Survey On Security Investment Trends
whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations.
Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."
You can overanalyse data and get anything out of it. Stats are useful, but only in perspective. I wouldn't make any big decisions based on this survey.
For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents".
So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.
One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!
The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.
I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.