IT-Web Sample Paper on Information Technology Security

Information Technology Security

Research Proposal and Plan

Research Questions or Hypothesis(s)

The applicable research questions to be answered are:

  1. What are the technical data security threats to IT that individuals, organizations and businesses should be aware of? There is a need to know the possible technical data security threats to IT that stakeholders should be aware of. Answering this research question is necessary because it equips organizations and individuals with the information needed when promoting awareness of the importance of IT security.
  2. What are the non-technical cyber security threats to information systems? There is a need to know the possible non-technical data security threats to IT that stakeholders should be aware of. This is necessary as it will enable organizations to be aware of the possible non-technical data security threats to IT security while creating awareness.
  3. What are the mitigation measures which can be used to curtail or minimize these security threats? Determining and identifying the possible countermeasures to IT security vulnerabilities is necessary for awareness creation, and answering this question makes it possible to equip individuals and personnel with the necessary IT security countermeasures.
  4. What is the importance of IT Security against risks and vulnerabilities? IT security is vital to organizations and personnel. Answering this question is therefore necessary so that organizations and individual users are aware of the importance of IT security when it comes to possible risks and vulnerabilities.
  5. What are the roles of security awareness as regards the importance of IT security? The answer will set out the roles played by security awareness in relation to the importance of IT security. This is necessary because it will give organizations and individuals reasons to promote security awareness.
  6. What are the recommendations which could be made to create awareness of the threats of cybercrime and the importance of IT security? The answer will provide recommendations on the ways which could be used to create awareness at the individual level and throughout the organization. This will ensure that the campaign on the importance of IT security is achieved.

Hypothesis

The proposed hypothesis is: Raising awareness on the importance of IT Security promotes safe and secure information systems.

Aims and Objectives

Advancements in information technology (IT) in the past have raised concerns related to risks and vulnerabilities to data associated with weak IT security, including vulnerability to viruses, malware, attacks and compromise of network systems and services. Furthermore, limited IT security may result in compromised confidentiality, integrity, and availability of the data due to unauthorized access. To make sure that individual privacy is carefully protected and safeguarded, local and state education agencies are obligated to implement state-of-the-art information security practices. It is also worth noting that staying ahead of the ever-evolving threat of a data breach in the IT sector requires diligence, and one of the strategies needed is to make sure that the IT community and the non-IT community understand possible risks and vulnerabilities (Privacy Technical Assistance Center, 2011). As cybercrime and related IT incidents increase, the menace continues to affect organizations and governments both small and large, as well as individuals and businesses. In this regard, the aim of the research plan is to raise awareness of the importance of IT security, specifically against vulnerabilities.

The objectives are:

  • To determine the roles of security awareness as regards the importance of IT security against vulnerabilities and risks.

A primary objective of the research study is to determine the roles of security awareness as regards the importance of IT security against vulnerabilities and risks. This aim is important for the proposal because the biggest and primary risk to an organization’s and individuals’ information security is not necessarily a weakness in the technology control environment (Security Standards Council, 2014). Instead, it is the action or inaction of employees and other personnel and individuals that can make an organization prone to security incidents. For instance, disclosing vital and confidential information to third parties who could use it in a social engineering attack, accessing sensitive information unrelated to the user’s role without following the proper protocol, or not reporting observed unusual activity, among others, has a high capability to promote IT security vulnerabilities. It is therefore crucial that organizations and individuals have a security awareness program in place to make sure employees and other personnel are aware of the importance of IT security in safeguarding sensitive information against vulnerabilities. Moreover, awareness would enable them to know exactly what they should do to handle information securely, and the vulnerabilities and risks of information mismanagement (Security Standards Council, 2014). This objective will ensure that employees and other personnel understand the personal and organizational consequences of sensitive information mismanagement and that it is important to promote IT security awareness to ensure an organization’s success.

Under this objective, the roles of security awareness, such as identifying the levels of responsibility, establishing the minimum awareness level for all personnel and determining the content of training and its applicability, will be discussed. Awareness of this kind, such as role-based security awareness, would provide employees and personnel with ways to help enhance IT security and hinder any possible security risks and vulnerabilities.

  • To determine the possible technical data security threats to IT that individuals, organizations and businesses should be aware of.

This objective will support research on deliberate attacks on the security of IT (inclusive of distributed and mobile ones) and on vulnerabilities to the organization, and assist in designing appropriate countermeasures, such as in the areas of applied cryptography, biometric authentication, secure hardware, and personnel authorization. The Privacy Technical Assistance Center (PTAC) explains that technical data security threats make IT security vulnerable to attacks, and for this reason it is necessary to highlight the possible technical data security threats (PTAC, 2011). This will assist in coming up with a list of the possible technical data security threats which can be used while raising awareness among the targeted audience. Some of the possible technical data security threats to be considered under this objective are: non-existent security architecture, un-patched client side software and applications, “phishing” and targeted attacks, internet web sites, poor configuration management, use of mobile devices such as laptops or handheld devices, cloud computing, and removable media (such as flash drives, CDs, and external hard drives). As such, the organization, individuals, personnel and other stakeholders targeted in the research would be aware of the primary technical data security threats which make systems vulnerable to IT security attacks.

  • To establish some of the non-technical cyber security threats to information systems.

The aim of the objective is to help the research deliberate on the possible non-technical cyber security threats to IT. This will help while creating awareness among the targeted stakeholders and beneficiaries of the proposed research project. Some of the possible non-technical cyber security threats to information systems (IS) are: insider threats (such as mishandling of information), the use of poor passwords in data protection protocols, poor physical security, absence of a robust data backup and recovery solution, and use of social media networks such as Facebook and Twitter. By determining the possible non-technical cyber security threats to information systems, it would be possible for an organization to raise awareness of the importance of IT security at both organizational and personal levels.

  • To identify the mitigation measures which can be used to curtail or minimize these security threats.

Creating awareness of the importance of IT as regards exposure to vulnerabilities, without noting and identifying the possible mitigation measures which can be used to curtail or minimize these security threats, would be a waste of resources and time. For this reason, determining mitigation measures would help the organization equip its employees and personnel, as well as individuals, with what is necessary to prevent any vulnerabilities. Some of the possible mitigation measures likely to be addressed are: setting strong passwords, keeping the operating system, browser, and other critical software optimized by installing updates, maintaining an open dialogue with employees and personnel about Internet safety, limiting the amount of personal information shared and using privacy settings to avoid sharing information widely, promoting data security, reducing vulnerability to phishing and other e-mail security scams, preventing threats from compromised websites, making use of antivirus software and firewalls, encrypting data on all mobile devices storing sensitive information, having a strong security architecture and having an effective physical security system, among others.

  • To determine the importance of IT Security against risks and vulnerabilities.

The objective will determine why it is necessary for organizations and individual users to be aware of the importance of IT security when it comes to possible risks and vulnerabilities. This is necessary because the role of risk and vulnerability management in IT is to create a level of protection that guards the organization or users against any reasonably anticipated security threat or vulnerability. It is also significant because it allows personnel and employees to determine any security flaws present in a system that make it possible for an attack to be successful. It is also worth noting that, as part of an ongoing process, awareness of the importance of IT security would allow an organization to have vulnerability testing undertaken by the parties accountable for resolving such vulnerabilities, and help provide data used to identify unanticipated dangers to security that need to be addressed. An integral part of the research would be the design and verification of techniques for evaluation of information system security.

  • To recommend possible ways that could be used to create awareness of the threats of cybercrime and the importance of IT security.

The objective will identify the possible ways or best practices which organizations can use to enhance organizational security awareness related to the importance of IT security against related vulnerabilities. Some of the possible practices include training personnel and employees, determining the roles for security awareness and making it an organizational culture to promote security awareness throughout the organization.

The objective is necessary to the study because security awareness is a process which ought to be carried out as an on-going program, to make sure that training and knowledge are not just made available as an annual activity but are instead applied to maintain a high level of IT security awareness on a daily basis. Moreover, people have become the weakest links in the IT security chain and no amount of the latest security technology can guarantee protection against vulnerabilities and risks (Caldwell, 2013). For this reason, the objective is necessary because security technology can protect core systems from technological attacks, but it cannot protect organizations against employees and personnel giving away information on social media networks or using information in ways that make the organization vulnerable.

Research Methodology

Research methodology is the process used in the collection of information and data for the purpose of answering the research questions and realizing the aim and objectives of a research study. The way in which the techniques of a research study are engaged and how they are applied could have a significant impact on the research findings of such a study. Consequently, there is a need for the researcher to exercise wisdom in choosing the methodology for his/her research study, as this would enable the easy collection of data and its subsequent analysis. For this reason, it becomes important that the researcher devises reliable methods of data collection in order to ensure dependable, predictive, and tenable results. This section of the research proposal reports on the various sources of data for the current study and the various techniques used to collect this data. In describing the techniques used in data collection, the researcher hopes that the reader of the study will acknowledge the specific limitations and strengths of the study. Justification of the proposed research methodology will be provided.

The methodology section of any research is crucial in ensuring its reliability, consistency, and validity. Creswell (2003) has identified qualitative, quantitative and triangulation as the three most common methods of research, and they may be experimental, descriptive, historical, ethnogenic, feminist, action, comparative, or evaluative in structure. Descriptive research design will be used in the research paper. Research design is the plan adopted in a study which acts as a guide in the process of data collection and analysis (Crowther & Lancaster, 2012). Its usability in research makes it a key aspect. With reference to the current research proposal, descriptive and exploratory research designs will be adopted. The exploratory research method has been adopted because it will allow the researcher to examine any potential errors which may lead to bias. Subsequently, it will be easy to make an inquiry into the phenomenon being studied based on the attitudes, experiences and perceptions of the respondents.

It is worth noting that the combination of a mixed research method with exploratory research design is critical as it will assist in the process of collecting reliable and valid data. De Vaus (2001) states that “the function of a research design is to ensure that the evidence obtained enabled us to answer the initial question as unambiguously as possible” (p. 9). This implies that the research design will play an important part in ensuring that the questions posed are answered. On the other hand, exploratory research design has been chosen to assist in exploring major facts and information associated with the research problem. In the same way, descriptive research design has been chosen to provide a description crucial for forming a foundation for explaining the outcomes.

Methods and justification

Due to the nature of the research, both qualitative and quantitative research methods will be used. The underlying principle behind the adoption is that the qualitative research method is used with the objective of understanding a particular phenomenon so as to discover the innermost meaning (Creswell 2003). With respect to the research study, the approach will be used to resolve the opinions, perspectives, and attitudes towards the need to raise awareness of the importance of IT security, specifically against vulnerabilities. A quantitative research study design according to Walker (2005) is a strategy which has its “underpinnings in the philosophical paradigm for human inquiry known as positivism” (p. 572). It means that quantitative research design is a methodological and systematic process which is based on the positivist tradition. The quantitative research strategy has been chosen because it will provide the researcher with a platform from which statistical inferences can be carried out. In the same vein, it will allow a researcher to use numerical representations to explain a phenomenon based on the available observations. In contrast, qualitative research design will be applied to determine the attitudes, opinions, and perceptions of the respondents. This strategy is justifiable since it provides insights, which later on allow for the generation of theoretical frameworks (Wilson, 2010).

The reason for choosing both qualitative and quantitative research strategies is based on the observation that this allows a researcher to estimate and to relate different variables used in the research and at the same time use opinions and attitudes of the participants to support the statistical data. In the same way, a quantitative research study allows a deductive process of reasoning which advances the level of accuracy, reliability and validity of the research outcomes (Williams 2007). As Walker (2005) observes, a quantitative research study is preferred because it will allow quantitative analysis of the data. In contrast, the qualitative research method will allow qualitative analysis of the collected data. The underlying principle behind the use of a mixed research method is to understand a specific phenomenon as well as to discover the innermost meaning (Creswell 2003). For example, in the proposed study, it will assist in understanding the roles of awareness as regards the importance of IT security at organizational and individual levels. The figure below is the framework which shows the combination of research methods, research strategies and strategies of inquiry.

Figure 1: A Framework for Design - The Interconnection of Worldviews, Strategies of Inquiry, and Research Methods. Source: Creswell (2009).

Research Paradigm

Research paradigms are used to provide guidance on how to undertake research and answer the proposed research questions. Wahyuni (2012) has described a research paradigm as “a set of fundamental assumptions and beliefs as to how the world is perceived which then serves as a thinking framework that guides the behaviour of the researcher” (p. 69). In this context, it can be concluded that a research design is composed of the beliefs that guide or act as the thinking framework of the researcher. The primary research paradigms are: positivism, post-positivism, interpretivism and pragmatism.

Since a mixed approach (both qualitative and quantitative research methods) will be used in the study, the most appropriate research paradigm is pragmatism. Pragmatism is a branch of research paradigm which does not join the ‘paradigm war’ that exists between the interpretivist and positivist research philosophies. Rather than questioning ontology and epistemology, this research paradigm will enable the researcher to start off with the research question(s) and aid in determining the research framework. Wahyuni (2012) emphasises that, under pragmatism, a researcher should view research philosophy as a continuum, instead of an option that stands in opposite positions. The paradigm is based on the supposition that subjectivist and objectivist perspectives are not mutually exclusive. For this reason, a mixture of ontology, axiology and epistemology is satisfactory to approach and comprehend social phenomena. In the context of this research proposal, the emphasis will be on what works best to address the research problem being studied. The research paradigm is justifiable because “pragmatist researchers favour working with both quantitative and qualitative data because it enables them to better understand social reality” (Wahyuni, 2012, p. 71).

Data Collection Techniques

Data collection comprises two parts, namely (1) the theoretical part and (2) the empirical part. The theoretical part of the dissertation relies on secondary data collection. The empirical part is based on primary data collection. Secondary data is data which is already in existence and was collected for some other purpose but can be used a second time, such as in this project. Secondary data comes from different sources such as books, articles, journals, the internet, reports, theses, and archives, among other sources. The use of secondary data is to supplement data collected via primary data collection. The choice of primary data collection method is based on the fact that it allows an investigator to get firsthand information from the participants. This provides original information and data, which according to Bryman (2012) is one of the fundamental requirements for any research project.

The core element of the data collection process is primary data. The primary data collection tool is a questionnaire survey, chosen over other methods because of its flexibility. The survey questionnaires will be designed in such a way that they can capture both the qualitative and quantitative aspects of the research. The data will be collected from 15 organizations, targeting their IT departments. The organizations will be randomly selected, although the aspect of volunteerism will also be considered. For example, organizations willing to volunteer to act as case studies will be used. Notably, the questionnaire will only be made available to the heads of IT departments, as they are more concerned with IT security and awareness of its importance. Small and big, early and late adopters of information technology and systems will also be targeted.

A sample of 15 respondents will be used in the research study because of time and financial constraints. Thus, 15 participants will be selected and recruited from a sample population of probably 60 employees working in the selected IT departments. A simple random sampling process will be adopted to come up with the proposed sample size. Simple random sampling is described by Creswell (2003) as one of the simplest methods of sampling used in research studies. Under this technique, the 60-member sample population will be randomly sampled via the use of an identified random number generator. In this case, 4 is the random number generator, where every 4th person will be selected until the fifth one is reached. Simple random sampling is chosen over other sampling techniques because the probability of each member being selected is increased (Cochran 2007).

The key advantage associated with simple random sampling is its propensity to allow freedom from bias and representativeness. Creswell (2009) opines that the investigator will have freedom from human bias, and for this reason each of the participants will have an equal opportunity to participate in the selection process. As such, simple random sampling will encourage external validity and reliability.

After the participants have been selected, the 15-item IT Awareness Questionnaire (ITAQ) will be used to capture general and specific information related to the creation of awareness as regards the importance of IT security. The questionnaire will be divided into three sections. The first section will comprise the demographic data and information, the second will entail the opinions and attitudes of the participants, while the third will be composed of closed ended questions, specifically touching on the aspects of IT awareness and its importance, among others. The participants will be allowed one week to answer the questionnaires, after which they will be collected for analysis.

The use of survey questionnaires is justifiable because they are cheap, time saving and allow the researcher to collect firsthand information. Additionally, the questionnaire has been chosen over other data collection tools because it presents a researcher with the chance to collect data necessary for statistical inferences and presentations as well as qualitative data. Saunders, Lewis and Thornhill (2003) expound that questionnaires allow a researcher to provide consistency, organisation and direction to the project in comparison to the other methods. Not only is a questionnaire easy to administer but it also enables the researcher to collect data in a very short time. Survey questionnaires give the boundaries of the project. Moreover, questionnaires can be easily used, scored and coded, thereby facilitating data analysis. The researcher intends to use a questionnaire with both closed ended and open ended questions to capture both qualitative and quantitative aspects of the research questions. Open ended questions will enable the respondents to give their views on a number of issues raised by the questionnaire.

Data Analysis Technique

Data analysis entails the drawing of inferences from raw data. It can also entail multi-methods that are used consecutively. Notably, a multi-method application in conducting research is referred to as methodological triangulation (Patton 2002). The steps are discussed below.

After the questionnaires have been returned, the researcher will go through each of them and verify that all the questions have been answered and the answers are visible. Afterwards, those not completed or those with numerous errors will be excluded to make sure that consistency in the data and information collected is realized. Moreover, the researcher will then keep the questionnaires safe from third parties, ready for analysis. At the end of the data analysis process, the researcher hopes to have both qualitative and quantitative data. Basically, data generated from quantitative research will be numerical, whilst data collected in qualitative research will mostly be text-based.

Considering the ethical concerns related to privacy, anonymity and confidentiality, all information and data that would identify either the respondents or the case organisations used in the research will be omitted. The research questions, aims and objectives will guide the data analysis process. After the data has been collected from the field, it will be keyed and encoded into a computer program. The MS Excel software application will be used to analyse the collected data. Given that both qualitative and quantitative research designs will be used in the research, the data will be analysed both quantitatively and qualitatively. The mixed choice of analysis is expected to enhance the reliability and quality of the analysed data. A quantitative analysis is well-suited for the study as it will provide statistical data related to the subject under study.

The Excel software has been chosen because the data will be easily and effectively managed, which will give the investigator the required control. All descriptive statistics will be analysed qualitatively with the aim of deriving the primary themes associated with the respondents’ perceptions and expectations towards awareness of the importance of IT security to minimize vulnerability. The analysed data will be presented in the form of tables, charts, or pie charts for easy interpretation. Also, qualitative information will be transformed into numerical form so as to establish a set of categories for easy presentation. As Silverman (2011) puts it, qualitative content analysis will concentrate on depicting reality by ascertaining meanings from the textual data. Consistent with the pragmatism research paradigm used, qualitative content analysis and quantitative analysis will be applied in the final study to derive meaning from the findings of the research.

Validity, Reliability and Trustworthiness

As regards quantitative research, reliability and validity ensure replicability and generalizability of the outcomes. Reliability is the consistency of measures, whilst validity is linked to the extent to which the social phenomenon being observed is reflected (Creswell, 2003). To ensure validity and reliability of the quantitative data, a correlation coefficient will be used to measure criterion validity, while construct validity will be established by comparing the research’s outcomes with existing literature and findings. Moreover, the sampling method used will ensure external validity because it gives each participant an equal opportunity, which leads to an accurate representation of a population. On the other hand, reliability will be achieved by determining the degree to which observers give consistent answers.

As regards qualitative research, trustworthiness according to Bryman (2012) is achieved through credibility, which equates to internal validity; transferability, which bears a resemblance to external validity; dependability, which matches reliability; and confirmability, which resembles objectivity in the quantitative research method. Transferability will be achieved by noting the applicability to other settings or situations, while dependability will rest on the replicability or repeatability of the results. As regards confirmability, the researcher will ensure that only the experiences of observed participants, instead of his own preferences, are recorded. Lastly, credibility will be achieved by ensuring that the questionnaire measures the intended objectives.

Conclusions

Advanced IT has raised concerns about vulnerabilities to data associated with weak IT security, viruses, malware, attacks and compromise of network systems and services. The aim of the research plan is to raise awareness of the importance of IT security, specifically against vulnerabilities. In addition, the proposal will try to answer the question: What are the roles of security awareness as regards the importance of IT security against vulnerabilities and risks? The data will be collected through the use of both primary and secondary data collection methods. Also, a mixed research method (qualitative and quantitative research methods) will be used. As regards data analysis, both qualitative and quantitative analytical methods will be used.

Research Plan

Hypothesis and Research Questions

The primary question is: What are the roles of security awareness as regards the importance of IT security against vulnerabilities and risks?

The subsidiary questions for the paper are:

  • What are the technical data security threats to IT that individuals, organizations and businesses should be aware of?
  • What are the non-technical cyber security threats to information systems?
  • What are the mitigation measures which can be used to curtail or minimize these security threats?
  • What is the importance of IT Security against risks and vulnerabilities?
  • What are the recommendations which could be made to create awareness of the threats of cybercrime and the importance of IT security?

Hypothesis: Raising awareness on the importance of IT Security promotes safe and secure information systems.

Aims and Objectives

The aim of the research plan is to raise awareness of the importance of IT security, specifically against vulnerabilities.

The objectives are:

  • To determine the roles of security awareness as regards the importance of IT security against vulnerabilities and risks.
  • To determine the possible technical data security threats to IT that individuals, organizations and businesses should be aware of.
  • To establish some of the non-technical cyber security threats to information systems.
  • To identify the mitigation measures which can be used to curtail or minimize these security threats.
  • To determine the importance of IT Security against risks and vulnerabilities.
  • To recommend possible ways that could be used to create awareness of the threats of cybercrime and the importance of IT security.

Research Method, Design and Statistical Analysis

Both qualitative and quantitative research methods will be used. The qualitative research method is used with the objective of understanding a particular phenomenon so as to discover the innermost meaning, whilst quantitative research design is a methodological and systematic process which is based on the positivist tradition. A mixed approach has been chosen because it will allow the researcher to estimate and to relate different variables used in the research and at the same time use opinions and attitudes of the participants to support the statistical data. The pragmatism research paradigm has been chosen and will be applied in the research. This is because its major emphasis is on viewing research philosophy as a continuum, instead of an option that stands in opposite positions. Descriptive and exploratory research designs have been chosen for the study. The descriptive research design will provide a description crucial for forming a foundation for explaining the outcomes, while the exploratory research design will allow the researcher to examine any potential errors which may lead to bias.

Survey questionnaires will be used to collect data and information. They will be distributed to the selected 15 participants, who will be expected to return them after a period of one week. In addition, the questionnaires will have both qualitative and quantitative-related questions.

Data will be analysed through the use of MS Excel, where charts, figures and tables will be generated. In addition, the data will be analysed both qualitatively and quantitatively.

References

Bryman, A. (2012). Social research methods. Oxford, UK: Oxford University Press.

Caldwell, T. (February 12, 2013). Risky business: why security awareness is crucial for employees. The Guardian. Retrieved from http://www.theguardian.com/media-network/media-network-blog/2013/feb/12/business-cyber-security-risks-employees.

Creswell, J. (2009). Research design: quantitative and qualitative approaches (3rd ed.). California, CA: Thousand Oaks.

Creswell, J. W. (2003). Research design: qualitative, quantitative, and mixed method approaches. London, UK: SAGE.

Crowther, D., & Lancaster, G. (2012). Research methods. Routledge.

De Vaus, D. (2001). Research design in social research. SAGE.

Patton, M.Q. (2002). Qualitative Research and Evaluation Methods. California, US: Thousand Oaks.

Privacy Technical Assistance Center. (2011). Data Security: Top Threats to Data Protection. http://ptac.ed.gov/sites/default/files/issue-brief-threats-to-your-data.pdf.

Saunders, M., Lewis, P. & Thornhill, A. (2009). Research Methods for Business Students. London, UK: Pearson Education.

Silverman, D. (2011). Interpreting Qualitative Data: A Guide to the Principles of Qualitative Research, 4th edn, London, UK: Sage Publications.

Security Standards Council. (2014). Information supplement: Best practices for implementing a security awareness program. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

Wahyuni, D. (2012). The Research Design Maze: Understanding Paradigms, Cases, Methods and Methodologies. JAMAR, 10(1), 69-80.

Walker, W. (2005). The strengths and weaknesses of research designs involving quantitative measures. Journal of Research in Nursing, 10(5), 571–582.

Williams, C. (2007). Research methods. Journal of Business & Economic Research, 5(3), 65-71.

Wilson, S. (2010). Research is ceremony: indigenous research methods. Canada.