Information Assurance Market Research June 2009

Information Assurance Market Research June 2009. Executive Summary Small response rate (n=43) General low awareness of information security controls and.

Jan 01, 2016

Page 1

Information Assurance Market Research

June 2009

Page 2

Executive Summary
• Small response rate (n=43)
• General low awareness of information security controls and legislation
• 42% of organisations surveyed currently have an information security policy in place
• Only 6% of those who don’t currently have a policy have plans to introduce one
• Training in information security viewed with average, or increasing, importance amongst respondents
• 12% currently interested in training or support with information risk management; 23% would potentially be interested in the future
• Low awareness of potential funding available

Page 3

Survey Sample
• E-survey sent to the following distribution lists:
– Business School contact list (n ~ 270)
– Midlands Excellence contact list (n ~ 300)
– BDO contact list (n ~ 20)
• 43 responses received
• Response rate estimated at 9%

Page 4

Demographics
• Size of organisation
– Micro (<11 employees): 35%
– Small (11–49 employees): 19%
– Medium (50–249 employees): 19%
– Large (250+ employees): 26%
• Over 50% of respondents had ultimate or shared responsibility for information security compliance within their organisation

Page 5

Industry Sector (n=43)

Bar chart; x-axis: Industry sector; y-axis: Percentage of respondents. Data labels read left to right:
– Public Sector: 16%
– Charitable/not-for-profit Organisation: 21%
– Financial Services: 5%
– Education: 2%
– Manufacturing: 16%
– Banking & Finance: 5%
– Construction & Property: 2%
– Support Services: 7%
– Technology: 9%
– Training: 2%
– Marketing: 5%
– Management Consultancy: 5%

Page 6

Is your organisation ISO9001 compliant? (n=43)
– Yes: 26%
– No: 37%
– Don't know: 16%

Page 7

Are you aware of the BS7799 quality standard? (n=43)

A set of information security controls for an organisation's processes derived by the British Standards Institute
– Yes: 23%
– No: 37%
– I have a limited awareness of it: 16%

Page 8

Are you aware of the ISO27001 quality standard? (n=43)

Internationalisation of the British standard on information security
– Yes: 16%
– No: 44%
– I have a limited awareness of it: 19%

Page 9

Have any supply chain partners or potential partners asked you whether you are ISO27001 certified or working towards certification? (n=43)
– Yes: 7%
– No: 58%
– I don't recall: 14%

Page 10

Are you aware of the credit card companies' PCI DSS (Payment Card Industry Data Security Standard) regulations? (n=43)
– Yes: 28%
– No: 47%

Page 11

Are you aware of the recent changes to the Data Protection Act in 2008, which make anything defined therein as "reckless handling" of data an offence for which imprisonment is a potential outcome? (n=43)
– Yes: 33%
– No: 47%

Page 12

Information Security Policy and Procedures

Page 13

42% of respondents currently have an information security policy in place in their organisation (n=43)
– Yes: 42%
– No: 26%
– I don't know: 12%

Page 14

Please tell us a little about the process you went through in implementing your information security policy and how you put it into practice.

• Reviewed best practice guidelines and adapted policy of a larger organisation to suit our operation

• Developed by head of knowledge management

• Discussed with Business Link and used their templates.

• We involved an IT Security Consultant and wrote the Information Security Policy based upon the guidelines in BS ISO/IEC: 17799. We also developed a shorter document that summarises the security policies and this is signed by all new members of staff using the IT systems.

• Via outside consultancy

• We reviewed guidance from National Government, Cabinet Office, the Information Commission and BS 7799 before creating an IT policy that contained statements covering each of these areas.

• Made people aware of how the internet, networks and PCs can be both tools and security threats. Provided examples of how companies and individuals suffered through lax security. Put in place safeguards against these threats: a single station and telephone line for internet use, unattached to any other computing equipment. Refused to allow any unauthorised software or files from third parties to be loaded on to systems. Made these conditions part of the employment contract, with disciplinary sanctions for transgressors.

• Written taking best practice from 27001 and the wider IT sector plus personal experience.

Page 15

How do you communicate your information security policy to your employees? (n=18)
– The policy is available in a shared place for employees to view (e.g. intranet, shared network, employee handbook): 28%
– Training was provided on the policy at the time of implementation: 14%
– Line managers actively promote the policy: 12%
– Regular training updates are provided on information assurance: 5%
– Remedial action is taken upon those who breach the policy: 9%

Page 16

How do you detect breaches of the information security policy? (n=18)
– Customer complaints: 16%
– Computer network alerts: 23%
– Contact from official public authority: 7%
– Contact from the Information Commissioner: 2%

Page 17

Do you keep a record of security policy breaches? (n=18)
– Yes: 21%
– No: 9%
– I don't know: 9%

Page 18

What action do you take when information security breaches are identified?

Responses included:
• Disciplinary action including dismissal
• Have not identified any as yet
• Investigate, review information and decide how to ameliorate breach and prevent repetition through revisions to security processes

Page 19

• Of the 26% (16) of respondents who currently didn’t have an information security policy in place in their organisation, only 6% (1) had any plans to introduce one in the future
– Yes, at some point in the future: 6%
– No: 50%
– I don't know: 25%

Page 20

• When asked to consider who they would look to for assistance in implementing an information security policy, the most popular response was a specialist information security company (38%, 6), closely followed by an internal IT Department (31%, 5). 6% (1) of respondents would consider a University for this.

• Respondents were only prepared to invest a very small proportion of their time in implementing such a policy (50%: 1 day or less)

Page 21

Information Risk Management Training

Page 22

How important do you consider training in information risk management to be? (n=43)
– Not very important: 9%
– Of average importance: 16%
– Increasingly important: 21%
– Extremely important: 19%

Page 23

• 21% of respondents had participated in risk management training in the past.
– In the majority of cases these were internal courses.
– External courses mentioned were BSI Information Security Best Practice BS 7799 and as part of a Chartered Manager impact submission

• 42% of respondents had never participated in risk management training

Page 24

Would you be interested in training concerning risk management? (n=43)
– Yes: 12%
– No: 28%
– Probably in the future: 23%

Page 25

In which of the following areas of information risk management might you be interested in external support? (n=19)
– Policy writing and implementation: 11%
– Providing a framework for compliance with the principles of ISO27001: 26%
– Setting up controls for ease of systematic recording: 26%
– Guidance and support with ISO27001 certification: 26%
– Bespoke consultancy service/support with implementation of any of the above: 11%

Page 26

What format of training would you prefer? (n=16)
– Classroom based learning: 6%
– An in-company course: 25%
– Distance learning course: 13%
– Online course: 25%
– A combination of these methods: 31%

Page 27

How much time would you be prepared to invest in information security training? (n=12)
– 1 day: 25%
– 2–3 days: 25%
– 1 week: 0%
– Ongoing support over a longer period: 50%

Page 28

Are you aware of any of the following funding opportunities which may make you eligible to receive financial assistance towards training?
– Director Development Programme: 12%
– Index Vouchers: 9%

Page 29

Recommendations
• Generally little awareness of, or interest in, information assurance matters from respondents; this raises concerns regarding product viability in its current conception, and the product would benefit from further research into specific market barriers and leverage points.

• The focus group will thus be ‘held in reserve’ for a suitable event with a relevant target audience with whom future products/packages could be ‘road tested’.

• To progress product scoping, in-depth one-to-one research interviews with interested respondents could be utilised to:
– reveal insights as to potential recognition strategies towards increasing awareness
– help to ascertain why companies are not more concerned about information security issues

• Subject matter expert to identify niche SME market attributes prior to future product development, using specialist knowledge of companies most ‘at risk’ from information security issues. This phase could facilitate the development of a stronger business case behind product design.