The House of Security: Stakeholder Perceptions of Security Assessment and Importance

Abstract

Abstract In this paper we introduce a methodology for analyzing differences regarding security perceptions within and between stakeholders, and the elements which affect these perceptions. We have designed the “House of Security”, a security assessment model that provides the basic framework for considering eight different constructs of security: Vulnerability, Accessibility, Confidentiality, Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy and Procedures, and Security Culture. We designed and performed a survey of about 1500 professionals in various industries, levels, and functions resulting in a gap analysis to uncover differences (1) between the different constructs and aspects of security, (2) between different enterprise stakeholder roles, and (3) between different organizations. This paper briefly describes the development of the security constructs and some of the preliminary findings. Introduction Security is crucial for the success of any organization and many organizations have adopted stringent security policies. Though many of these security policies are valuable, an organization is limited by the amount of resources it can devote to protecting its flows of information. Security costs can be incurred monetarily (e.g., the price of a new firewall) or non-monetarily (e.g., requiring employees to use convoluted passwords or confusing software-protection programs). An organization’s goal should be to develop the most cost-effective approach to security, which is further complicated by the different priorities of the various stakeholders in the organization. In addition, as organizations evolve into extended enterprises, which includes ties with suppliers, customers, and other partners, there will be a significant increase in the number of stakeholders and thus a wider range of security requirements.