For the second time, ibi Research at Regensburg University has examined the state of information security policies in the enterprise. This year, the survey added a section on risk management. Working in collaboration with the SecuMedia Verlag and Germany’s Federal Office for Information Security, ibi surveyed 260 participants, making this one of the most comprehensive studies of its kind. The results show that while there is widespread awareness of the importance of information security and risk management standards, most companies see plenty of room for improvement in their current policies.
Only 1/3 Rank Risk Management as Very Good
A decisive 70.4 percent of respondents rank the importance of information security in the enterprise as very high. Nearly half (48.1 percent) give the same level of importance to risk management. Despite this, only 50 percent say the quality of their existing information security standards is very good. And only 33 percent say that their risk management policy is very good.
In the two most represented industries in the survey (financial institutions; and public administration, defense, and social security), the numbers are even worse. Surprisingly, despite the numerous legal and regulatory provisions in the finance sector, a solid third of respondents from this industry rated their existing policies as only satisfactory. And in the public sector, almost 20 percent feel their risk management is inadequate.
While it’s apparent that existing information security policies aren’t what you would call ideal, the survey makes it clear that quality risk management is especially lacking. Researchers don’t have an explanation for this disparity. But what exactly is the difference between these two policies?
Information Security vs. Risk Management
Information security is a set of standards and processes to ensure confidentiality and integrity during the exchange of information. Risk management is a process in which an enterprise tries to identify potential risks and find ways to reduce or avoid them. For example, a company might ask itself: What’s the likelihood of a cyber attack? What would be the impact on the enterprise if that happened? What can we do to prevent those consequences, or diminish them?
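The three questions above (likelihood, impact, what can be done about it) are the core of a qualitative risk assessment. As an added illustration that is not part of the ibi study or this article, the following Python sketch scores a small, constructed risk register on 1-to-5 likelihood and impact scales, applies the reducing effect of planned controls to get a residual score, and ranks the results against a risk appetite threshold. The scales, the example risks, the control reductions and the appetite value are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field

# Ordinal scales from 1 (lowest) to 5 (highest). These are assumed for the
# example; an organisation would define its own scales and thresholds.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Residual scores at or below this value are accepted; above it, further
# treatment is required. Assumed value for the example.
RISK_APPETITE = 8


@dataclass
class Risk:
    """One entry in a risk register: a threat scenario plus planned controls."""
    name: str
    likelihood: str
    impact: str
    # Each control is (description, likelihood reduction, impact reduction),
    # expressed in scale steps. Constructed estimates, not measured data.
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after the planned controls, floored at 1 on each axis."""
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for _, lik_reduction, imp_reduction in self.controls:
            lik = max(1, lik - lik_reduction)
            imp = max(1, imp - imp_reduction)
        return lik * imp


def rating(score: int) -> str:
    """Map a numeric score onto the usual high / medium / low bands (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register() -> list:
    """A constructed three-item register covering the scenario named in the article."""
    return [
        Risk("Phishing leads to credential theft", "likely", "major",
             controls=[("Security awareness training", 1, 0),
                       ("Multi-factor authentication", 0, 2)]),
        Risk("Ransomware encrypts the file server", "possible", "severe",
             controls=[("Offline, tested backups", 0, 2)]),
        Risk("Unencrypted laptop lost in transit", "possible", "moderate",
             controls=[("Full-disk encryption", 0, 2)]),
    ]


def prioritise(risks: list) -> list:
    """Rank risks by residual score (highest first) and state the treatment decision."""
    rows = []
    for risk in risks:
        residual = risk.residual_score()
        decision = "accept" if residual <= RISK_APPETITE else "treat further"
        rows.append((risk.name, risk.inherent_score(), residual, rating(residual), decision))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, inherent, residual, band, decision in prioritise(build_register()):
        print(f"{name:40} inherent={inherent:2} residual={residual:2} {band:6} -> {decision}")
```

The point of separating inherent from residual scores is that it makes the third question ("what can we do?") auditable: each control has a stated effect, and anything still above the appetite after controls is visibly flagged for further treatment rather than silently accepted.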