
10.2 Before the Workshop: Consolidate Information from Processes 1 to 3

Before you can analyze the practice-related information that you collected during processes 1 to 3, you need to compile and format the data. The consolidation activities for process 8 do require some interpretation of the data, so you want to make sure that you involve a couple of members of your analysis team in those activities.

This section outlines the following data consolidation steps:

  • Compilation of survey results

  • Consolidation of protection strategy information

Step 1: Compile Survey Results

In this activity, you compile the results of the surveys that you asked participants to complete during the workshops in processes 1 to 3. Remember that the surveys asked the respondents to consider whether certain security-related practices were used by the organization. Specifically, respondents were asked to give one of three possible answers for each practice:

  1. They believe that the practice is used by their organization (a "yes" response).

  2. They believe that the practice is not used by their organization (a "no" response).

  3. They don't know whether the practice is used by their organization (a "don't know" response).

We suggest that you tabulate the survey results for each question according to organizational level and then convert the results to percentages, based on the total number of respondents from that organizational level who answered that question.

Let's look at how the results were compiled in our sample organization. The analysis team at MedSite created a spreadsheet that automatically compiled the survey results. Figure 10-1 shows the results for senior management responses to practices related to Security Awareness and Training.

Figure 10-1. Survey Results from Senior Managers for Security Awareness and Training [image: graphics/10fig01.gif]

Once you have calculated the percentages, you will need to interpret the numbers. We suggest that you use the following guidelines when examining the data:

  • A strong majority of respondents from an organizational level believe that the practice is used by the organization. This is an indication of a current security practice that is most probably used by your organization.

  • A strong majority of respondents from an organizational level believe that the practice is not used by the organization. This indicates that the practice is most probably not used by the organization. This is a strong indication of an organizational vulnerability.

  • The opinions of the respondents give no strong indication that a practice is used or not used by the organization. Thus, the practice may be used by some individuals but is not an organization-wide security practice. This is also an indication of an organizational vulnerability.

You are probably wondering how to define "a strong majority of respondents." You need to select a threshold that indicates a strong preference for a response. When we work with organizations, we usually recommend using 75 percent as a threshold. One word of caution is warranted here. Typically, you have only a few respondents from each organizational level. Thus, you will not have enough responses to be able to draw definitive conclusions, but you can use the numbers as indicators of preference. Compile the results for all organizational levels (senior management, operational area management, staff, and information technology staff).

At MedSite the analysis team decided to use the following guidelines when interpreting the survey results:

  • Yes: 75 percent or more of respondents replied "yes." The percentage of respondents stating that a practice was used by the organization was high enough to indicate that the practice is most likely used by the organization.

  • No: 75 percent or more of respondents replied "no." The percentage of respondents stating that a practice was not used by the organization was high enough to indicate that the practice is most likely not used by the organization.

  • Unclear: Neither of the first two criteria was met. If the percentages of "yes" and "no" responses do not meet the 75 percent threshold, it is unclear whether the practice is present or not. It may be that some people use the practice while others don't.

The analysis team used these guidelines when interpreting the senior managers' survey results for security awareness and training (see Figure 10-1). The team decided that the first statement indicated that the senior managers believe that staff members understand their security roles and responsibilities. All of the managers indicated that this practice is currently used by MedSite. On the other hand, it was unclear whether the second and third statements indicated the presence of practices in the organization. The results show no strong indication whether the managers believe that the practices are or are not currently being used at MedSite. The analysis team interpreted the results for all of the organizational levels. Figure 10-2 shows the results for security awareness and training for all organizational levels.

Figure 10-2. Survey Results for Security Awareness and Training [image: graphics/10fig02.gif]

Notice that there is little agreement among the organizational levels and that the number of "unclear" responses is high. Section 10.4 discusses how to use this type of information.

Step 2: Consolidate Protection Strategy Information

In this activity you compile contextual information about security practices that you recorded during the knowledge elicitation workshops of processes 1 to 3. Recall that you conducted a facilitated discussion about current security practices in the organization after participants completed the surveys, using the surveys as a point of departure for a discussion about organizational security practices. The facilitated discussions produced information about current security practices and organizational vulnerabilities according to the perspectives of the participants. You recorded this information for each workshop group.

In this activity you group each security practice and organizational vulnerability identified during the knowledge elicitation workshops according to the practice area to which it is most related. As in the previous activity, we suggest that you compile the information by organizational level. Since you are transcribing information, be sure to record the information as it was originally documented.

Let's examine how the analysis team at MedSite consolidated this information. The team grouped each security practice and organizational vulnerability according to the security practice areas as defined in the catalog of practices. They then added this information to the survey results. Figure 10-3 shows the results for security awareness and training, and Appendix A presents the results for all of the practice areas.
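The following script is an added example covering both Step 1 and Step 2; it is not the MedSite spreadsheet and not code from the book. It tabulates survey answers by organizational level, converts them to percentages, applies the 75 percent "strong majority" rule to produce a Yes/No/Unclear verdict per statement and level, and then groups the practice and vulnerability notes from the workshops under their practice area next to those verdicts. The survey statements, respondent counts and workshop notes are constructed for illustration (only the first statement echoes the text's description of Figure 10-1); the function names `tabulate`, `classify`, `consolidate`, `unclear_count` and `levels_disagree` are this example's own.

```python
from collections import Counter, defaultdict

# Constructed example, not from the book: tabulate survey responses by
# organizational level, apply the 75 percent threshold, and attach the
# workshop notes (practices and vulnerabilities) by practice area.

THRESHOLD = 75.0                 # percent needed for a "strong majority"
ANSWERS = ("yes", "no", "don't know")


def tabulate(responses):
    """responses: iterable of (level, area, statement, answer).
    Returns {(area, statement): {level: {"yes": %, "no": %, "don't know": %, "n": count}}}."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for level, area, statement, answer in responses:
        if answer not in ANSWERS:
            raise ValueError(f"unexpected survey answer: {answer!r}")
        counts[(area, statement)][level][answer] += 1
    table = {}
    for key, per_level in counts.items():
        table[key] = {}
        for level, c in per_level.items():
            n = sum(c.values())                      # respondents at this level for this statement
            row = {a: round(100.0 * c[a] / n, 1) for a in ANSWERS}
            row["n"] = n
            table[key][level] = row
    return table


def classify(row, threshold=THRESHOLD):
    """Apply the MedSite guidelines to one (statement, level) row: Yes, No or Unclear."""
    if row["yes"] >= threshold:
        return "Yes"
    if row["no"] >= threshold:
        return "No"
    return "Unclear"


def consolidate(responses, notes, threshold=THRESHOLD):
    """Per-practice-area view in the spirit of Figure 10-3: survey verdicts per statement
    and level, plus workshop notes grouped by level.  notes: iterable of
    (level, area, kind, text) with kind "practice" or "vulnerability"; text is kept verbatim."""
    out = defaultdict(lambda: {"survey": {},
                               "practice": defaultdict(list),
                               "vulnerability": defaultdict(list)})
    for (area, statement), per_level in tabulate(responses).items():
        out[area]["survey"][statement] = {lvl: classify(row, threshold)
                                          for lvl, row in per_level.items()}
    for level, area, kind, text in notes:
        if kind not in ("practice", "vulnerability"):
            raise ValueError(f"unexpected note kind: {kind!r}")
        out[area][kind][level].append(text)
    return out


def unclear_count(area_view):
    """Number of (statement, level) verdicts that came out Unclear."""
    return sum(v == "Unclear"
               for per_level in area_view["survey"].values()
               for v in per_level.values())


def levels_disagree(area_view, statement):
    """True when different organizational levels reached opposite definite verdicts."""
    verdicts = {v for v in area_view["survey"][statement].values() if v != "Unclear"}
    return len(verdicts) > 1


# Constructed sample: four senior managers and four staff members, one practice area.
AREA = "Security Awareness and Training"
S1 = "Staff understand their security roles and responsibilities"
S2 = "Staff receive periodic security awareness training"          # constructed statement
S3 = "IT staff have the skills needed to support security"           # constructed statement

SAMPLE_RESPONSES = (
    [("senior management", AREA, S1, "yes")] * 4
    + [("senior management", AREA, S2, "yes")] * 2
    + [("senior management", AREA, S2, "no"), ("senior management", AREA, S2, "don't know")]
    + [("senior management", AREA, S3, "yes"), ("senior management", AREA, S3, "no")] * 2
    + [("staff", AREA, S1, "no")] * 3 + [("staff", AREA, S1, "don't know")]
    + [("staff", AREA, S2, "no")] * 4
    + [("staff", AREA, S3, "yes"), ("staff", AREA, S3, "don't know")] * 2
)

SAMPLE_NOTES = [
    ("senior management", AREA, "practice", "New hires get a security briefing during orientation."),
    ("staff", AREA, "vulnerability", "No refresher training since the initial briefing."),
    ("staff", AREA, "vulnerability", "Unsure whom to contact about a suspected incident."),
]

if __name__ == "__main__":
    view = consolidate(SAMPLE_RESPONSES, SAMPLE_NOTES)
    for statement, per_level in view[AREA]["survey"].items():
        print(f"{statement}: {per_level}")
    print("unclear verdicts:", unclear_count(view[AREA]))
    print("levels disagree on S1:", levels_disagree(view[AREA], S1))
```

With the constructed data, senior managers are unanimous on the first statement (Yes) while staff reach the 75 percent threshold for No, so `levels_disagree` flags it; two of the senior-management rows and one staff row fall below the threshold either way and come out Unclear, which is the pattern the text describes for Figure 10-2. Because a level often has only a handful of respondents, a single answer moves the percentage a long way, so the verdicts are indicators to carry into the workshop, not conclusions.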

Figure 10-3. Practice Information for Security Awareness and Training [image: graphics/10fig03.gif]

This completes the data consolidation for process 8A. We now move on to the first activity of the process 8A workshop, Review Risk Information.
