the expert panel via e-mail with a cover letter that explained the proposed research project and that asked the following questions:3
• Is the content of the questionnaire appropriate for the audience?
• Are the survey items clear, and do they make sense?
• Are any of the survey items intrusive, invasive, potentially embarrassing or of a sensitive nature?
Feedback was received via e-mail and incorporated into the survey as deemed appropriate; for the most part, changes were minor.
Reliability of the survey was measured using a test-retest sequence administered to a pilot study panel of nine ISACA members who did not participate in the expert panel. The pilot study occurred during the period of 24 November 2009 and 12 January 2010. The survey was loaded into an online survey web site, and members of the pilot study were randomly assigned a number from one to nine. The panel was then sent an e-mail that instructed the participants to complete the survey on the online survey web site. The first phase of the test-retest sequence occurred between 24 November 2009 and 3 December 2009. The content and wording of the questions were not altered for the retest phase, but the questions were randomly reordered. On 21 December 2009, another e-mail was sent to the panel, instructing participants to complete the survey again. The final phase of the pilot study was completed on 12 January 2010. The results were downloaded into Statistical Package for the Social Sciences (SPSS) software for analysis. The expected outcome of the test-retest sequence was that there would be little or no significant difference between the results of test and retest data. One question did show significant difference and was, therefore, removed from the final survey.

“A debate exists within the IT community regarding the measurement of perceived security effectiveness.”

industries and in various capacities. IT professionals, rather than regular employees, were chosen for the research because they are more aware of IT security issues and are a more homogeneous group. Presenting the survey to the random public would have likely resulted in more inconclusive findings because of the heterogeneity of such a large group. By the same token, limiting the survey to one industry or organization would have limited the scope of the research.
As Knapp points out in his research, a debate exists within the IT community regarding the measurement of perceived security effectiveness. The elusive nature of the term “effectiveness,” coupled with the sensitive nature of asking an organization to measure its security, poses a challenge to developing a common industry definition.4 Richard A. Caralli elaborates on the challenging aspect of defining security effectiveness by pointing out that security is contextual and not an isolated discipline; it depends on the organization and its operations. Furthermore, effective security “must take into account the dynamically changing risk environment within which most organizations are expected to survive and thrive.”5 As such, Knapp did not attempt to establish a definition for security effectiveness for his research. Instead, the perceived effectiveness variable in his study was “based on the subjective judgment of security professionals.”6 As this research extended Knapp’s, it also based security effectiveness on the subjective judgment of security professionals.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription
to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance
Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in
writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St.,
Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date,
volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without
express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org