Management versus security specialists: an empirical study on security related perceptions

The purpose of this study is to explore the rationale that governs implementation of information systems and network security expenditures through a case study approach.

The research method took the form of a mixed‐method assessment of the perceptions of persons of authority in the management and the network security areas of an organization that has implemented network security protocols. Two stages of the research process were completed in order to gather the necessary data for the study. The first stage of the study was the administration of a Likert‐type questionnaire in which respondents answered 30 unique items on network security. In the second phase of the study, a number of responders were contacted to further expand upon the themes presented in the Likert‐type questionnaire.

Empirical evidence gathered justifies theoretical claims that personnel from general management have different perspectives towards network security than personnel from the network security management. In particular, the study indicates that such differences are demonstrated on a number of areas such as the effectiveness and the efficiency of the networked system; control of network security; security‐related decision‐making processes; and users of the network. The latter being the most controversial issue with one side indicating that users should be allowed to use the network in an efficient manner, and the other side emphasizing that users pose one of the greatest security risks to the system.

The limitations of the study are found in its focus on a specific company and on its perception‐centred nature of risk and risk analysis. No two persons identify and frame risk in an identical manner. This creates potential conflict of interest when the participants within a risk assessment process approach the issues and present their arguments as to how to best identify and respond to risks.

Through comparing and contrasting the perspectives of the two sample populations, the research assists in demonstrating how, why, and to what extent specific problems are recognized by those within management and those within network security. This allowed the analysis of how these problems are defined and what steps can be taken that would help to reduce or eliminate its impact in the organization used in our case study.

It has been argued in the literature that there is lack of empirically based research to explore and effectively analyze the perceptions held by management and by security specialists within organizations with respect to security. This paper presents the results of the application of a novel two‐stage framework on an empirical case study focused on a large national bank. The work allowed the identification of the various perceptions held by management and by security specialists, and the degree to which these perceptions are similar.