To cite this document: Ernst & Young (1996), "The Ernst & Young International Information Security Survey 1995", Information Management & Computer Security, Vol. 4 Iss 4, pp. 26-33.
Permanent link to this document: http://dx.doi.org/10.1108/09685229610130486
Introduction
Information technology has become an essential part of the way we do business today. However, as organizations continue to increase their use of IT, the security risks and concerns associated with that technology are growing ever more rapidly. Glamorous stories about hackers and security breaches frequently create media headlines, but what are the real concerns of management and, more importantly, how are these concerns being addressed in practice?
This survey, of over 1,100 organizations in the UK and 1,300 in the USA, identifies what these concerns and practices are. By focusing on both the UK and the USA, we provide a fascinating comparison of the security concerns faced by management in two of the world's major business communities and highlight the contrast in their approach to dealing with them. Highlights of the UK survey are as follows.
Computer use among UK respondents was high: 60 per cent of respondents said over 80 per cent of their workforce used computer resources of some type. Yet, while IS security is a major concern for top-level management, many UK organizations are failing to put effective measures in place to deal with IS risks, and a large number are neglecting to educate their staff in security best practices (Figure 1).
Three-quarters of UK respondents had established disaster recovery plans, but only half of these companies had tested their plans during the last two years. Our experience shows that, due to the complexity of today's computer systems and the rapid rate of change faced by many businesses, the effectiveness of a disaster recovery plan is significantly reduced unless it is tested regularly.
The survey results confirm that the use of the Internet is growing at a phenomenal rate, and indicate that the number of UK businesses using the Internet to exchange
Figure 1: Formal corporate IS security policy [bar chart, per cent, UK and USA]
Figure 2: IS security orientation programme for new employees [bar chart, per cent, UK and USA]
Figure 3: Ongoing IS security awareness programme [bar chart, per cent]
Figure 4: Major security hurdles (multiple responses encouraged) [bar chart, per cent, UK and USA; categories: lack of budget; lack of management awareness; lack of tools/security solutions; lack of human resources; various other]
Figure 5: IS-related financial losses by UK companies (multiple responses encouraged) [bar chart, per cent; categories: natural disaster; unknown source; lack of system availability; inadvertent internal error; malicious internal act; malicious external act]
Figure 6: The most commonly used back-up strategies (multiple responses encouraged) [bar chart, per cent, UK and USA; categories: commercial hot site; intercompany back-up/recovery; cold site; warm site; reciprocal agreement with another; vendor solution/replacement; none]
Although 30 per cent of UK respondents suffered a loss resulting from computer failure, 25 per cent of respondents had no business continuity planning arrangements and, of those who did, 52 per cent had never tested them (Figure 7).
US organizations, on the other hand, appear to be better prepared to deal with disruptions to their business. With 52 per cent of UK respondents failing to test their back-up strategy, compared to 35 per cent in the USA, and over half of UK respondents failing to have someone solely dedicated to business continuity planning (BCP), compared to 28 per cent in the USA, the UK is behind the USA in its approach to BCP (Figure 8).
Of those respondents who had put business recovery plans in place, only 29 per cent in the UK and 36 per cent in the USA had included PCs and end-user functions as part of their plan. We believe that this is particularly significant, as investment in disaster recovery for centralized computer systems is of little benefit if there is inadequate provision for business users to use systems after a disaster.
Intercompany arrangements were the most common back-up strategy used by UK respondents, but commercial hot site, the most comprehensive computer disaster recovery plan, was used most often in the USA, with 47 per cent of respondents indicating this as their chosen back-up strategy, compared to 16 per cent in the UK.
Figure 7: Areas covered within BCP (multiple responses encouraged) [bar chart, per cent, UK and USA; categories: data centre (central or mainframe); business unit minicomputers; LANs; network (voice and data); end-user functions business-wide; no formal BCP]
Figure 8: Regularity of testing BCP [pie charts] UK: annually 23 per cent; semi-annually 18 per cent; every 2 years 7 per cent; not tested 52 per cent. USA: annually 28 per cent; semi-annually 30 per cent; every 2 years 6 per cent; not tested 36 per cent.
Figure 9: Use of the Internet for the exchange of important business information by UK companies [pie chart] Yes 26 per cent; no 45 per cent; not currently but plan to within the next year 29 per cent.
Figure 10: UK companies detecting break-in [pie chart; values not recovered]
[Pie chart, caption not recovered: firewalls 72 per cent; no firewalls 28 per cent]
Figure 11: Are you satisfied with Internet security? [pie charts] UK: yes 30 per cent; no 23 per cent; unsure 47 per cent. USA: yes 32 per cent; no 40 per cent; unsure 28 per cent.
Figure 12: Control techniques related to the Internet (multiple responses encouraged) [bar chart, per cent, UK and USA; categories: encryption; passwords; one-time (token-based) passwords; firewalls; virus detection software]
Controlling EDI
"Implementation of direct dial-in LANs has been delayed in part due to security concerns" (survey respondent).
The most frequently noted EDI control techniques by UK respondents followed the same trend as the USA, though on a far smaller scale. The results were as follows: passwords (27 per cent); a trading partner (21 per cent); message authentication (12 per cent); application acknowledgements (11 per cent); encryption (11 per cent); control totals (10 per cent); functional acknowledgements (8 per cent); EDI other (2 per cent) and unsure (9 per cent).
although 40 per cent of LAN users were dissatisfied or unsure about the overall level of security on the system (Figure 16).
The same number of UK respondents are increasing their centralized computing facilities as are decreasing them. In the USA,
Figure 13: Threats of unauthorized information disclosure (multiple responses encouraged) [bar chart, per cent, UK and USA; categories include foreign governments; contracted service providers; competitors; suppliers; employees; customers]
Figure 14: External parties with computer access (multiple responses encouraged) [bar chart, per cent, UK and USA; categories: customers; suppliers/contractors/service providers; various other; none]
Figure 15: Changes to departmental computing over the past year by UK companies [pie chart] Increase 84 per cent; decrease 2 per cent; no change 9 per cent; not applicable 5 per cent.
Figure 16: Satisfaction with LAN security by UK companies [pie chart] Yes 52 per cent; no 30 per cent; unsure 10 per cent; not applicable 8 per cent.
Figure 17: Satisfaction with UNIX security by UK companies [pie chart] Yes 38 per cent; no 22 per cent; unsure 10 per cent; not applicable 30 per cent.
Figure 18: Number of employees in UK organizations responding [bar chart, per cent; categories: 1-1,000; 1,001-5,000; > 5,000]
Figure 19: UK industries represented [bar chart, per cent; categories include retail; high technology; entertainment/media; public sector; infrastructure; financial services; manufacturing; various other]
Figure 20: Job function of UK survey respondents [bar chart, per cent; categories include head of information technology; directly reports to head of IT; security administrator; non-IT; various other]