
Phase II: Evaluation

CHAPTER 4: EXPLORATORY DATA ANALYSIS AND DISCUSSION OF THE FINDINGS

4.7. Data Analysis – Presentation

4.7.2. Analysis of Data – Phase I: Part 2

The end-users (n=7) were questioned regarding their level of engagement in a separate interview. Since the aim of the study is to explore the role of end-users in ISIM practices, Part 2 of the questionnaire was administered, coded, and analysed separately, specifically for end-users.

The data collected in response to question #1 (“Have you ever been involved in the setting of information incident security management guidelines in your organisation?”) revealed that there is limited involvement of end-users in the ISIM processes — planning, preparation, and policy formulation. It appears that the majority of organisations do not have a culture of engaging all users, including end-users, in ISIM and awareness practices. A case in point by Participant # B5, end-user from organisation E1, suggests that:

“We do the information security policy with the involvement of ICT staff only and also we have agreed to share information and draft policies with ICT concerned parties.”

[Participant # B5_End-user, Organisation E1]

As the previous response was negative, no further information was collected from question #2 (“If your answer to the above question is 'YES', describe your level of participation.”).

In response to question #3 (“Have you ever participated in an information security incident awareness program?”), the end-users indicated that they were not engaged in information security policy awareness and formulation.


An end-user Participant #B2, from organisation B1 indicated the following:

“I was only participated in one training session organized by the organisation about general information security and how to protect ourselves”.

[Participant # B2_End-user, Organisation B1]

One end-user, Participant #B3, from organisation C1, indicated the participation as the following:

“Yes, I have been part of the information security awareness and training sessions”.

[Participant # B3_End-user, Organisation C1]

In response to question #4 (“If your answer to the above question is ‘YES’, describe your role with regard to communication and awareness aspects to improve information security incident management in your organisation”), one end-user from organisation C1 (Participant B#3) described the general involvement level as the following:

“The ICT office with information security experts describes some aspects of contemporary security threats and they communicate us with papers and presentations. And they inform us how to protect and work in our routine operation”

[Participant B #3_End-user, Organisation C1]

In response to question #5 (“If your answer to the question 3 is 'NO', what should your organisation put into practice to involve end-users and stakeholders to become aware and communicate with them, in order to improve information security incident management?”), the data revealed that end-users are interested in being part of the ISIM processes.

The end-users stressed that they prefer to be engaged in information security incident issues for a shared understanding and up-skilling. Information security policies are framed by the top management and ICT officers. The information security policies have been developed with information security experts and managers without the notification or consultation of end-users. End-users proposed that facets such as participation, up-to-date information on incidents, communication of incidents, incident handling and collaborative discussions with all stakeholders of the organisation are of importance to them. The following responses substantiate these propositions from the end-users. An end-user from Organisation A1 indicated that the participation of end-users in the process of ISIM benefits not only the individual, but also the organisation. Cases in point:

“It would have been very good if our organisation would have provided me the opportunity to participate in information security issues that concern us to the benefit of the organisation”

[Participant B #1_End-User, Organisation A1].

“I believe that end-users are part of the organisation and the primary vulnerable if incidents happen. So I believe the management should consider us in not only policy issues but also regular update information about incidents”

[Participant B #1_End-User, Organisation A1].

“It is good if they can involve us and provide the necessary training and communication on up-to-date security issues”

[Participant B #4_End-User, Organisation D1].

“Creating awareness regarding how to handle information security issues”

[Participant B #5_End-User, Organisation E1].

“It would be very good if our organisation could create a routine program on awareness raising issue. Creating awareness regarding how to handle information security issues”

[Participant B #6_End-User, Organisation F1].


“It is better if our organisation can create and organize different stakeholders of our organisation (end-users, managers, security experts and ICT personnel) so that they can discuss and solve information security incident problems”

[Participant B #6_End-User, Organisation F1].

“It is important to have up-to-date information on the existing organisational information security incident and policies”

[Participant B #3_End-User, Organisation C1].

The responses to question #6 (“In your opinion, how can your organisation plan and prepare better information security management through awareness and communication mechanisms?”) were incidental to the investigation. Despite some end-users stating opinions that were not directly related to the question raised, issues of participation, collaboration, communication, provision of awareness protocols and training were emphasised. The following cases in point also substantiate the requirement for end-user participation in ISIM:

“I think it will be good if the organisation frequently and consistently practice information security training and awareness to all employees irrespective of their position and role. And we also need a computer-based system that alarms us that we are under threat or to aware us [sic]”

[Participant B #3_End-user, Organisation C1].

“It is good if organisation can keep update us on information security policies, current incidents, how to combat from their responses and to collaborate us in the operational activities of the security program”

[Participant B #4_End-user, Organisation D1].

“Besides reporting on critical incidents of the organisation, it is important to have up-to-date information on the existing organisational information security incident and policies.”

[Participant B #5_End-user, Organisation E1].


“I think it would be improved if organisation could start working together with all concerned stakeholders of the organisation in terms of security threats orientation, security decisions taken and lessons learnt which can help us to learn and prevent from repeated mistakes”

[Participant B #6_End-user, Organisation F1].

“I believe that the management and all staff should work in collaboration in order for the security policy and controls to work better”

[Participant B #2, End-user, Organisation B1]

“It is good if they can involve us and provide the necessary training and communication on up-to-date security issues”

[Participant B #4_End-user, Organisation D1]

Thus, it was gathered from the end-user perspective that the role of communication, participation and awareness for information security incident management is a critical convention within the organisations studied.