TSQM
Overall Merged Data Analysis by Industry
Analysis by Company Size
July 10, 2006
Vicki Deng
In-depth Analysis of Gaps
• Performance Gaps – Current Status v. Importance
• Industry Gaps – e.g. Healthcare v. Retail
• Company Size – Small business v. Large Scale Enterprise
• Role Gaps – e.g. Business Managers v. IT staff
• Inter-Enterprise Gaps – e.g. Internal Line Manager v. Supplier
Topics & Findings
• Perceptions of Security
• Security Culture Gaps
• Why Accessibility Won’t Sell
Perceptions of Security
• Overall assessment of importance is always higher than that of a partner organization.
– While it makes sense that the first priority is to make your own organization secure within and from the outside world, it is absurd to think that security is less important for your partner organization.
– It is natural to believe your own organization is better or more important, but it can create a false sense of security.
• "My" and partner assessment are about the same.
– The similar assessment seems reasonable, since responses may be biased towards security practices at the respondent's own organization.
Perceptions of Security 1 of 2
• Gaps between assessment and importance show signs of security awareness among organizational members, which is the first step towards better security.
– Largest gap is MI-MA, followed by PI-PA.
• This trend suggests that organizations may see themselves as "invincible" and thus become complacent under this illusion of safety.
• The need to share certain information with business partners, suppliers, and customers over the internet leaves the organization vulnerable to factors beyond its control.
Perceptions of Security
Perceptions of Security 2 of 2
Security Culture Gap
• The greatest performance gap by and large is security culture.
– Security culture has an average security status assessment of 4.99 and a rated importance of 5.81.
– With a gap of .82, the difference in perception is statistically significant at a 99% confidence level.
– This gap holds for organizations of all types and sizes.
Security Culture Gaps 1 of 5
Security Culture (Survey QS)
• Security Practices
– People in the organization are knowledgeable about IT security tools and practices. [q08; gap=.82]
– People in the organization carefully follow good security practices. [q14; gap=1.08] Largest gap!
– In the organization, people are aware of good security practices. [q33; gap=.78]
• Ethics and Trust
– People in the organization can be trusted not to tamper with data and networks. [q21; gap=.69]
– People in the organization can be trusted to engage in ethical practices with data and networks. [q26; gap=.74]
Security Culture Gaps 2 of 5
Why the Gap in Security Culture?
• Security culture may be the weakest link in the house of security, since predictable and unpredictable human factors come into play
• Few are aware of good security practices, and even fewer actually follow through
• Trust and ethics rank among the most important aspects of security culture, but they cannot be regulated or written into a policy
Security Culture Gaps 3 of 5
Security Culture Gap
• The importance of security culture is rated 17% higher than the assessment of its current status
– Even though this is the most crucial area to improve upon, improvement is not possible without financial & IT resources, an effective security policy, and integration into business decisions
• Organizations need to assess their own security culture and determine what is holding its members back from following good security practices
• With new technology come new problems; a culture needs to be flexible enough to deal with change, and to change when it is no longer working
Security Culture Gaps 4 of 5
Further Implications
• Large gaps in security culture could be due to a lack of:
– awareness about current security practices
– incentives to follow them
– strong leadership
– understanding about how a member's actions fit into the larger picture
• Gaps in security policies lag behind security culture
– Policy compliance does not necessarily mean good security culture
• Even if policies are tough, they are still not enough without a proper security culture within the organization, since policies tend to be reactive in nature – that is why organizations need to focus on security culture
Security Culture Gaps 5 of 5
Why Accessibility Won’t Sell
• Accessibility
– Rated highest in importance, but also highest in assessment of current status
– Lowest MI-MA with a gap of .33; also lowest for PI-PA with a gap of .25
– MI-MA gaps of the other constructs range from .50 to .82
• This raises several questions
– Are accessibility technology and methods already mature or even saturated?
– Does the importance of accessibility overshadow the importance of vulnerability?
Accessibility 1 of 5
Accessibility (Survey QS)
• The organization checks the identity of users before allowing access to data and networks. [q04; gap=.26]
• The organization’s data and networks are only available to approved users. [q11; gap=.30]
• The organization provides access to data and networks to legitimate users. [q30; gap=.30]
• The organization’s data and networks are usually available when needed. [q34; gap=.44] Largest gap!
Accessibility 2 of 5
Why Accessibility Won’t Sell
• High assessment and importance for 'accessibility' and 'confidentiality' indicate that these aspects of security are perceived as among the most crucial, but only accessibility shows a small gap
• The small gaps in accessibility overall, across industries, company sizes, etc. suggest that current technology already has the capabilities to address and meet those needs
Accessibility 3 of 5
Where is accessibility now?
• Are accessibility technology and methods already mature or even saturated?
– Accessibility standards are emerging as e-commerce and other internet transactions become commonplace
– Despite good software technologies and capabilities, if the people using the software do not understand its capabilities and limits, it can't be successful
• "The organization's data and networks are usually available when needed."
– This particular question had the largest gap within the accessibility construct
– Technology may be able to properly provide and regulate user accessibility, but it can also hinder productivity
Accessibility 4 of 5
Accessibility v. Business Strategy
• Does the importance of accessibility overshadow the importance of vulnerability?
– Sometimes more accessibility may indirectly lead to more vulnerability, especially if "Security is a business agenda item (mostly) for top executives in the organization." (MA=5.01 for q22)
– Business strategy & financial resources are rated as the least important, while accessibility is rated as most important
– However, security often loses to business needs, so more emphasis should be placed on publicizing the organization's security strategy
Accessibility 5 of 5
Quick Stats on the Overall Data
• Top Gaps MA v. MI
1. Security Culture (.82)
2. Financial Resources (.71)
3. Security Policy (.66)
4. Vulnerability (.66)
• Top Gaps PA v. PI
1. Security Culture (.52)
2. Vulnerability (.49)
3. Financial Resources (.42)
4. Security Policy (.41)
• Highest Rated Assessment
1. Accessibility (5.72)
2. Confidentiality (5.49)
3. Vulnerability (5.25)
• Highest Rated Importance
1. Accessibility (6.05)
2. Confidentiality (5.99)
Merged Data 1 of 5
Chart: Average Construct Values (Merged Data). Y-axis 4.0 to 6.5; x-axis: Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture; series: MA, MI, PA, PI.
Merged Data 2 of 5
Chart: Construct Gaps, Absolute Values (Merged Data). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Merged Data 3 of 5
Average Construct Values
Constructs            MA       MI       PA       PI
Accessibility         5.72449  6.05240  5.47930  5.72586
Vulnerability         5.25011  5.91091  5.13422  5.63091
Confidentiality       5.48836  5.99034  5.36076  5.69117
Financial Resources   4.77187  5.48372  4.87259  5.29891
IT Resources          5.22360  5.81909  5.15534  5.54188
Business Strategy     4.96765  5.54223  5.02332  5.35836
Security Policy       5.03849  5.70043  5.05328  5.46604
Security Culture      4.98728  5.81140  5.01713  5.53841
Construct Gaps: Absolute Values
Constructs            |MI-MA|  |PA-MA|  |PI-MI|  |PI-PA|
Accessibility         0.32791  0.24519  0.32654  0.24656
Vulnerability         0.66080  0.11590  0.28000  0.49669
Confidentiality       0.50197  0.12760  0.29917  0.33041
Financial Resources   0.71185  0.10072  0.18481  0.42632
IT Resources          0.59549  0.06826  0.27721  0.38654
Business Strategy     0.57458  0.05567  0.18387  0.33504
Security Policy       0.66194  0.01479  0.23439  0.41276
Security Culture      0.82412  0.02985  0.27299  0.52128
Merged Data 4 of 5
Convergent and Discriminant Validity (Merged Data)
Reliability - Cronbach's Alpha Values
Construct             MA       MI
Accessibility         0.90758  0.93701
Vulnerability         0.83714  0.91012
Confidentiality       0.91808  0.94026
Financial Resources   0.91878  0.92768
IT Resources          0.91023  0.93680
Business Strategy     0.86877  0.89343
Security Policy       0.92184  0.93834
Security Culture      0.92188  0.94296
Construct Validity - Convergent and Discriminant Validity
(columns are the constructs in the same order as the rows)
Constructs            Acc      Vul      Conf     FinRes   ITRes    BusStr   SecPol   SecCul
Accessibility         0.96606  0.82730  0.86289  0.72385  0.81193  0.75817  0.75993  0.77299
Vulnerability         0.82730  0.89537  0.85986  0.83791  0.88582  0.83439  0.85439  0.83308
Confidentiality       0.86289  0.85986  0.97320  0.79234  0.86494  0.83070  0.85867  0.85271
Financial Resources   0.72385  0.83791  0.79234  0.97366  0.88814  0.86196  0.86675  0.84406
IT Resources          0.81193  0.88582  0.86494  0.88814  0.96623  0.84474  0.87556  0.85137
Business Strategy     0.75817  0.83439  0.83070  0.86196  0.84474  0.93056  0.88216  0.85515
Security Policy       0.75993  0.85439  0.85867  0.86675  0.87556  0.88216  0.97341  0.84505
Security Culture      0.77299  0.83308  0.85271  0.84406  0.85137  0.85515  0.84505  0.96241
In the Construct Validity table, diagonal values above 0.50 indicate good convergent validity, and a construct's column values being lower than its diagonal indicates good discriminant validity.
• High values of Cronbach's Alpha indicate the variables were a good measure of the latent constructs
• This indicates good reliability and consistency in the data set
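As an added example (not part of the deck or of the TSQM survey itself), the following Python recomputes the merged-data gap table from the average construct values printed above, cross-checks it against the printed gap table, reproduces the "Top Gaps" rankings from the Quick Stats slide, applies the convergent and discriminant validity rules stated on this slide to the construct validity matrix, and computes Cronbach's alpha from a small constructed set of item responses. The reading of MA/MI/PA/PI as my/partner assessment/importance follows the slide titles and is an assumption; the deck does not publish raw responses, so the alpha input is constructed and illustrative only.

```python
# Added example, not from the deck. Numbers are copied from the merged-data
# tables on this slide; the item responses for Cronbach's alpha are constructed.

COLS = ("MA", "MI", "PA", "PI")  # read as my/partner assessment/importance (assumption)

# Average construct values (MA, MI, PA, PI), copied from the deck.
AVERAGES = {
    "Accessibility":       (5.72449, 6.05240, 5.47930, 5.72586),
    "Vulnerability":       (5.25011, 5.91091, 5.13422, 5.63091),
    "Confidentiality":     (5.48836, 5.99034, 5.36076, 5.69117),
    "Financial Resources": (4.77187, 5.48372, 4.87259, 5.29891),
    "IT Resources":        (5.22360, 5.81909, 5.15534, 5.54188),
    "Business Strategy":   (4.96765, 5.54223, 5.02332, 5.35836),
    "Security Policy":     (5.03849, 5.70043, 5.05328, 5.46604),
    "Security Culture":    (4.98728, 5.81140, 5.01713, 5.53841),
}
GAP_COLS = ("|MI-MA|", "|PA-MA|", "|PI-MI|", "|PI-PA|")

# Gap table as printed in the deck, used to cross-check the recomputation.
REPORTED_GAPS = {
    "Accessibility":       (0.32791, 0.24519, 0.32654, 0.24656),
    "Vulnerability":       (0.66080, 0.11590, 0.28000, 0.49669),
    "Confidentiality":     (0.50197, 0.12760, 0.29917, 0.33041),
    "Financial Resources": (0.71185, 0.10072, 0.18481, 0.42632),
    "IT Resources":        (0.59549, 0.06826, 0.27721, 0.38654),
    "Business Strategy":   (0.57458, 0.05567, 0.18387, 0.33504),
    "Security Policy":     (0.66194, 0.01479, 0.23439, 0.41276),
    "Security Culture":    (0.82412, 0.02985, 0.27299, 0.52128),
}

def compute_gaps(averages=AVERAGES):
    """Absolute gaps between the four ratings, rounded to the deck's 5 decimals."""
    gaps = {}
    for name, row in averages.items():
        v = dict(zip(COLS, row))
        gaps[name] = {
            "|MI-MA|": round(abs(v["MI"] - v["MA"]), 5),
            "|PA-MA|": round(abs(v["PA"] - v["MA"]), 5),
            "|PI-MI|": round(abs(v["PI"] - v["MI"]), 5),
            "|PI-PA|": round(abs(v["PI"] - v["PA"]), 5),
        }
    return gaps

def gap_mismatches(gaps, reported=REPORTED_GAPS, tol=1.5e-5):
    """(construct, column) pairs where the recomputed gap differs from the printed one.
    The printed averages are themselves rounded, so one unit in the last digit is tolerated."""
    return [(name, col) for name, row in reported.items()
            for col, printed in zip(GAP_COLS, row)
            if abs(gaps[name][col] - printed) > tol]

def top_gaps(gaps, column, n=4):
    """Constructs ranked by one gap column, largest first (the deck's 'Top Gaps' lists)."""
    return sorted(gaps, key=lambda c: gaps[c][column], reverse=True)[:n]

# Construct validity matrix, rows and columns in CONSTRUCTS order, copied from the deck.
CONSTRUCTS = list(AVERAGES)
VALIDITY = [
    [0.96606, 0.82730, 0.86289, 0.72385, 0.81193, 0.75817, 0.75993, 0.77299],
    [0.82730, 0.89537, 0.85986, 0.83791, 0.88582, 0.83439, 0.85439, 0.83308],
    [0.86289, 0.85986, 0.97320, 0.79234, 0.86494, 0.83070, 0.85867, 0.85271],
    [0.72385, 0.83791, 0.79234, 0.97366, 0.88814, 0.86196, 0.86675, 0.84406],
    [0.81193, 0.88582, 0.86494, 0.88814, 0.96623, 0.84474, 0.87556, 0.85137],
    [0.75817, 0.83439, 0.83070, 0.86196, 0.84474, 0.93056, 0.88216, 0.85515],
    [0.75993, 0.85439, 0.85867, 0.86675, 0.87556, 0.88216, 0.97341, 0.84505],
    [0.77299, 0.83308, 0.85271, 0.84406, 0.85137, 0.85515, 0.84505, 0.96241],
]

def convergent_ok(matrix=VALIDITY, threshold=0.50):
    """Deck's rule: every diagonal entry above 0.50."""
    return all(matrix[i][i] > threshold for i in range(len(matrix)))

def discriminant_violations(matrix=VALIDITY, names=CONSTRUCTS):
    """Deck's rule: each column's off-diagonal entries must be below its diagonal.
    Returns the (column, row) pairs that break it; an empty list means the rule holds."""
    return [(names[j], names[i])
            for j in range(len(matrix)) for i in range(len(matrix))
            if i != j and matrix[i][j] >= matrix[j][j]]

def cronbach_alpha(responses):
    """Cronbach's alpha: rows are respondents, columns are the items of one construct.
    Population variance is used consistently for item scores and total scores."""
    k = len(responses[0])

    def pvar(xs):
        m = sum(xs) / len(xs)
        return sum((x - m) ** 2 for x in xs) / len(xs)

    item_var = sum(pvar([r[i] for r in responses]) for i in range(k))
    total_var = pvar([sum(r) for r in responses])
    return k / (k - 1) * (1 - item_var / total_var)

# Constructed 1-7 scale responses for a three-item construct (not survey data).
SAMPLE_RESPONSES = [[5, 4, 5], [3, 3, 2], [7, 6, 7], [1, 2, 1], [4, 5, 4]]

if __name__ == "__main__":
    g = compute_gaps()
    print("mismatches vs. deck:", gap_mismatches(g), "| top |MI-MA|:", top_gaps(g, "|MI-MA|"))
    print("convergent:", convergent_ok(), "| discriminant violations:", discriminant_violations())
    print("alpha on constructed data: %.3f" % cronbach_alpha(SAMPLE_RESPONSES))
```

Two cells (Vulnerability |PA-MA| and Confidentiality |MI-MA|) come out one unit off in the fifth decimal, because the deck's averages were rounded before the gaps were taken; the default tolerance in gap_mismatches absorbs that, and a stricter tolerance exposes exactly those two cells.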
Merged Data 5 of 5
Industry
• 6 Main Industries, Total Responses: 1259
– Banking & Finance (124)
– Technology Services (128)
– Health & Social Assistance (495)
– Tele/Communications (93)
– Manufacturing (244)
– Retail (175)
• Industries not included due to lack of responses: education, defense, aeronautics, etc.
Analysis by Industry
• Results from each industry follow the trend of the overall data
– Low status for accessibility
– High gaps in security culture
– MI > PI > MA, PA
• Banking & Finance, Communications – high MA, MI; low gap
• Health & Social Services & Technology Services – medium MA, MI; high gap
• Manufacturing & Retail – low MA, MI; high gap
Quick Stats on the Industries
Assessment & Importance (high to low)
1. Banking & Finance
2. Technology Services
3. Communications
4. Health & Social Assistance
5. Manufacturing
6. Retail
• Low Gaps
1. Banking & Finance
2. Communications
• High Gaps
1. Technology Services
2. Health & Social Assistance
3. Manufacturing
4. Retail
Industry Data 1 of x
Chart: My Assessment by Industry. Y-axis 4.2 to 6.2; x-axis: Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture; series: BNK-06, COM-77, HLT-11, MNF-15, RET-25, TEC-26.
Chart: My Importance by Industry. Y-axis 5.0 to 6.6; x-axis: the eight constructs (Accessibility through Security Culture); series: BNK-06, COM-77, HLT-11, MNF-15, RET-25, TEC-26.
Chart: My Security Gaps by Industry. Y-axis "Security Gap |MA-MI|", 0.0 to 0.9; x-axis "Security Constructs" (Accessibility through Security Culture); series: BNK-06, COM-77, HLT-11, MNF-15, RET-25, TEC-26.
BNK – Banking & Finance, COM – Tele/Communication, HLT – Healthcare & Social Assistance, MNF – Manufacturing, RET – Retail, TEC – Technology Services
Chart: Average Construct Values (Banking & Finance). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Industry Assessment 1 of 6
Industry Assessment 2 of 6
Chart: Average Construct Values (Health & Social Assistance). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Industry Assessment 3 of 6
Chart: Average Construct Values (Manufacturing). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Industry Assessment 4 of 6
Chart: Average Construct Values (Retail Trade). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Industry Assessment 5 of 6
Chart: Average Construct Values (Technology Services). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Industry Assessment 6 of 6
Chart: Average Construct Values (Communications/Telecom). Y-axis 4.0 to 7.0; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Chart: Construct Gaps, Absolute Values (Banking & Finance). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 1 of 6
Chart: Construct Gaps, Absolute Values (Communications/Telecom). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 2 of 6
Chart: Construct Gaps, Absolute Values (Healthcare & Social Assistance). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 3 of 6
Chart: Construct Gaps, Absolute Values (Manufacturing). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 4 of 6
Chart: Construct Gaps, Absolute Values (Retail Trade). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 5 of 6
Chart: Construct Gaps, Absolute Values (Technology Services). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Industry Gaps 6 of 6
Analysis by Company Size
• Follows the trend of the overall data
• Assessment and importance increase with the size of the company
• Exception to this trend: companies with 50K-100K employees
Size  Company Size        Objects
1     1-100               244
2     101-1,000           285
3     1,001-10,000        333
4     10,001-50,000       143
5     50,001-100,000      65
6     More than 100,000   138
• Companies smaller than 10K tend to have higher gaps in security
– Especially true for security policy
Chart: Average Construct Values (Company Size 1-100 Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 1 of 6
Chart: Average Construct Values (Company Size 100-1K Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 2 of 6
Chart: Average Construct Values (Company Size 1K-10K Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 3 of 6
Chart: Average Construct Values (Company Size 10K-50K Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 4 of 6
Chart: Average Construct Values (Company Size 50K-100K Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 5 of 6
Chart: Average Construct Values (Company Size 100K+ Employees). Y-axis 4.0 to 6.5; x-axis: the eight constructs (Accessibility through Security Culture); series: MA, MI, PA, PI.
Company Size Assessment 6 of 6
Chart: Construct Gaps, Absolute Values (Company Size 1-100 Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 1 of 6
Chart: Construct Gaps, Absolute Values (Company Size 100-1K Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 2 of 6
Chart: Construct Gaps, Absolute Values (slide title as printed: Company Size 100-1K Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 3 of 6
Chart: Construct Gaps, Absolute Values (slide title as printed: Company Size 100-1K Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 4 of 6
Chart: Construct Gaps, Absolute Values (slide title as printed: Company Size 100-1K Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 5 of 6
Chart: Construct Gaps, Absolute Values (slide title as printed: Company Size 100-1K Employees). Y-axis 0.0 to 1.0; x-axis: the eight constructs (Accessibility through Security Culture); series: |MI-MA|, |PA-MA|, |PI-MI|, |PI-PA|.
Company Size Gaps 6 of 6
end