Detmar W. Straub, Jr., "Effective IS Security: An Empirical Study", Information Systems Research, Sep. 1990, Vol. 1, No. 3, pp. 255-276.
Detmar Straub, "Validating Instruments in MIS Research", MIS Quarterly, June 1989, Vol. 13, No. 2, pp. 147-169.
INTRODUCTORY EXPLANATION

Computer abuse is measured by items 25, 37, 38 and 39. Item 26 is another possible dependent variable.

Deterrent (to computer abuse) certainty is measured by items 10, 11, 12, 14b, 15 and 22, and by the number of months between the initiation of the computer security function and the incident: item 13 minus item 35 for a one-time incident, or item 13 minus (item 28 minus item 36), the onset of an incident that had been going on for a period of time.

Deterrent (to computer abuse) severity is measured by the total number of choices checked under item 18, the total number of choices checked under item 19, and by item 22.

Rival explanations (for computer abuse) are measured by items 16 and 17 (preventives); 29, 30, 31 and 32 (motivational factors); and 21 and 24 (environmental factors).

_____________________________
Section I. Computer Abuse Questionnaire
_____________________________

____________________
Personal Information
____________________

1. YOUR POSITION:
   [ ] President/Owner/Director/Chairman/Partner
   [ ] Vice President/General Manager
   [ ] Vice President of EDP
   [ ] Director/Manager/Head/Chief of EDP/MIS
   [ ] Director/Manager of Programming
   [ ] Director/Manager of Systems & Procedures
   [ ] Director/Manager of Communications
   [ ] Director/Manager of EDP Operations
   [ ] Director/Manager of Data Administration
   [ ] Director/Manager of Personal Computers
   [ ] Director/Manager of Information Center
   [ ] Data Administrator or Data Base Administrator
   [ ] Data/Computer Security Officer
   [ ] Senior Systems Analyst
   [ ] Systems/Information Analyst
   [ ] Chief/Lead/Senior Applications Programmer
   [ ] Applications Programmer
   [ ] Chief/Lead/Senior Systems Programmer
   [ ] Systems Programmer
   [ ] Chief/Lead/Senior Operator
   [ ] Machine or Computer Operator
   [ ] Vice President of Finance
   [ ] Controller
   [ ] Director/Manager Internal Auditing or EDP Auditing
   [ ] Director/Manager of Plant/Building Security
   [ ] EDP Auditor
   [ ] Internal Auditor
   [ ] Consultant
   [ ] Educator
   [ ] User of EDP
   [ ] Other (please specify) _______________________

2. YOUR IMMEDIATE SUPERVISOR'S POSITION:
   [ ] President/Owner/Director/Chairman/Partner
   [ ] Vice President/General Manager
   [ ] Vice President of EDP
   [ ] Director/Manager/Head/Chief of EDP/MIS
   [ ] Director/Manager of Programming
   [ ] Director/Manager of Systems & Procedures
   [ ] Director/Manager of Communications
   [ ] Director/Manager of EDP Operations
   [ ] Director/Manager of Data Administration
   [ ] Director/Manager of Personal Computers
   [ ] Director/Manager of Information Center
   [ ] Data/Computer Security Officer
   [ ] Senior Systems Analyst
   [ ] Chief/Lead/Senior Applications Programmer
   [ ] Chief/Lead/Senior Systems Programmer
   [ ] Chief/Lead/Senior Machine or Computer Operator
   [ ] Vice President of Finance
   [ ] Controller
   [ ] Director/Manager Internal Auditing or EDP Auditing
   [ ] Director/Manager of Plant/Building Security
   [ ] Other (please specify) _______________________

3. NUMBER OF TOTAL YEARS EXPERIENCE IN/WITH INFORMATION SYSTEMS?
   [ ] More than 14 years
   [ ] 11-14 years
   [ ] 7 to 10 years
   [ ] 3 to 6 years
   [ ] Less than 3 years
   [ ] Not sure

__________________________
Organizational Information
__________________________

4. Approximate ASSETS and annual REVENUES of your organization:

                                         ASSETS                 REVENUES
                                  At all     At this      At all     At this
                                Locations   Location    Locations   Location
   Over 5 Billion ................ [ ]        [ ]          [ ]        [ ]
   1 Billion-5 Billion ........... [ ]        [ ]          [ ]        [ ]
   250 Million-1 Billion ......... [ ]        [ ]          [ ]        [ ]
   100 Million-250 Million ....... [ ]        [ ]          [ ]        [ ]
   50 Million-100 Million ........ [ ]        [ ]          [ ]        [ ]
   10 Million-50 Million ......... [ ]        [ ]          [ ]        [ ]
   5 Million-10 Million .......... [ ]        [ ]          [ ]        [ ]
   2 Million-5 Million ........... [ ]        [ ]          [ ]        [ ]
   1 Million-2 Million ........... [ ]        [ ]          [ ]        [ ]
   Under 1 Million ............... [ ]        [ ]          [ ]        [ ]
   Not sure ...................... [ ]        [ ]          [ ]        [ ]

5. NUMBER OF EMPLOYEES of your organization:

                                  At all     At this
                                Locations   Location
   10,000 or more ................ [ ]        [ ]
   5,000 - 9,999 ................. [ ]        [ ]
   2,500 - 4,999 ................. [ ]        [ ]
   1,000 - 2,499 ................. [ ]        [ ]
   750 - 999 ..................... [ ]        [ ]
   500 - 749 ..................... [ ]        [ ]
   250 - 499 ..................... [ ]        [ ]
   100 - 249 ..................... [ ]        [ ]
   6 - 99 ........................ [ ]        [ ]
   Fewer than 6 .................. [ ]        [ ]
   Not sure ...................... [ ]        [ ]

6. PRIMARY END PRODUCT OR SERVICE of your organization at this location:
   [ ] Manufacturing and Processing
   [ ] Chemical or Pharmaceutical
   [ ] Government: Federal, State, Municipal including Military
   [ ] Educational: Colleges, Universities, and other Educational Institutions
   [ ] Computer and Data Processing Services including Software Services, Service Bureaus, Time Sharing and Consultants
   [ ] Trade: Wholesale and Retail
   [ ] Finance: Banking, Insurance, Real Estate, Securities, and Credit
   [ ] Medical and Legal Services
   [ ] Petroleum
   [ ] Transportation Services: Land, Sea and Air
   [ ] Utilities: Communications, Electric, Gas and Sanitary Services
   [ ] Construction, Mining and Agriculture
   [ ] Other (please specify) _______________________

   Are you located at Corporate Headquarters?  Yes [ ]  No [ ]

7. CITY (at this location)? ___________  STATE? ____________

8. TOTAL NUMBER OF EDP (Electronic Data Processing) EMPLOYEES at this location (excluding data input personnel):
   [ ] More than 300
   [ ] 250 - 300
   [ ] 200 - 249
   [ ] 150 - 199
   [ ] 100 - 149
   [ ] 50 - 99
   [ ] 10 - 49
   [ ] Fewer than 10
   [ ] Not sure

9. Approximate EDP BUDGET per year of your organization at this location:
   [ ] Over $20 Million
   [ ] $10 - $20 Million
   [ ] $8 - $10 Million
   [ ] $6 - $8 Million
   [ ] $4 - $6 Million
   [ ] $2 - $4 Million
   [ ] $1 - $2 Million
   [ ] Under $1 Million
   [ ] Not sure

__________________________________________________________________
Computer Security, Internal Audit, and Abuse Incident Information
__________________________________________________________________

A Computer Security function in an organization is any purposeful activity that has the objective of protecting assets such as hardware, programs, data, and computer service from loss or misuse. Examples of personnel engaged in computer security functions include data security and systems assurance officers. For this questionnaire, computer security and EDP audit functions will be considered separately.

                                                        Computer          EDP
                                                        Security         Audit
10. How many staff members are working 20 hours
    per week or more in these functions at this
    location? ....................................  ___ (persons)   ___ (persons)
11. How many staff members are working 19 hours
    per week or less in these functions at this
    location? ....................................  ___ (persons)   ___ (persons)
12. What are the total personnel hours per week
    dedicated to these functions? ................  ___ (hours/wk)  ___ (hours/wk)
13. When were these functions initiated?
    (month/year) .................................  ___/___         ___/___

____________________________________________________________________
If your answer to the Computer Security part of question 12 was zero, please go directly to question 25. Otherwise, continue.
____________________________________________________________________

14. Of these total computer security personnel hours per week (question 12), how many are dedicated to each of the following?
    A. Physical security administration, disaster recovery, and contingency planning ... ____ (hours/week)
    B. Data security administration ..................................................... ____ (hours/week)
    C. User and coordinator training .................................................... ____ (hours/week)
    D. Other ............................................................................ ____ (hours/week)
       (please specify): _____________________________________________

15. EXPENDITURES per year for computer security at this location:
    Annual computer security personnel salaries: $___________
    Do you have insurance (separate policy or rider) specifically for computer security losses?
    [ ] Yes  [ ] No  [ ] Not sure
    If yes, what is the annual cost of such insurance? $___________

16. SECURITY SOFTWARE SYSTEMS available and actively in use on the mainframe(s) [or minicomputer(s)] at this location:

                                                        Number of      Number of
                                                        available      systems
                                                        systems        in use
    Operating system access control facilities ........ _________      _________
    DBMS security access control facilities ........... _________      _________
    Fourth Generation software access control
    facilities ........................................ _________      _________

17. Other than those security software systems you listed in question 16, how many SPECIALIZED SECURITY SOFTWARE SYSTEMS are actively in use? (Examples: ACF2, RACF)
    __________ (number of specialized security software systems actively in use)
    Of these, how many were purchased from a vendor?
    __________ (number purchased from a vendor)
    ... and how many were developed in-house?
    __________ (number developed in-house)

18. Through what INFORMATIONAL SOURCES are computer system users made aware OF THE APPROPRIATE AND INAPPROPRIATE USES OF THE COMPUTER SYSTEM? (Choose as many as applicable)
    [ ] Distributed EDP Guidelines
    [ ] Administrative program to classify information by sensitivity
    [ ] Periodic departmental memos and notes
    [ ] Distributed statements of professional ethics
    [ ] Computer Security Violations Reports
    [ ] Organizational meetings
    [ ] Computer Security Awareness Training sessions
    [ ] Informal Discussions
    [ ] Other (please specify) ____________________________________

19. Which types of DISCIPLINARY ACTION do these informational sources (question 18) mention as consequences of purposeful computer abuse? (Choose as many as applicable)
    [ ] Reprimand
    [ ] Probation or suspension
    [ ] Firing
    [ ] Criminal prosecution
    [ ] Civil prosecution
    [ ] Other (please specify) ________________________________________

In questions 20-24, please indicate your reactions to the following statements:

20. The current computer security effort was in reaction in large part to actual or suspected past incidents of computer abuse at this location.
    [ ] Strongly Agree  [ ] Agree  [ ] Not Sure  [ ] Disagree  [ ] Strongly Disagree

21. The activities of computer security administrators are well known to users at this location.
    [ ] Strongly Agree  [ ] Agree  [ ] Not Sure  [ ] Disagree  [ ] Strongly Disagree

22. The presence and activities of computer security administrators deter anyone who might abuse the computer system at this location.
    [ ] Strongly Agree  [ ] Agree  [ ] Not Sure  [ ] Disagree  [ ] Strongly Disagree

23. Relative to our type of industry, computer security is very effective at this location.
    [ ] Strongly Agree  [ ] Agree  [ ] Not Sure  [ ] Disagree  [ ] Strongly Disagree

24. The overall security philosophy at this location is to provide very tight security without hindering productivity.
    [ ] Strongly Agree  [ ] Agree  [ ] Not Sure  [ ] Disagree  [ ] Strongly Disagree

25. How many SEPARATE UNAUTHORIZED AND DELIBERATE INCIDENTS OF COMPUTER ABUSE has your organization at this location experienced in the 3 year period, January 1, 1983 - January 1, 1986?
    ____ (number of incidents)
    (Please fill out a separate "Computer Abuse Incident Report" [Blue-colored Section II] for each incident.)

26. How many incidents do you have reason to suspect, other than those numbered above, in this same 3 year period, January 1, 1983 - January 1, 1986?
    ____ (number of suspected incidents)

27. Please briefly describe the basis (bases) for these suspicions.
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________
    _______________________________________________________________

_______________________________________________________________
Section II. Computer Abuse Incident Report
(covering the 3 year period, January 1, 1983 - January 1, 1986)
_______________________________________________________________

Instructions: Please fill out a separate report for each incident of computer abuse that has occurred in the 3 year period, January 1, 1983 - January 1, 1986.

28. WHEN WAS THIS INCIDENT DISCOVERED?  Month/Year _____/_____

29. HOW MANY PEOPLE WERE INVOLVED in committing the computer abuse in this incident?
    ____ (number of perpetrators)

30. POSITION(S) OF OFFENDER(S):
                                              Main       Second
                                            Offender    Offender
    Top Executive ........................... [ ]         [ ]
    Security Officer ........................ [ ]         [ ]
    Auditor ................................. [ ]         [ ]
    Controller .............................. [ ]         [ ]
    Manager, Supervisor ..................... [ ]         [ ]
    Systems Programmer ...................... [ ]         [ ]
    Data Entry Staff ........................ [ ]         [ ]
    Applications Programmer ................. [ ]         [ ]
    Systems Analyst ......................... [ ]         [ ]
    Machine or Computer Operator ............ [ ]         [ ]
    Other EDP Staff ......................... [ ]         [ ]
    Accountant .............................. [ ]         [ ]
    Clerical Personnel ...................... [ ]         [ ]
    Student ................................. [ ]         [ ]
    Consultant .............................. [ ]         [ ]
    Not Sure ................................ [ ]         [ ]
    Other ................................... [ ]         [ ]
    (please specify): (Main) ____________________________________
                      (Second) __________________________________

31. STATUS(ES) OF OFFENDER(S) when incident occurred:
                                              Main       Second
                                            Offender    Offender
    Employee ................................ [ ]         [ ]
    Ex-Employee ............................. [ ]         [ ]
    Non-Employee ............................ [ ]         [ ]
    Not Sure ................................ [ ]         [ ]
    Other ................................... [ ]         [ ]
    (please specify): (Main) ____________________________________
                      (Second) __________________________________

32. MOTIVATION(S) OF OFFENDER(S):
                                              Main       Second
                                            Offender    Offender
    Ignorance of proper professional conduct  [ ]         [ ]
    Personal gain ........................... [ ]         [ ]
    Misguided playfulness ................... [ ]         [ ]
    Maliciousness or revenge ................ [ ]         [ ]
    Not sure ................................ [ ]         [ ]
    Other ................................... [ ]         [ ]
    (please specify): (Main) ____________________________________
                      (Second) __________________________________

33. MAJOR ASSET AFFECTED or involved: (Choose as many as applicable)
    [ ] Unauthorized use of computer service
    [ ] Disruption of computer service
    [ ] Data
    [ ] Hardware
    [ ] Programs

34. Was this a one-time incident or had it been going on for a period of time? (Choose one only)
    [ ] one-time event
    [ ] going on for a period of time
    [ ] not sure

35. If a one-time incident, WHEN DID IT OCCUR?
    Month ____________________  Year ____________________

36. If the incident had been going on for a period of time, how long was that?
    ____________________ years  ____________________ months

37. In your judgment, how serious a breach of security was this incident? (Choose one only)
    [ ] Extremely serious
    [ ] Serious
    [ ] Of minimal importance
    [ ] Of negligible importance
    [ ] Not sure

38. Estimated $ LOSS through LOST OPPORTUNITIES (if measurable):
    (Example: $3,000 in lost business because of data corruption)
    $___________________ (estimated $ loss through lost opportunities)

39. Estimated $ LOSS through THEFT and/or RECOVERY COSTS from abuse:
    (Example: $12,000 electronically embezzled plus $1,000 in salary to recover from data corruption plus $2,000 in legal fees = $15,000)
    $___________________ (estimated $ loss through theft and/or recovery costs)

40. This incident was discovered... (Choose as many as applicable)
    [ ] by accident by a system user
    [ ] by accident by a systems staff member or an internal/EDP auditor
    [ ] through a computer security investigation other than an audit
    [ ] by an internal/EDP audit
    [ ] through normal systems controls, like software or procedural controls
    [ ] by an external audit
    [ ] not sure
    [ ] other (please specify): __________________________________________________________________

41. This incident was reported to... (Choose as many as applicable)
    [ ] someone inside the local organization
    [ ] someone outside the local organization
    [ ] not sure

42. If this incident was reported to someone outside the local organization, who was that? (Choose as many as applicable)
    [ ] someone at divisional or corporate headquarters
    [ ] the media
    [ ] the police
    [ ] other authorities
    [ ] not sure

43. Please briefly describe the incident and what finally happened to the perpetrator(s).
    __________________________________________________________________
    __________________________________________________________________
    __________________________________________________________________
    __________________________________________________________________
    __________________________________________________________________
    __________________________________________________________________
    __________________________________________________________________
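The "number of months" term of the deterrent-certainty measure described in the Introductory Explanation is the one part of the scoring that is not a plain item value: it combines the initiation date of the security function (item 13) with either the date of a one-time incident (item 35) or the onset of an ongoing incident (discovery date, item 28, less its duration, item 36), and it is undefined when item 34 is answered "not sure". The following is an added example, not part of Straub's instrument or analysis; the record layout, field names and the sample answers are constructed for illustration. It keeps the page's own sign convention (item 13 minus the incident date), so a negative result means the function was initiated before the incident began.

```python
"""Scoring the 'months rendered' term of deterrent certainty.

Added example for Straub's Computer Abuse Questionnaire; field names and
sample answers are constructed, not taken from the instrument.
Dates are (month, year) as collected by items 13, 28 and 35;
durations are (years, months) as collected by item 36.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MonthYear = Tuple[int, int]      # (month 1-12, year)
YearsMonths = Tuple[int, int]    # (years, months), item 36


def month_index(date: MonthYear) -> int:
    """Absolute month number, so that a difference of two indices is a month count."""
    month, year = date
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range: {month}")
    return year * 12 + (month - 1)


def index_to_month_year(index: int) -> MonthYear:
    """Inverse of month_index, handy for reporting a computed onset date."""
    year, month0 = divmod(index, 12)
    return (month0 + 1, year)


@dataclass
class IncidentReport:
    """Section II answers used by the rule (constructed field names)."""
    discovered: Optional[MonthYear]            # item 28
    one_time: Optional[bool]                   # item 34: True one-time, False ongoing, None not sure
    occurred: Optional[MonthYear] = None       # item 35 (one-time incidents)
    duration: Optional[YearsMonths] = None     # item 36 (ongoing incidents)


def incident_onset_index(report: IncidentReport) -> Optional[int]:
    """Month index at which the abuse began: item 35, or item 28 minus item 36.

    Returns None when item 34 is 'not sure', because neither branch applies.
    """
    if report.one_time is True:
        if report.occurred is None:
            raise ValueError("one-time incident but item 35 is blank")
        return month_index(report.occurred)
    if report.one_time is False:
        if report.discovered is None or report.duration is None:
            raise ValueError("ongoing incident but item 28 or 36 is blank")
        years, months = report.duration
        return month_index(report.discovered) - (years * 12 + months)
    return None


def months_rendered(security_initiated: MonthYear, report: IncidentReport) -> Optional[int]:
    """Item 13 minus item 35, or item 13 minus (item 28 minus item 36).

    Negative: the security function predates the onset of the abuse.
    None: item 34 was 'not sure', so the term cannot be scored.
    """
    onset = incident_onset_index(report)
    if onset is None:
        return None
    return month_index(security_initiated) - onset


# Constructed sample answers: security function initiated March 1981 (item 13).
SECURITY_INITIATED: MonthYear = (3, 1981)

# One-time incident in June 1984 (items 34, 35).
ONE_TIME = IncidentReport(discovered=(7, 1984), one_time=True, occurred=(6, 1984))

# Ongoing incident discovered November 1985 after 1 year 4 months (items 28, 34, 36).
ONGOING = IncidentReport(discovered=(11, 1985), one_time=False, duration=(1, 4))

# Respondent could not say whether it was one-time or ongoing (item 34 'not sure').
UNKNOWN = IncidentReport(discovered=(2, 1985), one_time=None)

if __name__ == "__main__":
    for label, rep in (("one-time", ONE_TIME), ("ongoing", ONGOING), ("not sure", UNKNOWN)):
        print(label, months_rendered(SECURITY_INITIATED, rep))
```

The ongoing branch derives an onset date rather than using the discovery date, which matters for the construct: an incident that ran for sixteen months before discovery was exposed to the security function for sixteen fewer months than the discovery date alone would suggest.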