The effect of acquisition decision making on security posture

Authors:
  • Eric Goldman

1 Dec 2012   ::   Security   ::   #human factors #acquisition #journal article


This article is a pre-publication version of a paper published in Information Management & Computer Security. Please see citation and copyright information at the bottom of this page. Please cite this article using the Journal version / DOI.


Abstract:

Purpose

The purpose of this paper is to examine the effectiveness of decision making in IT acquisition and security, and the disparity between the two domains. The paper postulates that improving decision processes during acquisition increases decision makers’ security consciousness and security posture.

Design/methodology/approach

Semi‐structured interviews were conducted with 15 IT decision makers of small‐to‐medium sized organizations using questions derived from previous research in psychology, HCI, and MIS. Questions from the security and acquisition areas were coded based upon a predefined rubric and correlation testing was performed. The author chose to focus on small‐to‐medium sized organizations since they often lack sufficient background and resources to address IT security concerns.

Findings

Analysis suggests a significant positive correlation between the effectiveness of acquisition decision making and organizational security posture and attitudes, further suggesting that small improvements in acquisition decision making may result in substantial improvements in an organization’s security posture.

Research limitations/implications

The sample size of 15 organizations is not sufficient for population generalization. This research instead focused on analyzing the effect of certain decisions, attitudes, and behaviours on acquisition and security.

Originality/value

Increased security concerns, such as cyber‐attacks and regulation, require organizations to proactively plan for and address security requirements. Tools/software are insufficient to properly address organizational security and do not address failure or flaws in human decision making. These findings can help organizations to better understand and improve their internal decision making processes and security consciousness, and avoid common pitfalls which allow for unaddressed risk.


Introduction

Security software and hardware are insufficient for achieving adequate control over information security. The attitudes of IT decision makers (system administrators, chief information officers, etc.) have a sizeable impact on an organization’s information security. Disregard for security by decision makers may be unintentional, but organizations that do not understand security requirements and obligations are at risk for attack, regulatory sanctions, and business interruptions (Payne, 2008). Instead of relying on technology (e.g. firewalls), gains in security posture may be more effectively realized by investing in training, as well as by improving attitudes and processes throughout the system development lifecycle (SDLC).

In this study, we examined correlations between general acquisition decision strategies and IT security practices. Acquisition decisions are crucial to proactive IT management, which reduces the high cost of reactive, “fire-fighting,” responses to incidents and changing business requirements (Stoneburner et al., 2002; Doherty and Fulford 2006). If careful decisions are not made upfront, a system may not provide flexibility to meet changing requirements. This often results in obsolescence or degradation of multiple dependent components. More than other aspects of IT management, long-term security capabilities are affected by acquisition decisions because security is often only considered, if at all, after functional requirements. Whether or not decision criteria are security specific, poor acquisition decisions may result in future problems implementing security controls or integrating security technologies (e.g., monitoring) within existing infrastructure.

Herein, we report findings suggesting a strong relationship between the quality of general acquisition practices (even for non-security related products) and the extent of security awareness and security practices within an organization. Discussed in more detail below, quality of acquisition was determined by factors including utilization of quality research sources, weighing multiple options, and learning from previous acquisition projects. Security awareness and conscientiousness criteria included existence/maturity of policies and procedures, enforcement, user education, and an understanding of tools and controls.

We focused on smaller organizations (≈20-1000 employees) because they often lack comprehensive internal IT resources and staff, and additionally, may not be able to dedicate time or resources to security on a regular basis. Though smaller organizations may have fewer employees, customers, or business-to-business relationships, research by Ryan (2001) suggests that smaller organizations are no less likely to experience a security breach than larger organizations. While smaller organizations may view themselves as unlikely targets, they offer more desirable gain/risk and gain/difficulty ratios for attackers, relative to large organizations. Furthermore, evolving business practices (e.g., cloud-computing) have increased the use of outsourcing and co-sourcing (Jarzombek et al., 2009). As a result, information custodianship and access is extended to an increasing number of smaller partner organizations, and these small businesses must still provide the same degree of privacy and security protection (Culnan and Bies, 2003). Poor security practices in small organizations can have far reaching impacts on other businesses, individuals, financial systems, and governments. We present our findings in the hope that small businesses can identify missteps in their own acquisition processes, and ultimately improve their security posture and practices.

Human Psychology and Decision Making

Generally, humans are interested in making simple, straightforward decisions and are inclined to take the easiest route, without necessarily considering the possible consequences (Sasse et al., 2001). This leads to reliance on heuristic decision-making, which if performed ad-hoc or without structure may lead to exclusion of prime factors for reaching optimal outcomes. Besnard and Arief’s (2004) research supports this view, noting specifically that human reasoning is not based on achieving perfection, but rather an analysis of trade-offs, which results in individuals choosing a perceived optimal path. However, the trade-offs are frequently biased (e.g., anchoring), misinformed (perceived trust), or otherwise faulty (Tversky and Kahneman, 1982). Nonetheless, heuristic decision-making is necessary to expeditiously address complex problems, such as those posed in acquisition or security scenarios. Therefore ongoing process refinement and formalization (e.g., checklists, baselines) can increase the probability of success. In addition, consideration of decision-making as a process (Zeleny, 1981) and the utilization of multi-stage, multiple-perspective strategies can reduce the loss of fidelity which accompanies heuristic approaches.

Issues of Trust

Trust can be understood as a reduction in the perception of risk, resulting from relationship, analysis, or a combination of other factors that leads one to believe that one is less vulnerable (Mayer et al., 1995). In the context of acquisition, a decision maker is evaluating many possible solutions offered by different vendors. A decision maker must ultimately establish some level of trust in the product, vendor, and/or support provider. However, individuals do not always use the best criteria for establishing trust (Chu, 1997). For acquisition, reliance on sponsored reviews and research, or search engine prominence, may establish a faulty trust basis. Trust may also be gained “by association” from an existing trusted source, for example, peers or professional organizations. However, the experiences and goals from such sources may differ; furthermore, the preexisting trust between the recommender and the recommended product or vendor may itself be faulty. This may result in a herd effect where key information is suppressed or disregarded as the group converges towards popular opinion (Scharfstein and Stein, 1990). Careful checks are always necessary for establishing trust in order to counteract factors such as marketing (Swan et al., 1985), ease of availability, or brand familiarity (Delgado-Ballester, 2004).

Methodology

Our research is primarily concerned with the motivations and influencing factors in attitudes and decisions. Our focus is on the extent to which security is considered in the context of an organization’s unique needs; as such, we took a qualitative approach and do not address specific threat models. Data was collected through semi-structured, one-on-one interviews.

Data Collection

Characterization of Sample and Participants

Inclusion criteria required that each organization consist of ≈20-1000 employees (what commonly constitutes a small business which is not a sole proprietorship), where most employees’ work relies upon utilizing IT systems. Participating organizations were identified through reference from business organizations, career services professionals, and direct engagement. Each organization identified the appropriate individual(s) responsible for IT acquisition; the sample consisted of technical leads (e.g., system administrators) as well as non-technical individuals such as CEOs (14 of 15 participants were managers or executives). No participating organization was involved in IT security, IT consulting, or IT audit services; such organizations were excluded to eliminate the possibility of bias or uncommon security insight. No incentives were offered, all participants complied with the informed consent request, and there were no withdrawals.

Interview Protocol

The findings presented herein focus on a subset of findings from a larger study. In full, participants were asked questions from the following sections in order: IT background and time at current organization; acquisition strategies and process (in general) (Table 1); management’s style and management involvement with IT decision making; end-user consideration and end-user involvement in acquisition; and security practices, processes and attitudes (Table 2). Some questions in the security section specifically addressed if security was considered during the acquisition phase of the SDLC. Participants were informed ahead of time that the focus would be on acquisition strategies in small businesses; no mention was made of security to avoid influencing natural responses. Interviews were conducted privately, to prevent fear of organizational reprisal, and lasted between 60 and 90 minutes. Scripted questions were asked in order, unless the question was sufficiently answered earlier; some questions were excluded when inappropriate (e.g., asking the CEO about how her boss communicates with her).

Data Analysis

This paper highlights the acquisition and security related findings of the study. Participants’ responses were either coded (e.g., Table 3) or served as additional information or lead-ins for coded questions. Responses (or sets of responses) were coded on an interval scale, with scores ranging from a low of 0 to maximum of (P) possible points. Coding schemes were determined a priori based upon existing literature to limit potential bias. The coding serves to group together participants/organizations with similar attitudes and strategies, rather than for grading individuals. The scoring aims to reflect attitudes and thought processes, not achievement of control objectives. Scored questions were analyzed using Pearson’s correlation tests and regression testing, which was utilized to examine if understanding and addressing security concerns can be explained by the quality of acquisition processes and decision strategies practiced by the organization.

The sample for this study consists of 15 participants. This sample size is inappropriate for statistical-population analysis. However, population characterization was not a goal of this study; instead, the study focused on analyzing the effect of certain decisions, attitudes, and behaviors on acquisition and security processes. An attempt was made to group and identify individuals with common beliefs and practice; however, there may be additional confounding variables not explicitly addressed in this study, which may become evident in larger samples.

Acquisition Questions Summary

Participants were asked fifteen questions related to general acquisition strategies and practices. Specifically, we examined influences, decision criteria, and how processes evolve over time. In general, participants understood their goals and could define the necessary criteria for accomplishing a successful acquisition project. One recurring finding was that acquisition projects often were not planned in adequate detail to allow firm guidance to be used in the decision making process. While most organizations made annual budgetary considerations for IT spending, specific acquisition or upgrade projects were not often determined at that time and acquisition projects were initiated only after a (business) problem was identified. Participants noted that in general they were free to make the majority of their technical decisions autonomously, except in organizations under partner-management. In such organizations, participants reported that often upper-management individuals, who they believed to be external to the project, were likely to interfere.

Participants indicated that acquisition projects were usually business-driven (as opposed to the direct result of technical failure); the impetus could be users, management, or the IT team. Initiation by the non-IT sources often resulted in acquisitions being matched better to business needs. Generally, final approvals only required one step to senior management, and were often limited to financial approval, when above the organization’s threshold.

We also inquired about the frequency of performing acquisition projects. Over half noted that they perform acquisition activities multiple times per year, while only two participants commented that acquisition projects came up at intervals greater than yearly. However, there was no evidence to suggest a significant correlation between the frequency of acquisition and the quality of acquisition.

While acquisition processes were not typically standardized, most participants used a fairly regular/defined process. However, we identified that many participants often gave a boost to well known, mainstream options, without a thoughtful explanation. One participant reported that his organization’s needs were “vanilla”, and that its components were the norm for businesses of its size, though he admitted this was based more on feeling than data. When higher trust is awarded based on brand popularity, it can make it more difficult to select an option that better fits business criteria. Another participant also noted that search engine rankings returned for his criteria influenced his decision; the individual was unaware that such rankings are often professionally manipulated. Organizations can improve success in acquisition when they look beyond popular or “industry standard” solutions and instead focus on the options that provide the solutions to their own well-defined business criteria. Participants often sought advice from peer resources, such as trade/professional groups and online communities, but did not recognize the possible negative consequences. Peer suggestions should not be implicitly trusted because peers likely lack a comprehensive understanding of one’s project and its goals, there is no way to determine the peer’s motivations or the trust basis for the suggestion, and/or the suggestion may be subject to the peer’s bias and experience in a dissimilar IT/business environment. Instead, prudent participants noted a reliance on specialized, objective, and/or evidence-driven resources.

Since acquisition decision-making must be efficient, and frequently heuristic, we evaluated the extent to which participants defined high-level inclusion and exclusion criteria. While each individual acquisition will have specific business requirements, participants noted common elements and vendor characteristics. Participants were generally looking for a favorable cost-benefit ratio, easily accessible and helpful support from the vendor or third-party, and the stability and reliability of the product and vendor. Participants also preferred barebones solutions, demonstrating a focus on business requirements, not supplemental features. Generally, participants were more focused on the quality of the vendor than the product, and sought a reliable and accessible partner, not just a salesman. Vendor image and quality were also top exclusion criteria, including poor support options or poor market reputation. Lack of interoperability with existing systems and customization options were also exclusion factors. Overall, preference was given to the option that could provide the desired functionality, ease and cost of management, usable operating interface, and solutions which were generally “simpler.” While not directly queried, one participant noted security concerns while the remaining participants generally did not mention security until they were asked the security specific questions; even among participants who identified security as a top business concern, security was not necessarily a deciding factor in acquisition.

Once a final selection had been made, we noted that almost all of the participants performed some degree of testing and evaluation before the component was placed in production. Even when testing/demoing was part of the initial evaluation, pre-implementation or sand-boxed testing was also common. This practice allows an organization to practice actual processes and test perceived functionality. In addition, testing helps organizations limit processes and other components from becoming dependent upon an unsuitable or troublesome component. Development of customized training and documentation was another common post-acquisition activity. Less common was the development of change plans that might include implementation timelines, process impact analyses, and policy implementations. We noted that approaching acquisition as a project in general provides greater structure to the process and consideration of more variables.

We next examined how acquisition processes were refined over time, through evaluation of acquisition failures. An acquisition is deemed failed if the selected component ceased to operate, did not provide intended functionality, or required removal or replacement before expected. The most common causes of failure reported by participants were poor communication (internal or with vendor) and lack of evaluation and testing, with the root cause often being tied back to faulty trust relationships as defined above. Examples included having to replace a consultant that came highly recommended by a peer and implementing a solution recommended by a peer that did not match internal requirements. Other events or factors that led to failure included inferior support and vendors transferring blame to a third party that was inaccessible or otherwise problematic. Some participants noted that limited or non-adoption of the component by users led to failures; the lack of adoption resulted from high complexity of use, lack of testing, or low user involvement or consideration during the selection process.

When an acquisition failed, usually it was not immediately evident. Participants believed that as a result, processes or other components had already become dependent, and therefore organizations were often unmotivated or lacked time and resources to evaluate new options. Consequently, participants reported they would continue to use faulty components and often had to re-engineer processes or develop other workarounds (often complex or inconvenient) to continue operations; such measures would often negate any advantage that could have been gained by implementing the new component. The value of partnering with vendors was cited as a major enabler for finding a workaround solution or resolving a problem to prevent a permanent failure. Participants generally expected a modicum of problems, but expected that the vendor or simple research should generally alleviate any such issues. Most of the participants did indicate that each acquisition was used as a learning experience for refining and improving their processes, though some individuals reported that their failure scenario could not be avoided and it did not lead to any process modification.

Security Questions Summary

In the security section of the interview, participants were asked eleven questions about security practices, policies, and attitudes in their organizations. The questions addressed security throughout the SDLC and in day-to-day practice. Compared to the acquisition quality focused questions, there was a greater variance in sum scores for the security consciousness questions.

Some organizations demonstrated high awareness of security needs, while others encouraged more open access to IT systems and had few established policies or controls. There was often confusion or ignorance regarding applicable regulations and any other legal or expected protections. Furthermore, some participants were unable to identify the potential risk of certain practices, even though they were implicitly accepting, instead of mitigating, the risk. The degree of security awareness and understanding had no relationship to the employee-size of the organization; however, as would be expected, participant organizations operating under audited regulations such as FDICIA or GLBA, often, but not always, demonstrated greater security consciousness. Most organizations did not have specific security staff; there was no relationship between organizational size and security staff.

To address organizational limitations (or motivations) to implement security measures, we investigated management’s awareness and attitudes towards IT security. Many participants responded that IT security was a high or increasing priority for management; the remainder believed management was at least somewhat aware of its obligation to address IT security. Participants reported an increase in management awareness and support in recent years. One participant commented that previously it was difficult to educate management about IT security, but today management has a foundational understanding. We also evaluated internal and external motivations influencing the degree of conscientiousness. Regulatory fear, passing audits, and meeting specific customer or third party audit requirements were major external influences. To a limited degree, participants noted that protection and privacy of customer data were part of their due diligence, but surprisingly there was little concern for protection of intellectual property and internal data; only one participant cited backup and business continuity concerns. Participants cited that in general it was very difficult to discover and determine if specific laws or regulations applied to them, with one participant responding that “there is no clearinghouse” or organization that provides a firm list of all specific requirements that apply to your organization. Participants negligibly addressed the role of legal counsel in determining regulatory and legal requirements; utilization of such resources, however, could help in reducing confusion and focusing security efforts.

In terms of security practices, policies, and procedures participants noted that policies were often underdeveloped and under-enforced. Current policies were cited by many as having limited scope, being difficult to understand by end-users, or otherwise unclear or poorly written. Among those with weak or non-existent policies, they reported that they had a high degree of trust in their users and did not want to be seen as “policemen”. However, findings suggest that the insider (or former insider) threat is significant and could potentially lead to more impactful breaches compared to those by autonomous external agents (Baker et al., 2011). On the other end of the spectrum, some participants reported that they actively managed security practices and awareness. Actions include explicit security training and reinforcement activities. These individuals were also more willing to implement more restrictive controls and interfaces (e.g., menu-driven) to limit undesired actions. The absence of prior security incidents was commonly provided as justification for not being a “policeman”; however, absent policy, monitoring, and enforcement there would be no evidence to prove incidents are (or are not) occurring undetected. Even if users could be unconditionally trusted, such trust would not limit accidental security breaches or exposures. Permitting poor security practices, skimping on security planning, or allowing an overly open IT environment can place an organization at significant risk from compliance enforcement or attack. Therefore, management must reconcile open access and the desire to implicitly trust their employees with true threats identified through risk assessment processes.

We found that most organizations lacked internal security specialists and that decision makers generally lacked security experience; however, there was no significant correlation between security experience and security practices or attitudes. For instance, one participant was a firewall administrator in a previous role, but encouraged an open environment, which aligned with management’s general operating attitudes. Conversely, another participant with low management support for security made special efforts to control security due to previous experience in another organization which was frequently breached. Some participant organizations maintained no internal IT resources and instead engaged support services and consultants. In such cases, participants supposed that such consultants would address security issues if needed; however, such claims were unsubstantiated and were only expectations. A thorough understanding of security or lack thereof was not demonstrated to have a directly proportional effect on security conscientiousness; rather, interest and motivation seemed to be a stronger predictor of conscientiousness.

Near the end of the interview, we asked specifically about security considerations during acquisition. Our focus was on everyday components, not specifically those with obvious security purposes. Security is gained through evaluating and managing risk; any new component, no matter how seemingly ordinary or trivial, may introduce risk. However, among participants security was not a primary concern or limiting factor during acquisition. Many participants limited security concerns to security specific tools or to perimeter defenses such as firewalls; consideration of threats at the application level or through social engineering, phishing, etc. was uncommon. If a possible selection did include security features, participants often viewed that as a possible hindrance, disregarding any potential risk mitigation or ease of management and compliance. Some participants did note that security was an important consideration, and thus they required risk analyses to be built into the business case for acquisition, and a subset had security policy requirements that dictated acquisition requirements. Interestingly, one participant reported that his company made security a selling point to their customers, but they themselves did not consider it an important factor in acquisition. This corresponds with our findings above: understanding of security does not necessarily translate into security-inclusive business practices.

In day-to-day operations, participants reported that the main methods for achieving security were passwords, encryption, and firewalls. To a lesser extent, role-based authentication, intrusion detection, and monitoring were part of participant organizations’ control environments. There was negligible interest in human factors controls such as training or rigid processes. Concerns over misuse, social engineering, etc. were secondary to measures that limited access. This perspective demonstrated that security was generally addressed only in the technical domain, without regard for risk control in accordance with business requirements. As with acquisition, all security decisions should come back to meeting business needs or addressing risks to the business.

Acquisition-Security Correlation

Our findings suggest there is a significant positive correlation between quality acquisition and higher security conscientiousness. Participants with more objective and informed acquisition processes tended to have better risk awareness and security management practices.

To address the relationship empirically, statistical software was used to perform correlation and regression analysis using each participant’s sum score for acquisition quality (Sacq) and security awareness and consciousness (Ssec), which are based upon the questions in Table 2 and Table 3. The results of a Pearson’s correlation test (r = .56, p = .05) showed that as acquisition quality increased, so did security conscientiousness, and that the relationship was statistically significant. Indeed, the Pearson’s test indicates that acquisition quality explained 31% of the variance in security conscientiousness. As observed in Table 4, participants as a whole in our sample scored significantly higher (as determined by a paired-sample t-test, α = .05) in acquisition quality than in security awareness and consciousness. To explore this relationship further, we used regression testing to model how a small improvement in Sacq would generally correspond to a larger improvement in Ssec. The resultant model was

Ssec = ( 1.41 × Sacq ) - 0.56

with possible scores limited to 0.0 - 1.0.
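The statistics above (Pearson’s r, the share of variance it explains, and the least-squares line) can be reproduced by hand on any set of paired scores. The following is an added example and not part of the original paper or its analysis: the five Sacq/Ssec pairs are constructed for illustration (the paper’s participant data are not reproduced here, so the fitted line will not equal the paper’s 1.41 × Sacq - 0.56), while `predict_ssec` applies the paper’s reported coefficients and clamps the result to the 0.0-1.0 score range. The function names and the sample data are this example’s own assumptions.

```python
"""Pearson correlation and least-squares regression of two score vectors.

Added example, not from the paper. The paper reports r = .56 between
acquisition-quality scores (Sacq) and security-consciousness scores (Ssec)
for 15 participants and fits Ssec = 1.41 * Sacq - 0.56. The score pairs
below are CONSTRUCTED for illustration and do not reproduce those numbers.
"""
import math

# Constructed sample: normalized sum scores in [0, 1], one pair per organization.
SAMPLE_SACQ = [0.2, 0.4, 0.6, 0.8, 1.0]
SAMPLE_SSEC = [0.1, 0.5, 0.3, 0.7, 0.9]

# Coefficients reported in the paper (Ssec = 1.41 * Sacq - 0.56).
PAPER_SLOPE = 1.41
PAPER_INTERCEPT = -0.56


def _centered_sums(x, y):
    """Return (Sxx, Syy, Sxy, mean_x, mean_y) for paired observations."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need at least three paired observations")
    mx = sum(x) / len(x)
    my = sum(y) / len(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    syy = sum((yi - my) ** 2 for yi in y)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    return sxx, syy, sxy, mx, my


def pearson_r(x, y):
    """Pearson product-moment correlation coefficient in [-1, 1]."""
    sxx, syy, sxy, _, _ = _centered_sums(x, y)
    return sxy / math.sqrt(sxx * syy)


def variance_explained(r):
    """Coefficient of determination r**2 (the paper's 31% for r = .56)."""
    return r * r


def ols_fit(x, y):
    """Ordinary least-squares line y = slope * x + intercept; returns (slope, intercept)."""
    sxx, _, sxy, mx, my = _centered_sums(x, y)
    slope = sxy / sxx
    return slope, my - slope * mx


def predict_ssec(sacq, slope=PAPER_SLOPE, intercept=PAPER_INTERCEPT):
    """Apply the model, clamping to the 0.0-1.0 score range the paper uses."""
    return min(1.0, max(0.0, slope * sacq + intercept))


def marginal_gain(delta_sacq, slope=PAPER_SLOPE):
    """Change in predicted Ssec for a change in Sacq (within the unclamped range)."""
    return slope * delta_sacq


if __name__ == "__main__":
    r = pearson_r(SAMPLE_SACQ, SAMPLE_SSEC)
    slope, intercept = ols_fit(SAMPLE_SACQ, SAMPLE_SSEC)
    print(f"constructed sample: r={r:.2f}, r^2={variance_explained(r):.2f}, "
          f"fit Ssec = {slope:.2f} * Sacq {intercept:+.2f}")
    print(f"paper's r=.56 explains {variance_explained(0.56):.0%} of the variance")
    for s in (0.2, 0.5, 0.9):
        print(f"paper model: Sacq={s:.1f} -> Ssec={predict_ssec(s):.2f}")
```

Because the paper’s slope (1.41) exceeds 1, `marginal_gain(0.1)` returns 0.141: a tenth of a point in acquisition quality corresponds to more than a tenth of a point in security consciousness, which is the “small improvement, larger effect” reading given in the text. The clamp in `predict_ssec` matters at the low end, where the raw line goes negative for Sacq below about 0.4.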

We postulate several reasons why the two areas are so interrelated. Both require critical, analytical thinking; if an organization is unwilling or unable to devote time and resources to building business cases and analyzing requirements, critical information also may not be considered. As a result, an acquired component or a security process might fail to meet its business purpose or may disrupt other components or processes. Since acquisitions determine the makeup of the IT environment, decisions may affect interoperability or available configuration options, which might introduce potential risks. If an acquisition does not consider the total environment or future considerations, it may be difficult to integrate security features later (Chung and Nixon, 1995). Furthermore, if the simpler process of acquisition is performed haphazardly, it is unlikely a more rigorous approach will be taken for more complex security processes. Both activities require similar cognitive decision processes and consideration of complex inter-related factors.

Discussion

Our participants readily admitted when they had shortcomings in their security processes, but often did not know how to begin addressing the complexity and magnitude of security concerns. Unlike acquisition activities, which occur over a fixed period of time and typically have a well defined scope, security requires specialized knowledge and training. While there are numerous security products and risk assessment methodologies, a successful security management program requires ongoing attention and sincere consciousness throughout all stages of the SDLC in order to succeed in mitigating unacceptable risks (Radack, 2009). Weaknesses in security posture and programs are inherently a human, rather than technical, problem.

Based upon our findings, organizations facing the difficult task of improving their security posture should consider first improving their acquisition processes. Our regression analysis suggests that a small improvement in the quality of acquisition can have a much larger impact on security posture and consciousness. The outcomes of acquisition decisions are long lasting and often exceed the life of individual system components, because future decisions may be affected even if the initial component was already decommissioned. Therefore, organizations should avoid performing these processes ad hoc or reactively. Instead, orderly, repeatable, and measurable procedures should be developed to guide this process. Moving from ad hoc processes to thorough and thoughtful procedures should be initiated throughout the SDLC and in all aspects of IT management, including security. To accomplish this transition, we recommend that organizations ensure that IT staff and decision makers obtain project management training as a key aspect of improving their IT management and security capabilities.

A deep understanding of a component’s purpose, features, and limitations at introduction can help prepare decision makers for changes in the system later in the lifecycle. Quality acquisition helps decision makers become more cognizant of their IT systems as a whole and enables more holistic decision-making. As a result, decision makers can understand where risk exists and where controls and configurations may be limited. Over time, as decision makers develop their acquisition process they will hopefully learn to build security in at inception, since security is often dictated by business rules that should also drive acquisition. Successful security also depends upon the ability to limit user action and prevent circumvention. By bringing in users early during acquisition, decision makers can identify whether security mechanisms will fail (by circumvention or non-enforcement) and can ensure that security controls are adaptive so that they allow business processes to function as expected. Mature project management procedures include project closure and review. As acquisitions are typically short, defined projects, they provide a better opportunity to identify decision making missteps such as those identified by our participants. In addition, acquisitions deal with well-defined functional requirements, whereas security is often ongoing and requires specialized knowledge. Therefore, through refinement of the acquisition process, practitioners will better understand not only their systems and related risk, but also their own decision making missteps. Successful acquisition requires delving deep to bypass biases and perceptions. Acquisition decision-making teaches IT decision makers to think proactively and consider the possible chain reaction and various interdependencies that result from each option. By applying a similar approach to security problems, decision makers can address complex risk scenarios and control combinations to achieve their desired security posture and reach higher levels of security consciousness.

Conclusion

While the market continually introduces new tools and services to increase security, organizations are still ill-prepared to address the risk they face. The individual-consumer and macroeconomic effects of IT breaches in small businesses present a real global threat. Small businesses are an integral part of the national infrastructures of most countries in all sectors, including manufacturing, finance, and national security. Most small businesses do not have the dedicated resources needed for managing data and operational security, and therefore security is often ignored. However, mere understanding of security and implementation of security tools is insufficient.

While the market is ripe with expensive security products, they do not necessarily correlate to a positive return on investment (ROI) or an actual increase in security. To proactively and economically address security challenges, small organizations should first focus on the human element and look to eliminate, or prevent, rather than mitigate risk. The significant relationship observed in our study suggests that a practical path to improving security posture is to focus first on acquisition; improvements to acquisition will result in better holistic IT understanding and more informed decision making. Improving the quality of acquisition will help organizations create an environment where they can better understand their systems as a whole and be better prepared to proactively address security concerns.

Investing in acquisition methodologies and providing decision makers with more time and resources for acquisition projects represents a relatively low cost for small organizations. In addition, the ROI, while difficult to quantify financially, will be evident because decisions will be based upon a better understanding of systems, business functions, and risks. Tools and software will still be needed, but the cost and complexity of effectively configuring, maintaining, and utilizing these tools will decrease. When decision makers are trained to think meaningfully and are provided with the opportunity to consider the entire system and the implications of their decisions, they will be more likely to consider security and other non-functional requirements. As a result, small businesses that adopt this approach will better understand their risks and will effectively, and economically, increase their security posture.

Tables

Table 1: Abridged Question Coding Example

Question: Who initially decides an acquisition should be started?

Coding Criteria
0/3 Initiation requires a technology failure
1/3 Management must have a special interest
2/3 Initiation only comes from within IT department
3/3 Any member of the organization can suggest

Rationale: IT acquisition should be tied to business objectives; IT staff alone may not be able to identify such needs. Ref: (Byrd, Cossick and Zmud, 1992)

Table 2: Acquisition Decision Quality Questions

# Interview Question
1 To what extent are acquisition activities planned? To what extent are they reactive or "spur of the moment"?
2 Who are the people who identify the need to start acquisition activities or an acquisition project?
3 Who are the people who decide to then actually begin acquisition activities? Who are the relevant decision makers in the acquisition process?
4 How often do you participate in acquisition activities?
5 Please define how you start the acquisition process in your organization. Identify if the process is formalized or regular in any way. Identify the activities that occur in the early stages of acquisition.
6 Define what constitutes a good (desirable) IT component in your organization.
7 Are there any constraints placed upon the IT components you consider in acquisition, either from the organization or from your own criteria?
8 Are there any common attributes in the IT components that you acquire for your organization?
9 Describe the final stages of the acquisition process within your organization. Once you have selected the IT component to acquire what else must occur before moving into implementation? Who else is involved in this stage? Are any approvals required to acquire the component?
10 During the acquisition process, what factors or people inhibit the process? What, if any, are the sources of resistance or frequently occurring problems in the acquisition process?
11 Once a product has been finally selected and approved what are the final steps to close out the acquisition process or prepare/bridge to implementation?
12 Reflect upon a time when an acquisition project failed. Why do you believe the acquisition was a failure? If the IT component did not meet the specified purposes, why do you believe this occurred?
13 Reflecting upon the previous acquisition failure, please explain what was done to address the situation.
14 How have you (or will you) addressed your acquisition process in order to limit or prevent a reoccurrence of a similar incident?
15 Who, including yourself, would decide that the acquisition process failed or that an acquired IT component was not meeting its intended purpose after implementation?

Table 3: Security Awareness and Consciousness Questions

# Interview Question
1 Please describe management's understanding of IT security concerns and their interest in this issue.
2 In your organization, is security motivated by internal factors, external factors, or a combination? Please describe any sources of motivation to be concerned with IT security.
3 Are you aware of any laws or regulations which affect the operation of your IT systems?
4 Does your organization have formal security policies? If your organization does have formal policies, do the policies address any requirements or restrictions for components that may or may not be acquired?
5 Do either formal computer usage or end-user security policies exist? If these policies exist either formally or informally, to what extent are they monitored and enforced?
6 In terms of end-users and security, what security concerns exist in your organization? What tools or restrictions are in place to control end-user usage of IT systems?
7 Do you believe that the security policies are well written and can be understood by end-users? Are the users aware of the existence of the security policies and are they conscious of the related obligations and restrictions?
8 Do you yourself have any background or understanding of IT security? Describe your level of IT security competence. Are there other individuals besides yourself who are more focused on IT security and, if so, what role do these individuals play in IT acquisition? Do you believe that your organization would benefit from an increase in IT staff security training or personnel?
9 Describe the role that IT security plays in your acquisition projects. Is security an important consideration when you are considering new IT components or systems? In your opinion, what exactly does security mean in the context of IT component acquisition?
10 What measures beyond antivirus and firewalls do you consider fundamentally important to ensuring security of your IT systems? How does this philosophy affect software or system acquisition?
11 From your acquisition experience, can you share any insight or provide any suggestions to increase total IT system security or to limit a decrease in total IT system security? In terms of security, are there any issues or concerns of which you would advise others to be wary?

Table 4: Participant Section Scores

Statistic                          Acquisition Decision Quality Questions   Security Awareness and Consciousness Questions
Mean Participant Section Score     0.88/1.00                                0.68/1.00
Median Participant Section Score   0.88/1.00                                0.69/1.00
Section Score Standard Deviation   0.11                                     0.28
Lowest Participant Score           0.69/1.00                                0.15/1.00
Highest Participant Score          1.00/1.00 (4 participants)               1.00/1.00 (2 participants)

Bibliography

Baker, W., Hutton, A., Hylender, C.D., Pamula, J., Porter, C. and Spitler, M. (2011), “2011 data breach investigations report”, Technical report, Verizon Business, available at: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf (accessed 20 June 2011).

Besnard, D. and Arief, B. (2004), “Computer security impaired by legitimate users”, Computers & Security, Vol. 23 No. 3, pp. 253-264.

Byrd, T.A., Cossick, K.L. and Zmud, R.W. (1992), “A synthesis of research on requirements analysis and knowledge acquisition techniques”, MIS Quarterly, Vol. 16 No. 1, pp. 117-138.

Chu, Y. (1997), “Referee: trust management for web applications”, Computer Networks and ISDN Systems, Vol. 29 No. 8-13, pp. 953-964.

Chung, L. and Nixon, B. (1995), “Dealing with non-functional requirements: three experimental studies of a process-oriented approach”, ICSE ’95: Proceedings of the 17th International Conference on Software Engineering, ACM, New York, NY, USA, pp. 25-37.

Culnan, M.J. and Bies, R.J. (2003), “Consumer privacy: Balancing economic and justice considerations”, Journal of Social Issues, Vol. 59 No. 2, pp. 323-342.

Delgado-Ballester, E. (2004), “Applicability of a brand trust scale across product categories: A multigroup invariance analysis”, European Journal of Marketing, Vol. 38 No. 56, pp. 573-592.

Doherty, N.F. and Fulford, H. (2006), “Aligning the information security policy with the strategic information systems plan”, Computers & Security, Vol. 25 No. 1, pp. 55-63.

Gross, J.B. and Rosson, M.B. (2007), “Looking for trouble: understanding end-user security management”, CHIMIT ’07: Proceedings of the 2007 Symposium on Computer Human Interaction for the Management of Information Technology, ACM, New York, NY, USA, pp. 10+.

Gupta, A. and Hammond, R. (2005), “Information systems security issues and decisions for small businesses: An empirical examination”, Information Management & Computer Security, Vol. 13 No. 4, pp. 297-310.

Jarzombek, J., Moss, M. and Bartol, N. (2009), “Mitigating risks to the enterprise through development and acquisition”, presented at the Software Engineering Process Group (SEPG) North America Conference, 23-26 March, San Jose, California, USA.

Mayer, R.C., Davis, J.H. and Schoorman, F.D. (1995), “An integrative model of organizational trust”, The Academy of Management Review, Vol. 20 No. 3, pp. 709-734.

Payne, S. (2008), “An ongoing conversation with the boss about security”, presented at Securing the eCampus 2008 (Dartmouth College), 11-12 November, Hanover, New Hampshire, USA.

Radack, S. (2009), “The System Development Lifecycle (SDLC)”, ITL Security Bulletins, National Institute of Standards and Technology, available at: http://csrc.nist.gov/publications/nistbul/april2009_system-development-life-cycle.pdf (accessed 30 May 2012).

Ryan, J. (2001), “Information security practices and experiences in small businesses”, Harvard University, Cambridge, Massachusetts, available at: http://www.pirp.harvard.edu/publications/pdf-blurb734a.html?id=493 (accessed 15 December 2011).

Sasse, M.A., Brostoff, S. and Weirich, D. (2001), “Transforming the ‘weakest link’ - a human/computer interaction approach to usable and effective security”, BT Technology Journal, Vol. 19 No. 3, pp. 122-131.

Scharfstein, D.S. and Stein, J.C. (1990), “Herd behavior and investment”, The American Economic Review, Vol. 80 No. 3, pp. 465-479.

Stoneburner, G., Goguen, A. and Feringa, A. (2002), “NIST special publication 800-30 - risk management guide for information technology systems”, available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (accessed 25 May 2011).

Swan, J.E., Trawick, I.F. and Silva, D.W. (1985), “How industrial salespeople gain customer trust”, Industrial Marketing Management, Vol. 14 No. 3, pp. 203-211.

Tversky, A. and Kahneman, D. (1982), Judgment under uncertainty: Heuristics and biases, Cambridge University Press, New York, NY.

Zeleny, M. (1981), “The decision process and its stages”, Multiple Criteria Decision Making, McGraw Hill Higher Education, New York, NY, pp. 84-95.

Citation

Eric H. Goldman (2012), “The effect of acquisition decision making on security posture”, Information Management & Computer Security, Vol. 20 Iss: 5, pp. 350-363.

DOI/FullText at: http://dx.doi.org/10.1108/09685221211286520

Bibtex

@article{doi:10.1108/09685221211286520,
  author  = {Eric H. Goldman},
  title   = {The effect of acquisition decision making on security posture},
  journal = {Information Management \& Computer Security},
  volume  = {20},
  number  = {5},
  pages   = {350-363},
  year    = {2012},
  doi     = {10.1108/09685221211286520},
  url     = {http://dx.doi.org/10.1108/09685221211286520},
  eprint  = {http://dx.doi.org/10.1108/09685221211286520}
}

This article is © Emerald Group Publishing and permission has been granted for this version to appear here (http://www.ericgoldman.name). Emerald does not grant permission for this article to be further copied/distributed or hosted elsewhere without the express permission from Emerald Group Publishing Limited.