Survey of Victoria Police Information Security … of Victoria Police Information Security Culture – Survey Results Commissioner for Law Enforcement Data Security November 2012 2

Survey of Victoria Police Information Security Culture

– Survey Results

Commissioner for Law Enforcement Data Security

November 2012

Survey of Victoria Police Inform

ation Security Culture – Survey Results

C

omm

issioner for Law Enforcem

ent Data Security

Survey of Victoria Police Information Security Culture

– Survey Results

Commissioner for Law Enforcement Data Security

November 2012

2

This report was prepared for the Commissioner for Law Enforcement Data Security by Sandra Beanham. Sandra Beanham is the founder and principal of Sandra Beanham & Associates (SBA), a Melbourne-based business consultancy. SBA works primarily with large scale clients in both the public and private sectors and provides a broad range of business, marketing and market research consultancy services. The focus of the consulting practice is to assist clients in the development of smarter business strategies underpinned by superior market insights.

Connect with Sandra Beanham, Principal Consultant: Tel +61 3 8808 6600

Published by:

The Commissioner for Law Enforcement Data Security PO Box 5199 South Melbourne Victoria 3205

November 2012

© Copyright State of Victoria, 2012

3

ContentsIntroduction 7

Section 1 Method & Sample 9

1 Orientation & Plan 12

1.1 Project Orientation 12

1.2 CLEDS Benchmark Research 13

1.3 Research Plan 13

2 Qualitative Pilot Study 17

3 On-line Survey of Sworn Members 18

Survey Publicity Plan 18

Survey Timing 18

Survey Sample 19

Survey Hosting and Data Processing 20

Survey Report 20

Section 2 Detailed Findings 21

Part 1 Sources of Guidance on the Management of Law Enforcement Data 23

Part 2 Incidence and Frequency of Typical Breaches of Law Enforcement Data Security 26

Part 3 Use of Personal Technology 29

3.1 Technology Use 29

3.2 Personally Owned versus Victoria Police Provided Equipment 30

3.3 Main Reasons for Using Personal Technology 32

3.3.1 Overview 32

3.3.2 Mobile Phone 33

3.3.3 Smart Phone 34

3.3.4 USB 35

3.3.5 Laptop Computer 36

3.3.6 Desktop Computer 37

3.3.7 Digital Camera 38

Part 4 Beliefs and Attitudes with Respect to Law Enforcement Data Security 40

4.1 Introduction 40

4.2 Risk Analysis 41

4.2.1 Likelihood of Typical Breaches and Perceived Seriousness 41

4.2.2 Perceived Seriousness and Observed Frequency 43

4

4.3 Scenario 1: Holding Law Enforcement Data on Personally Owned Devices – Sergeant K’s Murder Scene Photos 45

Part 1 Take Photos of a Crime Scene with a Personal Smart Phone 45

Part 2 Storing Crime Scene Photos on Personal Smart Phone 45

Part 3 Observed Frequency (Q6) 46

4.4 Scenario 2: Temporarily Located in Office on Unsecured Floor. Taskforce Linebacker Leaves The Door Unlocked. 47

Part 1 Task Force on Unsecured Floor 47

Part 2 Leaving a Door Unlocked to a Secure Area 47


4.5 Scenario 3: Inspector M Gives an Informant's Address Over the Phone in a Public Area While Investigating an Outlaw Motorcycle Gang. 49

Part 1 Giving Information Over the Phone in a Public Area 49


4.6 Scenario 4: Transferring Electronic Files to/from Potentially Unprotected Environments. Constable P Works on Her Personally Owned Computer at Home. 50

Part 1 Working at Home on a Personal Computer 50

Part 2 Emailing Information from Work Address to Home Address 50


4.7 Scenario 5: Losing/Misplacing Law Enforcement Data. Supt R’s Memory Stick Goes Missing. 52

Part 1 Memory Stick Holds Law Enforcement Information 52

Part 2 Losing a Memory Stick Holding Law Enforcement Data 52


4.8 Scenario 6: Disclosing Unauthorised Information. Constable T Talks to the Media. 54

Part 1 Releasing Unauthorised Information 54


4.9 Scenario 7: Holding Law Enforcement Data for Personal Records. Constable F is Involved in a Police Pursuit. 55

Part 1 Recording Interviews with an Offender on a Mobile Phone 55

Part 2 Keeping a Personal Record of Law Enforcement Data to Corroborate Any Future Investigation 55


5

Part 5 Awareness and Role of CLEDS 57

5.1 Current Status 57

5.2 Incidence of Information Security Training 58

Appendices 59

Appendix 1 List of Tables 61

Appendix 2 List of Graphs 63

Appendix 3 Online Questionaire 64

Appendix 4 Additional Tables for Q4 – Detailed Reasons for Using Own Device 73

6

7

IntroductionThe CLEDS I-Project was a quantitative research project designed to assess the attitudes and behavior of Victoria Police officers in relation to law enforcement data security. It took the form of an anonymous survey of all sworn members of Victoria Police. The survey aimed to provide an evidence base that could be used to better understand the current information security culture of Victoria Police and its members’ use of personal electronic equipment for law enforcement purposes. It was also designed to provide us with a wider variety of measurement tools and indicators to assist in assessing information security trends and developments within Victoria Police.

The following research questions guided the development of the research methodology:

1. Do Victoria Police information management and data security policies and practices align with the CLEDS Standards for Victoria Police Law Enforcement Data Security?

2. What is the nature of the information management and data security culture within Victoria Police?

3. Why do police officers obtain, receive and hold information on personally-owned electronic devices?

The survey took place in March 2012 and was sent to all sworn members of Victoria Police. It achieved a 20.6% response rate, which makes for robust and reliable results.

The need for such research grew out of the findings of a number of reviews we have undertaken over the last few years beginning with a 2008 Personal Holdings review that found a relatively high incidence of police holding law enforcement data off-site, typically at home. The 2008 review was undertaken before the market for sophisticated mobile personal computing devices like iPhones grew. Anecdotal evidence obtained during follow-up activities indicated that police were increasingly using personal electronic equipment (notably mobile phones and recording devices) to capture and store law enforcement data. The widespread adoption and use of these personal devices by police to record information – typically in the form of audio files, photos and videos – meant that significant quantities of law enforcement data were not being included in official Victoria Police data repositories and were being kept insecurely.

In parallel, reviews of information governance within Victoria Police that we undertook in 2009 and in 2011 highlighted shortcomings in Victoria Police’s information security and management culture. The 2009 review found varying levels of understanding about information management and security across Victoria Police and emphasized the need for communicating the value of better information practices to Victoria Police staff, as well as monitoring and addressing issues of non-compliance. It identified weak links between information management and security and Victoria Police’s performance management framework. It highlighted the need for information security training and awareness for all police personnel, not just new recruits or for those seeking promotion. It recommended a broad cultural change program to address these issues.

The 2011 review found that these recommendations had not been implemented and, as a consequence, made further recommendations. Victoria Police was asked to develop a detailed report on its current information management and security culture and its readiness for change and provide it to us for approval by 31 March 2012. Based on those findings, it recommended that Victoria Police produce a cultural change strategy by 31 May 2012. As at mid-July 2012, Victoria Police has yet to complete this work.

Introduction

8

Introduction

The key survey findings are:

1. For Victoria Police, the main guide (52% of respondents) to the way in which officers manage and secure law enforcement data is common sense. Only 6% said their managers were the key guide. Very few mentioned Victoria Police policy as a source of guidance.

This finding suggests that improved information management and security policies alone are relatively ineffective tools for improving Victoria Police’s information management/security practices. It also suggests a significant lack of expertise in these issues at a supervisor/manager level. It follows that Victoria Police should significantly strengthen its investment in information management and security training, education and awareness.

2. The use of electronic equipment (computers, mobile phones, data sticks, digital cameras) is central to day-to-day policing. However, 76% of members use at least one personally-owned such device in an average week to capture and/or store law enforcement data. Personally-owned smart phones are being used by 45% of members. The reasons given for members using personal devices are principally that Victoria Police-issue devices are either unavailable or not provided.

This problem is not unique to Victoria Police. Law enforcement agencies across the world are grappling with the proliferation of personal mobile computing and storage devices. That said, the practice of using personal devices for operational policing is largely unmanaged and uncontrolled and poses significant information management and security risks.

3. Police perception of what constitutes a serious information security breach indicates a preoccupation with the physical security priorities of a paper-based information environment, rather than the reality of the electronic environment in which they work.

CLEDS’ intention is that this initial survey is the first phase of longitudinal research to track changes in Victoria Police information security culture, particularly as a means of assessing the effectiveness of Victoria Police’s information security cultural change program and the education awareness programs.

This project could not have been undertaken without the cooperation of Victoria Police. We wish to record our thanks for the assistance provided by the Chief Commissioner, the Victoria Police Human Research Ethics Committee and to the Police Association. Most importantly, we are grateful that so many of Victoria’s police officers took time out of their operational duties to complete the survey.

David Watts Commissioner for Law Enforcement Data Security

9

Section 1

Method & Sample

10

Method & Sample

11

Method & Sample

Key research stages included:

Orientation and Plan

• Stakeholder briefings/ input on research design

• Literature search for relevant benchmarks/methodologies

Qualitative Pilot Test of on-line Questionnaire

• Feedback on survey questionnaire design

On-line survey of Sworn Members

• Preceded by survey publicity and personal briefings

12

Method & Sample

1 Orientation & Plan1.1 Project Orientation

The purpose of the orientation phase was to determine whether any existing research had been conducted in the area of personal holdings of law enforcement data and/or law enforcement data security. This could then inform the development of the CLEDS research program.

An extensive literature search was carried out and discussions were held with a range of academics and researchers working on policing and police processes. This review indicated that there were no specific benchmark studies relating to personal holdings of law enforcement data other than CLEDS own small scale research conducted in 2008 (see below).

Published articles focused on the following topics with respect to the capture and storage of law enforcement data:

1. General

• The need for records management systems to integrate physical and electronic records

• Increasing provision of portable devices including USB’s and PDA’s to frontline officers

• Public concern with security breaches of personal/identifiable data (UK Case Study)

• Need for security measures e.g. strong encryption

• ‘Rule of thumb’ test – if data information was put on the internet – would it be a problem?

• High numbers of mobile phones, laptops, and other devices which are stolen/mislaid.

2. USB’s

• Concern regarding “life expectancy” and loss of data due to ‘wear and tear’

• ‘Rule of thumb’ – maximum 2 year life expectancy.

3. Police Force Needs/Expectations

• Easy access to data

• Easy sharing of data

• Support for work policies involving

• Flexible work practices

• Home working, i.e. secure, remote access

• Concern with ‘user-friendliness’ of encryption ‘products’.

13

Method & Sample

1.2 CLEDS Benchmark Research

As noted earlier, CLEDS conducted a small scale study in 2008 – ‘Personal Holdings of Law Enforcement Data’. It was a paper based questionnaire and included a convenience sample of n = 50 respondents – all sworn members of Victoria Police. The main findings of the survey were:

• 74% of respondents personally held some form of law enforcement data, 66% at their homes

• Many members keep personal holdings regardless of rank or years of service

• The majority held more than one kind of data, predominantly day book notes and official diaries, 48% held briefs of evidence

• 12% stated they held original briefs, investigation files or criminal histories

• The main reasons for holding the information were in case of an ESD or OPI investigation or possible civil litigation

• 21% held data at home purely for reasons of personal interest.

Specifically the study identified the following:

• 11% hold the equivalent of more than five archive boxes of material and 49% hold the equivalent of at least one box

• 62% of respondents hold data which is more than five years old and 19% hold data that is more than 10 years old

• 73% of members with personal holdings stated that they did not access the data at all, 16% accessed the data at least monthly.

It is believed that the situation has been exacerbated by the widespread ownership and use of personal, portable electronic devices such as mobile phones, USB’s, etc.; together with a police culture which allows the use (and potential abuse) of law enforcement data captured and stored by those devices.

1.3 Research Plan

The key components of the research plan were therefore to conduct an initial benchmark study, with annual updates to monitor changes in attitudes and behaviour with respect to law enforcement data security.

14

Method & Sample

Each survey would use the following protocol, as outlined below and approved by the Victoria Police Human Research Ethics Committee (VPHREC):

Source: Methodology Report submitted to VPHREC, with dates updated as necessary

Research Design

The research will be conducted using a repeated measures, cross-sectional design, allowing CLEDS to measure change in population attitudes and behaviours over time. The project will run for three years and include annual data collection waves starting with a benchmark in 2012 and updated in 2013 and 2014. At the conclusion of each wave of data collection, CLEDS will analyse and report on the survey results to Victoria Police and other stakeholders.

Sample

All sworn members of Victoria Police will be invited to participate in the survey. This inclusive and transparent approach that targets the entire population facilitates CLEDS’ goal to use the survey as a tool to stimulate cultural change. This approach does not require a sampling frame.

The research design provides very little ability to control or stimulate responses within key population segments (e.g. gender and rank). While the researchers will be able to monitor responses in key segments while the survey is in the field and issue emails to encourage greater response rates, no targeted approaches to key population segments will be made. Consideration should be given to post weighting the results using the police profile published by Victoria Police. Care will need to be taken to generate similar samples in data collection waves two and three. It is important that successive samples are representative of the same population.

In 2008/09, there were 11,293 sworn Police Officers in Victoria Police (Victoria Police Annual Report 2008/09). A response rate of between 10 and 20% will return between 1,129 and 2,259 completed surveys.

Participation in the research is voluntary, and participation in the first wave of data collection does not require participation in subsequent waves.

15

Method & Sample

Informed Consent

An Informed Consent Statement will be appended to the front of the survey. The Informed Consent Statement outlines the goals of the research, research method, potential harms associated with participation, confidentiality and participant rights. While participants are not required to sign and return the Informed Consent Statement, the completion of the survey indicates the individual’s consent to participate in the research.

Survey Development

In order to not over burden police officers and promote completion of the survey, the Project Team decided to limit the time required to complete the survey to 10 minutes. Shorter surveys are more likely to be completed and elicit more reliable responses. Respondents answering long or complex surveys may ‘flat line’ rating scales rather than completing thoughtfully, or ‘donkey vote’ by clicking the first answer irrespective of their view. Sweeney Research will identify and exclude completed surveys that fit such patterns.

A decision was also made to use a combination of scales and scenarios, and avoid open-ended questions.

Survey Pretesting

In 2011, the survey will be piloted to determine whether the survey is the appropriate length, survey instructions are clear and survey items are relevant. It will be especially important to test the relevance and clarity of the scenarios used in the survey.

The pilot will involve the selection of a small group (n=8) of sworn Victoria Police Officers, securing a cross-section of key population segments (e.g. gender and rank) where possible. Pilot participants will be asked to complete the online survey without assistance. Participants will then be brought together in a focus group to review each survey item. Where appropriate and necessary, survey instructions and items will be modified to improve readability, relevance and clarity.

Survey Administration

The survey will be conducted online. All sworn officers will receive an email requesting their participation in the research. Through this email, participants will be referred to a CLEDS-branded portal, hosted by Sweeney Research.

Hard copies of the survey (including reply paid, addressed envelopes) will be made available to those who do not wish to complete the survey online (or can be printed out by the officer). Completed hard copy surveys will be integrated into the dataset.

16

Method & Sample

Survey Administration (cont.)

The survey will be administered in the following way:

• Sweeney Research will generate an ID LINK database. The database will contain unique identifiers (one per respondent). Survey respondents will require an ID LINK to access the survey site.

• CLEDS will forward the ID LINK database to Victoria Police.

• Victoria Police will merge their employee database with the ID LINK database so that each sworn officer is allocated a unique ID LINK _

• Victoria Police will email the invitation incorporating the ID LINK to each employee.

• When sworn officers access the link they will be directed to the survey which is held on a dedicated Sweeney Research server.

• Respondents do not include their name or any other personal ID when completing the online survey.

At the conclusion of each wave of data collection, Sweeney Research will provide a clean dataset to CLEDS. CLEDS, or a consultant acting for CLEDS, will analyse and report on survey results, as well as significant changes over time (in 2012 and 2013) where trends are available.

Confidentiality

All information gathered during the study will remain confidential. Datasets used for analysis will not contain any identifiable information. Respondents will not provide their name, nor details that may enable the researchers to identify them through other means. Further, analyses will be conducted on an aggregate level and no attempt will be made to analyse changes over time at the individual or participant level.

Communication of Results

At the conclusion of each wave of data collection, CLEDS will analyse and report on the survey results to Victoria Police. Reports will be made available to all members of Victoria Police.

Approvals

Project and questionnaire approvals were obtained from Victoria Police Human Research Ethics Committee (VPHREC).

Police Checks

All project team members, and in the case of SBA and Sweeney Research, employees participating in the project execution, were required to have current Police Checks.

17

Method & Sample

2 Qualitative Pilot StudyThe Pilot Study was conducted in July 2011. A total of seven sworn Members participated including a cross-section of rank and responsibilities.

The Pilot Study consisted of two parts:

• Individual completion of the on-line survey, on provided PC’s

• Group discussion of the study, the questionnaire and any issues concerning participation, completion or question ambiguities.

The draft questionnaire had been programmed for on-line use, so that participants completed the survey individually on-screen under normal on-line survey conditions.

The key actions from the Pilot Study were that:

• Due to the voluntary nature of the survey, significant strategies be in place to promote survey participation

• The questionnaire length be reduced considerably (pilot questionnaire averaged 15–20 minutes to complete, compared to a target of 10 minutes)

• Measures of attitudes and behaviour be based on observations of what “other” members do, rather than individual’s own behaviour, due to privacy concerns (despite confidentiality assurances).

Following extensive revisions the updated questionnaire was submitted to the Research Committee for final approval.

18

Method & Sample

3 On-line Survey of Sworn Members Survey Publicity Plan

In conjunction with the Police Association and the Victoria Police Internal Communications Unit, the Publicity Plan was designed to create awareness of the survey before launch and with subsequent reminders before the survey close.

The publicity schedule was as follows:

Week Commenced

Feb 13th Feb 20th Feb 27th Mar 5th Mar 12th Mar 19th Mar 26th

SurveyMar 12th/13th

Survey Launch

Mar 26th Survey Closes

Police Association In Brief

Copy Deadline March Issue

Police Gazette Mar 12th Issue

Emails to Members

Mar 12th/13th Survey Launch

Emails to Officer in Charge (for Daily Muster)

Mar 12th/13th Survey Launch

Mar 19th Reminder

Email

Mar 26th Last day

Bulletin Board Mar 12th/18th Mar 19th/22th Mar 23th/26th

Corporate News Mar 14th

Survey Timing

Personal emails were sent to all sworn members on March 14th, with a survey close of midnight Monday March 26th.

These dates were chosen in order to avoid:

• Labour Day Long Weekend (March 12th)

• Easter holiday break (commencing April 6th)

19

Method & Sample

Survey Sample

The survey achieved a final sample of 2,589 sworn members. This represents a response rate of 20.6% based on the current headcount of 12,557 (Workforce at a Glance, December 2011).

The sample profile compares to the Workforce Profile as follows:

Workforce Profile (n = 12,557)

%

Total (n = 2,589)

%

S1 Gender

Male 75.2 78

Female 24.8 22

S2 Age

25 or under NA 5

26 to 30 NA 10

31 to 35 NA 12

36 to 40 NA 16

41 to 45 NA 22

46 to 50 NA 17

51 to 55 NA 13

56 or over NA 6

S3 Rank

Constable to Leading Senior Constable 75.4 66

Sergeant to Senior Sergeant 21.6 30

Other 3.0 4

The achieved sample is therefore slightly overweighted in terms of representation of:

• Males

• Sergeant to Senior Sergeant rank.

Based on the level of these statistical skews, it was felt that the data is sufficiently representative not to require any further weighting.

Depending upon the sample profiles of subsequent waves of research, this issue may need to be addressed to harmonise data between waves.

20

Method & Sample

Survey Hosting and Data Processing

Sweeney Research

• Programmed the questionnaire for online use

• Hosted the survey

• Carried out data processing and prepared the tabular output to specifications provided by SBA.

Survey Report

The Summary report of findings has been prepared by Sandra Beanham, Principal Consultant of SBA.

21

Section 2

Detailed Findings

22

23

Detailed Findings

Part 1 Sources of Guidance on the Management of Law Enforcement Data

For the majority of police officers, Common Sense mostly guides decisions about law enforcement information management (52%) followed by reference to Victoria Police Standards (36%).

Graph 1 Sources of Guidance on Information Management

0

10

20

30

40

50

60

CommonSense

CLEDSStandards

Managers Peers Other

52

36

6

24

% m

entio

ns m

ostly

gui

des

There were few mentions of Victoria Police’s own policy in relation to information management held in the VPM (Victoria Policy Manual).

Even when combining both Mostly and Other sources of guidance, Common Sense is still the key driver.

Table 1 Sources of Guidance on Information Management

Mostly Guides (n = 2,589)

%

Other (n = 2,589)

%

Total (n = 2,589)

%

Common Sense 52 34 87

Standards for Victoria Police Law Enforcement Data Security 36 38 74

Information provided by managers 6 38 44

Information provided by peers 2 19 21

Other 4 6 6

Not established – <1 <1

Q1a As a police officer, you routinely handle law enforcement information. Different types of information present different levels of risk if the security of the information is compromised. What mostly guides your decisions regarding how best to use, store and dispose of law enforcement information?

Q1b Please indicate what else guides your decisions regarding how best to use, store and dispose of law enforcement information.

24

Detailed Findings

Interestingly age, rank, years of experience and type of experience impact the relative emphasis on Common Sense. Specifically, the younger and less experienced police officer is more likely to use Common Sense rather than reference to Standards. There was very little difference by gender.

Graph 2 Influence of Age on Use of Common Sense as Main Guide to Information Management

Common Sense Standards Manager Peer

25 or Under 26 – 40 41 – 55

Age in years

56 and Over

58

61

27

8

2

48

42

5

1 1

34

58

17139

0

10

20

30

40

50

60

70

% m

entio

ns

Similar findings are observed when considering Experience variables such as Rank and Service Years.

Graph 3 Influence of Rank on Use of Common Sense as Main Guide to Information Management

Common Sense Standards Manager Peer

Constable/Senior Constable/ Leading Constable

Sergeant/Senior Sergeant Other

57

31

7 5

32 1

44

55

45

32

0

10

20

30

40

50

60

0

% m

entio

ns

25

Detailed Findings

Table 2 Main Sources of Guidance on Information Management – by Years of Service and Work Area

Years of Service Work Area

Less than 5 (n = 472)

%

5 – 20 years (n = 1006)

%

21 years or more

(n = 1111) %

Specialist e.g. Crime,

Intelligence, etc

(n = 494) %

Other (n = 2095)

%

Common Sense 58 57 45 42 53

Standards for Victoria Police Law Enforcement Data Security 24 32 45 46 35

Information provided by managers 11 7 4 8 6

Information provided by peers 6 1 1 2 2

Other 2 1 4 2 4

TOTAL 100 100 100 100 100

Q1a As a police officer, you routinely handle law enforcement information. Different types of information present different levels of risk if the security of the information is compromised. What mostly guides your decisions regarding how best to use, store and dispose of law enforcement information?

Q1b Please indicate what else guides your decisions regarding how best to use, store and dispose of law enforcement information.

DISCUSSION

The nature of the survey does not identify whether the emphasis on Standards with increased experience as a police officer is due to:

• Actual use of these Standards

OR

• A response to the survey on what ‘should’ be the correct source of guidance.

Follow up investigation may be undertaken with stakeholders to validate this finding.

26

Detailed Findings

Part 2 Incidence and Frequency of Typical Breaches of Law Enforcement Data Security

The most frequently reported breaches (once per week or more often) are:

• Data left unattended on desks (30%)

• Data left unattended on computer screens (21%).

The least likely breaches to occur are breaches of physical security such as leaving doors to secure areas unlocked, or leaving cabinets unlocked.

Table 3 Incidence and Frequency of Typical Breaches of Information Security

A

Leave law enforcement

data unattended on desks

B Leave law

enforcement data

unattended on computer

screens

C

Not remove law

enforcement data from

whiteboards

D

Fail to lock cabinets

containing classified

information

E

Fail to lock doors to

secure areas

Very often (at least once a week) 30 21 14 14 8

Often (about once every 2 – 4 weeks) 18 14 11 8 6

Occasionally (about once every 2 – 6 months)

18 17 16 10 11

Rarely (about once every 7 – 12 months) 12 15 16 13 14

SUB TOTAL Observed in last 12 months

77* 67* 57 44* 46*

Very rarely (less than once every 12 months) 15 20 20 22 28

Have never seen this occur 8 13 23 34 32

Mean times per year 19.67 14.06 10.16 9.27 6.28

* Rounding

Q2a In your opinion, how often do Sworn Police Officers in your work unit… (A, B, C, D, E – above)?

It is however significant that all breaches listed in the survey were reported as occurring at some stage – but with lower incidence and frequency for the least likely breaches.

27

Detailed Findings

Graph 4 Average Frequency of Typical Breaches of Information Security

0

5

10

15

20

14.06

10.169.27

6.28

19.67

Ave

rage

Frq

uenc

y (m

ean

times

per

yea

r)

Data UnattendedOn Desks

Rarely/Never 23% 33% 43% 56% 60%

Data UnattendedOn Computer

Screens

Data Left OnWhite Boards

Leave CabinetsUnlocked

Leave DoorsUnlocked

There are substantial differences reported depending upon Work Area. Specialist areas such as Intelligence report both lower incidence and frequency of breaches. Crime, Other (representing all other non-specialist Work Areas) and to a lesser extent Ethical Standards, have similar higher breach levels (see below).

28

Detailed Findings

Table 4 Incidence and Average Frequency of Information Security Breaches by Work Area

Data on desks

Data on screens

Data on Whiteboards

Unlocked cabinets

Unlocked doors

Crime

Incidence* 85% 68% 63% 43% 39%

Average Frequency^ 19.51 14.51 12.65 9.04 5.95

Intelligence

Incidence* 35% 32% 25% 20% 16%


Ethical Standards

Incidence* 62% 62% 40% 39% 14%


Forensic

Incidence* 49% 44% 26% 17% 14%


State Emergency

Incidence* 51% 37% 25% 23% 21%


Other

Incidence* 79% 69% 59% 46% 43%


* At least once per year ^ Mean times per year

Discussion

Reported incidence and frequency of typical breaches of law enforcement data security suggest a general lack of awareness and/or commitment to rigorous security procedures.

Crime and Other (the largest segment of police officers) represent the Work Areas with the highest incidence and frequency and therefore the Work Areas which represent priority targets for improvement. Specific strategies might include a mandatory ‘clean desk’/‘clean screen’/‘clean whiteboard’ policy, in line with defined Standards.

Such a policy would need to be accompanied by appropriate office systems in order for officers to realistically achieve such an objective.

29

Detailed Findings

Part 3 Use of Personal Technology

3.1 Technology Use

Mobile Phones (regular or ‘smart’ phones) and computers (either laptops or desktops) are now standard technology in the armoury of a police force.

Graph 5 Technology Used Regularly, 1+ times a week

90

4946

0

20

40

60

80

100

% u

sing

tech

nolo

gy

Mobile Phone(any)

Smart Phone(any)

Memory Stick/USB

Computer(any)

Digital Camera

97

71

30

Detailed Findings

3.2 Personally Owned versus Victoria Police Provided Equipment

In an average week, three (3) in four (4) sworn members (76%) will use at least one personally owned device while carrying out their duties as a police officer. The most frequently mentioned items are mobile phones (no internet access) – 50% and ‘smart’ mobile phones – 45%.

Table 5 Technology Used – Personal versus Victoria Police Provided

Use Regularly, 1+ times a week

(n = 2,589) %

Do not use Regularly (n = 2,589)

%

Don’t Know (n = 2,589)

%

A Victoria Police provided mobile phone (no internet access) 58 39 2

My own mobile phone (no internet access) 50 46 4

A Victoria Police provided ‘smart’ mobile phone (with internet access, e.g. iPhone, Blackberry) 5 80 15

My own ‘smart’ mobile phone (with internet access, e.g. iPhone, Blackberry) 45 47 8

A Victoria Police provided portable data storage device/flash drive/memory stick/USB 22 69 9

My own portable data storage device/flash drive/memory stick/USB 30 64 6

A Victoria Police provided laptop computer 22 69 8

My own laptop computer 11 78 11

A Victoria Police provided desk top computer 92 7 1

My own desk top computer 11 78 10

A Victoria Police provided digital camera 61 36 3

My own digital camera 26 65 8

Net: Use any Victoria Police provided equipment 99 – –

Net: Use any personal equipment 76 – –

Q4a Technology plays an increasing role in policing. Which of these devices do you use regularly (at least once per week or more often) in your role as a Police Officer?

Not surprisingly younger members of the force (under 40 years) both males and females tended to have higher propensity to use their own technology than other members.

31

Detailed Findings

Graph 6 Incidence of Personal Technology Usage by Age/Gender

0

20

40

60

80

100

% u

sing

per

sona

lly o

wne

d te

chno

logy

in ro

le a

s po

lice

offic

er

25 or Under 26–40 41–55 56 and Over

87

80

87

65 63

88

71

50

Males Females

Age in years

Lower ranked members also tended to have a higher propensity to use their own technology – and this is correlated with the younger age skew.

Graph 7 Incidence of Personal Technology Usage by Rank

Constable/Senior Constable/Leading Constable

Sergeant/Senior Sergeant

Other

81

71

46

0

20

40

60

80

100

% u

sing

per

sona

lly o

wne

d te

chno

logy

in ro

le a

s po

lice

offic

er

32

Detailed Findings

3.3 Main Reasons for Using Personal Technology

3.3.1 Overview

Irrespective the type of device the main reason for using a personally owned device was that Victoria Police equipment was either unavailable, not provided or not enough provided. (full details in Appendix)

Table 6 Main Reason Used Personally Owned Technology

Main Reason Used

Device

Mobile Phone

(n = 1297) %

Smart Phone

(n = 1170) %

USB (n = 767)

%

Laptop Computer (n = 283)

%

Desktop Computer (n = 295)

%

Digital Camera (n = 684)

%

Unavailable, not provided, not enough provided 60 56 76 46 34 55

Familiar with own device 17 18 12 13 9 19

Victoria Police equipment outdated/not working/unreliable

14 17 7 19 15 17

Personal Use (while on duty) 3 1 <1 3 13 2

Complete work at home/out of hours 2 <1 – 6 20 <1

Not a ‘smart’ device/ lacks features 1 6 – 1 – –

Convenience 1 1 1 1 3 1

Not sure <1 <1 1 1 – 1

Other 1 1 3 5 3 3

33

Detailed Findings

3.3.2 Mobile Phone

Apart from lack of availability, Victoria Police provided mobile phones were rejected for being outdated and/or unreliable or not working. As with ‘smart phones’ there was also a preference to working with a familiar device.

Graph 8 Main Reason for Using Personal Technology – Mobile Phone

Unavailable/Not Provided/Not Enough Provided

Familiar With Own Device

Personal Use

Convenience

Not Secure

Other

None

Outdated/Not Working/Unreliable

Complete Work At Home/Out Of Hours

Not A Smart Device/Lacks Features

60

17

14

3

2

1

1

<1

1

0

3

4

1

1

1

1

22

29

46

3

73%

36%

32%

3%

3%

4%

1%

1%

5%

NetMain Reason (n=1297) Other Reason (n=1297)

% mentioned

0 10 20 30 40 50 60

Q4b. Please indicate why you use a personally owned (DEVICE).

34

Detailed Findings

3.3.3 Smart Phone

After availability, the next most important reason for using a personal ‘smart’ mobile phone, was being familiar with the features of their own device.

Graph 9 Main Reason for Using Personal Technology – Smart Phone



Personal Use

Convenience

Not Secure

% mentioned

Other

None




0 10 20 30 40 50 60

56

18

17

6

2

1

1

<1

<1

<1

1

1

6

4

1

1

4

17

29

50

Main Reason (n=1170) Other Reason (n=1170)

73%

37%

29%

9%

2%

2%

1%

<1%

6%

Net


35

Detailed Findings

3.3.4 USB

Despite the fact that nearly one (1) in two (2) police officers regularly use a USB/Memory Stick at least once a week (46%), nearly two thirds use a personally owned USB. The main reason – mentioned by a net 84% of those using a personally owned USB – is unavailability of a Victoria Police device. This is the highest number of mentions for any device.

Graph 10 Main Reason for Using Personal Technology – USB



Personal Use

Convenience

Not Secure

Other

None


76

12

1

1

1

1

7

<1

3

0

8

5

3

9

25

54

Main Reason (n=767) Other Reason (n=767)Net

0 10 20 30 40 50 60 70 80

% mentioned

84%

30%

14%

2%

4%

1%

10%


36

Detailed Findings

3.3.5 Laptop Computer

Reasons for using personally owned laptop computers are similar to other devices – unavailability (60%), familiarity with own laptop (33%), outdated/unreliable Victoria Police equipment (30%). There was also some mention of out-of-hours work requirement (8%).

Graph 11 Main Reason for Using Personal Technology – Laptop Computer

% mentioned

None

46

13

19

6

2

1

1

1

3

<1

5

1

11

3

1

2

3

18

25

40


0 10 20 30 40 50



Convenience

Not Secure

Personal Use

Other




60%

33%

30%

8%

3%

2%

4%

1%

14%

Net


37

Detailed Findings

3.3.6 Desktop Computer

Unlike laptop computers, there was significantly higher mention of completing work out of hours – mentioned by 24% of those using their own desktop computer.

Graph 12 Main Reason for Using Personal Technology – Desktop Computer

% mentioned

34

20

15

17

9

13

0

3

2

3

1

4

15

0

5

20

7

29


0 5 10 15 20 25 30 35

None


Personal Use


Not Secure

Convenience

Other



47%

24%

28%

15%

22%

3%

2%

6%

Net


38

Detailed Findings

3.3.7 Digital Camera

Apart from availability, preference for using one’s own digital camera was strongly driven by being familiar with the device. This was mentioned by 46% of personal digital camera users – and was the highest mention than for any other device.

Graph 13 Main Reason for Using Personal Technology – Digital Camera



Personal Use

Convenience

Not Secure

Other

None




55

19

17

2

1

1

<1

0

3

0

3

4

<1

2

0

0

22

37

38

0


% mentioned

0 10 20 30 40 50 60

68%

46%

34%

2%

1%

2%

<1%

<1%

6%

Net


39

Detailed Findings

Discussion

As hypothesised, the use of personally owned technology is widespread among the police force – particularly among those under 40. Three (3) in Four (4) police officers regularly use at least one personally owned electronic device at least once per week.

The main reasons for using personally owned equipment point to systemic problems with Victoria Police provided items. Specifically:

• The devices are either unreliable/not provided/not enough provided

AND/OR

• Devices outdated/not working/unreliable.

These findings indicate that any policy which makes the use of Victoria Police equipment the only approved equipment for use by police officers, is unlikely to be successful without major improvements in the quantity and quality of provided devices.

The other major issue is that many officers are more comfortable with the familiarity of the features on their personally owned device – whether it is a smart phone, a laptop computer or a digital camera. In a workplace where efficiency and a reliable/predictable outcome is a priority, it is understandable that a familiar device would be preferred.

However, in order for there to be an acceptable level of information security, a common digital platform across each type of device with appropriate security and encryption protocols becomes an important consideration.

If the use of Victoria Police equipment were to become mandatory, this would require intensive training with the launch of any new equipment and regular ‘refresher’ programs to ensure that skills are retained and reinforced.

40

Detailed Findings

Part 4 Beliefs and Attitudes with Respect to Law Enforcement Data Security

4.1 Introduction

Scenarios were used in the questionnaire as a projective technique. This allowed respondents to provide their views and perceptions of various actions involving law enforcement data without having to identify any of their own actions.

The specific scenarios were chosen to evaluate the following:

• Using personally owned equipment to capture law enforcement data

• Using personally owned equipment to store law enforcement data

• Operating out of unsecured offices

• Leaving doors to an unsecured area unlocked, as an example of a secure area left unprotected

• Unintentionally disclosing sensitive information

• Using personal equipment for police work off-site

• Electronically transferring police files to/from unprotected sites

• Losing/misplacing law enforcement data

• Disclosing unauthorised information

• Recording an interview on a personal mobile phone

• Keeping a copy of an interview for personal records.

In each case, respondents were asked to assess:

• Likelihood of the event happening

• The potential seriousness of the action(s) on information security

• Frequency of the event occurring.

The analysis looks at the scenarios in a consolidated matrix in order to determine general perceptions of law enforcement data issues, as well as a specific analysis of each scenario.

41

Detailed Findings

4.2 Risk Analysis

4.2.1 Likelihood of Typical Breaches and Perceived Seriousness

There would appear to be a general acceptance that there are at least regular (and acceptable) occurrences of information security breaches and in most cases the perceived seriousness is low. These include:

• Personal holdings of data

• Using personal devices.

(Refer Graph 14 on next page for risk analysis)

Table 7 Likelihood of Typical Breaches and Perceived Seriousness

Likelihood of occurring*

Perceived Seriousness^

Take photos of a crime scene with a personal smart phone 1.77 1.42

Store crime scene photos on a personal smart phone 1.94 1.64

Task force located on unsecured floor 1.86 1.67

Leaving a door unlocked to a secure area 1.76 1.73

Giving information over the phone in a public area 2.09 1.43

Working at home on a personal computer 2.08 1.33

Email information from work email address to home address 2.14 1.44

Law enforcement information held on (personal) memory stick 2.47 0.98

Losing a memory stick holding law enforcement data 1.95 1.29

Releasing unauthorised information 2.04 1.40

Recording interviews on a personal mobile phone 1.77 0.98

Keeping a personal record of law enforcement data to corroborate any future investigation 2.42 0.95

* Likelihood is a weighted mean based on a 4 point scale where 4 = Very High Likelihood, through to 1 = Very Low Likelihood.

^ Perceived Seriousness based on a weighted mean where 2 = Very Serious, 1 = Serious, 0 = Not Serious.

42

Detailed Findings

Graph 14 Likelihood of Typical Breaches and Perceived Seriousness

VerySerious – 2

NotSerious – 0

Serious – 1

1Very Low

Take photos on (personal) smart phonesCrime data on personal phoneSecure area not providedSecure area unprotectedUnintentional disclosureWork at home on own PC

Transferring electronic filesHolding data on personal deviceLosing dataRelease unauthorised dataCapturing data on personal devicePersonal holdings of data

2Low

3High

4Very High

General acceptance of regular occurance and low seriousness of holding data on personal devices and keeping personal records of data

Info

rmat

ion

man

agem

ent s

ecur

ity–

perc

eive

d se

rious

ness

Likelihood of typical breaches

These are seen as the most serious security risks

43

Detailed Findings

4.2.2 Perceived Seriousness and Observed Frequency

In an ideal world, all potential breaches of data security would be rated 2 (on a seriousness scale of 0 – 2 where 2 in Very Serious) and observed frequency would be close to 0.

In analysing these two criteria, police officers have effectively generated three segments of breaches:

• Segment 1: High Seriousness, High Frequency Such as leaving secure areas unprotected.

• Segment 2: Low Seriousness, High Frequency Such as personal holdings of law enforcement data.

• Segment 3: Serious, Low Frequency Includes a range of data management and disclosure issues.

Segments 1 and 2 (High Frequency) represent targets for cultural change.

Table 8 Perceived Seriousness and Observed Frequency

Perceived Seriousness

to information management

security*

Average observed frequency

in past year

Storing law enforcement data on personally owned electronic devices 1.64 3.21

A secure area being left unprotected 1.73 8.04

Unintentionally disclosing sensitive law enforcement information in the presence of external parties 1.43 3.26

Transferring electronic files to/from potentially unprotected environments 1.44 4.54

Losing/misplacing law enforcement data 1.29 2.56

Disclosing, inadvertently, unauthorised information 1.40 1.50

Keeping a personal record of law enforcement data to corroborate any future investigation 0.95 7.38

* Perceived Seriousness based on a weighted mean where 2 = Very Serious, 1 = Serious, 0 = Not Serious

44

Detailed Findings

Graph 15 Perceived Seriousness and Observed Frequency

VerySerious – 2

NotSerious – 0

Serious – 1

10

Crime data on personal phoneSecure area unprotectedUnintentional disclosureTransferring electronic filesLosing dataRelease unauthorised dataPersonal holdings of data

2 3 4 5 6 7 8 9

Info

rmat

ion

man

agem

ent s

ecur

ity–

perc

eive

d se

rious

ness

Average observed frequency in past year (times)

SeriousLow Frequency

Low SeriousnessHigh Frequency

High SeriousnessHigh Frequency

45

Detailed Findings

4.3 Scenario 1: Holding Law Enforcement Data on Personally Owned Devices – Sergeant K’s Murder Scene PhotosPart 1 Take Photos of a Crime Scene with a Personal Smart Phone

Table 9a Scenario 1: Part 1 – Likelihood of Occurrence

Likelihood – Q5aTotal

(n = 2,589) %

Very High (4) 6

High (3) 17

Low (2) 19

Very Low (1) 50

Don’t Know 8

Mean 1.77

Table 9b Scenario 1: Part 1 – Seriousness of Occurrence

Seriousness of Action – Q5b

Total (n = 2,589)

%

Very Serious (2) 51

Serious (1) 36

Not Serious (0) 10

Don’t Know 3

Mean 1.42

Part 2 Storing Crime Scene Photos on Personal Smart Phone

Table 9c Scenario 1: Part 2 – Likelihood of Occurrence

Likelihood – Q5cTotal

(n = 2,589) %

Very High (4) 7

High (3) 21

Low (2) 19

Very Low (1) 40

Don’t Know 13

Mean 1.94

Table 9d Scenario 1: Part 2 – Seriousness of Occurrence

Seriousness of Action – Q5d

Total (n = 2,589)

%

Very Serious (2) 66

Serious (1) 29

Not Serious (0) 3

Don’t Know 2

Mean 1.38

Q What is the likelihood of the scenario occurring within Victoria Police?

Q And how would you rate the seriousness of these actions to information management security?

46

Detailed Findings

Part 3 Observed Frequency (Q6)

Table 9e Scenario 1: Part 3 – Observed Frequency

Observed – Q6Total

(n = 2,589)%

Not at all 43

Once 4

Two or Three Times 21

Four or Five Times 9

Six to Ten Times 5

Over Ten Times 19

Mean 3.21

Q6 Thinking now about secure data storage, how many times in the last year have you heard about other police officers in your unit or division storing law enforcement data on personally-owned electronic devices? (One response only)

47

Detailed Findings

4.4 Scenario 2: Temporarily Located in Office on Unsecured Floor. Taskforce Linebacker Leaves The Door Unlocked.

Part 1 Task Force on Unsecured Floor



(n = 2,589) %

Very High (4) 6

High (3) 12

Low (2) 19

Very Low (1) 34

Don’t Know 29

Mean 1.86



Total (n = 2,589)

%

Very Serious (2) 66

Serious (1) 25

Not Serious (0) 3

Don’t Know 6

Mean 1.67

Part 2 Leaving a Door Unlocked to a Secure Area



(n = 2,589) %

Very High (4) 5

High (3) 12

Low (2) 21

Very Low (1) 40

Don’t Know 22

Mean 1.76



Total (n = 2,589)

%

Very Serious (2) 72

Serious (1) 22

Not Serious (0) 2

Don’t Know 4

Mean 1.73



48

Detailed Findings




(n = 2,589) %

Never 24

Less Often (than once a year) 35

Once every twelve months 7

Once every six months 6

Once every three months 6

About once a month 9

At least once a week 12

Mean 8.04

Q8 Thinking now about security procedures for secure areas, how often do you notice that a secure area has been left unprotected? (One response only)

49

Detailed Findings

4.5 Scenario 3: Inspector M Gives an Informant's Address Over the Phone in a Public Area While Investigating an Outlaw Motorcycle Gang.Part 1 Giving Information Over the Phone in a Public Area



(n = 2,589) %

Very High (4) 7

High (3) 20

Low (2) 22

Very Low (1) 28

Don’t Know 22

Mean 2.09



Total (n = 2,589)

%

Very Serious (2) 53

Serious (1) 28

Not Serious (0) 12

Don’t Know 6

Mean 1.43



Part 3* Observed Frequency (Q10)

*No Part 2 in this scenario


(n = 2,589) %

Never 31







Mean 3.26

Q10 Thinking now about the unintentional disclosure of sensitive information, how often do you hear that other police officers in your unit or division have unintentionally disclosed sensitive law enforcement information in the presence of parties external to Victoria Police? (One response only)

50

Detailed Findings

4.6 Scenario 4: Transferring Electronic Files to/from Potentially Unprotected Environments. Constable P Works on Her Personally Owned Computer at Home.

Part 1 Working at Home on a Personal Computer



(n = 2,589) %

Very High (4) 7

High (3) 21

Low (2) 26

Very Low (1) 29

Don’t Know 16

Mean 2.08



Total (n = 2,589)

%

Very Serious (2) 42

Serious (1) 42

Not Serious (0) 11

Don’t Know 5

Mean 1.33

Part 2 Emailing Information from Work Address to Home Address



(n = 2,589) %

Very High (4) 9

High (3) 23

Low (2) 26

Very Low (1) 28

Don’t Know 14

Mean 2.14



Total (n = 2,589)

%

Very Serious (2) 51

Serious (1) 38

Not Serious (0) 7

Don’t Know 3

Mean 1.44



51

Detailed Findings




(n = 2,589) %

Never 35







Mean 4.54

Q12 How frequently do you hear about other police officers in your unit or division transferring electronic files to or from potentially unprotected environments? (One response only)

52

Detailed Findings

4.7 Scenario 5: Losing/Misplacing Law Enforcement Data. Supt R’s Memory Stick Goes Missing.

Part 1 Memory Stick Holds Law Enforcement Information



(n = 2,589) %

Very High (4) 9

High (3) 24

Low (2) 14

Very Low (1) 13

Don’t Know 40

Mean 2.47



Total (n = 2,589)

%

Very Serious (2) 25

Serious (1) 39

Not Serious (0) 27

Don’t Know 9

Mean 0.98

Part 2 Losing a Memory Stick Holding Law Enforcement Data



(n = 2,589) %

Very High (4) 4

High (3) 15

Low (2) 28

Very Low (1) 26

Don’t Know 27

Mean 1.95



Total (n = 2,589)

%

Very Serious (2) 41

Serious (1) 42

Not Serious (0) 13

Don’t Know 4

Mean 1.29



53

Detailed Findings




(n = 2,589) %

Never 30







Mean 2.56

Q14 Thinking now about misplacing data, how frequently do you hear that other police officers in your unit or division have lost or temporarily misplaced law enforcement data? (One response only)

54

Detailed Findings

4.8 Scenario 6: Disclosing Unauthorised Information. Constable T Talks to the Media.

Part 1 Releasing Unauthorised Information



(n = 2,589) %

Very High (4) 3

High (3) 23

Low (2) 37

Very Low (1) 25

Don’t Know 12

Mean 2.04



Total (n = 2,589)

%

Very Serious (2) 43

Serious (1) 50

Not Serious (0) 3

Don’t Know 3

Mean 1.40



Part 3* Observed Frequency (Q16)

*No Part 2 in this scenario

Table 14c Scenario 6: Part 3 – Observed Frequency


(n = 2,589) %

Never 32







Mean 1.5

Q16 Thinking now about disclosing unauthorised information, how frequently have you heard that other police officers in your unit or division have inadvertently released law enforcement data in the past? (One response only)

55

Detailed Findings

4.9 Scenario 7: Holding Law Enforcement Data for Personal Records. Constable F is Involved in a Police Pursuit.

Part 1 Recording Interviews with an Offender on a Mobile Phone



(n = 2,589) %

Very High (4) 4

High (3) 16

Low (2) 22

Very Low (1) 44

Don’t Know 14

Mean 1.77



Total (n = 2,589)

%

Very Serious (2) 25

Serious (1) 42

Not Serious (0) 28

Don’t Know 6

Mean 0.98

Part 2 Keeping a Personal Record of Law Enforcement Data to Corroborate Any Future Investigation



(n = 2,589) %

Very High (4) 11

High (3) 34

Low (2) 19

Very Low (1) 21

Don’t Know 15

Mean 2.42



Total (n = 2,589)

%

Very Serious (2) 24

Serious (1) 40

Not Serious (0) 29

Don’t Know 7

Mean 0.95



56

Detailed Findings


Table 15c Scenario 7: Part 3 – Observed Frequency


(n = 2,589) %

Never 28







Mean 7.38

Q18 Thinking now about holding law enforcement data for personal interest, how frequently have you heard that other police officers in your unit or division have held information to corroborate their accounts of policing interactions? (One response only)

57

Detailed Findings

Part 5 Awareness and Role of CLEDS

5.1 Current Status

Only 1 in 10 police officers feel confident that they know a lot about CLEDS and its functions/role. Of concern, are the 44% of police officers who have either not heard of CLEDS or don’t know what CLEDS does. (see below)

Table 16 Claimed Awareness of CLEDS and Its Role

TOTAL (n = 2,589)

%

I have never seen or heard of CLEDS before today 22

I’ve seen or heard the name before but don’t really know what they do 22

I know broadly about CLEDS and that they are trying to improve the standard of law enforcement data security at Victoria Police 47

I know a lot about CLEDS and specific standards or protocols for the security and integrity of law enforcement data 10

TOTAL AWARE 78

TOTAL AWARE & KNOW WHAT THEY DO 57

TOTAL 100

Q19 This survey is being conducted on behalf of the Commissioner for Law Enforcement Data Security – CLEDS, for short. Which of these statements best describes your familiarity with CLEDS? (One response only)

The following demographic and other segments over index in their claimed knowledge of CLEDS:

Table 17 Know a Lot About CLEDS

Know a lot about CLEDS %

Police officers over 40 14

Male officers over 40 15

Higher ranked officers – Sergeant – Above Sergeant

19 39

In specialist work areas (excluding Crime and Other) 31

Those who have had Information Security Training 12

58

Detailed Findings

5.2 Incidence of Information Security Training

Approximately three (3) in four (4) respondents claimed to have received Information Security training. This was similar across all demographics – though there was some evidence of higher rates among:

• Those with less than five (5) years service (83%)

• Those of higher ranks (85%)

• Those aware and knowledgeable about CLEDS (89%).

Table 18 Incidence of Ever Receiving Information Security Training

Total (n = 2,589)

%

Male (n = 2,019)

%

Female (n = 570)

%

Yes 77 77 77

No 15 16 13

Don’t Know 8 7 10

Total 100 100 100

Q3 In your role as a police officer, have you ever received training on information security?

59

Appendices

1. List of Tables2. List of Graphs3. On-line Questionnaire4. Additional Tables for Q.4

60

Appendices

61

Appendices

Appendix 1 List of TablesTable 1 Sources of Guidance on Information Management 23

Table 2 Main Sources of Guidance on Information Management – by Years of Service and Work Area 25

Table 3 Incidence and Frequency of Typical Breaches of Information Security 26

Table 4 Incidence and Average Frequency of Information Security Breaches by Work Area 28

Table 5 Technology Used – Personal versus Victoria Police Provided 30

Table 6 Main Reason Used Personally Owned Technology 32

Table 7 Likelihood of Typical Breaches and Perceived Seriousness 41

Table 8 Perceived Seriousness and Observed Frequency 43

Table 9a Scenario 1: Part 1 – Likelihood of Occurrence 45

Table 9b Scenario 1: Part 1 – Seriousness of Occurrence 45

Table 9c Scenario 1: Part 2 – Likelihood of Occurrence 45

Table 9d Scenario 1: Part 2 – Seriousness of Occurrence 45

Table 9e Scenario 1: Part 3 – Observed Frequency 46


















Table 14c Scenario 6: Part 3 – Observed Frequency 54

62

Appendices





Table 15c Scenario 7: Part 3 – Observed Frequency 56

Table 16 Claimed Awareness of CLEDS and Its Role 57

Table 17 Know a Lot About CLEDS 57

Table 18 Incidence of Ever Receiving Information Security Training 58

63

Appendices

Appendix 2 List of GraphsGraph 1 Sources of Guidance on Information Management 23

Graph 2 Influence of Age on Use of Common Sense as Main Guide to Information Management 24

Graph 3 Influence of Rank on Use of Common Sense as Main Guide to Information Management 24

Graph 4 Average Frequency of Typical Breaches of Information Security 27

Graph 5 Technology Used Regularly, 1+ times a week 29

Graph 6 Incidence of Personal Technology Usage by Age/Gender 31

Graph 7 Incidence of Personal Technology Usage by Rank 31

Graph 8 Main Reason for Using Personal Technology – Mobile Phone 33

Graph 9 Main Reason for Using Personal Technology – Smart Phone 34

Graph 10 Main Reason for Using Personal Technology – USB 35

Graph 11 Main Reason for Using Personal Technology – Laptop Computer 36

Graph 12 Main Reason for Using Personal Technology – Desktop Computer 37

Graph 13 Main Reason for Using Personal Technology – Digital Camera 38

Graph 14 Likelihood of Typical Breaches and Perceived Seriousness 42

Graph 15 Perceived Seriousness and Observed Frequency 44

64

Appendices

Appendix 3 Online Questionaire

65

Appendices

66

Appendices

67

Appendices

68

Appendices

69

Appendices

70

Appendices

71

Appendices

72

Appendices

73

Appendices

Appendix 4 Additional Tables for Q4 – Detailed Reasons for Using Own Device

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Mobile Phone 1297 1297 1297

1. Nett Unavailable/Not Provided/Not Enough Provided 60 46 73

I was unable to access the Victoria Police issued DEVICE when I needed to 51 15 66

Not provided by Victoria Police 6 2 8

Device not always available 1 1 2

Don't have access to use device/sargeant only/not for uniformed members 1 1 3

Office only have an allocated number of DEVICES/we have to share/not enough available to wear 1 2 3

2. Nett Familiar with Own Device 17 29 36

I am more familiar with the features and operation of my DEVICE 12 16 28

I like to avoid using more than one DEVICE 5 8 13

3. Nett Outdated/Not Working/Unreliable 14 22 32

Victoria Police issued DEVICE are out-dated 13 17 30

Device broken/batteries flat/card full/lack of coverage/quality/unreliable 1 1 2

Equipment too slow 0 * *

Victoria Police do not use DEVICE 0 * *

4. Nett Personal Use 3 1 3

Use my own for personal use 2 * 2

Use the work DEVICE for work related matters and my DEVICE for personal matters * * 1

Can't use work DEVICE for personal use * * *

5. Nett Complete Work at Home/Out of Hours 2 1 3

Complete work out of hours/home 2 1 3

6. Nett Not a Smart Device/Lacks Features 1 1 1

Police DEVICES don't have access to the internet/maps/have a camera 1 1 1

7. Nett Convenience 1 3 4

Convenience NFI 1 1 2

My DEVICE is reliable/with me all the time/has a camera 1 1 2

Forget to take the Victoria Police DEVICE * * *

8. Nett Not Secure * 1 1

I am not confident that the Victoria Police issued DEVICE is secure * 1 1

74

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Mobile Phone 1297 1297 1297

9. Nett Other 1 4 5

Other 1 3 4

Don't use DEVICE * * *

To save time as police calls need to be logged * * *

Use both * * *

10. Nett None 0 3 3

None 0 3 3

* <1%

75

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Smart Phone 1170 1170 1170



Victoria Police do not use DEVICE 12 5 17




Office only have an allocated number of DEVICES/we have to share/not enough available to wear * * 1

Not supplied due to cost/budget issues * 0 *






Device broken/batteries flat/card full/lack of coverage/quality/unreliable * 1 1

Equipment too slow 0 * *

4. Nett Not a Smart Device/Lacks Features 6 4 9

Police DEVICES don't have access to the internet/maps/have a camera 6 3 9


Use my own for personal use 1 1 1

Use the work DEVICE for work related matters and my DEVICE for personal matters * * *

Cant use work DEVICE for personal use * 0 *


Convenience NFI * 1 1

Forget to take the Victoria Police DEVICE * 0 *

My DEVICE is reliable/with me all the time/has a camera * 1 1

7. Nett Not Secure * 1 1

I am not confident that the Victoria Police issued DEVICE is secure * 1 1

8. Nett Complete Work at Home/Out of Hours * * *

Complete work out of hours/home * * *

76

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Smart Phone 1170 1170 1170

9. Nett Other 1 6 6

Other 1 4 5

Don't use DEVICE * 0 *

Use both * 0 *

Necessary for work * 1 1

Buy my own 0 1 1

10. Nett None 1 4 5

No other reason 0 0 0

None 1 4 5

* <1%

77

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – USB Device 767 767 767




Don't have access to use device/sargeant only/not for uniformed members * 2 2

Not supplied due to cost/budget issues * 1 1



2. Nett Familiar With Own Device 12 25 30







Convenience NFI * 1 1

Forget to take the Victoria Police DEVICE * 0 *

My DEVICE is reliable/with me all the time/has a camera * 1 1

5. Nett Not Secure 1 3 4

I am not confident that the Victoria Police issued DEVICE is secure 1 3 4

6. Nett Personal Use * 1 1

Use my own for personal use * 1 1

7. Nett Other 3 8 10

Buy my own 1 1 2

Necessary for work 1 1 2

Other 1 4 6

Instructed to get rid of data from hard drive * * 1

Use both 0 * *

8. Nett None 0 5 5

None 0 5 5

* <1%

78

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Laptop Computer 283 283 283







2. Nett Familiar With Own Device 13 25 33



Familiar with own device/easy to use * 0 *



Equipment too slow 1 1 2


Police DEVICES unreliable/unuseable/cameras poor quality 0 * *

4. Nett Complete Work at Home/Out of Hours 6 3 8


Use RSA to connect remotely 1 0 1


Convenience NFI 1 * 1

Internet research/Victoria Police access is restricted/slow * 1 2

My DEVICE is reliable/with me all the time/has a camera 0 * *

Have remote access token/do not need to transport DEVICE 0 * *




Use my own for personal use? 3 * 4

8. Nett Not a Smart Device/Lacks Features 1 * 1

DEVICES don't have the right programs to view footage 2 1 3

Police DEVICES don't have access to the internet/maps/have a camera 1 * 1

79

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Laptop Computer 283 283 283

9. Nett Other 5 11 14

Other 4 7 11

Don't use DEVICE 1 0 1

Buy my own 1 2 2

10. Nett None 1 3 5

None 1 3 5


* <1%

80

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Desktop Computer 295 295 295





2. Nett Complete Work At Home/Out Of Hours 20 7 24




Internet research/Victoria Police access is restricted/slow 3 0 3

DEVICES don't have the right programs to view footage 1 3 3

DEVICE compact to carry/does the job of two devices 1 0 1

Can control storage of images/files/call logs from own device/security * 0 *

Equipment too slow 0 1 1

Device broken/batteries flat/card full/lack of coverage/quality/unreliable 0 * *






Familiar with own device/easy to use 1 1 2


Have remote access token/do not need to transport DEVICE 4 1 5



8. Nett Other 3 4 6

Other 3 3 6

Use both 0 * *

9. Nett None 1 15 17

I do not own one/use one 1 0 1

None 1 15 17


* <1%

81

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Digital Camera 684 684 684




Don't have access to use device/sargeant only/not for uniformed members * 0 *

Office only have an allocated number of DEVICES/we have to share/not enough available to wear * * 1

Not provided by Victoria Police 0 * *




Familiar with own device/easy to use * * 1




Can control storage of images/files/call logs from own device/security 1 1 1

Police DEVICES unreliable/unuseable/cameras poor quality * 4 4

Police DEVICES don't have access to the internet/maps/have a camera 0 * *

4. Nett Personal Use 2 * 2


5. Nett Convenience 1 * 1

Easier to use own DEVICE/always in your pocket/better quality/reliable/camera 2 4 6

Convenience NFI 1 * 1

DEVICE compact to carry/does the job of two devices * 1 1

Less to sign out * 0 *

My DEVICE is reliable/with me all the time/has a camera 0 * *



7. Nett Complete Work at Home/Out of Hours * 0 *

Complete work out of hours/home * 0 *

8. Nett Not a Smart Device/Lacks Features 0 * *

9. Nett Other 3 4 6

Buy my own 2 * 2

Other 1 3 4

Don't use DEVICE 0 * *

82

Appendices

Main Reason

Other Reason

Total Reasons

Q4b/c. Summary – Digital Camera 684 684 684

10. Nett None 0 3 3

None 0 3 3


* <1%

83

This page is intentionally left blank.

84

This page is intentionally left blank.

Documents

Survey of Victoria Police Information Security … of Victoria Police Information Security Culture – Survey Results Commissioner for Law Enforcement Data Security November 2012 2