
Going forward, the eight decision-making factors about countermeasures that are identified are used as the basis to create the capability model. The factors are input for the Delphi study conducted and reported in Chapter 4.

In this chapter these eight decision-making factors are identified using multiple methods and multiple sources. As indicated by Seddon and Scheepers (2012), when a number of studies claim that X causes Y, it becomes likely that X indeed does lead to Y. The decision-making factors about countermeasures found are described as factors that do cause better information security. Therefore, the claim of this research is that the factors found do improve decision-making about security countermeasures. The claim about the improvement of decision-making by taking into account these factors holds whenever the context is information security. It is likely the claim is stronger when the context is risk management.

However, the factors identified from literature, maturity capability models and security consultants are not the only contribution of the exploration phase to this research. A lot of knowledge has been gathered about previous research and the structure of already existing maturity capability models. The decision-making factors that are excluded are of major importance in the next steps, as they could become relevant again in the Delphi study. The reasoning for not including these factors is vital in order to decide which factors are included in the capability model of this research.

Furthermore, by reviewing a number of existing maturity capability models, ideas about effective structures of those models are obtained. Especially, the CMMI-model (CMMI Product Team, 2010) and the C2M2-model (Christopher et al., 2014) have provided valuable insights to this research. The structure of CMMI has been used by a number of different maturity models and is tested and proven in practice. The C2M2-model provides a structure in which certain factors are assessed by indicators. This structure is close to what is required of the capability model of this research as well.

4 Decision-making factors from practice

Sometimes when you innovate, you make mistakes. It is best to admit them quickly, and get on with improving your other innovations.

Steve Jobs

(Former CEO of Apple Inc.)

To create the capability model about the decision-making process about security countermeasures, both scientific sources and sources from practice are reviewed. The previous chapter looked mostly into scientific sources in order to provide a list of relevant decision-making factors. This chapter adds to this by testing these factors in practice through a Delphi study.

This chapter tackles three sub-questions of this research. First, the decision-making factors are reviewed by the industry experts to answer ‘What factors should be taken into account for the decision-making process about security countermeasures?’. Then, to answer ‘How can it be determined to what extent a factor is present in the decision-making process?’, indicators are identified for each of the decision-making factors. Answers to both of these questions contribute to creating the capability model to answer the last sub-question ‘How can the capability level of the decision-making process about security countermeasures be determined using the created model?’.

A Delphi study is carried out in order to base the capability model on experience from practice. The methodology of the Delphi study is described in section 4.1. Then, in section 4.2, the results of the first round of the Delphi study are presented. The section afterwards, section 4.3, describes the results of the second round of the Delphi study and section 4.4 presents the third and final Delphi round. Section 4.5 shows the implications of the Delphi study for this research.

4.1 Methodology

According to Linstone and Turoff (1975) “Delphi may be characterised as a method for structuring a group communication process so that the process is effective in allowing a group of individuals, as a whole, to deal with a complex problem.” The Delphi method has four features: (1) anonymity, (2) iteration, (3) controlled feedback, and (4) statistical aggregation of group response (Rowe and Wright, 1999). Making a decision is complex by definition and it does not lend itself to precise analytical techniques, but it can benefit from subjective judgements. Therefore, this research employs a wide range of people from practice to create a capability model about making decisions about security countermeasures. For this reason, and because of the different backgrounds of the participants in the study, which also makes frequent group meetings infeasible, a Delphi study is the appropriate method (Linstone and Turoff, 1975). This approach fits well with the creation of a maturity capability model, as exemplified by a number of studies that created maturity capability models (De Bruin and Rosemann, 2005; Mettler, 2011; Smits and Van Hillegersberg, 2015; Van Dijk, 2017; Vermeij, 2018). Thus, a Delphi study is used to collect data from practice.

The objective of the Delphi study is to develop a technique to obtain the most reliable consensus of a group of experts by a series of questionnaires with controlled opinion feedback (Dalkey and Helmer, 1963). In this research the typical Delphi process as presented by Skulmoski et al. (2007) will be used, also in a three-round Delphi process. The process that is followed in this research is presented in Figure 4.1.

4.1.1 Delphi study design

This Delphi study consists of three rounds. Rowe and Wright (1999) state that the accuracy tends to increase over the Delphi rounds and therefore a greater number of rounds will be more accurate. This study is limited to three rounds because of time constraints. The focus in the first round is to verify the factors found in the exploration phase and to add factors that are deemed critical by the industry experts, or panellists. In the second round the renewed list of factors is tested for relevance and indicators for each factor are discussed. In the last round, the full capability model is presented to the panellists and is put up for evaluation. Table 4.1 presents an overview of these rounds.

Figure 4.1.: Three-round Delphi methodology
