Reference no.

Security Incident Reporting Delphi Study - Round One - Instructions

Section One - Identification of respondent and relevant business sector

This survey will be conducted in strict confidence and your responses anonymised. I will be the only person analysing the responses. All responses will be collated and analysed, and any emerging consensus will be sent to you again by email for further comment. As stated in my letter, it is likely that only three iterations will be issued, each one taking less time than the previous.

You can either complete the survey as a PDF form or, as there are sometimes compatibility issues, print it out, complete it by hand, scan and return it. If you do not want to email your response but post it instead, the address for posting replies is:

Mike Humphrey
Standards and Security
PO Box 8000
London SE11 5EN

My e-mail address for the survey responses is [email protected]

You can withdraw from the survey at any time, and after the completion of the survey I am happy to provide a de-brief on the results. Please be assured all responses will be treated with strict confidentiality and the final analysis and any reporting will not identify individuals or companies.

Section Two – Suggested Possible Critical Success Factors to Improve Reporting of Security Incidents

This section contains a suggested list of elements considered to be important to the effective reporting of incidents. Against each one, please state ‘yes’ or ‘no’ according to whether you believe it is relevant to information security incident reporting. Then do the same for whether you believe it could be considered a Critical Success Factor (CSF). The elements listed can be very important but not necessarily a Critical Success Factor.
CSFs have been described as [1]: “Important to achieving overall corporate goals and objectives, Measurable and controllable by the organisation to which they apply, Relatively few in number – not everything can be critical, Expressed as things that must be done not the end point of the process, Applicable to all companies in the industry with similar objectives and strategies and hierarchical in nature.”

Please rank your view of the importance of each of the various elements from 1 to 5, with 1 being highly important and 5 being highly unimportant. Finally, if you wish, you may comment on your answer. If you feel any others are missing, please add them and score appropriately on page 7. Any additional elements identified may be incorporated in the second or third round to seek consensus.

[1] Freund, Y., Planners Guide - Critical Success Factors (1988, p.20)

SECTION 1 – About you and/or your organisation

About you or some detail regarding the industry (Govt/Private Sector/Academia etc.) you work in, to assist in identifying any possible differences in these groups.

*Note. If self-employed or retired, your experience and views are still invaluable. Some questions in Section One are not easily answered or applicable. Therefore please indicate in the box below if you are self-employed/retired and also which sector your answers are based on from previous experience or consultancy.

ALL RESPONSES WILL BE TREATED WITH COMPLETE CONFIDENTIALITY

Name:
Role:
Organisation:
Tel/Mobile:
E-mail:

Please note: To be involved in subsequent rounds in the survey I will need to know how to send it, so please include a reply-to email or postal address.

To assist in analysis of the information, can you please complete the following, which will assist in identifying the sector or size of your organisation and whether this is reflected in any responses?

Staff size of your organisation:
- 0-500
- 501-1000
- 1001-5000
- 5001-10000
- 10000 +
- *Self-employed/retired

Which Sector do you work in?
(If one of the boxes below does not describe your sector please tick other and add a description)

Public Sector:
- Central Govt
- Local Govt
- Health
- Law Enforcement
- Military
- Other (please specify)

Private Sector:
- Finance
- Retail
- Consulting
- Transport
- Manufacturing
- Service industry
- Communications
- Energy
- Insurance
- Other (please specify)

Academia

Other sector (please specify)

1.1 Where is your organisation based? Tick all that apply
- UK
- Europe
- Elsewhere (please specify below)

Select other options as below

1.2 If your organisation is multi-based do you feel your answers given may be different according to the country where the incident occurred?
- Yes
- No

Add any additional explanation below

Which Community of Interest did you receive this survey from?
- IISP
- CISP
- Police
- IAAC
- Other (please specify below)

SECTION 2

Survey Round 1

Response columns for each element:

Is it relevant to information security incidents? Select as appropriate or circle the Yes or No: YES / NO

Is this a possible Critical Success Factor? Select as appropriate or circle the Yes or No: YES / NO

Rank the importance of the element to improve incident reporting by selecting or circling as appropriate one of the below numbers as applicable to the key below: 1 2 3 4 5

1. Highly important
2. Important
3. Neither important/unimportant
4. Unimportant
5. Highly unimportant

Comment (if any)

List of elements to improve incident reporting

1. Separation of collection and analysis from any discipline or regulatory process
2. Collection of reports of ‘near misses’ as well as actual incidents
3. Rapid, useful, accessible and intelligible feedback to the reporting community
4. Ease of making a report
5. Standardised reporting systems within organisations
6. A working assumption that individuals should be thanked for reporting incidents rather than being automatically blamed for what has gone wrong
7. Mandatory reporting
8. Standardised risk assessment (to determine the impact of the incident)
9. A common understanding of what factors are important in determining risk
10. A mechanism or process for confidential reporting
11. A recognition by senior management that incidents will happen
12. Incident reporting systems that are designed appropriately to ensure learning is possible
13. Incident analysis that considers root causes and wider systems/processes and not just the initial impact assessment

Thank you for completing this questionnaire. Please go to page 7 for details of returning the form.

You can add any factor that you think has not been considered and feel worthy of inclusion. It may be included in the next round for your fellow professionals to consider.

Additional suggested elements to improve incident reporting

Please add any in the format below and score as previously advised. (Same response columns as for elements 1-13: relevance YES / NO, possible Critical Success Factor YES / NO, importance rank 1 to 5, comment if any.)

14.
15.
16.

Thank you for your time. Please e-mail your completed form to [email protected] Alternatively, if you wish to post it, please send to:

Mike Humphrey
Standards and Security
PO Box 8000
London SE11 5EN