I recently had the pleasure of attending and presenting at the Ponemon Institute’s Responsible Information Management (RIM) Renaissance Event, an annual invitational event that brings together a great mix of esteemed security and privacy professionals to discuss emerging topics. This was my first year in attendance and I got to participate in discussions around big data ethics, security measurability, EU privacy regulations, communicating security risks, and concerns around smart cities.

I was fortunate enough to present some of my emerging research on Diffusion of Innovation and its application in the adoption of security activities, as well as lead a workshop on IT security decision making with approximately 40 esteemed participants. I was especially impressed that there was an artist on hand, capturing my presentation and the discussion!

For the workshop, I asked participants to think about the factors they consider before choosing an IT security control or solution. I asked them to individually brainstorm for a few minutes and then after that, as groups. Finally, I led them in a discussion about what they believed were the most important factors.

The feedback they provided was both abundant and detailed, which I was hoping for.  While I’m still carefully analyzing the results of the discussion, I did have some preliminary findings:

  • A majority of participants had professional experience in choosing and adopting IT security control.

  • Of the participants that chose to answer, they had 0 to 34 years of security or privacy experience, with a mean of 18 years, and a median of 16 years. So the feedback I was getting was from seasoned and informed participants.

  • I expected participants to primarily identify similar factors to each other, but was pleasantly surprised by the number of diverse and unique factors they identified. This makes it more difficult to consolidate factors.

  • Unsurprisingly, cost was a very common factor, specifically the total cost of ownership for a proposed IT security control including the acquisition costs and operating (maintenance/support) costs. Participants identified a number of supporting factors that could affect cost, such as vendor reputation and relationship, budget considerations, and internal operational expertise.

  • Regulatory and legal factors were also common both in requiring the security control, as well as potentially prohibiting it. It was considered positive if one security control could fulfil multiple regulatory obligations.

  • Efficacy/effectiveness of the control was not as common as I thought it would be, potentially due to the recognized difficulties of measuring security. To counter the challenges the participants proposed collecting benchmarks from vendors, setting explicit success/failure criteria, and trying proof of concepts.
  • The second most common factor was interoperability and variations of it. The frequency of this factor surprised me, as I didn’t expect it to be considered that much. However, many of the participants come from executive level backgrounds and seemed used to dealing with the integration and operations of many departments.

At the conclusion of the session, we did a straw poll to see if the participants felt that IT security adoption decisions were drastically different from other IT adoption decisions. The vast majority felt they were similar. It’s likely that security IT solutions, like other IT solutions, are driven primarily by overall business need. IT solutions primarily exist to enable the business, which is why interoperability was so important to the participants. So, while the factors might be similar, the weights given to the factors still might be different between general IT decisions and IT security decisions.

My next steps are to more closely analyze the data by using qualitative data analysis software to code and examine it. Using these codes, I hope to better understand the decision making process around security where my findings will likely influence next steps in my PhD dissertation research.  I committed to sharing my results with the participants at RIM Renaissance and will share them here too, when available.