Information systems security awareness.


Academic year: 2021


“Hacking is possible through weakness of software or hardware; social engineering is possible through weakness of wetware.”

TABLE OF CONTENTS

TABLE OF CONTENTS ... 2
APPENDICES ... 3
APPENDIX A: DEFINITIONS, ACRONYMS AND ABBREVIATIONS ... 4
APPENDIX B: DELOITTE TOUCHE TOHMATSU ... 6
APPENDIX C: DTT GSS’S AND E&Y GISS’S ... 10
APPENDIX D: COBIT AND COSO ... 18
APPENDIX E: QUESTIONNAIRE ... 22
APPENDIX F: DTT GSS, E&Y GISS FINDINGS ... 27
APPENDIX G: ACTIONS AND CONTROL ACTIVITIES ... 34

APPENDICES

APPENDIX A: Definitions, Acronyms and Abbreviations

CA = Control Assurance
CBS = Centraal Bureau Statistiek
CIO = chief information officer
CISO = chief information security officer
Deloitte ERS = Deloitte Enterprise Risk Services
DQI = Data Quality and Integrity
DTT = Deloitte Touche Tohmatsu
E&Y = Ernst & Young
ERM = Enterprise risk management
GISS = Global Information Security Survey
GSS = Global Security Survey
ISSA = information systems security awareness
IT = Information Technology
RuG = Rijksuniversiteit Groningen
SSG = Security Services Group
WS = Web Services

Behaviour: The aggregate of the responses or reactions or movements made by an organism in any situation.

Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Control Objective: A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Enterprise Risk Management: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Internal Control: Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Organizational behaviour: The aggregate of the responses or reactions or movements made by an individual employee, a group of employees or all employees within an organization in any situation and work environment.

Organizational culture: The set of shared, taken-for-granted implicit assumptions that a group holds and that influences how it perceives, thinks about, and reacts to its various environments.

Reasonable Assurance: Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with precision.

Risk: Risk is the uncertainty of outcome, within a range of exposure, arising from a combination of the impact and probability of potential events or non-events decreased by the level of control.

Security awareness: Security awareness can be defined as the understanding by people of their role in ensuring the security of information and information technology and their ability to make prudent decisions about security.

Social Engineering: Social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust.

APPENDIX B: DELOITTE TOUCHE TOHMATSU

With approximately 120,000 professionals at work in nearly 150 countries, the member firms of Deloitte deliver audit, tax, consulting and financial advisory services worldwide. Revenues for the fiscal year ended May 31, 2004, were US$16.4 billion, up 8.4% from the previous year.[1]

                  2004       2003       2002       2001      2000
Revenues (US$)    $16.4[1]   $15.1      $12.5      $12.4     $11.2
People            115,000    119,770    100,398    95,447    92,064
Countries         148[2]     144        141        140       130
Cities            670        656        687        708       700

[1] In billions of US dollars; Deloitte fiscal year ends May 31, 2004.

[2] Includes all countries where Deloitte had a physical presence through October 22, 2004.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. The member firms are legally independent of one another but operate under related names. Deloitte Touche Tohmatsu serves more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients and successful, fast-growing global growth companies. The Verein sets guidelines for the member firms and provides each member firm with exclusive privileges in its specific jurisdiction. DTT does not provide service to clients as a Verein.2

FOUNDERS

William Welch Deloitte

William Welch Deloitte was one of the fathers of the accountancy profession. A grandson of a Count de Loitte, who had fled France during the French Revolution, Deloitte started his career early. At the age of 15 he became an assistant to the Official Assignee at the Bankruptcy Court in the City of London, and there he learned the business. The fledgling accountancy profession grew from its early days in the lucrative business of sorting out the affairs of bankrupts. In 1845, at the age of 25, Deloitte opened his own office opposite the Bankruptcy Court in Basinghall Street. Three momentous Companies Acts created joint-stock companies, laying the foundation for modern company structures, and Deloitte was in his element. He made his name with the industry of the day — the railways — and in 1849 at the Great Western Railway, amidst a great commotion, he became the first independent auditor ever appointed. He discovered frauds on the Great North Railway, invented a system for railway accounts that protected investors from mismanagement of funds, and was to become the grand old man of the profession.

As president of the newly created Institute of Chartered Accountants, Deloitte found a site for its headquarters in 1888. In 1893 he opened offices in the United States and soon after started to audit a growing soap and candle business. Over a century later, Procter & Gamble is still a client. In 1952, Deloitte's firm in the United States merged with Haskins & Sells.3

George Touch

Were it not for the English inability to pronounce Scottish names, the name Touche would never have set its imprint on the accountancy world. When George Touch qualified as an accountant in Edinburgh in 1883 and, like so many, set off south to seek his fortune, there was no "e" on the end of his name. In fact, the end of the name was pronounced in the same way as the Scottish "loch." "With a view to preventing the ordinary mispronunciation of my surname," he later changed it.

Financial disasters in the new and booming investment trust business gave him his business opportunity. His reputation for flair, integrity, and expertise brought him a huge amount of work setting these trusts on the straight and narrow. A similar flair for saving doomed businesses from disaster and restructuring them led to the formation of George A. Touch & Co. in 1899. And in 1900, along with John Niven, the son of his original Edinburgh accounting mentor, he set up the firm of Touch, Niven & Co. in New York. Offices spread across the United States and Canada and were soon attracting clients like R. H. Macy. In the United Kingdom, General Electric Company was an important client — and still is.

Meanwhile Touche himself took his reputation for probity to the electors, became MP for North Islington in 1910, and was knighted in 1917. He died in 1935.4

Admiral Nobuzo Tohmatsu

The Japanese practice of Tohmatsu owes its origins to Admiral Nobuzo Tohmatsu. He worked as a naval attache at the London embassy, where he had the honor of being invited to George V's silver wedding anniversary at Buckingham Palace. He had also been an instructor at the Naval Paymasters Academy. Among his students were many talented people who took an active part in the official and economic worlds after the war.

After Tohmatsu qualified as a certified public accountant at the age of 57 in 1952, he became a partner in a foreign-affiliated accounting firm and a director of a private corporation. In 1967, he became president of the Japanese Institute of CPAs. At this time, the Japanese government wanted to see national audit corporations established, and Tohmatsu asked Iwao Tomita, a former student, to respond to that challenge. Tomita had also earned an MBA at the Wharton School in the United States. Tohmatsu and Tomita had a common sense of purpose and were closely bound by similar experiences in the Navy. Thus, in May of 1968, Tohmatsu & Co. (formerly Tohmatsu Awoki & Co.) was incorporated.

The key to Tohmatsu's growth was the decision to send a substantial number of partners and professional staff overseas to gain experience. From the beginning, this meant the firm was internationally focused, and it is reflected in its long-standing international clients.5

DELOITTE NETHERLANDS

Approximately 6,000 people are employed by Deloitte Netherlands. With a revenue of €664,854, this comes down to €106,941 per employee in fiscal year 2004/2005. As a result of significant mergers, Deloitte Netherlands is the second largest professional and financial services provider in the Netherlands. Deloitte Netherlands delivers audit, tax, consulting and financial advisory services.

DELOITTE ERS

Deloitte ERS is divided into five competence groups. These groups are:

- Data Quality and Integrity (DQI)
- Control Assurance (CA)
- Security Services Group (SSG)
- Risk Management / Integrated Audit (RM/IA)
- Web Services (WS)

Figure: ERS Competence Groups (the five groups placed on an axis running from Data to Process: Data Quality and Integrity, Security Services Group, Control Assurance, Web Services, Risk Management / Integrated Audit)

The five competence groups can be placed on a spectrum. From DQI to RM/IA, the character of the services they deliver shifts from a quantitative to a qualitative approach, from a data-oriented to a more process-oriented one. A group that has been left out of this spectrum is INVision, which offers internal services to the other groups.

Risk Management / Integrated Audit

Risk Management / Integrated Audit helps clients establish sustainable, internal capability to identify, assess, and manage risks to the achievement of their objectives, and the integrity and effectiveness of their processes.

The participative approach develops ownership, accountability, and the enthusiastic support of each department and business unit in the organisation. It builds an end product that helps people manage risks to the achievement of their objectives within a simple-to-understand risk framework. Risk frameworks map an organisation's universe of risk and control, including strategic, operational, financial, and compliance risks.

By using the combination of structured risk frameworks, workshops, awareness programs, reporting and accountability processes, they try to engage, enthuse and enable people - from members of the Board and management, to front line employees, team leaders, and supervisors - to develop a sustainable capability to assess and manage risk and control across an organisation.

Control Assurance

The mission of Control Assurance (CA) is to identify and test internal control policies and procedures. They typically provide their services to clients with significant use of computers as part of an examination of financial statements or as a stand-alone engagement.

There is a strong connection with other ERS groups and consulting projects.

By providing monitoring and independent assessment, CA professionals can help determine that processes put in place to manage risk and run the business are functioning as intended.

By pursuing a value-added audit strategy, CA professionals are able to identify new or more effective controls as a result of changes in clients' systems or technology, and to identify more efficient, automated controls that are designed to eliminate or reduce manual effort.

CA services also help clients reduce their total audit effort by providing an independent report on controls for the use of the service organisations' customers.7

Security Services Group

The Security Services Group provides customers with an end-to-end offering that addresses the organization's need to better assess and manage risks. The focus of the activities of SSG is on IT security and system security.8

Data Quality and Integrity

Data Quality and Integrity has stated the following mission: “to apply mathematical and statistical expertise and software skills to assist our clients in questions relating to data by providing effective and efficient methods and tools”. Data quality was stated as: “assessment and measurement of the quality of data and derived information, including root cause analysis of data quality issues and data cleansing and other corrective actions”. It is their goal to apply industry, quantitative and statistical performance measurements, benchmarks and scoring techniques to deliver executive information systems.9

Web Services

The Web Services team is developing software for internal and external use. The innovative e-business platform Deloitte INVision was created by the team. Other products developed by the Web Services team are AuditSystem/2 which was built in cooperation with the Deloitte development team in Princeton, and the KMO Rapport Generator which generates annual statements of accounts for small and medium sized businesses.10

APPENDIX C: DTT GSS’S AND E&Y GISS’S

INTRODUCTION TO THE DTT GSS’s

This section is largely based on the content of the 2003, 2004 and 2005 GSS’s (Deloitte Touche Tohmatsu, 2003, 2004, 2005). DTT has executed three major global security surveys, in 2003, 2004 and 2005. Every year the results are bundled in the DTT Global Security Survey report.

The GSS’s report on the outcomes of focused discussions between DTT and DTT member firms’ Security Services professionals and Information Technology (IT) executives of top global financial services institutions (FSIs).

The purpose of the GSS 2003 was to enable companies to assess the state of information security within their organization relative to other comparable financial institutions. The 2003 survey stated that it attempts to answer the question: “How does the information security of my organization compare to that of my competitors?” The goal of the 2005 GSS was to help respondents assess the state of information security within their organization relative to other comparable financial institutions around the world. Overall, the 2005 GSS attempts to answer nearly the same question as the 2003 GSS: “How does the information security of my organization compare to that of my counterparts?” This slight change in wording had already been made in the 2004 GSS. Although both the 2004 GSS and the 2005 GSS state that, where possible, questions asked in previous GSS’s have been repeated, neither comments on the change of wording in the central question. Because the change in wording has no influence on the qualitative analysis of this research, and because the GSS itself does not comment on it, there is no reason to go deeper into this.

It is important that, where possible, questions asked in the 2003 and 2004 GSS have remained constant, thereby allowing for the collection and analysis of trend data. To make sure questions remain relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the ‘hot’ issues being addressed by financial institutions at a global level.

As the subtitle of this thesis also argues, one of the outcomes of the 2005 Global Security Survey was that internal information security attacks are outgrowing external security attacks at the world’s largest financial institutions. “Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks which target customers and internal attacks, indicate that there is a new threat that has to be addressed,” says Adel Melek, a partner in the Canadian member firm and Global Leader of I.T. Risk Management & Security Services within the Global Financial Services Industry. The GSS makes clear that, after the great progress in deploying technological solutions against direct external threats, the employees of these top global financial services institutions can today predominantly be seen as the weakest security link. An important factor in this new threat is ‘information systems security awareness’.

DTT GSS 2003

Objective

The purpose of the Global Security Survey is to enable you to assess the state of information security within your organization relative to other comparable financial institutions. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my competitors?

Deloitte Touche Tohmatsu’s Global Security Survey for financial institutions provides insights into these and other vital questions and the answers come from the world’s leading financial institutions. Understanding the strengths and weaknesses of your organization relative to those of your competitors helps your executive group make key strategic decisions and position your company appropriately. This Global Security Survey reports on the outcome of focused discussions between Deloitte Touche Tohmatsu’s Information Security & Privacy Services professionals and Information Technology (IT) executives of top global financial institutions.

Discussions with representatives of these institutions were designed to identify, record, and present the state of the practice of information security in the financial services industry with a particular emphasis on levels of perceived risks, the types of risks with which financial institutions are concerned and the resources being used to mitigate these risks. The survey also identifies what technologies are being implemented to improve security and the value financial institutions are gaining from their security investments. To fulfill this objective, senior members of Deloitte Touche Tohmatsu’s Information Security & Privacy Services professionals designed a questionnaire that probed eight aspects of strategic and operational areas of security and privacy. These eight areas, and their sub areas, are described in the section entitled Areas Covered by the Survey. Anonymous responses of participants relating to the eight areas of the questionnaire were subsequently analyzed, consolidated and presented herein in both qualitative and quantitative formats.

Survey Scope

The scope of the survey was global, and, as such, encompassed financial institutions with worldwide presence and operations in one of the following geographic regions: Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); Latin America and the Caribbean (LACRO); and North America. Respondents fell into three primary industry sectors. While industry sector focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence, and market domination were taken into consideration. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported may not be representative of each identified geographic region.

Drafting of the Questionnaire

The questionnaire was comprised of questions composed by a team made up of senior professionals from Deloitte Touche Tohmatsu’s Information Security & Privacy Services. The questionnaire went through five iterations where each question was tested against global suitability, timeliness, and degree of value. The purpose was to identify and record the state of information security and privacy in the financial services industry.

The Data Collection Process

Once the questionnaire was finalized and agreed upon by the survey team, the


assigned responsibility to senior members of their security services practice who were held accountable for attaining answers from the various financial institutions with whom they had a relationship.

Results Analysis and Validation

The DeloitteDEX team was responsible for analyzing and validating the data from the survey. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX Advisory Services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analyses measuring financial and/or operational performance. Clients’ performance can be measured versus that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting best practices on a company, industry, national or global basis, as appropriate.

The DeloitteDEX team arranged the data by geographic origin of respondents. As the respondents numbered less than 100, it was not necessary to reduce the list by counting how many times particular answers to specific questions occurred in order to build frequency distributions. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis straightforward.

DTT GSS 2004

Objective

The goal of the 2004 Global Security Survey is to help participants assess the state of information security within their organization relative to other comparable financial institutions around the world, and against themselves year over year, to the extent they respond to the survey annually. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the data collected for the 2004 survey, DTT can begin to determine differences and similarities, identify trends and allow participants to answer more in-depth questions, such as: How is the state of information security changing within my organization? and, Are these changes aligned with the evolution of the rest of the industry? Where possible, questions that were asked as part of the 2003 Global Security Survey have been repeated, thereby allowing for the collection and analysis of trend data. To ensure that the questions remained relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the “hot” issues being addressed by financial institutions at a global level. Two such areas were Business Continuity Management and Privacy. To help differentiate this survey from any previously existing surveys, Deloitte subject matter experts were approached and their knowledge leveraged to identify the questions with the most impact.

The 2004 GSS reports on the outcome of focused discussions between Deloitte Touche Tohmatsu member firms’ Security Services professionals and information technology (IT) executives of top global financial services institutions (FSIs). Discussions with representatives of these organizations were designed to identify, record and present the state of the practice of information security in the financial services industry with a particular emphasis on identifying levels of perceived risks, the types of risks with which FSIs are concerned and the resources being used to mitigate these risks. The survey also identifies which technologies are being implemented to improve security and the value that FSIs are gaining from their security investments.

Survey Scope

The scope of the survey was global and, as such, encompassed financial institutions with worldwide presence and operations in the following geographic regions: North America; Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); and Latin America and the Caribbean (LACRO). To ensure organizational consistency, and to preserve the value of the answers, the majority of financial institutions were interviewed in their country of headquarters. The strategic focus of financial institutions spanned a variety of lines of business, including banking, securities, insurance and investment management. While industry focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence, and market share were taken into consideration. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported herein may not be representative of each identified region.

Drafting of the questionnaire

The questionnaire was comprised of questions composed by the global survey team made up of senior Deloitte Touche Tohmatsu member firms’ Security Services professionals. Questions were selected based on their effectiveness in reflecting the most important operating dimensions of a financial institution's processes or systems in relation to security and privacy. The questions were each tested against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the financial services industry. As this is the second year for the survey, and acknowledging the importance of trend data, various questions were repeated to determine if and how quickly participants were reacting to changes in the market environment and how market variables cascaded around the globe. New questions were added to reflect topics being asked about by our clients and topics written about in the media.

The collection process

Once the questionnaire was finalized and agreed upon by the survey team, the questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior members of their security services practice who were held accountable for attaining answers from the various financial institutions with whom they had a relationship. Most of the data collection process took place through a face-to-face interview with the Chief Security Officer (CSO/CISO) or designate, and in some instances, with the IT security management team.

Results analysis and validation

The DeloitteDEX team helped with extracting the data from the survey. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX Advisory Services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analysis measuring financial and/or operational performance. Clients’ performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting best practices on a company, industry, national or global basis, as appropriate.

Once the DeloitteDEX team received the data, it was arranged by geographic origin of respondents. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis simple and straightforward.

DTT GSS 2005

The goal of the 2005 Global Security Survey is to help respondents assess the state of information security within their organization relative to other comparable financial institutions around the world. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the 2005 data with that collected for the 2003 and 2004 surveys, we can begin to determine differences and similarities, identify trends and introduce more in-depth questions, such as How is the state of information security changing within my organization? and Are the changes aligned with the evolution of the rest of the industry? Where possible, questions that were asked as part of the 2003 and 2004 Global Security Surveys have remained constant, thereby allowing for the collection and analysis of trend data. So that questions remain relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the “hot” issues being addressed by financial institutions at a global level. Deloitte subject matter specialists were enlisted and their knowledge leveraged to identify questions with the most impact.

The 2005 Global Security Survey reports on the outcome of focused discussions between Deloitte Touche Tohmatsu (DTT) and DTT member firms’ Security Services professionals and Information Technology (IT) executives of top global financial services institutions (FSIs). Discussions with representatives of these organizations were designed to identify, record, and present the state of the practice of information security in the financial services industry, with a particular emphasis on identifying levels of perceived risks, the types of risks with which FSIs are concerned and the resources being used to mitigate these risks. The survey also identifies which technologies are being implemented to improve security and the value FSIs are gaining from their security investments.

Survey scope

The scope of the survey was global, and, as such, encompassed financial institutions with worldwide presence and head office operations in one of the following geographic regions: North America; Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); and Latin America and the Caribbean (LACRO). To promote consistency, and to preserve the value of the answers, the majority of financial institutions were interviewed in their country of headquarters. The strategic focus of the financial institutions spanned a variety of sectors, including Banking, Securities, Insurance and Asset Management. While industry focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence and market share were taken into consideration. Due to the diverse focus of the institutions surveyed and the qualitative format of the research, the results reported herein may not be representative of each identified region.

Drafting of the questionnaire

The questionnaire comprised questions composed by the global survey team, made up of senior Deloitte security services professionals. Questions were selected based on their potential to reflect the most important operating dimensions of a financial institution's


against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the financial services industry. As this is the third year of the survey, and acknowledging the importance of trend data, various questions were repeated to determine if, and how quickly, participants were reacting to changes in the market environment and how market variables cascaded around the globe. New questions were also added to reflect topics being asked about by Deloitte's clients and written about in the news.

The collection process

Once the questionnaire was finalized and agreed upon by the survey team, the questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior members of their security services practice, who were held accountable for obtaining answers from the various financial institutions with whom they had a relationship. Most of the data collection took place through face-to-face interviews with the Chief Information Security Officer/Chief Security Officer (CISO/CSO) or designate, and in some instances with the security management team. For the first time, Deloitte offered pre-selected financial institutions the ability to submit answers online, using an online questionnaire managed by DeloitteDEX Advisory Services.

Results analysis and validation

The DeloitteDEX team is responsible for analyzing and validating the data from the survey. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX Advisory Services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analyses measuring financial and/or operational performance. Deloitte’s clients’ performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting leading practices on a company, industry, national or global basis, as appropriate.

INTRODUCTION TO THE E&Y GISS's

This section is largely based on the content of the E&Y 2001, 2002, 2003 and 2004 GISS's (Ernst & Young, 2001, 2002, 2003, 2004). The results of these surveys were bundled and made public via the GISS reports.

For the 2001 and 2002 surveys E&Y conducted a number of face-to-face and telephone interviews using a structured questionnaire among a representative sample of CIOs, IT Directors and business executives in countries across Europe. In 2001 a total of 273 interviews were completed and responses were analysed on an anonymous basis by IDA, a recognised market research agency, to produce the aggregated, tabulated results. The main survey findings have been analysed in full for each question, profiled by country and a range of industry sectors. In statistical terms, the sample achieved provides 95% confidence limits of plus or minus four percentage points at the 50% level, on average.


For the 2003 survey E&Y's results were collected with the assistance of more than 1,400 organizations whose executives completed the questionnaire over a two-month period early in 2003. For more details on the methodology refer to Appendix ?.

To ensure that the survey met the highest quality standards, for the 2004 survey the E&Y Quantitative Economics and Statistics (QUEST) Survey Team was asked to assist in designing and implementing the questionnaire. The QUEST Survey Team has used its skills to implement and analyze surveys for numerous large corporations and organizations. After a review of the survey questions for bias and ambiguity, QUEST distributed the survey to designated E&Y professionals in each country. Since most survey results were gleaned from actual interviews, QUEST included a guideline sheet created to help minimize possible interviewer bias. During 2004 face-to-face interviews were conducted using a structured questionnaire with chosen respondents, usually chief information officers (CIOs) and chief information security officers (CISOs). In those cases where a face-to-face interview was not possible, the survey was delivered electronically. More than 1,230 organizations participated in the survey. Among them were some of the largest and best companies in the 51 countries that were represented.

E&Y GISS 2001

During October and November 2000, Ernst & Young conducted a number of face-to-face and telephone interviews using a structured questionnaire among a representative sample of CIOs, IT Directors and business executives in countries across Europe. A total of 273 interviews were completed and responses were analysed on an anonymous basis by IDA, a recognised market research agency, to produce the aggregated, tabulated results. The main survey findings have been analysed in full for each question, profiled by country and a range of industry sectors. In statistical terms, the sample achieved provides 95% confidence limits of plus or minus four percentage points at the 50% level, on average. In analysing the results, reference was made to previous Ernst & Young security surveys carried out during 1998 and 1999, with the aim of identifying trends and change rather than direct comparison.

E&Y GISS 2002

During October and November 2001, Ernst & Young conducted a number of face-to-face and telephone interviews using a structured questionnaire among a representative sample of CIOs, IT Directors and business executives in countries worldwide. A total of 459 interviews in 17 regions were completed and responses were analyzed on an anonymous basis by IDA, a recognized market research agency, to produce aggregated, tabulated results. The main survey findings have been analyzed in full for each question, profiled by country and a range of industry sectors. In statistical terms, the sample achieved provides 95 percent confidence limits of plus or minus four percentage points at the 50 percent level, on average. In analyzing the results, reference was made to Ernst & Young security surveys carried out previously, with the aim of identifying trends and change rather than direct comparison.

E&Y GISS 2003

The results of Ernst & Young's 2003 Global Information Security Survey were gleaned with the assistance of more than 1,400 organizations whose executives completed the questionnaire over a two-month period early in 2003.


other information technology executives. E&Y found that the response profiles of the individual countries were remarkably similar to one another.

The survey asked 40 questions on all aspects of information security. Question topics dealt with how information security is situated and directed within the organization.

E&Y GISS 2004

To ensure that the survey met the highest quality standards, E&Y asked the E&Y Quantitative Economics and Statistics (QUEST) Survey Team to assist in designing and implementing the questionnaire. Established in 1994, QUEST has been engaged by numerous entities to tackle difficult economic, policy, and quantitative issues. The QUEST Survey Team has used its skills to implement and analyze surveys for numerous large corporations and organizations. After a review of the survey questions for bias and ambiguity, QUEST distributed the survey to designated E&Y professionals in each country. Since most survey results were gleaned from actual interviews, QUEST included a guideline sheet created to help minimize possible interviewer bias. During February through June 2004, E&Y conducted face-to-face interviews using a structured questionnaire with chosen respondents, usually chief information officers (CIOs) and chief information security officers (CISOs).

In those cases where a face-to-face interview was not possible, the survey was delivered electronically. More than 1,230 organizations participated in the survey. Among them were some of the largest and best companies in the 51 countries that were represented.


APPENDIX D: COBIT AND COSO

COBIT Initiative

The dependence on IT systems and electronic information has become increasingly important in supporting critical business processes. In addition, the ongoing development of regulations requires stricter control over information. Increasingly, the management of IT-related risks and being in control is understood as an essential part of the continuity of the organization. It is therefore recognized that IT governance is becoming more and more prominent. IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. (COBIT, 2000)

This is the reason that the following question is the one most frequently asked of auditors: "What are the minimum controls that need to be in place for you to say it's well controlled?" The Control Objectives for Information and related Technology (COBIT) answers this question by defining the control objectives that should be in place for all of the activities within an information systems function.

Objective

The main objective of the COBIT project is the development of clear policies and good practices for security and control in IT, for worldwide endorsement by commercial, governmental and professional organizations. It is compliant with the COSO perspective (Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework, 1992), which is first and foremost a management framework for internal controls.

The model

COBIT defines four domains, 34 processes and a total of 318 detailed control objectives. The segmentation of processes over domains is as follows:

• Planning & Organization (11 processes).
• Acquisition & Implementation (6 processes).
• Delivery & Support (13 processes).
• Monitoring (4 processes).

COBIT is designed to be used by three different user groups:

• Management: to help them balance risk and control investment in an often unpredictable IT environment.
• Users: to obtain assurance on the security and controls of IT services provided by internal or third parties.
• Auditors: to substantiate their opinions and/or provide advice to management on internal controls.

The currently available control models can be divided into two classes. First there are the models that focus on control of IT, and second there are the models that focus on business control. An example of a model that focuses on business control is COSO. This


positioned to be more comprehensive for management and to operate at a higher level than technology standards for information systems management. Nevertheless, according to COBIT itself, COBIT is the model for IT governance.

COBIT is aimed at addressing business objectives. The control objectives make a clear and distinct link to business objectives in order to support significant use outside the audit community. Control objectives are defined in a process-oriented manner following the principle of business re-engineering. At identified domains and processes, a high-level control objective is identified and a rationale provided to document the link to the business objectives. In addition, considerations and guidelines are provided to define and implement the IT control objective. The underpinning concept of the COBIT Framework is that control in IT is approached by looking at the information that is needed to support the business objectives or requirements, and by looking at information as being the result of the combined application of IT-related resources that need to be managed by IT processes. (COBIT, 2000)

Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more importantly, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. (COBIT, 2000)

For more detailed information on COBIT refer to http://www.isaca.ch/.

COSO Initiative

COSO is a product of the Committee of Sponsoring Organizations of the Treadway Commission.

Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management. (CSOTC, 2004)

The development of the Sarbanes-Oxley Act of 2002 in the United States and other legislation such as the Code Tabaksblat in the Netherlands underline the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify, and the independent auditor to attest to, the effectiveness of those systems. The COSO framework is a broadly accepted framework which can be used to assist in satisfying these needs.

COSO is an enterprise risk management framework. Refer to paragraph ? for the definition of ERM as determined for this thesis and refer to ? for more information on the topic of ERM.

Objective

Within the context of an entity’s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories (CSOTC, 2004):


• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations

This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. (CSOTC, 2004)

The model

This framework distinguishes eight different components of Enterprise Risk Management. These components are:

• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through evaluations, or both.

Figure ? gives a schematic view of the Internal Control – Integrated Framework. A full explanation of this framework goes too deep for this thesis. When reading the clarification of the eight interrelated components of enterprise risk management it becomes clear that information systems security awareness cannot be allocated to just one component. In the 'internal environment' the basis is set for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Part of 'control activities' are information systems controls (e.g. security access). And, for example, in 'information and communication' effective communication can positively affect information systems security awareness.

The COSO framework claims to provide a foundation for mutual understanding: when this framework is used, all parties are able to speak a common language and communicate more effectively.


APPENDIX E: QUESTIONNAIRE

Introduction

Dear Sir/Madam,

We would like to ask you if you could invest 10 minutes of your time in completing a questionnaire.

The aim of this questionnaire is to create insight into the level of awareness of security measures taken by your company to prevent sensitive information from being exposed. The target group is end-users of information systems such as PCs or laptops. This questionnaire is completely anonymous and the outcomes will be processed accordingly.

Hoping for your cooperation,

Jan Sneekes

GENERAL QUESTIONS:

Question 1: What company are you currently employed with?

Question 2: In what industry are you active at this moment?
Technology / Media / Telecom

Question 3: Which of the following positions is most comparable to your position within this company?
Executory / Supporting

Question 4: Could you indicate per item mentioned hereunder which option applies best to your organization? Within our company:

4a A. Risks are avoided / B. Challenges are confronted (A / B / Don't know)


4b B. The focus is on individual decision making (A / B / Don't know)

4c A. There is a mix of work and private life / B. There is no mix of work and private life (A / B / Don't know)

4d A. New hires feel at home / B. New hires do not feel at home (A / B / Don't know)

4e A. Employees are aware of costs / B. Employees are not aware of costs (A / B / Don't know)

4f A. Employees are free to show initiative to improve the result / B. Employees are supposed to act according to procedures and are not supposed to show initiative (A / B / Don't know)

QUESTIONS REGARDING SECURITY AWARENESS:

Question 5: Did you receive any information or training in the security measures which are implemented within your company at the commencement of your employment? (Yes / No / Don't know)

Question 6: How often do you receive information and/or training in information security? (Less / Once a year / More / Don't know)


Question 7: Do you think that the amount of information and training you receive regarding information security is sufficient? (Yes / No / Don't know)

Question 8: In your opinion, are you jointly responsible for the safeguarding of information on your company PC or laptop? (Yes / No / Don't know)

Question 9: Are you aware of the risks resulting from not complying with the rules regarding information security? (Yes / No / Don't know)

Question 10: Which form of behaviour modification will in your opinion have the best outcome in your organization? (A reward / Remit a penalty / Remit a reward / A penalty)

Question 11: At what instance would you like to be called to account? (Immediately / After a fixed period of time / At random)

Question 12: What will in your opinion be the contribution of each measure mentioned hereunder in increasing


end users of PCs and laptops? (Small contribution / Large contribution)

12a Give training regarding information security measures to new hires
12b Mandatory training regarding information security for every employee
12c Videotape / slideshow in which important topics regarding information security are presented
12d Guest speaker
12e Improve communication between end-users and management
12f Point out possible risk situations to colleagues
12g Random check of PCs and laptops (e.g. for viruses)
12h Simulate an attack on the information systems of the company
12i Report and draw attention to abandoned and unlocked PCs and laptops


12j Track down passwords left in a freely accessible location (e.g. on a sticky note)
12k Track down company-sensitive information in freely accessible dumpsters
12l An exemplary role by management
12m Make the consequences of violating security measures part of a contractual obligation
12n Monitoring of internet and e-mail behaviour
12o Making the outcomes of monitoring behaviour part of the assessment interview

We would like to thank you for your time.

Kind regards,

Jan Sneekes


APPENDIX F: DTT GSS, E&Y GISS FINDINGS

Finding 1: Growing recognition of the contribution of training and awareness

By listing one key finding out of each GSS it becomes clear that there is an ongoing growing trend in the recognition of the contribution of training and awareness to the organization's information security.

2003 GSS: “Respondents are recognizing the need for employee awareness and education.”

2004 GSS: "Creating an effective security awareness program for employees aids in the identification and protection of the organization."

2005 GSS: “Training and awareness are crucial - yet underutilized - contributors to employee vigilance surrounding an organization’s security function.”

Figure 1: Recognition of contribution of security training and awareness to information security

In the 2003 GSS there was a recognition of the need for employee awareness and training. It was stated that awareness and education programs which address internet and e-mail usage can go a long way to mitigating the impact of some of the problems related to corporate governance. Furthermore it was recognized that safeguarding information assets is a vital part of corporate governance.

It was recognized that training and awareness are an important factor in mitigating some of the problems related to corporate governance, but an exact definition of those 'problems' was not given.

After the recognition of training and awareness being important in the 2003 GSS, in the 2004 GSS the causes and effects of an effective security training and awareness program were identified. In this survey it is stated that raising employee awareness of data protection and security issues is a necessary component of an organization’s compliance with legislation and regulatory requirements. But additional advantages were recognized as well. Developing an effective information security awareness program is recognized as a key component of any successful information security strategy, as it provides a financial institution with a more knowledgeable workforce and it allows financial institutions to improve on other areas where they are currently lacking. Other advantages of


about their responsibility to protect sensitive information as well as to proactively identify potential threats.

In the 2005 GSS, security training and awareness take up a larger part of the survey than in previous years. Although remarked as underutilized, security training and awareness programs are identified there as crucial contributors to employee vigilance surrounding an organization's security function.

Conclusion finding 1

Raising employee awareness of data protection and security issues is a necessary component of an organization's compliance with legislation and regulatory requirements. Developing an effective information security awareness program is recognized as a key component of any successful information security strategy, as it provides a financial institution with a more knowledgeable workforce and it allows financial institutions to improve on other areas where they are currently lacking.

Furthermore, employees are kept informed about their responsibility to protect sensitive information as well as to proactively identify potential threats.

In the 2005 GSS security training and awareness have been recognized as crucial contributors to employee vigilance surrounding an organization's security function.

Finding 2: Decrease in dollars spent on security training and awareness

In the 2004 GSS there was a positive view of the influence and importance of the people who represent the company. It was stated that for many of the respondents, building a resiliency strategy is not just about understanding the risks, options and economic trade-offs; it is about having an alignment of its people, processes, technology and functional strategies.

As respondents attempt to make their organizations more resilient, they structure their human, physical and technical resources to be able to operate continuously when disaster strikes. This is reflected in the types of security measures respondents have implemented or maintained over the 12 months before the 2004 GSS, figure ?. Nevertheless this positive trend in the 2004 GSS seems to have slipped in some organizations when looking at the 2005 GSS results.

Figure ?: Security measures implemented or maintained in the 12 months before the survey, 2004 versus 2005 (percentage of respondents): security policy, business continuity planning, security training and awareness, system security tools.


It can be noticed that there is a decrease in all types of security measures implemented or maintained from the 2004 GSS to the 2005 GSS. Implementation and maintenance of security training and awareness has decreased from 77% to 65%.

Conclusion 2

There has been a decrease in all types of security measures implemented or maintained from the 2004 GSS to the 2005 GSS.

Implementation and maintenance of security training and awareness has decreased from 77% to 65%.

Finding 3: Security breaches of the company information systems

As discussed earlier in chapter 1, compromises of company information systems can be divided into three groups: internal, external, and a combination of both.

In the 2003 GSS 39% of the respondents acknowledged that their information systems had been compromised in some way within that year. This figure increased to a significant 83% in 2004. For the 2005 GSS no percentage is available. This strong increase is a warning that more and more companies are becoming the victim of unwanted access to their information systems.

The segmentation of attacks in the 2003 GSS was as follows:

• 16% report attacks from an external source
• 10% report attacks from an internal source
• 13% report attacks from both sources

Total: 39%

The segmentation of attacks in the 2004 GSS was as follows:

• 21% report attacks from an external source
• 13% report attacks from an internal source
• 49% report attacks from both sources

Total: 83%

It becomes clear that the combination of internal and external methods to compromise the information systems of the company has increased significantly. This shows that attacks are becoming more sophisticated by combining internal and external methods. An increase in security breaches of company information systems can be noted from 2003 to 2004: the total number of companies breached increased from 39% to 83%. Furthermore, breaches due to internal attack are on the rise. Although no figures are available, it can be stated that in the 2005 GSS, for the first time, the number of organizations that experienced internal attacks was higher than the number that experienced external ones. It is therefore even more interesting to note that security training and awareness dollars decreased from the 2004 GSS to the 2005 GSS (Finding 2). This contrasts with the fact that 86% of respondents indicate they are concerned about employee misconduct involving information systems security.

Conclusion finding 3

The combination of internal and external methods to compromise the information systems of the company has increased significantly.


The total number of companies breached has increased from 39% to 83%. Breaches due to internal attack are on the rise.

Although 86% of respondents indicate that employee misconduct involving information systems security is a concern, dollars spent on security training and awareness decreased from the 2004 GSS to the 2005 GSS.

E&Y GISS's

The findings presented in the following paragraphs result from an analysis of all four E&Y GISS's. During the analysis all outcomes reported in the surveys were gone through and assessed on their applicability and contribution to the aim of this research. The outcomes of the findings are conclusions that were used as the foundation for the next research step: drawing up the questionnaire.

Finding 1: Lack of information systems security awareness key obstacle to effective information security

One of the key findings of the 2004 GISS was that respondents named 'lack of security awareness by users' as the top obstacle to effective information security. As can be seen in figure ?, surprisingly, lack of security awareness was not listed as an obstacle in the 2003 survey; it was not even listed in the top 14 obstacles of 2003. With 56% of the respondents in 2001 and 66% of the respondents in 2002 recognizing employee awareness as a key obstacle to effective information security, it was ranked number one and number two respectively. With the exception of 2003, 'lack of security awareness by users' has been recognized as an important obstacle.

As we have seen in the DTT GSS's and in the 2002 and 2004 GISS, 'lack of security awareness by users' is an issue that cannot be neglected. Because we have seen the increasing significance of 'lack of security awareness by users' in the DTT GSS's, we can state that its absence from the key obstacles to effective information security in the 2003 GISS can be seen as an exception. The most recent (2004) survey results underline this with the number one position for 'lack of security awareness by users'. The survey states that no amount of technology can reduce the overriding impact of human complexities, inconsistencies and peculiarities; any strategy that overlooks this realization is inherently flawed. The recklessness or simple carelessness of a single employee can undermine even the best technological countermeasures.

Table 1: Key obstacles to effective information security awareness

Conclusion finding 1

Because no amount of technology can reduce the overriding impact of human complexities, inconsistencies and peculiarities, and despite the fact that 'lack of security awareness by users' was not listed as a key obstacle to effective information security in the 2003 GISS, we can state that
