
IT Security Practices and Cloud Computing Risks: Survey

Abstract

This paper presents findings from a qualitative survey of 22 IT managers and administrators drawn from two organizations, examining their companies' information technology security practices, cloud computing adoption, and risk management frameworks. Using a mixed open-ended and closed-question instrument, the study applies phenomenological eidetic reduction to identify recurring themes. Key findings reveal significant gaps between perceived and actual security preparedness, a lack of organizational leadership around IT security, widespread ambivalence toward risk, and limited vendor communication. The paper also assesses cloud computing knowledge levels, service adoption preferences, and attitudes toward associated security and privacy concerns, concluding with recommendations for improvement and directions for future research.

How to Write This Type of Paper

What makes this paper effective

  • The paper pairs closed-question statistical summaries with open-ended qualitative themes, creating a layered picture that neither method alone could produce.
  • Direct respondent quotations are embedded throughout, grounding abstract themes in concrete workplace experience and making the argument more persuasive.
  • The discussion of discrepancy between self-reported satisfaction and objective performance is a particularly strong analytical move, exposing a "false sense of security" that the data reveal rather than the participants themselves acknowledging.

Key academic technique demonstrated

The paper demonstrates phenomenological eidetic reduction as an analytical method, explicitly explaining how it filters out noise and isolates core units of meaning from qualitative responses. This methodological transparency strengthens credibility and shows graduate-level awareness of interpretive research frameworks.

Structure breakdown

The paper opens with methodology and sampling, moves through qualitative theme identification, then systematically reviews each closed survey question before analyzing cloud-specific and risk-specific items. It closes with a synthesis that weighs findings against the Risk IT Framework, acknowledges limitations (low response rate, self-selection bias), and proposes future research directions. This funnel structure — from method to data to interpretation — is a textbook model for qualitative research reporting.

Survey Methodology and Sample Description

A total of 60 surveys were sent to IT professionals, with 22 respondents returning completed questionnaires. The questions were qualitative in nature, and the responses varied substantially — not surprisingly, given that some questions were open-ended. Overall, the questionnaire was a mixture of open-ended and closed questions, which provided basic data on respondents and their practices, combined with more detailed information requiring deeper qualitative analysis. Qualitative analysis is a credible tool whereby a deeper understanding of an issue can be achieved, giving researchers a more thorough awareness of the complexity of interacting variables within a system as they work together to produce an outcome — in other words, qualitative analysis helps "to illustrate this issue" (Cresswell, 2012, p. 74).

Sixty surveys were sent to IT professionals at two selected companies via email. There were only 22 responses, and those came in via email as well. The responses were printed out and then tabulated in Excel, which allowed for the production of graphs and the opportunity for statistical analysis of results. The surveys were not sent to individuals at random — they were chosen for their expressed willingness to participate in the study. In the end, the 22 who completed the surveys self-selected to participate. There was no intent to randomize the sample; the population of this study is essentially the 22 participants in question.

The sample of 22 participants was drawn from the larger pool of 60 participants initially selected for this study. As noted in the methodology section, the initial sample was 12 participants, and these twelve were asked to identify other participants who might also be willing to take part. That is how the original set of 60 participants was generated. Participants then self-selected whether they would complete the survey. The sample was therefore not randomized but was built from a list using the snowball sampling technique, and it neither represents all industries nor a particular geography. The 22 participants come from a cross-section of different departments and are of varying organizational sizes. Further identifying information cannot be divulged, as doing so might compromise the confidentiality of the companies involved.

The personnel who filled out the survey were all information technology managers and administrators at their respective companies, so the views presented represent those of IT professionals who would reasonably be expected to possess knowledge of the material addressed in the questions.

The method of analysis utilized for this study was based on the eidetic reduction concept used by phenomenologists, which helps researchers identify the basic components of a process by filtering out "the noise" and seeing "between the lines" of communications (Lin, 2013, p. 471). This process encourages a better awareness of the total picture and prompts the analyst to track trends and focus on imaginative variation, allowing the researcher to "employ polarities" that serve as a structural source for perceiving the overall tenor of responses (Lin, 2013, p. 471).

By locating themes within the responses and categorizing them accordingly, the study is able to highlight specific qualitative areas that can be explored for more information and insight into the IT world, including what the needs and limitations of the field consist of. Drawing out these themes from the sample's responses depends on reducing the phenomena of experience to a basic, clear unit of response from which meaning can be extracted via an intuitive process of discernment. This process is grounded in the researcher's own understanding of human character, experience, and reason for engagement. It is through close and intimate interaction with the responses, and through thorough immersion in the ideas and concepts involved, that a more precise and rigorous qualitative analysis can take place (Baxter & Jack, 2008).

Major Themes from Open-Ended Responses

Overall, the major theme to emerge from assessment of the survey was a significant lack of security protocol among participants. Their attitude toward IT security systems was essentially one of moderate concern. It appeared across the collective responses that so long as the company had at least some sort of IT department, it was assumed that systems were secure. However, when asked specific questions about awareness of threat levels, risks, and dangers to the IT security system, a significant percentage of participants showed no real understanding of threat perceptions. Satisfaction levels indicated in the answers suggested that anywhere between a quarter and a half of all respondents had little faith in the risk-mitigating abilities of authorities in the industry or in the systems themselves. Likewise, there was little flow of information between security vendors and the companies for which participants worked.

Outsourcing security was not a priority for most respondents' companies, and the overall impression given was that IT departments were expected to oversee risk areas, identify threats, and guard against attacks internally. However, there was no indication that these respondents were fully qualified for that responsibility, particularly since some expressed no significant understanding of basic elements of computing — such as the use of the cloud, how cloud systems work, or how to mitigate risks using cloud technology. Too many respondents replied with a sense of uncertainty regarding how well protected their systems were.

In the portion of the questionnaire where respondents could answer open-ended questions about their perceptions of their company's approach to security, participants made statements such as: "My company does not put security at the very top of its priorities," and "We are very concerned about security, but lack the funds to implement effective strategies." One respondent answered that he was "not sure" how his company viewed security threats, indicating that his company was either not concerned about them or that he was simply not part of a department tasked with security measures — and he was unable to name any team or department that was. Respondents thus indicated in their open-ended responses that their companies were essentially limited in terms of ability, financing, and technical know-how when it came to providing adequate IT security.

One of the most striking responses in the survey was that while a participant's company was motivated to establish secure systems via the IT department, the IT department itself had a poor leader and therefore did not "take seriously" any of the security measures it was meant to address. The respondent suggested the reason for this was threefold: first, the leader was negative and mostly unhelpful in terms of guiding the team, encouraging members, and helping them identify risks and threats; second, while upper management expressed passing concern about security issues, there was never any follow-up to ensure the IT department was actually checking on these issues or applying upgrades, so the team never took directives seriously; third, the team was severely limited in its ability to apply fixes or upgrades because whenever the team leader had proposed fixes and a budget to upper management, he had always been denied. This was the actual reason the team leader was not positive about defining and meeting objectives — he felt there was no point, as upper management only appeared to care about security while never agreeing to fund any changes or advancements. This response illustrated that without proper leadership, security will not be "taken seriously," as the respondent put it.

Analysis of open-ended responses revealed another major theme: ambivalence. IT workers were only as concerned about security as their team leaders, managers, or co-workers. If those around them did not place security knowledge, risk management, and threat identification at the top of their priorities, workers who were predisposed to be concerned about security began to feel discouraged and expressed dissatisfaction about their company's direction and capability. "Dissatisfied" with security was a term used by a significant number of respondents. Even though a significant number also used the term "satisfied" to describe their assessment of their company's security, when asked to define concretely how their company was secure — in terms of strategies or tools in place to protect against attacks, breaches, blackouts, or data loss — few could provide any clarity on what their company had actually done to protect itself.

Regarding the overall open-ended section, participants answered in a range of tones — from matter-of-fact to regretful. About half expressed satisfaction with their company's preparedness in terms of security measures and awareness of risks and threats. However, when measured against the closed-question responses, this assurance appears unfounded, as there was no meaningful correlation between objective identification of actual preparedness and subjective assessment. Respondents who expressed satisfaction with their company's risk management and IT security infrastructure were most likely unaware of the actual threat levels present in their workplace, since their responses to closed questions gave no indication of knowledge on these matters.

The most important finding from the open-ended questions is a disconnect between the stated mission of the IT department and the execution of that mission within the larger corporate entity. The majority of respondents described a situation in which the IT department's mission was either unclear or unrealistic when compared to other elements of company performance, such as awareness of threats, preparedness in risk management, and overall orientation toward computer security and healthy IT infrastructure. Terms such as "outdated computer technology," "old software," "expensive updates," and "inexperienced users" appeared across multiple respondents' answers, suggesting that IT development in these workplaces is stunted by financial, educational, and resource constraints.

The use of "negative" terms in connection with IT development was defined by characteristics that did not denote positive advancement or efficient use of resources — materials (hardware, software) being out of date, a lack of specific infrastructural services such as training or backup provisions, or a simple inability to identify key security strategies or resources within the company.

Positive terms were identified by qualities denoting affirmative or efficient use and results — meeting department or company security goals. These included words such as "adequate," "up-to-date," "latest technology," "very serious," "efficient," and "rigorous," as well as identification of concepts related to measuring progress or stability within the company's security response system. Any identification of a risk management strategy was viewed as a positive element, and the more descriptive a respondent was, the more positive the assessment. However, only two respondents indicated a very positive comprehension of their company's risk management strategy; about half indicated that some form of risk management was in place but could not describe it; and the rest did not indicate that any such strategy existed.

The disconnect between affirmative tones and an inability to concretely define the basis for a positive outlook suggests that workplace cultures within these companies may promote a status-quo orientation, where employees are expected to maintain the same level of diligence they inherited from previous employees. This is further suggested by the phrasing used by respondents when describing their company's culture: the majority conveyed that expectations were not high or demanding and that, as long as output levels set by precedent were met, there would be no pressure to develop technologies further. Moreover, output expectations consisted mainly of meeting workers' immediate computer needs rather than advancing technological capabilities.

The first part of the survey questionnaire aimed to understand the basic security framework adopted by the surveyed organizations — to evaluate whether organizations employ any security measures and, if so, what basic policies they use with respect to securing their cloud computing. There were ten questions in this section.

The first question asked whether the organization had a security service, and 95% of participants responded affirmatively. The only real surprise was that one participant stated that the company did not have a security service. The question reflects the fundamental attitude these companies hold with respect to security, and it is near-unanimous that security has at least some importance.

The second question concerned linked password and access controls. Results were mixed, with 14 answering affirmatively. Passwords are one of the most common areas of security breach, so it was perhaps surprising that 8 companies did not undertake this relatively basic password protection protocol. Combined with the first question, this illustrates the level of security consciousness these companies possess.

Closed-Question Survey Results: Security Framework

The third question asked whether a data log had been installed. Data logs are important because they provide backup against hacking, enable forensic analysis of incidents, and assist in recovering lost data. Eighteen participants responded affirmatively.

The fourth question asked about having a hierarchy of access for sensitive data. Seventeen participants answered affirmatively.

All told, 14 participants answered affirmatively on all four of the first questions, indicating that their companies have covered their bases with respect to IT security. A total of 17 participants answered affirmatively on three of four, and 18 on two of four. Only one participant appeared not to worry about security at all. However, gaps among even four or five participants illustrate that many are either unaware of the basic risks faced in IT or have not prioritized the implementation of solutions. All four of these practices are recommended as methods of minimizing company risk.

All participants responded affirmatively to the fifth question — whether their organization employs certified, dedicated systems analysts in security. This is best practice and is valuable to confirm. It calls into question the finding of the first question, in which one department reported having no security service, since that department does in fact employ certified security analysts. That anomaly aside, this finding reconfirms at least a baseline level of security consciousness at these companies.

The sixth question begins the vendor-focused section. Seventy-seven percent of organizations answered affirmatively that they check business vendors prior to linking their systems. It is perhaps surprising that some do not, given the risks inherent in sharing data and opening systems to vendors. However, the survey did not inquire as to why those who answered negatively did so — a valuable subject for subsequent research.

The seventh question pertains to security outsourcing, and 91% of organizations do not outsource security. Outsourcing has both advantages and disadvantages. On the positive side, outsourcing can bring specialist expertise and free up internal resources for core business activities. On the negative side, it costs more, and the more companies that have access to secure data, the more security risks exist, even when the company in question specializes in security. For a small company, outsourcing might be the better choice; for a larger company that can afford a substantial in-house security budget, outsourcing might actually increase risk.

The eighth question asked whether the company specifies the points and issues at risk to its security vendor. Only 55% answered affirmatively. Working with vendors on security issues is an important aspect of improving overall security, and companies not regularly communicating with their security vendors run the risk of developing gaps in coverage. This is a more high-end practice, and the responses reflect that reality.

The ninth question asked whether the vendor specifically notes areas that are at risk. Again, only 55% answered affirmatively, supporting the finding of the eighth question. Both pertain to the flow of information between the company and its security vendors, and both suggest clear room for improvement. A possible explanatory factor is that most companies reported keeping security in-house, meaning their vendor is a software provider rather than a full-service provider. Companies may feel that in-depth consultations will cost additional money and may avoid such communication except on matters covered under contract or of extreme significance.

The tenth question asked whether background checks were carried out before linking to suppliers' services. In a world where supply chains are integrated and partnerships require close communication, such linkages increase the level of IT risk a company faces. Fifty-nine percent of participants reported conducting background checks. When combined with the findings from question six, it appears that quite a few participants' companies verified neither their security vendors nor their suppliers — an exposure to significant risk.

The overall response to the preliminary security questions suggests that the majority of organizations make use of a security policy framework. All surveyed organizations preferred to implement security as an internal process rather than outsourcing it. To ensure security is properly administered, they employ highly qualified, certified security analysts. Simple measures such as hierarchical and password-based user authentication are employed for accessing sensitive data. Organizations also take steps to check business services and systems before linking them to their networks.

Cloud computing is a relatively new technology, and apprehensiveness toward active adoption is a normal human behavioral response. The main purpose of this section is to identify how business organizations can adopt cloud computing and to understand the security and privacy risks involved — as well as whether those risks can be overcome in a cloud computing environment.

Out of the 22 participants, 59% reported that their organizations have fair knowledge about cloud computing, and 36% reported good knowledge. This indicates that the majority of IT personnel are familiar with cloud computing on a basic to moderate level. Only about 5% stated that they had little knowledge or understanding of it. Given the developing nature of the industry and the role cloud computing plays within it, this finding is not surprising and indicates that the IT world is adaptive to new and emergent trends.

Key Concepts in This Paper
IT Security, Cloud Computing, Risk IT Framework, Vendor Management, Eidetic Reduction, Snowball Sampling, SaaS Adoption, Security Awareness, Risk Management, Organizational Leadership
Cite This Paper
PaperDue. (2026). IT Security Practices and Cloud Computing Risks: Survey. PaperDue. https://www.paperdue.com/study-guide/it-security-cloud-computing-survey-analysis-2159641
