Joseph H. Schuessler, Ph.D.
Appendix 1 – Interview Protocol Template

Q.01 Employment Duration
How long have you been employed in your current organization?
____ Less than 6 months
____ 6-12 months
____ 1-2 years
____ 3-4 years
____ 5-8 years
____ 9-16 years
____ 17-24 years
____ 25 years or more

Q.02 Present Position Duration
How long have you been in your present position in this organization?
____ Less than 6 months
____ 6-12 months
____ 1-2 years
____ 3-4 years
____ 5-8 years
____ 9-16 years
____ 17-24 years
____ 25 years or more

Q.03 How Long in the Field
How long have you been in the IS field in general? ____
How long has security been a major focus of your position? ____

Q.04 Primary Role
What is your primary role in your organization? ___________________________

Q.05 Title
What is your title? ___________________________

Q.06 General Deterrence Theory as Applied to the Use of Countermeasures
Deterrence activities are defined as “the inhibition of criminal behavior by fear especially of punishment.” Examples of deterrent activities include policy statements and guidelines, guidelines on the legitimate use of IS assets, and so on.

Q.06a Deterrence Efforts
Please describe the deterrent efforts used by your organization to protect the organization’s information systems.
Prevention is defined as “a hindrance or obstacle.” Examples of preventive efforts include implementing security software to impede unauthorized access to and use of IS assets, designing physically secure IS facilities, locks on computer room doors, and password access controls.

Q.06b Prevention Efforts
Please describe the prevention efforts used by your organization to protect the organization’s information systems.
Detection is defined as “the act or process of discovery.” Examples of detective efforts include suspicious activity reports, system audits, and virus scanning reports.

Q.06c Detection Efforts
Please describe the detection efforts used by your organization to protect the organization’s information systems.
Remedy is defined as “a legal order of preventing or redressing a wrong or enforcing a right.” Examples of remedy efforts include reprimands, warnings, and termination, as well as criminal or civil suits.

Q.06d Remedy Efforts
Please describe the remedy efforts used by your organization to protect the organization’s information systems.
Q.07 Threats as conceptualized using Loch et al.’s (1992) framework
Considering threats as originating from a source (internal or external), by a perpetrator (human or non-human), with an intent (accidental or non-accidental), discuss each threat below.

Source

Q.07a Internal Threats
In the context of information systems security, please describe the internal threats faced by your organization. An example might be “a threat as a result of employee action or failure of an organizational process” (Loch et al., 1992, page 175).

Q.07b External Threats
In the context of information systems security, please describe the external threats faced by your organization. An example might be “natural disasters: hurricanes, fires, floods, and earthquakes” (Loch et al., 1992, page 175), or hackers or competitors.

Perpetrator

Q.07c Human Threats
In the context of information systems security, please describe threats created by human sources to your organization. An example might be accidental entry of bad data, inadequate control over media, and so on (Loch et al., 1992).

Q.07d Non-human Threats
In the context of information systems security, please describe threats created by non-human sources to your organization. An example might be natural disasters or computer viruses (Loch et al., 1992).

Intent

Q.07e Accidental Threats
In the context of information systems security, please describe the accidental threats faced by your organization. An example might be accidental destruction of data by an employee or accidental entry of bad data (Loch et al., 1992).

Q.07f Intentional Threats
In the context of information systems security, please describe the intentional threats faced by your organization. An example might be intentional destruction of data by employees or intentional entry of bad data by employees (Loch et al., 1992).

Consequences

Q.08g Disclosure
In the context of information systems security, please discuss the consequences of improper disclosure of information faced by your organization (Loch et al., 1992).

Q.08h Modification
In the context of information systems security, please discuss the consequences of improper data modification faced by your organization (Loch et al., 1992).

Q.08i Destruction
In the context of information systems security, please discuss the consequences of improper destruction of data faced by your organization (Loch et al., 1992).

Q.08j Denial of Use
In the context of information systems security, please discuss the consequences of denial of use faced by your organization (Loch et al., 1992).
Q.09 Once the respondent has discussed the various countermeasures used above, have the respondent review the list below and discuss whether or not they use such countermeasures and, if so, how they might be classified according to the GDT. (Threats identified by Whitman, 2004)
Q.10 Once the respondent has discussed the various threats as described above, have the respondent review the list below and discuss whether or not they face such threats and, if so, how they might be classified according to Loch et al. (1992).