10.2 Before the Workshop: Consolidate Information from Processes 1 to 3

Before you can analyze the practice-related information that you collected during processes 1 to 3, you need to compile and format the data. The consolidation activities for process 8 do require some interpretation of the data, so make sure that you involve a couple of members of your analysis team in them. This section outlines the following data consolidation steps:
Step 1: Compile Survey Results

In this activity, you compile the results of the surveys that you asked participants to complete during the workshops in processes 1 to 3. Remember that the surveys asked respondents to consider whether certain security-related practices were used by the organization. Specifically, respondents were asked to give one of three possible answers for each practice:
We suggest that you tabulate the survey results for each question by organizational level and then convert the counts to percentages, using as the denominator the number of respondents from that organizational level who answered that question. Let's look at how the results were compiled in our sample organization. The analysis team at MedSite created a spreadsheet that automatically compiled the survey results. Figure 10-1 shows the results for senior management responses to practices related to Security Awareness and Training.

Figure 10-1. Survey Results from Senior Managers for Security Awareness and Training

Once you have calculated the percentages, you need to interpret the numbers. We suggest that you use the following guidelines when examining the data:
You are probably wondering how to define "a strong majority of respondents." You need to select a threshold that indicates a strong preference for a response. When we work with organizations, we usually recommend using 75 percent as the threshold. One word of caution is warranted here. Typically, you have only a few respondents from each organizational level, so a single respondent can move the percentage a long way. You will not have enough responses to draw definitive conclusions, but you can use the numbers as indicators of preference. Compile the results for all organizational levels (senior management, operational area management, staff, and information technology staff). At MedSite the analysis team decided to use the following guidelines when interpreting the survey results:
The analysis team used these guidelines when interpreting the senior managers' survey results for security awareness and training (see Figure 10-1). The team decided that the first statement indicated that the senior managers believe that staff members understand their security roles and responsibilities: all of the managers indicated that this practice is currently used by MedSite. On the other hand, it was unclear whether the second and third statements indicated the presence of practices in the organization; the results show no strong indication either way of whether the managers believe that the practices are currently being used at MedSite. The analysis team interpreted the results for all of the organizational levels. Figure 10-2 shows the results for security awareness and training for all organizational levels.

Figure 10-2. Survey Results for Security Awareness and Training

Notice that there is little agreement among the organizational levels and that the number of "unclear" responses is high. Section 10.4 discusses how to use this type of information.

Step 2: Consolidate Protection Strategy Information

In this activity you compile contextual information about security practices that you recorded during the knowledge elicitation workshops of processes 1 to 3. Recall that after participants completed the surveys, you conducted a facilitated discussion about current security practices in the organization, using the surveys as a point of departure. The facilitated discussions produced information about current security practices and organizational vulnerabilities from the perspectives of the participants, and you recorded this information for each workshop group. In this activity you group each security practice and organizational vulnerability identified during the knowledge elicitation workshops according to the practice area to which it is most closely related.
As in the previous activity, we suggest that you compile the information by organizational level. Since you are transcribing information, be sure to record each item exactly as it was originally documented; do not paraphrase or merge items at this stage. Let's examine how the analysis team at MedSite consolidated this information. The team grouped each security practice and organizational vulnerability according to the security practice areas as defined in the catalog of practices. They then added this information to the survey results. Figure 10-3 shows the results for security awareness and training, and Appendix A presents the results for all of the practice areas.

Figure 10-3. Practice Information for Security Awareness and Training

This completes the data consolidation for process 8A. We now move on to the first activity of the process 8A workshop, Review Risk Information.
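The following script is an added example, not code from the book or from the MedSite case, of the spreadsheet logic behind Steps 1 and 2 above: it tallies survey answers per practice and per organizational level, converts them to percentages of the respondents at that level, applies the 75 percent strong-majority rule to produce a "used" / "not used" / "unclear" verdict, flags levels with too few respondents as indicators only, reports whether the levels agree (the Figure 10-2 observation), and files the verbatim workshop notes under their practice area next to the survey verdicts (the Figure 10-3 view). The text does not list the three survey answers; the example assumes "Yes", "No" and "Don't know". The practice statements, workshop notes, respondent data and the MIN_RESPONDENTS cutoff are all constructed for illustration.

```python
"""Consolidate practice-survey results and workshop notes by organizational level.

Added example, not from the OCTAVE book. Assumed (not in the text): the three
survey answers are Yes / No / Don't know; MIN_RESPONDENTS is an arbitrary
small-sample cutoff; all sample data below is constructed.
"""
from collections import Counter, defaultdict

YES, NO, DONT_KNOW = "Yes", "No", "Don't know"   # assumed answer set
ANSWERS = (YES, NO, DONT_KNOW)
THRESHOLD = 75          # percent; the "strong majority" threshold the text recommends
MIN_RESPONDENTS = 3     # assumed: below this, a verdict is only an indicator
ORG_LEVELS = ("senior management", "operational area management",
              "staff", "information technology staff")


def tabulate(responses):
    """Count answers per practice per level.

    responses: iterable of (level, practice, answer), one tuple per respondent.
    Returns {practice: {level: Counter}}. Unknown levels or answers are rejected
    so a typo in the data cannot silently drop out of the denominator.
    """
    table = defaultdict(lambda: defaultdict(Counter))
    for level, practice, answer in responses:
        if level not in ORG_LEVELS:
            raise ValueError(f"unknown organizational level {level!r}")
        if answer not in ANSWERS:
            raise ValueError(f"unexpected survey answer {answer!r}")
        table[practice][level][answer] += 1
    return table


def percentages(counts):
    """Percent of this level's respondents giving each answer (0 if nobody answered)."""
    n = sum(counts.values())
    return {a: (counts.get(a, 0) * 100 / n if n else 0.0) for a in ANSWERS}


def interpret(counts, threshold=THRESHOLD):
    """Apply the strong-majority rule to one practice at one level.

    Returns (verdict, n): "used" if at least `threshold` percent said Yes,
    "not used" if at least `threshold` percent said No, otherwise "unclear".
    """
    n = sum(counts.values())
    pct = percentages(counts)
    if n and pct[YES] >= threshold:
        return "used", n
    if n and pct[NO] >= threshold:
        return "not used", n
    return "unclear", n


def consolidate(responses, threshold=THRESHOLD):
    """Figure 10-2 style view: verdict per practice per level, whether all
    levels reached the same definite verdict, and how many levels are unclear."""
    result = {}
    for practice, per_level in tabulate(responses).items():
        levels = {}
        for level in ORG_LEVELS:
            verdict, n = interpret(per_level.get(level, Counter()), threshold)
            levels[level] = {"verdict": verdict, "n": n,
                             "indicator_only": n < MIN_RESPONDENTS}
        verdicts = {v["verdict"] for v in levels.values()}
        result[practice] = {
            "levels": levels,
            "agree": len(verdicts) == 1 and "unclear" not in verdicts,
            "unclear_levels": sum(v["verdict"] == "unclear" for v in levels.values()),
        }
    return result


def group_notes(notes, practice_areas):
    """Step 2: file each workshop note, verbatim, under its practice area and level.

    notes: iterable of (level, kind, area, text); kind is "practice" or "vulnerability".
    """
    grouped = {area: {lvl: {"practice": [], "vulnerability": []} for lvl in ORG_LEVELS}
               for area in practice_areas}
    for level, kind, area, text in notes:
        if area not in grouped:
            raise ValueError(f"note refers to unknown practice area {area!r}")
        if level not in ORG_LEVELS or kind not in ("practice", "vulnerability"):
            raise ValueError(f"bad note {(level, kind)!r}")
        grouped[area][level][kind].append(text)   # recorded as originally documented
    return grouped


def practice_area_view(area, practices_in_area, responses, notes, practice_areas):
    """Figure 10-3 style view: survey verdicts for an area's practices beside the
    practices and vulnerabilities the workshops recorded for that area."""
    survey = consolidate(responses)
    return {"area": area,
            "survey": {p: survey.get(p) for p in practices_in_area},
            "notes": group_notes(notes, practice_areas)[area]}


# Constructed sample data (not MedSite's results): senior managers are
# unanimous on the first statement; the second splits three ways.
P1 = "Staff understand their security roles and responsibilities"
P2 = "Security awareness training is provided to all staff"
SAMPLE_RESPONSES = (
    [("senior management", P1, YES)] * 3
    + [("senior management", P2, YES), ("senior management", P2, NO),
       ("senior management", P2, DONT_KNOW)]
    + [("staff", P1, NO)] * 3 + [("staff", P1, YES)]
    + [("staff", P2, YES)] * 2
)
AREAS = ("Security Awareness and Training",)
SAMPLE_NOTES = [
    ("staff", "vulnerability", AREAS[0], "New hires get no security briefing"),
    ("senior management", "practice", AREAS[0], "All staff sign the annual policy acknowledgement"),
]

if __name__ == "__main__":
    view = practice_area_view(AREAS[0], [P1, P2], SAMPLE_RESPONSES, SAMPLE_NOTES, AREAS)
    for practice, row in view["survey"].items():
        print(practice, {lvl: v["verdict"] for lvl, v in row["levels"].items()},
              "agree" if row["agree"] else "no agreement")
```

Running the block on the constructed data gives "used" for senior management and "not used" for staff on the first statement (no agreement, two levels unclear because nobody from those levels answered), and "unclear" for senior management on the second statement. The staff verdict on the second statement is marked indicator_only because only two people answered, which is exactly the small-sample caveat above: the threshold is applied, but the result is an indicator, not a conclusion.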