Annex: Survey questions

These are the questions as they appeared in the survey.

Information security and operational risk

Welcome to this information security study.

This survey contains 6 initial questions and 38 statements. All answers remain anonymous.

Please answer the questions and indicate your level of agreement with the statements.

At the end of the survey, you can provide an email address where you will receive an executive summary of the results of this study. No link will exist between the email address and the answers.

Thank you for your contribution.

Let's start with six questions.

Question 1. What is the name of your current position?

Choose only one of the following

Chief Risk Management Officer
Risk Management Expert
Chief Information Security Officer
Information Security Expert
Chief Information Systems Security Officer (CISSO)
Information Systems Security Expert
Other

Question 2. How long have you been working in your current position?

Choose only one of the following
Less than 1 year
Between 1 and 3 years
Between 3 and 5 years
More than 5 years

Question 3. In which field of expertise was your previous position located?

Choose only one of the following
Risk Management
Information Technology
Audit
Other

Question 4. Which position do you report to?

Choose only one of the following
The Chief Information Systems Officer
The Chief Financial Officer
The Chief Internal Audit Officer
The Chief Executive Officer
The Executive Board
Other

Question 5. How many employees are influenced (directly or indirectly) by the work your group does?

Choose only one of the following
Less than 100
Between 100 and 1000
Between 1001 and 10000
Between 10001 and 100000
More than 100000

Question 6. In which sector does your organisation operate?

Choose only one of the following
Telecommunications
Administration
Financial sector
Utilities
Other

Thank you for answering these 6 questions. There are now 38 statements to disagree or agree with.

Statement 1. My organisation currently uses information technology (IT) to transform its business processes.

1 = I strongly disagree with this statement
2 = I disagree with this statement
3 = I neither disagree nor agree with this statement
4 = I agree with this statement
5 = I strongly agree with this statement

Please select only one answer per statement. All statements follow the same scale. Possible answers range from strong disagreement (1) to strong agreement (5).

Statement 2. My organisation considers that global risk management is a strategic activity that requires all employees' involvement.

1 2 3 4 5


Statement 3. In my organisation, changes to business processes happen frequently.

1 2 3 4 5

Statement 4. In my organisation, changes to management structures happen frequently.

1 2 3 4 5

Statement 5. My organisation is ready to practice transparency in its corporate governance by being open to stakeholders about its risk exposure.

1 2 3 4 5

Statement 6. My organisation's management sets long-term (e.g. 2 years) information security objectives.

1 2 3 4 5

Statement 7. My organisation's management sets medium-term (e.g. 6 months) information security objectives.

1 2 3 4 5

Statement 8. My organisation's management shows a high level of commitment to information security.

1 2 3 4 5

Statement 9. My organisation performs information risk analysis based on business impact assessments.

1 2 3 4 5

Statement 10. My organisation performs information risk analysis based on threat and vulnerability analysis.

1 2 3 4 5

Statement 11. The information owner always receives the results of the risk analysis.

1 2 3 4 5

Statement 12. The information owner is responsible for accepting or mitigating risks.

1 2 3 4 5

Statement 13. My organisation has a security policy approved by management.

1 2 3 4 5

Statement 14. The security policy has been actively communicated to all employees.

1 2 3 4 5

Statement 15. In my organisation, an executive committee is accountable for information security.

1 2 3 4 5

Statement 16. In my organisation, an executive committee is accountable for the implementation of information security controls.

1 2 3 4 5

Statement 17. In my organisation, an executive committee is accountable for operational risk.

1 2 3 4 5

Statement 18. In my organisation, an executive committee is accountable for the implementation of an operational risk management model.

1 2 3 4 5

Statement 19. In my organisation, the information security function collaborates with the information systems security function.

1 2 3 4 5

Statement 20. In my organisation, management has provided a clear message about which risks can be accepted and which risks can't.

1 2 3 4 5

Statement 21. In my organisation, the message about acceptable risks is documented.

1 2 3 4 5

Statement 22. In my organisation, the message about acceptable risks is accessible by all employees.

1 2 3 4 5

Statement 23. In my organisation, the current information security practice helps comply with regulatory requirements.

1 2 3 4 5

Statement 24. In my organisation, the current information security practice influences positively my organisation's operations.

1 2 3 4 5

Statement 25. In my organisation, the current information security practice facilitates new business opportunities.

1 2 3 4 5

Statement 26. In my organisation, the current information security practice increases the degree of loyalty shown by partner organisations and customers.

1 2 3 4 5

Statement 27. In my organisation, the current information security practice contributes to its corporate governance.

1 2 3 4 5

Statement 28. In my organisation, the current information security practice improves its financing capability.

1 2 3 4 5

Statement 29. In my organisation, the current information security practice helps increase sales.

1 2 3 4 5

Statement 30. In my organisation, the current information security practice helps save costs.

1 2 3 4 5

Statement 31. My organisation's risk management strategy is aligned with its business strategy.

1 2 3 4 5

Statement 32. My organisation's information security strategy is aligned with its business strategy.

1 2 3 4 5

Statement 33. My organisation's information systems security strategy is aligned with its business strategy.

1 2 3 4 5

Statement 34. My organisation's risk management practice provides a competitive advantage to my organisation.

1 2 3 4 5

Statement 35. My organisation's information security practice provides a competitive advantage to my organisation.

1 2 3 4 5

Statement 36. My organisation's risk management practice provides a greater value to its stakeholders.

1 2 3 4 5

Statement 37. My organisation's information security practice provides a greater value to its stakeholders.

1 2 3 4 5

Statement 38. In my organisation, risks will be managed in a more coordinated way.

1 2 3 4 5

Thank you very much for your answers. They are very valuable for this study. If you wish to receive an executive summary before the end of 2006, please enter an email address below. No link will exist between the email address and your answers.