A critical analysis of two 2006 information technology security surveys

Extract

[...] Trends are useful only when their expression is relevant: what is considered a relevant trend now may not be merely irrelevant within 5 years After an initial discussion involving the methodologies employed, the analysis will move to the theoretical that is, the implicit organization and presentation of the findings. The paper will conclude with commentary on the empirical findings and will attempt to situate and explain consistencies and inconsistencies in lieu of the motives, scope, and available information. Methodology (ACCSS 2006) The ACCSS 2006 survey was funded both privately and publicly (Australian government; AC Nielsen respectively). [...]

[...] This is to say equally that simply because an overwhelming number of technologies saw a decrease in utility, it does not follow that the trend reported in EYGM 2006 regarding increasing investments in information security technology is not sound, not representative, or indicative of some other management-related deficiency, such as a general misuse of funds for technological solutions. This sort of claim is motivated by the following logic: if there is more investment in information technologies, how would it also obtain that there is a general downward trend in the use of that technology? [...]

[...] The driving question here is: what are the practices necessary to achieve a sufficient risk management strategy given the integration of information technology security within core or essential business drivers? Other discrepancies can be drawn, but the difference here is rather fundamental. It is made more manifest via the explicit indication in ACCSS 2006 of a methodological limitation. In particular, ACCSS contains this explicit restriction, one that necessarily opposes what was just said about EYGM 2006: limitation of this survey is the inability to compare performance against various metrics with organizations' usage and their perceived dependence on, or the criticality of, their IT system for their core business.” EYGM 2006 posits that “information risk management is becoming integrated into overall risk management” (EYGM 2006, 12) As overall risk management is per se a necessary condition for any core business, the indication of increased integration IT risk management is inconsistent with the idea that the nature of the study forbids a comparative analysis which EYGM 2006 logically necessitates. [...]

[...] Empirical (EYGM 2006) The Ernst and Young Global Information Security (EYGM Limited, 2006) Survey has a goal-oriented approach to the organization of its findings. Reported trends are categorized according to five major conditions: the integration of information technology with more general business goals, compliance practices/standards, third-party relationship status, privacy and personal data protection, and the design and generation of information security. Globally, investments in information security technologies and standards are increasing. This includes human capital, monetary capital, and formalization (i.e. [...]

[...] EYGM 2006 included an approach more conducive to the prescriptive action that the authors characterized as an objective of the study. Empirical (ACCSS 2006) (ACCSS) One seemingly relevant trend is indicated in the finding regarding increasing disparity between internal versus externally-sourced attacks”; in particular, “internal attacks have reduced in volume and external attacks have remained high.” (ACCSS pg. 19) While this discrepancy seems might validate companies seeking to invest more in the technologies and practices that most effectively respond to externally- sourced attacks, analysts would be prudent to forego hasty advice since there are considerations which might greatly influence the utility of those practices. [...]