General and background information

Section 4 o f the questionnaire (Appendix 1) focused on the respondents and their companies’ background. Respondents were asked eight questions concerning their position, experience, qualifications, and their companies’ characteristics. The main objective o f these questions was to obtain a profile o f those who participated in the study and were useful for statistical analysis and comparisons. The background information requested from respondents includes their job titles, years o f experience in the current job, most recent educational qualification obtained, academic field o f study, and their security qualification, if obtained. In addition, respondents were asked about their companies’ industry sector, age, and number o f employees.

Respondents’ job title

In Question 4.1 o f the questionnaire, respondents were asked to state their job title. It was disclosed in Chapter 3 that the questionnaire was mailed to the IT managers o f the UK listed companies. Table 4.2 below shows that 39 percent o f respondents are IT managers, and 10 respondents (15.6 percent) are security managers, whereas other titles such as risk manager, information security analyst, etc. represent small percentages o f the respondents. It can also be seen that among the respondents, there are eight finance directors (12.5 percent). This could be because some companies depend mainly on outside service providers in most o f their IT functions that is outsourcing most IT functions; consequently, they do not have an internal IT manager to complete the questionnaire. On the other hand, because o f the nature o f the current study and its focus on AIS, the IT managers could take the view that finance directors are more knowledgeable o f the security o f these accounting systems and they are able

to provide the required data. This issue is further investigated in the next chapter using data collected in the interviews.

Table 4.2 Job title o f respondents

Job title no %

Chief information officer 4 6.3

Information technology manager 25 39

Security manager 10 15.6

Head o f information systems 3 4.7

Information security analyst 1 1.6

Risk manager 2 3

Information security architecture manager 1 1.6

Infrastructure director 3 4.7

Finance director 8 12.5

Others 7 11

Total 64 100

Years of experience in the current job

Question 4.2 o f the questionnaire asked respondents about the number o f years of experience in their current job. From Table 4.3, it can be seen that just over one third o f respondents (35.4 percent) have less than 5 years o f experience in their current job, 27 respondents (41.5 percent) have from 5 to 10 years o f experience, whereas only one respondent has more than 20 years o f experience in the current job. Regarding the managers who have less than 5 years o f experience in their current job, they still have the experience and knowledge, which qualify them to complete the questionnaire, because according to the interviews’ data, most o f these managers had more years o f experience in the same position or in equivalent positions in other companies.

Table 4.3 Years o f experience o f respondents in the current job Years o f experience in current job no %

Less than 5 years 23 35.4

5 -10 27 41.5

11-15 5 7.7

16-20 9 13.9

More than 20 years 1 1.5

Total 65 100

The most recent educational qualification

Question 4.3 o f the questionnaire asked respondents about the most recent educational qualification they have obtained. Out o f the 65 respondents, 11 respondents did not mention their most recent educational qualification. Table 4.4 shows the most recent educational qualification o f those who responded. The results reveal that 35.2 percent

of respondents had obtained a bachelors degree, three respondents (5.5 percent) a masters degree, whereas another three respondents had obtained a PhD degree.

Table 4.4 The most recent educational qualification study o f their most recent educational qualification. It can be seen from Table 4.5 that 32 percent o f respondents have a computer science degree, eight respondents have a business/management degree, 10 percent o f respondents have an accounting/finance degree, while the academic field o f study o f the other respondents includes economics, mathematics/stati sties, information security, risk management, engineering/electronics, and biochemistry/physics.

Table 4.5 The academic field o f study o f respondents Academic field o f study no %

Question 4.5 o f the questionnaire asked respondents to specify their professional security qualification if obtained. The BERR Information Security Breaches Survey (BERR 2008) stated that there has been an increased emphasis on security qualifications in the UK following the formation o f the Institute o f the Information Security Professionals, and that nearly 98 percent o f large businesses now have qualified staff. However, nearly 90 percent o f respondents in the current study do not have any professional security qualification. Out o f the 65 respondents, only seven

respondents (10.8 percent) have professional security qualification. Among these seven respondents, three respondents are Certified Information Systems Security Professionals (CISSP). In addition, one respondent has a Certificate in Information Security Management Principles (CISMP), another respondent is a Certified Information Security Manager (CISM), another respondent has the Information Systems Security Professionals (ISSP) qualification, while the other has a qualification obtained from the British Computer Society (BCS).

Table 4.6 The number o f respondents having professional security qualification Professional security qualification no %

Yes 7 10.8

No 58 89.2

Total 65 100

Industry sector

It was mentioned in Section 3.2.1.4 (Chapter 3) that there is an agreement that a company’s approach to information security depends on its industry sector.

Companies in different industry sectors tend to have different security requirements.

Based on the importance o f the industry sector in the current study, Question 4.6 of the questionnaire asked respondents to select the industry sector, which most closely corresponds to their com panies’ line o f business. Table 4.7 demonstrates that 20 percent o f respondents are from the property & construction sector, followed by insurance & financial services (16.9 percent), manufacturing (15.4 percent), energy &

utilities (13.9 percent), technology & telecommunications (12.3 percent), retail merchandising (10.8 percent) and media & entertainment (9.2 percent). However, only one respondent is from the pharmaceuticals sector, which was eliminated from further analysis due to statistical considerations.

Table 4.7 Distribution o f respondents by industry sector

Industry sector no %

Insurance & financial services 11 16.9

Manufacturing 10 15.4

Media & entertainment 6 9.2 Property & construction 13 20

Retail merchandising 7 10.8

Technology & telecommunications 8 12.3

Energy & utilities 9 13.9

Pharmaceuticals 1 1.5

Total 65 100

Age of company

Question 4.7 o f the questionnaire asked respondents about their companies’ age. It is clear from Table 4.8 below that the majority o f companies have been established for more than 20 years (89.2 percent), 9.2 percent o f companies for 11 to 20 years, with only one company for 5 to 10 years. The results reveal that nearly all the companies participating in the current study have been established for at least 10 years.

Table 4.8 The age o f the companies participating in the study Age o f company no %

5-10 1 1.5

11-20 6 9.2

More than 20 years 58 89.2

Total 65 100

Number of employees

Question 4.8 o f the questionnaire asked respondents to state the approximate number o f employees in their companies. It can be seen from Table 4.9 that 83 percent o f companies participating in the study have at least 100 employees. The results also show that 15 companies (23.1 percent) have from 1001 to 5000 employees, another 23.1 percent o f companies have from 100 to 500 employees, 11 companies have more than 10000 employees, and another 16.9 percent have fewer than 100 employees.

Table 4.9 also shows that 10.8 percent o f companies have from 501 to 1000 employees, while 9.2 percent have from 5001 to 10000 employees. The results indicate that the size o f the companies participating in the study ranges from medium (less than 100 employees), to large (100-1000) to very large (1001 - more than 10000 employees). This is important since companies in different sizes tend to handle information security differently, given that they have different levels o f resources and expertise (Chang and Ho 2006).

Table 4.9 The number o f employees in the companies participating in the study Number o f employees no %

Less than 100 11 16.9

100-500 15 23.1

501-1000 7 10.8

1001-5000 15 23.1

5001-10000 6 9.2

More than 10000 11 16.9

Total 65 100

The subsequent analysis o f the questionnaire findings is presented on the following three sections (4.5 - 4.7) based on the same sequence o f the questionnaire (Appendix 1).