
Analysis of questionnaire results

4.5 The management framework of AIS security

4.5.1 AIS security policy
4.5.2 Security training and awareness program
4.5.3 Risk assessment
4.5.4 Incident response, disaster recovery and business continuity plan
4.5.5 Security budget
4.5.6 Security standards and certification
4.5.7 AIS security effectiveness

4.5.1 AIS security policy

There is wide agreement in the literature that the security policy is the starting point of security management. Whitman (2003) argued that the security policy is a company's first and most important layer of security. In addition, Wiant (2005) stated that the first step towards achieving good information security within a company is to ensure that the security policy at hand is followed, maintained and updated. David (2002) also indicated that only through the implementation and enforcement of policy could proper security be realised. Moreover, Fulford and Doherty (2003) argued that effective information security management is predicated on the formulation and utilisation of a security policy, while Poore (1999) stated that the lack of a security policy could result in the company subjecting its IS and information to undue risks and increasing the potential for unacceptable loss, liability or harm to the company and to other relevant parties.

Given the importance of the AIS security policy, this section presents the questionnaire results on the existence of such a policy and the frequency with which it is updated. The section is concerned with testing Hypothesis 1.1 (Section 3.2.4 in Chapter 3), which can be expressed as follows:

H1.1: There are no significant differences among UK companies in different industry sectors concerning the existence of an AIS security policy and the frequency of updating this policy.

In order to test this hypothesis, respondents were asked two questions (Section 1.1 of the questionnaire). Question 1.1.1 addressed the existence of an AIS security policy within the respondents' companies, whereas Question 1.1.2 focused on the frequency of updating this policy. Table 4.10 shows that the majority of companies (77.4 percent) reported that they have a security policy. This result is consistent with the results of earlier surveys: Fulford and Doherty (2003) found that 76 percent of UK companies have a documented security policy, and the BERR Information Security Breaches Survey (BERR 2008) indicated that nearly 87.5 percent of large UK businesses have a security policy.

Table 4.10 Cross-tabulation of existence of an AIS security policy by industry sector (Q 1.1.1 Does your company have a written security policy covering its AIS?)

In addition, the analysis by industry sector reveals that 72.7 percent of the insurance & financial services companies have an AIS security policy, while only 55.6 percent of manufacturing companies have a security policy in place. These results are again consistent with the BERR Information Security Breaches Survey (BERR 2008), which revealed that over three quarters of financial services companies have a security policy, while manufacturing companies are less likely to have one in place. The results in Table 4.10 also show that all respondents from media & entertainment reported that their companies have a security policy; this result, however, is not consistent with the BERR survey, which indicated that entertainment companies are the least likely to have a security policy.

Regarding the frequency of updating the security policy, Table 4.11 demonstrates that 58.7 percent of companies believed that they updated their AIS security policy every remainder updated the policy every six months or more frequently.

Table 4.11 Cross-tabulation of frequency of updating AIS security policy by industry sector (Q 1.1.2 If yes, approximately how often is this policy updated?)

In addition, in order to test the hypothesis and to investigate the differences among industry sectors regarding the existence and the frequency of updating their AIS security policies, the chi-square test of independence and the Kruskal-Wallis test were conducted. However, in order to meet the requirements of the chi-square test (expected cell counts should not be too small), the seven industry sectors in Table 4.10 were combined into four groups in Table 4.12.

Table 4.12 Cross-tabulation of existence of an AIS security policy by industry sector (combined sectors)

Note: Industry sectors are combined for some statistical considerations in using the chi-square test (Section 4.3.4)

The results of the chi-square test (Table 4.12), with χ² = 3.039, df = 3 and p-value = 0.386 (p > 0.05), reveal no significant association between the industry sectors that responded and the existence of an AIS security policy. Regarding the frequency of updating the AIS security policy, the results of the Kruskal-Wallis test (Table 4.13) likewise provide no evidence of statistically significant differences, at the 0.05 level of significance, among the seven industry sectors, given that p-value = 0.876 (p > 0.05).
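As an illustration added by the editor (not part of the thesis or its data), the following Python code computes the Pearson chi-square statistic of a contingency table, applies the usual expected-count rule of thumb (no expected count below 1 and at most 20 percent of cells below 5) that motivates combining sectors as in Table 4.12, and reproduces the reported p-value of 0.386 from χ² = 3.039 with df = 3 using a from-scratch chi-square tail function. The sector counts and the grouping are constructed for the example; the only figures taken from the thesis are the reported statistic and degrees of freedom.

```python
import math

# Constructed counts, not the thesis's data: one row per industry sector,
# columns are the answers to "do you have a written AIS security policy"
# (yes, no).
SEVEN_SECTORS = [
    [8, 3],
    [5, 4],
    [4, 0],
    [6, 2],
    [7, 1],
    [5, 2],
    [6, 3],
]
# Hypothetical grouping of the seven rows into three combined sectors.
GROUPING = [[0, 1], [2, 3, 4], [5, 6]]


def combine_rows(table, groups):
    """Sum the rows of `table` listed in each group (the sector-combining step)."""
    return [[sum(table[i][j] for i in g) for j in range(len(table[0]))]
            for g in groups]


def chi2_independence(table):
    """Pearson chi-square test of independence on an r x c table of counts.
    Returns (statistic, degrees of freedom, expected counts)."""
    row_totals = [sum(r) for r in table]
    col_totals = [sum(c) for c in zip(*table)]
    n = sum(row_totals)
    expected = [[row_totals[i] * col_totals[j] / n for j in range(len(col_totals))]
                for i in range(len(row_totals))]
    stat = sum((table[i][j] - expected[i][j]) ** 2 / expected[i][j]
               for i in range(len(row_totals)) for j in range(len(col_totals)))
    df = (len(row_totals) - 1) * (len(col_totals) - 1)
    return stat, df, expected


def expected_counts_adequate(expected, minimum=5.0, max_fraction_below=0.2):
    """Rule of thumb for the chi-square approximation: every expected count
    at least 1, and no more than 20 percent of cells below `minimum`."""
    cells = [e for row in expected for e in row]
    if min(cells) < 1.0:
        return False
    below = sum(1 for e in cells if e < minimum)
    return below <= max_fraction_below * len(cells)


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) for a chi-square variable with `df`
    degrees of freedom, via the power series of the regularized lower
    incomplete gamma function P(df/2, x/2)."""
    if x <= 0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    term = 1.0 / a
    total = term
    n = 0
    while abs(term) > 1e-16 * abs(total) and n < 10000:
        n += 1
        term *= z / (a + n)
        total += term
    lower = total * math.exp(-z + a * math.log(z) - math.lgamma(a))
    return max(0.0, 1.0 - lower)


if __name__ == "__main__":
    # Seven sectors: too many small expected counts for the chi-square test.
    stat7, df7, exp7 = chi2_independence(SEVEN_SECTORS)
    print("seven sectors: adequate =", expected_counts_adequate(exp7))
    # Combined sectors: the approximation is acceptable.
    combined = combine_rows(SEVEN_SECTORS, GROUPING)
    stat, df, exp = chi2_independence(combined)
    print("combined: chi2 = %.3f, df = %d, p = %.3f, adequate = %s"
          % (stat, df, chi2_sf(stat, df), expected_counts_adequate(exp)))
    # Check of the thesis's reported figures.
    print("reported chi2 = 3.039, df = 3 -> p = %.3f" % chi2_sf(3.039, 3))
```

The last line reproduces p = 0.386 from the reported statistic, which is the check a reader can apply to any chi-square result quoted with its statistic and degrees of freedom.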

Table 4.13 Results of Kruskal-Wallis test regarding the frequency of updating AIS security policy

Industry sectors                N    Mean Rank
Insurance & financial services  7    27.57
Manufacturing                   5    18.40

The above results, therefore, do not provide any evidence to suggest that the existence and the frequency of updating AIS security policies are related to the industry sectors that responded. Consequently, H1.1 cannot be rejected.

Overall, the results indicate that an AIS security policy has now been adopted by the majority of companies that responded, regardless of industry sector. However, the term "security policy" means different things to different companies: the BERR Information Security Breaches Survey (BERR 2008) indicated that a security policy could vary from a one-page document to hundreds of pages of detailed standards. This issue is investigated in more detail in the follow-up interviews (Chapter 5).

However, having a security policy alone cannot improve security awareness among employees. Companies should therefore take further steps to raise employees' security awareness.