Thursday 31 January 2013

Information Security - Does Size Matter?

The summary below has been adapted from "Does size matter?" by Andrew Briney and Frank Prince as published in Information Security magazine, September 2002.

"Does size matter?" describes organizations by size (categorized as small, medium, large and very large) and the information security issues they face. It also explains the information security problems that come with an organization's size and how organizations allocate IT human resources to handle them.

Small-sized organizations
  • Size: 10 - 100 computers
  • IT Organization: Simple, centralized
  • IT Security budget: 
    • Spends disproportionately more on security (average about 20% of total IT budget)
    • Spends more per user than medium- and large-sized organizations
  • Staffing: 1 security staff (if full-time) but usually an additional duty to one of the IT Staffers
  • "More than two-thirds of small organizations say all or most of their security decisions are guided by management-approved policies, and 57 percent say that all or most of their responses to incidents were guided by a predefined IR plan."

Medium-sized organizations
  • Size: 100 - 1000 computers
  • IT Organization: Simple, centralized
  • IT Security budget:
    • Smaller budget - about 11% of total IT budget
  • Staffing: 
    • Same as small-sized organizations, but with a larger need
    • Need to depend on IT staff to help in carrying out security plans and practices
  • "Their ability to set policy, handle incidents in a regular manner and effectively allocate resources are, overall, worse than any other group. Considering their size, the number of incidents they recognize is sky rocketing. Some 70 percent of them had damages from security breaches, a 48 percent increase over small organizations."

Large-sized organizations
  • Size: 1000 - 10,000 computers
  • IT Security budget:
    • Spends substantially less on security - about 5% of total IT budget
  • Issues across the organization due to the low budget spent, especially in the "people" areas
  • "eight in 10 organizations say at least some of their security decisions are guided by them."

Very large-sized organizations
  • Size: More than 10,000 computers
  • IT Security budget:
    • Large information security budgets, which grow faster than IT budgets
    • Average amount per user is still less than in any other type of organization
  • "Where small organizations spend more than $5000 per user on security, very large organizations spend about one-eighteenth of that, roughly $300 per user," or approximately 6 percent of the total IT budget. The very large organization does a better job in the policy and resource management areas, although "only a third of organizations in this demographic handled incidents according to an IR plan."
