The 2011 Survey of Information Security and Information Assurance Professionals: Findings

Introduction

Information Assurance (IA) is a highly interesting and intensively discussed discipline. Perhaps the most striking feature of IA is that everyone has different opinion about what it actually is about. A series of interview with Information Security (InfoSec) and IA practitioners revealed that they interpret the term IA differently and they have contradictory views on how IA relates to InfoSec. This perceived misunderstanding fueled a decision to employ the survey with a greater number of people with different backgrounds. It was felt that it might help to identify a commonly accepted perception of IA and to clarify the goals of the discipline.

The results of the survey were expected either to support or to challenge our initial assumptions about the lack of a generally accepted understanding of IA. Thus, the main purpose of the survey was to discover participants’ perceptions of the two disciplines under discussion – InfoSec and IA. Participants’ views on the relationship between InfoSec and IA and on the goals of each discipline were also surveyed since a comparison between the disciplines was of particular interest for this research.

According to Murrey (2005), “the formation of a questionnaire requires a clear definition of the issues under consideration, and the related concepts involved”. The questionnaire was based on the outcomes of an IA literature analysis which is presented in detail in Cherdantseva and Hilton (2013).

The literature analysis enabled us to distinguish three different approaches to IA:

• 1.

  Technical Approach: Which is concentrated on the protection of networks.

• 2.

  Business Approach: Where IA perceived as the comprehensive and systematic management of InfoSec.

• 3.

  General Approach: Where IA is considered as a way to establish a level of confidence in information.

Generally, the survey attempted to establish which of the three approaches to IA, as identified in the literature, has greater support among InfoSec and IA practitioners.

The survey consisted of 10 questions, which were split into two equal parts. In the first part, respondents were asked to:

• •

  Provide personal details: age group, country of the origin and nature of occupation (Questions 1-3).

• •

  Define their level of familiarity with each discipline (Question 4).

• •

  State the sources of their knowledge about the disciplines (Question 5).

In the second part of the questionnaire, the respondents were asked to:

• •

  Describe the relationship between InfoSec and IA (Question 6).

• •

  Choose or provide the best description of IA (Question 7).

• •

  Specify the main aim of IA (Question 8).

• •

  Indicate the goals of both disciplines (Question 9).

• •

  Provide comments (in a free form) that may clarify the respondent’s understanding (Question 10).

The survey was conducted in April – November 2011, using functionality provided at http://www.linkedin.com). In addition to the online survey, a series of interviews with InfoSec professionals was conducted at the InfoSecurity Europe 2011 event (19^th-21^st April 2011). The interviewees answered the survey questions either verbally or by filling in paper-based questionnaires. The responses received at the event were added to the database of online responses. Although the respondents were not individually selected, generally we targeted people who are competent in InfoSec, IA or related areas.