TSQM Overall Merged Data Analysis by Industry Analysis by Company Size July 10, 2006 Vicki Deng

TSQM

Overall Merged Data Analysis by Industry

Analysis by Company Size

July 10, 2006Vicki Deng

In-depth Analysis of Gaps

• Performance Gaps: – Current Status v. Importance

• Industry Gaps: – i.e. Healthcare v. Retail

• Company Size: – Small business v. Large Scale Enterprise

• Role Gaps: – i.e. Business Managers v. IT staff

• Inter-Enterprise Gaps: – i.e. Internal Line Manager v. Supplier

Topics & Findings

• Perceptions of Security

• Security Culture Gaps

• Why Accessibility Won’t Sell

Perceptions of Security

• Overall assessment of importance is always higher than that of a partner organization. – While it makes sense that the first priority is to make

your own organization secure within and from the outside world, it is absurd to think that security is less important for your partner organization

– It is natural to believe your own organization is better or more important, but it can create a false sense of security

• My & partner assessment is about the same. – The similar assessment seems reasonable since

responses may be biased towards security practices at their own organization.

Perceptions of Security 1 of 2

• Gaps in assessment and importance shows signs of security awareness in organizational members which is the first step towards better security – Largest gap is MI-MA followed by PI-PA

• This trend suggests that organizations may see themselves as “invincible” and thus become complacent under this illusion of safety

• The need to share certain information with business partners, suppliers, and customers over internet leaves the organization vulnerable to factors beyond their control

Perceptions of Security

Perceptions of Security 2 of 2

Security Culture Gap

• The greatest performance gap by and large is security culture.– Security culture has an average security

status assessment of 4.99 and a rated importance of 5.81

– With a gap of .82, the difference in perception is statistically significant with a 99% confidence level

– This is gap is mostly true for all types of organizations of all sizes

Security Culture Gaps 1 of 5

Security Culture (Survey QS)

• Security Practices– People in the organization are knowledgeable about

IT security tools and practices. [q08; gap=.82] – People in the organization carefully follow good

security practices. [q14; gap=1.08] Largest gap!– In the organization, people are aware of good security

practices. [q33; gap=.78] • Ethics and Trust

– People in the organization can be trusted not to tamper with data and networks. [q21; gap=.69]

– People in the organization can be trusted to engage in ethical practices with data and networks. [q26; gap=.74]


Why the Gap in Security Culture?

• Security culture may be the weakest link in the house of security since predictable and unpredictable humans factors come into play

• Few are aware of good security practices and even fewer actually follow through

• Trust and ethics factors as one of the most important aspects of security culture, but it cannot be regulated or written in a policy


Security Culture Gap

• The importance of security culture is rated 17% higher than assessment of current status – Even though this is the most crucial area to improve upon, it is

not possible without the financial & IT resources, effective security policy, and integration into business decisions

• Organizations need to assess their own security culture and determine what is holding back its members from following good security practices

• With new technology, comes new problems and a culture needs to be flexible enough to deal with change, and change when it is no longer working


Further Implications

• Large gaps in security culture could be due to a lack of:– awareness about current security practices– incentives to follow them– strong leadership– understanding about how a member’s actions fits into the larger

picture

• Gaps in security policies lags behind security culture– Policy compliance does not necessarily mean good security

culture

• Even if policies are tough, it still not enough without a proper security culture within the organization since policies tend to be reactive in nature – that is why organizations need to focus on security culture


Why Accessibility Won’t Sell

• Accessibility– Rated highest importance, but also highest

assessment of current status– Lowest MI-MA with a gap of .33, also lowest for PI-PA

with a gap of .25– MI-MA gaps of other constructs range from .50~.82

• This raises several questions– Is accessibility technology and methods already

matured or even saturated?– Does the importance of accessibility overshadow the

importance of vulnerability?

Accessibility 1 of 5

Accessibility (Survey QS)

• The organization checks the identity of users before allowing access to data and networks. [q04; gap=.26]

• The organization’s data and networks are only available to approved users. [q11; gap=.30]

• The organization provides access to data and networks to legitimate users. [q30; gap=.30]

• The organization’s data and networks are usually available when needed. [q34; gap=.44] Largest gap!


Why Accessibility Won’t Sell

• High assessment and importance in ‘accessibility’ and ‘confidentiality’ indicates that these aspects of security the perceived as one of the most crucial aspects, but only accessibility show a small gap

• The small gaps in accessibility overall, across industries, company size, etc. suggest that current technology already has the capabilities to address and meet those needs


Where is accessibility now?

• Is accessibility technology and methods already matured or even saturated?– Accessibility standards are emerging as e-commerce and other

internet transactions become commonplace– Despite good software technologies and capabilities, if people

using the software do not understand its capabilities and limits then it can’t successful

• “The organization’s data and networks are usually available when needed.” – This particular question had the largest gap within the

accessibility construct– Technology may be able to properly provide and regulate user

accessibility, but it can also hinder productivity


Accessibility v. Business Strategy

• Does the importance of accessibility overshadow the importance of vulnerability?– Sometimes more accessibility may indirectly lead to

more vulnerability, especially if “Security is a business agenda item (mostly) for top executives in the organization.” (MA=5.01 for this qs. 22)

– Business strategy & financial resources is rated as the least important, while accessibility is rated as most important

– However, it is often the case that security often loses to business needs so more emphasis should be placed on publicizing the organization's security strategy


Quick Stats on the Overall Data

• Top Gaps MA v. MI1. Security Culture (.82)

2. Financial Resources (.71)

3. Security Policy (.66)

4. Vulnerability (.66)

• Top Gaps PA v. PI1. Security Culture (.52)

2. Vulnerability (.49)

3. Financial Resources (.42)

4. Security Policy (.41)

• Highest Rated Assessment1. Accessibility (5.72)

2. Confidentiality (5.49)

3. Vulnerability (5.25)

• Highest Rated Importance1. Accessibility (6.05)

2. Confidentiality (5.99)

Merged Data 1 of 5

Average Construct Values(Merged Data)

4.0

4.5

5.0

5.5

6.0

6.5Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI

Merged Data 2 of 5

Construct Gaps Absolute Values(Merged Data)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture|MI-MA|

|PA-MA|

|PI-MI|

|PI-PA|

Merged Data 3 of 5

Average Construct Values

Constructs MA MI PA PIAccessibility 5.72449 6.05240 5.47930 5.72586Vulnerability 5.25011 5.91091 5.13422 5.63091

Confidentiality 5.48836 5.99034 5.36076 5.69117Financial Resources 4.77187 5.48372 4.87259 5.29891

IT Resources 5.22360 5.81909 5.15534 5.54188Business Strategy 4.96765 5.54223 5.02332 5.35836

Security Policy 5.03849 5.70043 5.05328 5.46604Security Culture 4.98728 5.81140 5.01713 5.53841

Construct Gaps: Absolute Values

Constructs |MI-MA| |PA-MA| |PI-MI| |PI-PA|Accessibility 0.32791 0.24519 0.32654 0.24656Vulnerability 0.66080 0.11590 0.28000 0.49669

Confidentiality 0.50197 0.12760 0.29917 0.33041Financial Resources 0.71185 0.10072 0.18481 0.42632

IT Resources 0.59549 0.06826 0.27721 0.38654Business Strategy 0.57458 0.05567 0.18387 0.33504

Security Policy 0.66194 0.01479 0.23439 0.41276Security Culture 0.82412 0.02985 0.27299 0.52128

Merged Data 4 of 5

Convergent and Discriminant Validity (Merged Data)

Reliability - Cronbach's Alpha ValuesMA MI

Accessibility 0.90758 0.93701Vulnerability 0.83714 0.91012Confidentiality 0.91808 0.94026FinancialResources 0.91878 0.92768ITResources 0.91023 0.93680BusinessStrategy 0.86877 0.89343SecurityPolicy 0.92184 0.93834SecurityCulture 0.92188 0.94296

Construct Validity - Convergent and Discriminant ValidityAccessibility Vulnerability Confidentiality FinancialResourcesITResources BusinessStrategySecurityPolicy SecurityCulture

Accessibility 0.96606 0.82730 0.86289 0.72385 0.81193 0.75817 0.75993 0.77299Vulnerability 0.82730 0.89537 0.85986 0.83791 0.88582 0.83439 0.85439 0.83308Confidentiality 0.86289 0.85986 0.97320 0.79234 0.86494 0.83070 0.85867 0.85271FinancialResources 0.72385 0.83791 0.79234 0.97366 0.88814 0.86196 0.86675 0.84406ITResources 0.81193 0.88582 0.86494 0.88814 0.96623 0.84474 0.87556 0.85137BusinessStrategy 0.75817 0.83439 0.83070 0.86196 0.84474 0.93056 0.88216 0.85515SecurityPolicy 0.75993 0.85439 0.85867 0.86675 0.87556 0.88216 0.97341 0.84505SecurityCulture 0.77299 0.83308 0.85271 0.84406 0.85137 0.85515 0.84505 0.96241

In the Construct Validity table, diagonals >0.50 indicates good convergent validity, and having the values of the columns of each construct lower than the diagonals indicates good discriminant validity.

•High values of Cronbach’s Alpha indicate the variables were a good measure of the latent constructs

•Indicates good reliability and consistency in the data set

Merged Data 5 of 5

Industry

• 6 Main Industries, Total Responses: 1259– Banking & Finance (124)– Technology Services (128)– Health & Social Assistance (495)– Tele/Communications (93)– Manufacturing (244)– Retail (175)

• Industries not included due to lack of responses – education, defense, aeronautics, etc.

Analysis by Industry

• Results from each Industry follows the trend of the overall data– Low status for accessibility– High gaps in security culture– MI > PI > MA,PA

• Banking & Finance, Communications – high MA, MI; low gap

• Health & Social Services & Technology Services – medium MA, MI; high gap

• Manufacturing & Retail – low MA, MI; high gap

Quick Stats on the Industries

Assessment & Importance (high low)

1.Banking & Finance

2.Technology Services

3.Communications

4.Health & Social Assistance

5.Manufacturing

6.Retail

• Low Gaps1. Banking & Finance

2. Communications

• High Gaps1. Technology Services

2. Health & Social Assistance

3. Manufacturing

4. Retail

Industry Data 1 of x

My Assessment by Industry

4.2

4.4

4.6

4.8

5.0

5.2

5.4

5.6

5.8

6.0

6.2

Accessibility Vulnerability Confidentiality FinancialResources

IT Resources BusinessStrategy

Security Policy Security Culture

BNK-06 COM-77 HLT-11 MNF-15 RET-25 TEC-26

My Importance by Industry

5.0

5.2

5.4

5.6

5.8

6.0

6.2

6.4

6.6



Security Policy Security Culture


My Security Gaps by Industry

0.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9



Security Policy SecurityCulture

Security Constructs

Se

cu

rity

Ga

p |

MA

-MI|


BNK – Banking & Finance, COM – Tele/Communication, HLT – Healthcare & Social Assistance, MNF – Manufacturing, RET – Retail, TEC – Technology Services

Average Construct Values(Banking & Finance)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI

Industry Assessment 1 of 6


Average Construct Values(Health & Social Assistance)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI


Average Construct Values(Manufacturing)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI


Average Construct Values(Retail Trade)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI


Average Construct Values(Technology Services)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI


Average Construct Values(Communications/Telecom)

4.0

4.5

5.0

5.5

6.0

6.5

7.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security CultureMA

MI

PA

PI

Construct Gaps Absolute Values(Banking & Finanace)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture |MI-MA|

|PA-MA|

|PI-MI|

|PI-PA|

Industry Gaps 1 of 6

Construct Gaps Absolute Values(Communications/Telecom)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


Construct Gaps Absolute Values(Healthcare & Social Assistance)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


Construct Gaps Absolute Values(Manufacturing)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


Construct Gaps Absolute Values(Retail Trade)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


Construct Gaps Absolute Values(Technology Services)

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


Analysis by Company Size

• Follows trend of overall data

• Assessment and importance increase with size of company

• Exception to this trend company with 50K-100K employees

Size Company Size Objects1 1-100 2442 101-1,000 2853 1,001-10,000 3334 10,001-50,000 1435 50,001-100,000 656 More than 100000 138

• Companies smaller than 10K tend to have higher gaps in security– Especially true for security

policy

Average Construct Values<Company Size 1-100 Employees>

4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI

Company Size Assessment 1 of 6

Average Construct Values<Company Size 100-1K Employees>

4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI


Average Construct Values<Company Size 1K-10K Employees>

4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI



4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI



4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI


Average Construct Values<Company Size 100K+ Employees>

4.0

4.5

5.0

5.5

6.0

6.5

Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy

Security Culture

MA

MI

PA

PI


Construct Gaps Absolute Values<Company Size 1-100 Employees>

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|

Company Size Gaps 1 of 6

Construct Gaps Absolute Values<Company Size 100-1K Employees>

0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|



0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|



0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|



0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|



0.0

0.2

0.4

0.6

0.8

1.0Accessibility

Vulnerability

Confidentiality

Financial Resources

IT Resources

Business Strategy

Security Policy


|PA-MA|

|PI-MI|

|PI-PA|


end

Documents

TSQM Overall Merged Data Analysis by Industry Analysis by Company Size July 10, 2006 Vicki Deng