Appendix 2 – Survey Instrument
General Deterrence Theory: Assessing Information System Security Effectiveness in Large Versus Small Businesses
Thank you for taking the time to respond to this survey. The Association of Information Technology Professionals (AITP) partners with educational institutions and others in order to provide information that advances the knowledge of IT professionals. The purpose of this research study is to compare and contrast how small versus large sized businesses and address their information systems security concerns. The approximate time to complete this survey is 10-20 minutes. You must be 18 years of age or older to participate in this study. If you choose not to participate in this study there will be no adverse consequences and your consent is provided by completing the survey instrument. No individual responses will be reported and data will be reported on a group basis only. As compensation for your efforts, you will be provided with immediate feedback by being directed to a website that contains your responses along with a summary of the responses of others who have participated in this research study. Please remember, no identifying information will be reported. Additionally, the AITP will be provided with an executive summary of the findings for dissemination to the membership. If you wish, you may complete part of the survey and continue again at a later time without losing your responses. Simply re-click the link in the email and follow the on-screen instructions. However, only after submitting the completed survey will you be directed to the site containing the results of the survey. If you have questions regarding this study, please contact Joseph H. Schuessler at joseph.schuessler@unt.edu or 940-565-3128 in the ITDS department of the College of Business. Alternatively, you may contact Dr. John Windsor at john.windsor@unt.edu or 940-565-4147 in the ITDS department of the College of Business. This project has been reviewed and approved by the University of North Texas Institutional Review Board (940)565-3940. You are welcome to print this page for your records.
Using the definitions below, please
rate on a scale of 1 to 7 (1 being for the least effective and 7 for being the
most effective) the effectiveness of your organization's efforts in protecting
it's Information System assets.
Deterrence is defined as “the inhibition of criminal behavior by fear,
especially of punishment.” In other words, deterrence activities provide
disincentives for would-be computer abusers. Examples of deterrent efforts
include “administrative policies, employee training, and visible security
functions”
Prevention is defined as a hindrance or an obstacle. These can include physical
obstacles such as guards, locked doors, and so on and/or software tools such as
authentication devices and firewalls.
Detection is defined as the act or process of discovery. As it relates to
information systems (IS), it is the process of attempting to discover security
breaches within an organization by examining system logs, monitoring suspicious
activity reports, and so on.
Remedy is defined as “a legal order of preventing or redressing a wrong or
enforcing a right.” Remedies serve as a way for an organization to seek
restitution in some fashion, whether through internal sanctions such as
reprimands or termination, or externally through legal or regulatory systems.
|
Least Effective (1) |
2 |
3 |
4 |
5 |
6 |
Most Effective (7) |
|
|
Overall deterrent effect |
|
|
|
|
|
|
|
|
Overall preventive effect |
|
|
|
|
|
|
|
|
Overall detection effect |
|
|
|
|
|
|
|
|
Overall remedy effect |
|
|
|
|
|
|
|
|
Effect in protecting hardware |
|
|
|
|
|
|
|
|
Effect in protecting software |
|
|
|
|
|
|
|
|
Effect in protecting computing services |
|
|
|
|
|
|
|
|
Effect in protecting data |
|
|
|
|
|
|
|
The information security function is primarily viewed as:
|
an administrative
job focused on granting user access and establishing degrees of
privilege. |
The senior information security manager is:
|
a part-time
position with the duties to implement technical solutions to
authentication and authorization issues and physically secure the
computing resources. |
Please indicate the frequency of top management’s participation in information security planning:
|
almost always |
Please indicate the frequency of user participation in information security planning:
|
almost always |
The performance criteria for the information security function are:
|
long-term impact on
the organization and support of organizational goals and objectives. |
The development or implementation of information security controls is primarily triggered by:
|
perceived need on
the part of the information security manager. |
The senior information security manager is __________ levels below the CEO:
|
One |
Please indicate the frequency of the senior information security manager’s participation in business planning:
|
almost always |
Please indicate by selecting the appropriate number the extent to which you agree or disagree with the following statements as they relate to your organization's portfolio of existing information systems (1 meaning strongly disagree and 7 meaning strongly agree).
|
Strongly Disagree (1) |
2 |
3 |
4 |
5 |
6 |
Strongly Agree (7) |
|
|
IS is used to offer significant new features to the existing product line |
|
|
|
|
|
|
|
|
IS is not vital to our organization. |
|
|
|
|
|
|
|
|
IS is looked at as a competitive resource |
|
|
|
|
|
|
|
|
IS breakdown for extended periods will affect organizational activities severely |
|
|
|
|
|
|
|
|
Our company relies heavily on IS for efficient operation |
|
|
|
|
|
|
|
|
IS breakdown will critically affect one or more functional departments |
|
|
|
|
|
|
|
|
IS breakdown will affect our database access |
|
|
|
|
|
|
|
|
IS breakdown will affect overall coordination within our organization |
|
|
|
|
|
|
|
Please indicate by selecting the appropriate number the significance of the following items as components of your portfolio of planned system development projects (1 being least significant and 7 being most significant).
|
Least Significant (1) |
2 |
3 |
4 |
5 |
6 |
Most Significant (7) |
|
|
Projects involving applications of new technologies |
|
|
|
|
|
|
|
|
Projects involving development of new areas of application |
|
|
|
|
|
|
|
|
Projects involving cost displacement or cost reduction |
|
|
|
|
|
|
|
|
Projects focusing on routine maintenance to meet evolving business needs, new regulatory or legal requirements |
|
|
|
|
|
|
|
|
Projects focusing on existing systems enhancements |
|
|
|
|
|
|
|
|
Projects whose primary benefit is providing new decision support information to top management |
|
|
|
|
|
|
|
|
Projects whose primary benefit is providing new decision support information to middle and lower levels of management |
|
|
|
|
|
|
|
|
Projects which will allow the company to develop and offer new products or services for sale |
|
|
|
|
|
|
|
|
Projects which enable development of new administrative control and planning process |
|
|
|
|
|
|
|
|
Projects which offer significant tangible benefits through improved operational efficiencies |
|
|
|
|
|
|
|
|
Projects which appear to offer new ways for company to compete |
|
|
|
|
|
|
|
Please rate on a scale of 1 to 7 (1 being the lowest degree and 7 being the highest degree) the degree to which each potential threat listed below has on your organization's information system.
|
Lowest Degree (1) |
2 |
3 |
4 |
5 |
6 |
Highest Degree (7) |
|
|
Accidental entry of bad data |
|
|
|
|
|
|
|
|
Accidental destruction of hardware |
|
|
|
|
|
|
|
|
Accidental destruction of data |
|
|
|
|
|
|
|
|
Failure to follow policies and procedures |
|
|
|
|
|
|
|
|
Technical software failures or errors |
|
|
|
|
|
|
|
|
Forces of nature |
|
|
|
|
|
|
|
|
Acts of human error or failure |
|
|
|
|
|
|
|
|
Disgruntled employees |
|
|
|
|
|
|
|
|
Pandemics |
|
|
|
|
|
|
|
|
Social engineering |
|
|
|
|
|
|
|
|
Deliberate software attacks |
|
|
|
|
|
|
|
|
Deliberate acts of espionage or trespass (unauthorized access and/or data collection) |
|
|
|
|
|
|
|
|
Deliberate acts of theft |
|
|
|
|
|
|
|
|
Quality of service deviations from service providers such as electricity, Internet, and so on. |
|
|
|
|
|
|
|
Please indicate whether your organization:
|
Yes |
No |
|
|
Has an information systems security policy |
|
|
|
Has scheduled, periodic reviews of the information systems security policy |
|
|
|
Has a management framework to initiate and control implementation of IS security |
|
|
|
Has an accounting of all information, software, and physical assets |
|
|
|
Reinforces information security responsibilities to employees throughout their career |
|
|
|
Has a formal reporting procedure for identified security incidents and weaknesses |
|
|
|
Has a formal reporting procedure for identified software malfunctions |
|
|
|
Has established physical and environmental security controls for hardware assets |
|
|
|
Has established incident management procedures for information system security incidents |
|
|
|
Plans for procurement of new information systems when capacity dictates |
|
|
|
Has formal acceptance criteria for new information systems acquired |
|
|
|
Has a formal policy requiring compliance with software licenses |
|
|
|
Has a formal policy to protect against risks associated with obtaining files from unauthorized sources |
|
|
|
Has installed and regularly updates anti-viral software |
|
|
|
Conducts regular reviews of systems that contain identifiable patron information, and the presence of any unapproved files or unauthorized amendments is investigated |
|
|
|
Checks any electronic mail attachment for malicious software before use |
|
|
|
Has a management procedure to deal with reporting and recovering from viral infections |
|
|
|
Backs-up copies of essential information and software on a scheduled basis |
|
|
|
Has a written access control policy that dictates authorized information system privileges |
|
|
|
Has set user access management policies on each system, including password requirements |
|
|
|
Has a system policy on password selection and use |
|
|
|
Has a system requirement for password expiration |
|
|
|
Has a password requirement for password length and complexity |
|
|
|
Has a requirement that no passwords are stored in any automated log-on process |
|
|
|
Has a system requirement that controls the access rights of users |
|
|
|
Has a written policy on appropriate network use, authorization procedures, and management controls |
|
|
|
Limits menu and submenu items on terminals |
|
|
|
Has a system requirement that prevents unlimited network roaming |
|
|
|
Has a system requirement that enforces specified application systems and/or security gateways for external network users |
|
|
|
Has a system requirement that requires source to destination communications via security gateways (firewalls) |
|
|
|
Has a system requirement that allows access only to specified network ports |
|
|
|
Has a system requirement that does not display system or application identifiers until a user has successfully logged on |
|
|
|
Has a system requirement that displays a general warning notice that the computer should only be accessed by authorized users |
|
|
|
Has a system requirement that does not display help messages during the logon procedure that would aid an unauthorized user |
|
|
|
Has a system requirement that logs both the system and security events |
|
|
|
Has procedures for monitoring both system and security logs |
|
|
|
Has a system requirement for clock synchronization |
|
|
|
Has a business continuity plan |
|
|
|
Has established and implemented policies to ensure compliance with copyright law |
|
|
|
Regularly audits the information systems for compliance with security standards |
|
|
Countermeasures are defined as an array of organizational devices
to deter, prevent, or detect security breaches. With this in mind, please
consider the following question:
Please rate on a scale of 1 to 7 (1 being little or no use and 7 being used
extensively) your organization's use of each countermeasure listed below.
|
Little or no use (1) |
2 |
3 |
4 |
5 |
6 |
Used extensively (7) |
|
|
Suspicious activity reports generated from intrusion detection systems |
|
|
|
|
|
|
|
|
Alarm systems to protect from intrusion and fire |
|
|
|
|
|
|
|
|
Penetration/Vulnerability testing |
|
|
|
|
|
|
|
|
Audit of various system logs |
|
|
|
|
|
|
|
|
Encourage violations reporting |
|
|
|
|
|
|
|
|
Warning signs informing violators of possible protective measures and civil/legal remedies |
|
|
|
|
|
|
|
|
Use of cameras to demonstrate monitoring of sensitive areas |
|
|
|
|
|
|
|
|
Consistently apply organization's security policy |
|
|
|
|
|
|
|
|
Plan for various contingencies |
|
|
|
|
|
|
|
|
Drill to make sure contingency plans are effective |
|
|
|
|
|
|
|
|
Perform background checks as condition of employment or promotion |
|
|
|
|
|
|
|
|
Manage patch and update procedures |
|
|
|
|
|
|
|
|
Use of redundant assets and facilities |
|
|
|
|
|
|
|
|
Use of auto account lock/logoff |
|
|
|
|
|
|
|
|
Use of rights management to control access to workstation/network resources |
|
|
|
|
|
|
|
|
User (re)training/(re)education |
|
|
|
|
|
|
|
|
Use of firewalls |
|
|
|
|
|
|
|
|
Media backup |
|
|
|
|
|
|
|
|
Password policies that enforce strength and frequency of change |
|
|
|
|
|
|
|
|
Physical area security |
|
|
|
|
|
|
|
|
Publish formal standards |
|
|
|
|
|
|
|
|
Use of virus protection software |
|
|
|
|
|
|
|
|
Work with external legal and regulatory entities to enforce and protect the organization's interests |
|
|
|
|
|
|
|
|
Use internal measures such as verbal warnings, reprimands, and termination to enforce and protect the organization's interests |
|
|
|
|
|
|
|
Please indicate your organization's primary industry affiliation.
|
ACCOMMODATION AND
FOOD SERVICES |
Average number of employees in your entire organization?
|
0-100 |
Average annual receipts of your organization (in millions of dollars)?
|
$0
- $0.75 |
$11.6
- $12.0 |
$23.1
- $23.5 |
Are your organization's financial assets (as reported on your organization's annual finanical statements) worth over $165 million dollars?
|
Yes |
What portion of your IT budget is spent on IT security?
|
Less
than 1% |
How long have you been employed by your organization (in years)?
Format: 99
What is your occupational role in your organization?
What is your AITP membership classification?
Gender
|
Male |
What is your age?
|
|
What is the highest level of education you have attained to date?
|
High
school graduate or less |
Thank you for completing
the survey. Your responses will help academicians and practitioners alike in
assessing information systems security effectiveness as well as the
relationships between various threats and countermeasures. Should you have any
questions, please feel free to contact Joseph H. Schuessler at
joseph.schuessler@unt.edu or at 940-565-3128. Again thank you for your time
and responses.
Please note, when you click the submit button below, you will be redirected to a
site providing you with immediate feedback about your answers as well as those
provided by others taking this survey. Please save the URL as a bookmark or
favorite so that you may revisit the site as more surveys are received.
The password for the site is "GDT" without the quotes.