Most U.S. businesses are all talk and no walk when it comes to risk-based security management, according to the results of “The State of Risk-Based Security Management Study” from IT security solutions provider Tripwire and the Ponemon Institute.

This international study included data from 2,145 individuals from organizations of different sizes and types in the United States, United Kingdom, Germany and the Netherlands, according to a press release from Marketwire.

This study compares how organizations view their Risk-Based Security Management (RBSM) and how they actually address their RBSM through formal programs, deployment of specific controls and how they measure program effectiveness, the release says.

The report also details the current state of risk management and perceptions about the benefits to organizations as well as provides guidance on how to strengthen an organization's security practices and add value to the business through a risk-based approach.

Highlights from this report include:

  • Although organizations profess a strong commitment to RBSM, they are taking little action. Over three quarters (77 percent) express significant or very significant commitment to RBSM, yet barely more than half (52 percent) have a formalized approach to it, and less than half (46 percent) have actually deployed any RBSM program activities.
  • Those organizations with a formal approach to RBSM tend to walk the talk. Around a third (30 percent) of organizations have no RBSM strategy and close to a quarter (23 percent) only have informal or ad hoc strategy.
  • Most organizations implement the appropriate preventative controls, but neglect to implement sufficient detective controls. Between 80 to 90 percent of organizations have partially or fully deployed preventative controls, but only about 50 percent have deployed the majority of detective controls.
  •  Perceptions of RBSM differ in the U.S., U.K., Germany and the Netherlands. In the U.S. 71 percent of organizations say they are concerned about malicious insiders. In the UK that number drops to 49 percent, 32 percent in Germany and only 16 percent in the Netherlands.

Key findings from this study conclude that although a majority of organizations have high commitment levels towards RBSM, only half of these organizations have a formal program, function or set of activities dedicated to RBSM and most of these are only partially implemented, the press release says.

The report also provides recommendations for mitigating risks, protecting data and detecting cyber attacks and data breaches accurately and efficiently.