TSQM Overall Merged Data Analysis by Industry Analysis by Company Size July 10, 2006 Vicki Deng
In-depth Analysis of Gaps
• Performance Gaps:
  • Current Status v. Importance
• Industry Gaps:
  • i.e. Healthcare v. Retail
• Company Size:
  • Small business v. Large Scale Enterprise
• Role Gaps:
  • i.e. Business Managers v. IT staff
• Inter-Enterprise Gaps:
  • i.e. Internal Line Manager v. Supplier

Topics & Findings
• Perceptions of Security
• Security Culture Gaps
• Why Accessibility Won’t Sell
Perceptions of Security
• Overall assessment of importance is always higher than that of a partner organization.
  • While it makes sense that the first priority is to make your own organization secure within and from the outside world, it is absurd to think that security is less important for your partner organization.
  • It is natural to believe your own organization is better or more important, but it can create a false sense of security.
• My & partner assessment is about the same.
  • The similar assessment seems reasonable since responses may be biased towards security practices at their own organization.
Perceptions of Security 1 of 2

Perceptions of Security
• Gaps between assessment and importance show signs of security awareness in organizational members, which is the first step towards better security.
• Largest gap is MI-MA, followed by PI-PA.
  • This trend suggests that organizations may see themselves as “invincible” and thus become complacent under this illusion of safety.
  • The need to share certain information with business partners, suppliers, and customers over the internet leaves the organization vulnerable to factors beyond its control.
Perceptions of Security 2 of 2
Security Culture Gap
• The greatest performance gap by and large is security culture.
  • Security culture has an average security status assessment of 4.99 and a rated importance of 5.81.
  • With a gap of .82, the difference in perception is statistically significant at a 99% confidence level.
• This gap holds for all types of organizations of all sizes.
Security Culture Gaps 1 of 5

Security Culture (Survey QS)
• Security Practices
  • People in the organization are knowledgeable about IT security tools and practices. [q08; gap=.82]
  • People in the organization carefully follow good security practices. [q14; gap=1.08] Largest gap!
  • In the organization, people are aware of good security practices. [q33; gap=.78]
• Ethics and Trust
  • People in the organization can be trusted not to tamper with data and networks. [q21; gap=.69]
  • People in the organization can be trusted to engage in ethical practices with data and networks. [q26; gap=.74]
Security Culture Gaps 2 of 5
Why the Gap in Security Culture?
• Security culture may be the weakest link in the house of security, since predictable and unpredictable human factors come into play.
• Few are aware of good security practices, and even fewer actually follow through.
• Trust and ethics factor in as one of the most important aspects of security culture, but they cannot be regulated or written into a policy.
Security Culture Gaps 3 of 5

Security Culture Gap
• The importance of security culture is rated 17% higher than the assessment of its current status.
• Even though this is the most crucial area to improve upon, improvement is not possible without the financial & IT resources, an effective security policy, and integration into business decisions.
• Organizations need to assess their own security culture and determine what is holding back their members from following good security practices.
• With new technology come new problems; a culture needs to be flexible enough to deal with change, and to change when it is no longer working.
Security Culture Gaps 4 of 5

Further Implications
• Large gaps in security culture could be due to a lack of:
  • awareness about current security practices
  • incentives to follow them
  • strong leadership
  • understanding about how a member’s actions fit into the larger picture
• Gaps in security policies lag behind security culture.
  • Policy compliance does not necessarily mean good security culture.
  • Even if policies are tough, they are still not enough without a proper security culture within the organization, since policies tend to be reactive in nature – that is why organizations need to focus on security culture.
Security Culture Gaps 5 of 5
Why Accessibility Won’t Sell
• Accessibility
  • Rated highest importance, but also highest assessment of current status
  • Lowest MI-MA with a gap of .33, also lowest for PI-PA with a gap of .25
  • MI-MA gaps of other constructs range from .50~.82
• This raises several questions
  • Is accessibility technology and methods already matured or even saturated?
  • Does the importance of accessibility overshadow the importance of vulnerability?
Accessibility 1 of 5

Accessibility (Survey QS)
• The organization checks the identity of users before allowing access to data and networks. [q04; gap=.26]
• The organization’s data and networks are only available to approved users. [q11; gap=.30]
• The organization provides access to data and networks to legitimate users. [q30; gap=.30]
• The organization’s data and networks are usually available when needed. [q34; gap=.44] Largest gap!
Accessibility 2 of 5
Why Accessibility Won’t Sell
• High assessment and importance for ‘accessibility’ and ‘confidentiality’ indicate that these aspects of security are perceived as among the most crucial, but only accessibility shows a small gap.
• The small gaps in accessibility overall, across industries, company size, etc., suggest that current technology already has the capabilities to address and meet those needs.
Accessibility 3 of 5

Where is accessibility now?
• Is accessibility technology and methods already matured or even saturated?
  • Accessibility standards are emerging as e-commerce and other internet transactions become commonplace.
  • Despite good software technologies and capabilities, if the people using the software do not understand its capabilities and limits, then it can’t be successful.
• “The organization’s data and networks are usually available when needed.”
  • This particular question had the largest gap within the accessibility construct.
  • Technology may be able to properly provide and regulate user accessibility, but it can also hinder productivity.
Accessibility 4 of 5

Accessibility v. Business Strategy
• Does the importance of accessibility overshadow the importance of vulnerability?
  • Sometimes more accessibility may indirectly lead to more vulnerability, especially if “Security is a business agenda item (mostly) for top executives in the organization.” (MA=5.01 for this qs. 22)
  • Business strategy & financial resources is rated as the least important, while accessibility is rated as most important.
  • However, it is often the case that security loses to business needs, so more emphasis should be placed on publicizing the organization’s security strategy.
Accessibility 5 of 5
Quick Stats on the Overall Data
• Top Gaps MA v. MI
  • Security Culture (.82)
  • Financial Resources (.71)
  • Security Policy (.66)
  • Vulnerability (.66)
• Top Gaps PA v. PI
  • Security Culture (.52)
  • Vulnerability (.49)
  • Financial Resources (.42)
  • Security Policy (.41)
• Highest Rated Assessment
  • Accessibility (5.72)
  • Confidentiality (5.49)
  • Vulnerability (5.25)
• Highest Rated Importance
  • Accessibility (6.05)
  • Confidentiality (5.99)
Merged Data 1 of 5

Convergent and Discriminant Validity (Merged Data)
• High values of Cronbach’s Alpha indicate the variables were a good measure of the latent constructs
  • Indicates good reliability and consistency in the data set
Merged Data 5 of 5
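The two quantities the slides lean on are the gap (importance minus current-status assessment) and Cronbach’s alpha for the items that make up a construct. The following is an added illustration, not the study’s own code or data: it assumes a 7-point scale, that MA/MI denote an organization’s assessment and importance ratings (as the slides imply), that each construct is measured by several survey questions asked in both forms, and uses a small constructed response set with six respondents and three items.

```python
"""Gap scores, Cronbach's alpha and a paired t-statistic on Likert data.

Added example; the responses below are constructed for illustration and
are not the TSQM survey data. Scale assumed to be 1..7.
"""
from statistics import mean, pvariance

# Constructed sample for one construct: 6 respondents x 3 items.
# Each respondent rates every item twice: current status (MA) and importance (MI).
ASSESSMENT = [  # MA
    [5, 4, 5],
    [4, 4, 4],
    [6, 5, 6],
    [5, 5, 4],
    [3, 4, 3],
    [5, 5, 5],
]
IMPORTANCE = [  # MI
    [6, 6, 6],
    [5, 6, 5],
    [7, 6, 7],
    [6, 5, 6],
    [5, 5, 6],
    [6, 6, 6],
]

# Two-tailed 99% critical value of Student's t with 5 degrees of freedom
# (n = 6 respondents), taken from a standard t table.
T_CRIT_99_DF5 = 4.032


def construct_score(responses):
    """Mean of every item answer over every respondent for one construct."""
    return mean(v for row in responses for v in row)


def gap(importance, assessment):
    """Importance minus assessment; a positive gap means status lags importance."""
    return construct_score(importance) - construct_score(assessment)


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of the total score).

    Values near 1 mean the items move together, i.e. they measure one
    underlying construct consistently.
    """
    k = len(responses[0])
    item_vars = [pvariance([row[i] for row in responses]) for i in range(k)]
    totals = [sum(row) for row in responses]
    return k / (k - 1) * (1 - sum(item_vars) / pvariance(totals))


def paired_t(importance, assessment):
    """Paired t-statistic on per-respondent mean importance minus mean assessment."""
    diffs = [mean(i) - mean(a) for i, a in zip(importance, assessment)]
    n = len(diffs)
    d_bar = mean(diffs)
    sd = (sum((d - d_bar) ** 2 for d in diffs) / (n - 1)) ** 0.5
    return d_bar / (sd / n ** 0.5)


def gap_is_significant_99(importance, assessment):
    """True when the paired t exceeds the 99% two-tailed critical value."""
    return abs(paired_t(importance, assessment)) > T_CRIT_99_DF5


if __name__ == "__main__":
    print(f"MA={construct_score(ASSESSMENT):.2f} MI={construct_score(IMPORTANCE):.2f}")
    print(f"gap MI-MA={gap(IMPORTANCE, ASSESSMENT):.2f}")
    print(f"alpha(assessment items)={cronbach_alpha(ASSESSMENT):.2f}")
    print(f"paired t={paired_t(IMPORTANCE, ASSESSMENT):.2f}, "
          f"significant at 99%: {gap_is_significant_99(IMPORTANCE, ASSESSMENT)}")
```

With real survey data the same functions run per construct (security culture, accessibility, and so on) and per respondent group (industry, company size), which is how a table like the “Top Gaps” slide above is produced; the critical value must be looked up for the actual number of respondents.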
Industry
• 6 Main Industries, Total Responses: 1259
  • Banking & Finance (124)
  • Technology Services (128)
  • Health & Social Assistance (495)
  • Tele/Communications (93)
  • Manufacturing (244)
  • Retail (175)
• Industries not included due to lack of responses – education, defense, aeronautics, etc.

Analysis by Industry
• Results from each industry follow the trend of the overall data
  • Low status for accessibility
  • High gaps in security culture
  • MI > PI > MA, PA
• Banking & Finance, Communications – high MA, MI; low gap
• Health & Social Services & Technology Services – medium MA, MI; high gap
• Manufacturing & Retail – low MA, MI; high gap

Quick Stats on the Industries
• Assessment & Importance (high to low)
  • Banking & Finance
  • Technology Services
  • Communications
  • Health & Social Assistance
  • Manufacturing
  • Retail
• Low Gaps
  • Banking & Finance
  • Communications
• High Gaps
  • Technology Services
  • Health & Social Assistance
  • Manufacturing
  • Retail
Industry Data 1 of x
BNK – Banking & Finance, COM – Tele/Communication, HLT – Healthcare & Social Assistance, MNF – Manufacturing, RET – Retail, TEC – Technology Services
Analysis by Company Size
• Follows the trend of the overall data
• Assessment and importance increase with the size of the company
  • The exception to this trend is companies with 50K-100K employees
• Companies smaller than 10K tend to have higher gaps in security
  • Especially true for security policy