ISSE 2008 Information Security Status

Information Security Status in Organisations 2008 Anas Tawileh, Jeremy Hilton, Stephen McIntosh Cardiff University

Upload: anas-tawileh

Post on 20-May-2015


Page 1: ISSE 2008 Information Security Status

Information Security Status in Organisations

2008

Anas Tawileh, Jeremy Hilton, Stephen McIntosh

Cardiff University


Outline

• Methodology and Approach

• Survey Findings

• Feedback

• Summary and Discussion


Methodology and Approach

• Structured approach to questionnaire design

• Based on the Information Assurance Model

• Model describes a desirable state of information assurance in organisations

• Open-ended question added to elicit feedback


Respondents’ Profile


Respondents’ Profile


Organisation Sector


Information Security Requirements


Data Backup


Privacy and Integrity


Measures Against Internal Misuse


Respondents’ Feedback

“My goals as IT supervisor and management goals are not always the same, management is worried about sales/profits, and not security.”

“It would be nice to know how many "no's" one selected out all questions to slam it in the face of those opposing any IT security.”


Respondents’ Feedback

“I am concerned. I am the one and only who is concerned. After hours, anyone who somehow got admitted into our offices could walk out with a laptop sitting on the reception desk containing practically all the confidential info we have. Refusal to invest in a steel cable.”


Summary and Discussion

• A significant gap exists between large organisations and their smaller counterparts in the adoption of information security

• Organisations seem to focus more on confidentiality and authentication

• Privacy (still) is a growing concern


Summary and Discussion

• Organisations are not very well prepared to satisfy the requirement for external collaboration

• Over-reliance on technical measures

• Little attention is paid to the human aspect of security


Thank You.