Application of Q methodology in critical success factors of information security risk management
Application of Q-Methodology in Critical Success Factors of Information Security Risk Management. Master's Thesis Defense. Candidate: Sohel M. Imroz. Advisors: Dr. Leah R. Pietron, Dr. Dwight A. Haworth. April 2, 2009.
Editor's Notes
Every year for the last 13 years, the Computer Security Institute has conducted a nationwide survey on computer crime and security. The survey asks several hundred security professionals across the country which types of incidents affected their organizations. This table shows the incident types and the percentage of participants acknowledging that their organization was affected by each type between 2004 and 2008. All incident types show a decrease except a few: unauthorized access, misuse of web applications, and DNS attacks. Even so, the numbers remain significant. The survey attributes the decrease to increasing awareness of information security within organizations. Why the numbers are still significant can be understood from the study of Partida and Ezingeard (2007). They found a lack of strategic investment in information security: organizations were reactive and tactical rather than proactive and strategic. So how can we make things better? Partida and Ezingeard stress that what we need is a solid understanding of the benefits of a well-developed approach to information security, and an understanding of the critical success factors needed to achieve those benefits. Past studies have attempted to address this need by identifying lists of general critical success factors by means of interviews, case studies, and large surveys involving qualitative data. However, none of those studies attempted to study the subjectivity, or viewpoint, of the participants regarding those critical success factors. That is exactly the focus of our research.
So, what motivated us to do this research? The study of human subjectivity has been conducted successfully in various disciplines, including nursing, veterinary medicine, public health, transportation, and education. Research on human subjectivity has yet to gain popularity in the field of information security. This is evident from the fact that the vast majority of past research on critical success factors of information security is based on qualitative data only, as mentioned earlier. With more organizations undertaking information security initiatives, there is increasing awareness among IT professionals of issues like risk management, risk assessment, and vulnerability analysis. These are subjective areas that can be better studied using a research tool that combines the strengths of both qualitative and quantitative research. That is where Q methodology comes into the picture. In Q methodology, participants are given a question and a deck of stimulus statements. Participants are asked to rank-order those statements (the Q-sort); the Q-sorts are then intercorrelated and subjected to factor analysis. In this way, groups of individuals holding similar viewpoints or opinions are identified. The factors are then interpreted to provide an understanding of their underlying subjectivities. So the motivating element of our research is to explore the theoretical principles of Q methodology and its application as a research method in the field of information security.
The concept of critical success factors was first presented by John Rockart in 1979, in a Harvard Business Review article called "Chief executives define their own data needs". The focus of his CSF analysis was on management. Although the concept was introduced almost 30 years ago, there is still not much scholarly literature on CSFs affecting information security risk management. There is also a lack of experimental research in the field of risk management. How did we address this gap? We consulted the literature and identified the items that may affect the successful implementation of information security practices such as risk management and risk assessment. 24 such items were identified for our study. We call these 24 items the Q-set.
These are the first 6 of these 24 statements.
These are item numbers 7 through 12.
13 through 18.
And finally, from 19 through 24.
Discuss the difference between associates and senior associates. This distinction was based on the seniority of the participants' title or position, not on their length of service.
Preparation included sending an initial communication to an organization asking for participants for this study. We had to explain the purpose of the study, give a brief description of what is expected from the participants, and confirm their confidentiality throughout the study. Once the participants were identified, we met each one in person to conduct the Q-sort exercise: we gave them one card with the research question written on it, five cards each indicating a pile or "degree of agreement", and 24 cards for the 24 statements. After a participant finishes the Q-sort exercise, the result looks like this picture:
The first step of data analysis is constructing the correlation matrix between the Q-sorts, using the Pearson product-moment correlation (r). Sub01 correlates highly with sub29 (.87) and weakly with sub20 (.04). One key point: the purpose of Q methodology is not to find out how closely two participants correlate. The correlation matrix is simply an intermediate step before the data are used for factor analysis.
Next, factor analysis is performed to search for resemblance among the Q-sorts. How does that work? Factor analysis takes the correlations between these variables and reduces the multivariate data to a small number of factors, which helps in the analysis and interpretation of the data. You can see that 50 variables have been reduced to 8 factors by the PQMethod software, which calculated the factor analysis values. An important part of factor analysis is computing the eigenvalues. Eigenvalues reflect the amount of variance accounted for by each factor and can be used to judge the importance of each factor. You can see that factor 1 accounts for 28% of the variance. Eigenvalues are denoted by the Greek letter lambda and are frequently used in matrix algebra. The eigenvalue of a factor is the sum of the squared loadings in that factor's column of the factor matrix: $\lambda_k = \sum_{i=1}^{m} a_{ik}^2$, where $a_{ik}$ is the factor loading of variable $i$ on factor $k$ and $m$ is the number of variables. From here, the next step is to determine the optimal number of factors. We chose 3 factors according to the scree test: the number of factors at which the plot of eigenvalues levels off.
The next steps are to perform a varimax rotation and determine the factor loading values for each Q-sort. Varimax rotation is a statistical technique in which the relations between Q-sorts can be examined from different angles. The factor loading values display the extent to which a Q-sort is associated with the viewpoint of a particular factor. A Q-sort that loads significantly on a factor is marked with an X; the PQMethod software does that automatically. You can see that 12 Q-sorts loaded significantly on factor 1, 13 on factor 2, and 13 on factor 3. 12 Q-sorts did not load significantly on any factor. This may be because the participant misunderstood the statements, or because their viewpoints are idiosyncratic with respect to the other participants. These 12 Q-sorts are left out of further analysis.
The next step is to calculate the factor scores, based on the defining sorts for each factor. Each statement is given a factor score in terms of the original values used in the Q-sort (-2 for Definitely Not, -1 for Probably Not, 0 for Neutral, up to +2 for Definitely). The factor scores illustrate how each statement is rated within a factor and thus help to determine the areas of agreement.
A consensus statement does not mean that all the respondents considered the competence of the team members unnecessary. It simply means that the participants' thinking on the subject did not distinguish it from the others.
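As an added illustration of the analysis chain described in these notes (correlation matrix, factor analysis with eigenvalues, varimax rotation, flagging of defining sorts, factor scores in the original -2..+2 units, and consensus statements), here is a small self-contained Python implementation run on constructed Q-sorts. It is example code written for this page, not the thesis's PQMethod run or its data: the twelve sorts are generated from two made-up viewpoints, the 4/5/6/5/4 distribution over the five piles is an assumption (the notes only mention five piles from -2 to +2), factors are extracted by principal components (PQMethod offers both centroid and principal components, and the notes do not say which was used), and the flagging rule (|a| > 2.58/√N for N statements, and a² > h²/2) is the conventional Q-methodology criterion rather than something the thesis states.

```python
# Added example (not the thesis's PQMethod output): the Q analysis chain on constructed Q-sorts.
from math import sqrt, atan2, cos, sin
N_STATEMENTS = 24
VIEW_A = [2] * 4 + [1] * 5 + [0] * 6 + [-1] * 5 + [-2] * 4   # assumed 4/5/6/5/4 pyramid over -2..+2
VIEW_B = VIEW_A[6:] + VIEW_A[:6]                              # second viewpoint; r with VIEW_A is about -0.1

def perturb(view, k):   # participant k's constructed sort: the viewpoint with a few neighbouring items swapped
    s = list(view)
    for i in range(k, N_STATEMENTS - 1, 7):
        s[i], s[i + 1] = s[i + 1], s[i]
    return s
SORTS = [perturb(VIEW_A, k) for k in range(6)] + [perturb(VIEW_B, k) for k in range(6)]

def pearson(x, y):
    """Pearson product-moment r between two Q-sorts."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    return (sum((a - mx) * (b - my) for a, b in zip(x, y))
            / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)))

def jacobi_eigen(matrix, tol=1e-12, sweeps=100):
    """Cyclic Jacobi eigen-decomposition of a symmetric matrix; eigenvectors are the columns of V."""
    a, n = [row[:] for row in matrix], len(matrix)
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                theta = 0.5 * atan2(2 * a[p][q], a[q][q] - a[p][p])   # angle that zeroes a[p][q]
                c, s = cos(theta), sin(theta)
                for k in range(n):                     # columns p, q of A and V:  X <- X J
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
                for k in range(n):                     # rows p, q of A:  A <- J^T A
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(n)], v

def pca_loadings(corr, n_factors):
    """Unrotated loadings a_ik = v_ik * sqrt(lambda_k) for the n_factors largest eigenvalues."""
    eig, vec = jacobi_eigen(corr)
    keep = sorted(range(len(eig)), key=lambda k: -eig[k])[:n_factors]
    return [[vec[i][k] * sqrt(max(eig[k], 0.0)) for k in keep] for i in range(len(eig))]

def eigenvalue(loadings, k):   # lambda_k = sum_i a_ik^2 (the notes' formula); divided by the number of sorts it is the share of variance
    return sum(row[k] ** 2 for row in loadings)

def varimax(loadings, sweeps=50):
    """Raw varimax: pairwise planar rotations with Kaiser's closed-form angle for tan(4 phi)."""
    cols, m = [list(c) for c in zip(*loadings)], len(loadings)
    for _ in range(sweeps):
        moved = 0.0
        for j in range(len(cols) - 1):
            for k in range(j + 1, len(cols)):
                x, y = cols[j], cols[k]
                u, w = [a * a - b * b for a, b in zip(x, y)], [2 * a * b for a, b in zip(x, y)]
                A, B = sum(u), sum(w)
                C, D = sum(p * p - q * q for p, q in zip(u, w)), sum(2 * p * q for p, q in zip(u, w))
                phi = 0.25 * atan2(D - 2 * A * B / m, C - (A * A - B * B) / m)
                c, s = cos(phi), sin(phi)
                cols[j], cols[k] = [a * c + b * s for a, b in zip(x, y)], [b * c - a * s for a, b in zip(x, y)]
                moved += abs(phi)
        if moved < 1e-9:
            break
    cols = [c if sum(c) >= 0 else [-a for a in c] for c in cols]   # convention: positive pole up
    return [list(r) for r in zip(*cols)]

def flag_defining_sorts(loadings, n_statements, z=2.58):
    """Conventional Q flag: |a| > z/sqrt(N) (z = 2.58 is p < .01 with N statements) and a^2 > h^2/2."""
    threshold = z / sqrt(n_statements)
    return [[abs(a) > threshold and a * a > sum(b * b for b in row) / 2 for a in row] for row in loadings]

def factor_scores(sorts, loadings, flags, pyramid):
    """Per factor: weight defining sorts by a/(1-a^2), sum them, rank the statements back into the pyramid."""
    slots, scores = sorted(pyramid), []
    for k in range(len(loadings[0])):
        weights = [(i, row[k] / max(1 - row[k] ** 2, 1e-6)) for i, row in enumerate(loadings) if flags[i][k]]
        composite = [sum(w * sorts[i][j] for i, w in weights) for j in range(len(sorts[0]))]
        col = [0] * len(composite)
        for rank, j in enumerate(sorted(range(len(composite)), key=lambda j: composite[j])):
            col[j] = slots[rank]                       # scores in the original -2..+2 units
        scores.append(col)
    return scores                                      # scores[k][statement]

def consensus_statements(scores, max_spread=1):   # statements whose scores barely differ across factors
    return [j for j in range(len(scores[0])) if max(s[j] for s in scores) - min(s[j] for s in scores) <= max_spread]

def analyze(sorts, n_factors=2, pyramid=VIEW_A):
    corr = [[pearson(a, b) for b in sorts] for a in sorts]            # step 1: correlation matrix
    unrotated = pca_loadings(corr, n_factors)                         # step 2: factor analysis
    rotated = varimax(unrotated)                                      # step 3: varimax rotation
    flags = flag_defining_sorts(rotated, len(sorts[0]))               # step 4: X marks
    scores = factor_scores(sorts, rotated, flags, pyramid)            # step 5: factor scores
    return {"corr": corr, "eigenvalues": [eigenvalue(unrotated, k) for k in range(n_factors)],
            "loadings": rotated, "flags": flags, "scores": scores, "consensus": consensus_statements(scores)}

if __name__ == "__main__":
    res = analyze(SORTS)
    for row, fl in zip(res["loadings"], res["flags"]):   # PQMethod-style table: loading per factor, X = defining sort
        print("  ".join(f"{a:+.2f}{'X' if f else ' '}" for a, f in zip(row, fl)))
```

Running the block prints each sort's rotated loadings with PQMethod-style X marks. In the constructed data the six sorts derived from each viewpoint flag on one factor and the two viewpoints separate into the two factors, which is the structure the notes describe for the real 50 sorts at a smaller scale. Because varimax is an orthogonal rotation it preserves each sort's communality, so the eigenvalue formula summed over the retained factors gives the same total before and after rotation; that is a quick consistency check worth running on any factor output.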