebody with time and a sense of responsibility to implement and test the patch.
Thanks for suggesting mapping statistics from security reports against risk and maturity models.
18th Jul, 2019
Michael Ahern
Worcester Polytechnic Institute
You're welcome Pieter! I'll be curious about your findings.