
Information Management & Computer Security

The Ernst & Young International Information Security Survey 1995


Ernst & Young

Article information:
To cite this document:
Ernst & Young, (1996),"The Ernst & Young International Information Security Survey 1995", Information Management &
Computer Security, Vol. 4 Iss 4 pp. 26 - 33
Permanent link to this document:
http://dx.doi.org/10.1108/09685229610130486



The Ernst & Young International Information Security Survey 1995

Ernst & Young

Summarizes the results from a survey of 1,100 UK organizations and 1,300 US organizations. Disaster recovery plans have been established by most but not tested. Internet security is seen as a significant weakness. Errors were the main source of financial losses for security-related incidents. Virus attacks have not caused high loss. Data security risks are increasing.

This extract from the Information Security Survey is published with the permission of Ernst & Young, Press Office, Becket House, 1 Lambeth Palace Road, London SE1 7EU. Full copies of this report are available from David Grant in London. Tel: 44 (0)171 928 2000.

Information Management & Computer Security, 4/4 [1996] 26-33, MCB University Press [ISSN 0968-5227]

Introduction

Information technology has become an essential part of the way we do business today. However, as organizations continue to increase their use of IT, the security risks and concerns associated with that technology are growing ever more rapidly. Glamorous stories about hackers and security breaches frequently create media headlines, but what are the real concerns of management and, more importantly, how are these concerns being addressed in practice?

This survey, of over 1,100 organizations in the UK and 1,300 in the USA, identifies what these concerns and practices are. By focusing on both the UK and the USA, we provide a fascinating comparison of the security concerns faced by management in two of the world's major business communities and highlight the contrast in their approach to dealing with them. Highlights of the UK survey are as follows.

Computer use among UK respondents was high: 60 per cent of respondents said over 80 per cent of their workforce used computer resources of some type. Yet, while IS security is a major concern for top-level management, many UK organizations are failing to put effective measures in place to deal with IS risks and a large number are neglecting to educate their staff in security best practices (Figure 1).

Three-quarters of UK respondents had established disaster recovery plans, but only half of these companies had tested their plans during the last two years. Our experience shows that, due to the complexity of today's computer systems and the rapid rate of change faced by many businesses, the effectiveness of a disaster recovery plan is significantly reduced unless it is tested regularly.

The survey results confirm that the use of the Internet is growing at a phenomenal rate, and indicate that the number of UK businesses using the Internet to exchange important business correspondence will more than double in the next year. However, concerns about the security of the Internet remain significant, preventing many businesses from utilizing it further.

The popularity of decentralized computing continues to grow, with almost 80 per cent of UK respondents reporting an increase in the use of departmental computing. However, dissatisfaction with the security of departmental computing resources was high.

The key survey findings are detailed, followed by a more in-depth breakdown of the results.

Key survey findings

Findings from the survey include the following:

Eighty-three per cent of UK respondents said that data security risks had increased over the last five years and 28 per cent felt that security risks were rising faster than computing growth.

Thirty-seven per cent of UK respondents did not have a security policy, 65 per cent did not have a security orientation programme for new employees (Figure 2) and 56 per cent did not have an ongoing security awareness programme for employees (Figure 3).

Over half of those surveyed were not familiar with BS 7799, a Code of Practice for Information Security Management.

The main barrier to addressing security concerns for 65 per cent of UK respondents, and 66 per cent in the USA, was lack of human resources, making this the most important obstacle to overcome in both countries (Figure 4).

Fifty-six per cent of US respondents felt that another major barrier to security was the lack of tools, whereas those in the UK did not rate this barrier as high (31 per cent).
Inadvertent errors by employees and external parties have been the main source of security-related financial losses over the past two years (34 per cent UK, 43 per cent USA), followed closely by the non-availability of computer systems or networks (30 per cent UK, 32 per cent USA) (see Figure 5).

Although malicious virus attacks have been widespread, they have not generally caused significant financial or operational loss.

Thirty per cent of UK respondents suffered a loss resulting from computer failure. On the other hand, 25 per cent of respondents had no back-up strategy in place for business continuity and, of those who did, 52 per cent had never actually tested them (Figure 6).

Business use of the Internet is growing rapidly, with 29 per cent of UK respondents planning to use the Internet next year to exchange business correspondence with external users. Yet 52 per cent of UK respondents remain dissatisfied or unsure about the level of security on the Internet.

Both UK and US respondents indicated that while centralized computing facilities had increased in their organizations over the past year, departmental computing had accelerated at a much faster rate.

Figure 1: Formal corporate IS security policy (per cent, UK vs. USA)

Figure 2: IS security orientation programme for new employees (per cent, UK vs. USA)

Figure 3: Ongoing IS security awareness programme (per cent, UK vs. USA)

Management must commit further to IS security

"The lack of sufficient human resources interferes with the ability to stay abreast of the latest technologies and to be proactive in our mission" (survey respondent).

As the business world increasingly depends on the use of technology, 83 per cent of UK respondents said that data security risks had increased over the past five years and 28 per cent felt that security risks were rising even faster than computer growth.

However, 37 per cent of UK respondents did not have a security policy, over half of those surveyed were not familiar with BS 7799, a Code of Practice for Information Security Management, and, in the employment of security techniques, the UK tended to use fewer security techniques than the USA.

With 63 per cent of UK respondents, almost the same proportion as in the USA, reporting that the senior management of their organization rated information/data security as either important (40 per cent) or extremely important (23 per cent), security concerns are becoming a key issue for senior management globally. Furthermore, nearly half of UK respondents had a senior security person who reported directly to the head of IS, a greater percentage than in the USA. These trends indicate that security awareness is growing among senior IS executives.

Figure 4: Major security hurdles (multiple responses encouraged), per cent, UK vs. USA; categories: lack of budget, lack of management awareness, lack of tools/security solutions, lack of human resources, various other.
However, when it came to implementing security measures, the UK lagged behind the USA, both in terms of employee awareness and the number of security techniques employed: 37 per cent of UK respondents did not have a formal corporate security policy; 65 per cent did not have a security orientation programme for new employees; and 56 per cent did not have an ongoing security awareness programme for employees. Therefore, many businesses are not only failing to demonstrate management commitment, but are undermining their investment in IS tools by neglecting to provide guidance to users. With 34 per cent of UK respondents suffering financial losses due to inadvertent errors by their employees and external parties, the consequences of this lack of security training are proving very costly for some organizations.

Both the UK and USA had similar concerns about the major IS security risks, highlighting network security and winning top management commitment as their main priorities. The most common obstacle for addressing these concerns was reported as lack of human resources, with other major hurdles including lack of budget and lack of tools, the latter being given second priority in the USA.
The number of security techniques employed by UK respondents was less than US utilization. The most popular techniques employed regularly in both countries were virus detection, utilized by over 90 per cent of respondents in both the UK and USA, PC access control, employed by 65 per cent in the UK and 62 per cent in the USA, and minimum/mainframe access control, used by 62 per cent in the UK and 80 per cent in the USA.

The greater use of security techniques by US companies is illustrated by the fact that newer security techniques, such as single sign-on software and firewalls, are used in the USA by 25 per cent and 50 per cent of respondents respectively, but are yet to create a big impact in the UK, with only 17 per cent (single sign-on) and 25 per cent (firewalls) of respondents currently using them regularly.

Inadvertent errors are the major cause of security-related losses

Inadvertent errors by employees or external parties have been the main cause of security-related financial losses over the past two years, followed closely by the non-availability of computer systems or networks. Although malicious virus attacks have been widespread, they have not generally caused significant financial or operational loss.

Thirty-four per cent of respondents in the UK and 42 per cent in the USA had suffered financial losses as a result of inadvertent errors by employees or external parties, including eight respondents in the UK who suffered a loss between 100,000 and 250,000.

Figure 5: IS-related financial losses by UK companies (multiple responses encouraged), per cent; categories: inadvertent error, malicious act (internal), malicious act (external), lack of system availability, natural disaster, unknown source.

However, only a small minority experienced losses through malicious acts by their employees.

Lack of systems availability was the second major source of financial loss, affecting 30 per cent of UK respondents, including five organizations which incurred a loss between 100,000 and 250,000, and two companies which suffered a loss greater than 250,000. Only 9 per cent of losses were due to natural disasters. Since the amounts lost through natural disasters were of similar size to those noted above, this demonstrates that, while natural disasters may cause the most publicity, companies may be at greater risk from internal problems such as computer failures.

A large percentage of respondents have encountered a malicious virus attack within the last year (65 per cent UK; 67 per cent USA), but only 5 per cent of those experiencing a virus indicated a financial or operational loss. Even though many companies reported that viruses only caused disruption rather than loss, we believe that this owes much to the use of anti-virus software in over 90 per cent of companies. Without this, losses could have been much more significant.

Business continuity planning needs further development in many businesses

Figure 6: The most commonly used back-up strategies (multiple responses encouraged), per cent, UK vs. USA; categories: commercial hot site, intercompany back-up/recovery, cold site, warm site, reciprocal agreement with another, vendor solution/replacement, none.

"After what our company went through following the disaster, I would stress that other businesses should give high priority to the implementation and regular testing of a business continuity plan" (survey respondent).

Although 30 per cent of UK respondents suffered a loss resulting from computer failure, 25 per cent of respondents had no business continuity planning arrangements and, of those who did, 52 per cent had never tested them (Figure 7).

US organizations, on the other hand, appear to be better prepared to deal with disruptions to their business. With 52 per cent of UK respondents failing to test their back-up strategy, compared to 35 per cent in the USA, and over half of UK respondents failing to have someone solely dedicated to business continuity planning (BCP), compared to 28 per cent in the USA, the UK is behind the USA in its approach to BCP (Figure 8).

Of those respondents who had put business recovery plans in place, only 29 per cent in the UK and 36 per cent in the USA had included PCs and end-user functions as part of their plan. We believe that this is particularly significant, as investment in disaster recovery for centralized computer systems is of little benefit if there is inadequate provision for business users to use systems after a disaster.

Intercompany arrangements were the most common back-up strategy used by UK respondents, but commercial hot site, the most comprehensive computer disaster recovery plan, was used most often in the USA, with 47 per cent of respondents indicating this as their chosen back-up strategy, compared to 16 per cent in the UK.


Use of the Internet grows but critical security concerns remain

"Attaching an Internet server to the network has been delayed until a firewall is implemented and network security has improved" (survey respondent).

"The Internet has no security. The things that can be done are not defined. It's an open forum to do whatever you want" (survey respondent).

Business use of the Internet is growing rapidly, with 29 per cent of UK respondents planning to use the Internet next year to exchange important business correspondence with external users (Figure 9). Yet 52 per cent of UK respondents remain dissatisfied or unsure about the level of security on the Internet.

Figure 7: Areas covered within BCP (multiple responses encouraged), per cent, UK vs. USA; categories: data centre (central or mainframe), business unit minicomputers, LANs, network (voice and data), end-user functions business-wide, no formal BCP.

Figure 8: Regularity of testing BCP. UK: not tested (52 per cent), annually (23 per cent), semi-annually (18 per cent), every 2 years (7 per cent). USA: not tested (36 per cent), annually (28 per cent), semi-annually (30 per cent), every 2 years (6 per cent).

Although half of all UK respondents provided e-mail Internet services to internal users, UK businesses were still using the Internet less than those in the USA. Survey respondents indicated that usage was on the increase, with 26 per cent currently using the Internet for exchange of important business correspondence or information with external users, rather than just for mundane e-mail, and 29 per cent planning to do so next year.

One of the stumbling blocks to increased usage is fundamental security concerns: 23 per cent of UK respondents were dissatisfied with Internet security and 30 per cent were unsure about it. US respondents were even more concerned, with 40 per cent of respondents indicating that they were unhappy with it. The majority of UK respondents (71 per cent) said that their organization would increase use or begin to use the Internet for important business transactions if security improved.

Forty-three per cent of UK respondents admitted that they would be unable to detect somebody breaking into their system via the Internet, and, of those respondents indicating that they would be able to detect a break-in, 10 per cent had discovered a break-in or an attempted break-in to their system. However, only one respondent had suffered a financial or operational loss as a result.

Of those UK companies which detected an attempted break-in, 72 per cent were using firewalls as their security technique, even though, overall, only 32 per cent of UK Internet users reported using firewalls. Therefore firewalls appear to be an effective security technique and organizations not using firewalls are almost certainly suffering undetected break-ins (Figure 10).

US organizations are employing more Internet security techniques than companies in the UK and yet are still less satisfied with security, which may imply a lack of awareness regarding Internet security by UK organizations (Figure 11).

Figure 9: Use of the Internet for the exchange of important business information by UK companies: yes (26 per cent), no (45 per cent), not currently but plan to within the next year (29 per cent).

Figure 10: UK companies detecting break-in: firewalls (72 per cent), no firewalls (28 per cent).

Figure 11: Are you satisfied with Internet security? UK: yes (30 per cent), no (23 per cent), unsure (47 per cent). USA: yes (32 per cent), no (40 per cent), unsure (28 per cent).

Figure 12: Control techniques related to the Internet (multiple responses encouraged), per cent, UK vs. USA; categories: encryption, passwords, one-time (token-based) passwords, firewalls, virus detection software.

Remote access increases for employees, customers and suppliers

"We want to be able to do everything remotely that you can do on site" (survey respondent).

External access capabilities are increasing all the time: 25 per cent of UK survey respondents said that more than 20 per cent of their employees had the opportunity to dial in, and a number of organizations had granted access to their customers and vendors. With the current trend towards mobile computing set to continue, the UK figures look likely to rise, matching a pattern already established in the USA.

UK respondents were less likely to grant access to external parties than those in the USA. Forty-three per cent of US respondents indicated that customers had direct access to their computer systems, compared to 23 per cent in the UK, and 53 per cent of US respondents said that they had granted access to their suppliers and contractors, 8 per cent more than in the UK (Figure 12).

The perceived level of threat of unauthorized information disclosure from customers and vendors was broadly similar between the UK and the USA (customers: 53 per cent UK, 57 per cent USA; contracted service providers: 58 per cent UK, 70 per cent USA) (see Figure 13).

With the growth in both mobile computing and external access in the UK, it is to be expected that businesses should increase security awareness among their employees, while keeping access on a strictly need-to-know basis for external parties, a trend that has been observed in the USA (Figure 14).

Controlling EDI

"Implementation of direct dial-in LANs has been delayed in part due to security concerns" (survey respondent).

The most frequently noted EDI control techniques by UK respondents followed the same trend as the USA, though on a far smaller scale. The results were as follows: passwords (27 per cent); a trading partner (21 per cent); message authentication (12 per cent); application acknowledgements (11 per cent); encryption (11 per cent); control totals (10 per cent); functional acknowledgements (8 per cent); EDI other (2 per cent); and unsure (9 per cent).

The trend towards decentralized computing is growing

While both UK and US respondents indicate that centralized computing has increased in their organizations over the past year, departmental computing has accelerated at a much faster rate (Figure 15).

LAN systems are being utilized more than UNIX systems by survey respondents, although 40 per cent of LAN users were dissatisfied or unsure about the overall level of security on the system (Figure 16).

The same number of UK respondents are increasing their centralized computing facilities as are decreasing them. In the USA, contrary to popular perception, respondents noted a net increase in the use of centralized computing facilities. The majority of growth in both the UK and the USA, however, is in the trend towards decentralized computing, with 84 per cent of UK respondents and 90 per cent of US respondents noting an increase.

Figure 13: Threats of unauthorized information disclosure (multiple responses encouraged), per cent, UK vs. USA; categories include customers, employees, suppliers, competitors, contracted service providers and foreign governments.

Figure 14: External parties with computer access (multiple responses encouraged), per cent, UK vs. USA; categories: customers, suppliers/contractors/service providers, various other, none.

Figure 15: Changes to departmental computing over the past year by UK companies: increase (84 per cent), no change (9 per cent), decrease (2 per cent), not applicable (5 per cent).

Figure 16: Satisfaction with LAN security by UK companies: yes (52 per cent), no (30 per cent), unsure (10 per cent), not applicable (8 per cent).

Figure 17: Satisfaction with UNIX security by UK companies: yes (38 per cent), no (22 per cent), unsure (10 per cent), not applicable (30 per cent).

Figure 18: Number of employees in UK organizations responding (per cent); categories: 1-1,000; 1,001-5,000; > 5,000.

The trend towards decentralized computing was further confirmed by the fact that 79 per cent of UK respondents reported processing important financial or operational data on LAN and 58 per cent on UNIX.

Considering this trend towards increased use of both LAN and UNIX, there remains a large number of users dissatisfied with LAN and UNIX security (Figures 16 and 17): 30 per cent and 22 per cent respectively. The main contributing factor to the dissatisfaction with LAN security appears to be inadequate implementation. UNIX dissatisfaction, however, appears to relate to the actual security features, or lack of them, within the operating system.

Half of UK respondents had maintained centralized security administration, 12 per cent had decentralized it and 38 per cent had used both. US results were similar. Given this, it is of concern that 34 per cent of those using decentralized security administration were dissatisfied with its effectiveness.

Survey methodology and demographics

Figure 19: UK industries represented (per cent); categories include manufacturing, financial services, high technology, public sector, retail and various other.

Figure 20: Job function of UK survey respondents (per cent); categories include head of information technology, directly reports to head of IT, security administrator and various other.

The first annual Ernst & Young/Business & Technology International Information Security Survey was conducted between November and December 1995. In the UK, the survey questionnaire was sent to 11,000 subscribers to Business & Technology, representing a whole range of organizations in a cross-section of industries (Figures 18 and 19).

Responses received and analysed numbered 1,168: 62 per cent were from organizations with up to 1,000 employees and 77 per cent of respondents were either IS heads or reported to IS heads (Figure 20). The main industries represented were manufacturing, financial services, high technology and public sector.

In the USA, a similar survey was conducted between August and September 1995, with the questionnaire being sent out to 13,000 Information Week subscribers in North America, representing mostly larger organizations in a cross-section of industries. Over 1,300 responses were received, 73 per cent of them from either IS heads or reporting directly to IS heads.

Feedback from targeted organizations validated our findings and was combined with the survey responses to form the basis of this report. The cross-comparison of the results provides an international picture of attitudes, practices and procedures affecting information security.

