List of Abbreviations
Chapter 3. Methodology
3.4 Interviews
105
critical nodes or choke points that may severely hinder network services should they be compromised. The calculations were done by writing a program in the Matlab software, and then confirming the results by hand to ensure no errors occurred. Chapter 7 contains the calculations and analysis.
3.3.5 Simulations
As with mathematical calculations, simulations can be used to analyse the impact of specific variables or scenarios. The simulations are aimed at assessing the performance of network under different loading conditions or electronic warfare performance. By investigating these characteristics of the networks, the susceptibility to certain attacks can be ascertained. The simulations provide visual representation of the results, and can be used for scenarios which are too complex to calculate by hand. The simulations are computer-based Monte-Carlo simulations, where numerous iterations of the same set-up are performed with a randomised input. The results of the iterations are averaged together to provide the final result. The specific simulation set-up is determined by the objectives and certain parameters, and will be discussed with the results and analysis of the simulations in Chapter 7.
3.3.6 Conclusions and Recommendations
The conclusions are drawn from the analysis of the gathered data, and from the outcomes of the vulnerability assessment. The recommendations follow the specific findings in the conclusion;
information from the workshop and documents analysis may also provide possible recommendations. A secondary objective of the research is to provide solutions to possible vulnerable areas; these will also form part of the final recommendations.
106
anonymity, therefore no information will be provided that can identify an individual person or an associated organisation.
It was proposed that a minimum of ten interviews should be conducted, of which at least two should be international experts. The British Educational Research Association (2006) suggests six to twelve interviews are sufficient for unstructured interviews, and should the interviews be supplementing other data sufficient respondents are required cover the range of topics in the research study. Guest, Bunce, and Johnson (2005) show that the majority (approximately 70%) of code creation in interviews occurs in the first six, then approximately another 18% in the following six. As the interviews were semi-structured and were in conjunction with additional data, the ten interviews would be sufficient to cover the topic areas and provide the required information. The international respondents were to provide an international context to the South African respondents.
Twelve interviews were achieved; this is discussed in more detail below.
The experts were identified through a combination of convenience and judgement sampling. The sample was based on convenience as many were professional contacts that the candidate had made previously, and the others had contact details that were readily available to approach them. The judgement sampling was required as the candidate needed to ascertain if the prospective respondents had the relevant experience. The judgement used was based on either the publications of the prospective respondent, or the candidate's knowledge of their professional experience. All of the prospective international respondents identified have authored a book or major report. The prospective South African respondents have published at least a conference paper, or have had professional contact with the candidate.
A modified E-Delphi method was employed; the respondents had no knowledge of other respondents or their responses, and the interviews were conducted electronically. As a number of respondents were from international locations with large time differences, email was used to communicate with them; for consistency purposes, email was also used for the South African respondents (however, they were given the option of alternate contact should they wish). The E- Delphi method usually seeks to obtain consensus from respondents through iteration, where the outcomes from previous iterations are employed to solicit additional information from the respondents (Lindqvist & Nordanger, 2007). The methodology employed in this study deviates from the E-Delphi method in that consensus of responses were not required; however, reasons for responses were requested.
107
As per the ethical requirements for the research, as described in Section 3.2.1, consent is required from the organisations where necessary, and the individual prospective participants. Where necessary, the organisations of the prospective respondents were contacted in order to get gatekeeper's permission. The letter requesting the permission is presented in Appendix E. Receiving gatekeeper's permissions was facilitated through email. Some organisations required ethical clearance prior to providing permission; therefore provisional clearance was obtained in order to receive permission from the organisations. Due to the interviews being conducted by email, the informed consent letters were sent as attachments, and in the body of the email it was stated that response to the email indicates consent; however it would be preferred if the respondents explicitly stated their consent. The letter of informed consent is presented in Appendix F.
The interview was semi-structured, in that the questions were tailored or prioritised according to the individual respondent's area of specialty. The questions were pre-tested where the candidate's colleagues checked the questions. The interview questions were designed to meet the objectives of gathering data on the information warfare and security landscape, and establish the criticality on the mobile phone communications in this context. Table 3.2 illustrates the interview questions and their relevance to the study objectives.
A total of twenty-two requests were sent, seven to international experts and fifteen to South African experts. From this, a total of fifteen initial confirmations were received, giving an initial response rate of 68%. Five of the confirmations were from international experts and ten were from South African experts. Of these, twelve completed interviews were received; all five international experts responded, and seven South African experts responded. This is a 55% response rate from the initial requests, and an 80% response rate from the initial confirmations.
The responses to questions relating to perceptions were categorised into negative, neutral, and positive responses. Categories of very negative or very positive were added; these are for cases where the respondent added emphasis. Responses regarding concerns required a range of responses, these were categorised according to the offensive and defensive information warfare models presented in Sections 2.3.2.2 and 2.3.2.1, respectively. Responses were summarised quantitatively, in that the number of responses in each category were recorded. The Nvivo software package and Microsoft Excel were used for the coding and summarising process. For questions where a range of answers were expected, such as identifying threats, the responses were divided into pre-determined categories based on the offensive and defensive models of IW, namely integrity, availability,
108
confidentiality, information theft, denial, and corruption. Individual responses were then used to provide a more detailed analysis regarding the research objectives.
Table 3.2: Interview Questions Related to the Study Objectives
Objectives:
Gather information on information security trends Gather information on mobile- related security trends Establish criticality of the mobile phone infrastructure Questions:
Are you aware of any critical information infrastructure
protection (CIIP) efforts in South Africa?
If yes:
Do you believe it is sufficient?
What do you think of SA‟s efforts compared to those internationally?
Are there any international policies that may be beneficial to South Africa?
What is the largest Information Warfare threat globally and in
South Africa? (How will this affect CIIP?)
Do you think cell phones form part of the critical information
infrastructure?
What is the biggest security threat or risk regarding cell phones,
and what should or can be done about it?
How important do you think cell phones are for:
Large businesses Small businesses Military
Government Security services
Insurgents/criminals/terrorists
How do you think SA‟s CIIP efforts are viewed internationally?
(for South African respondents only)
How do the SA efforts and policies compare to those in your
country? (for international respondents only)
Are there any policies in your country that may of benefit to SA,
or vice versa? (for international respondents only)
109