Extracting Useful Information from Security Assessment Interviews

We conducted N=68 interviews with managers, employees, and information technologists in the course of conducting security assessments of 15 small- and medium-sized organizations. Assessment interviews provide a rich source of information about the security culture and norms of an organization; this information can complement and contextualize the traditional sources of security assessment data, which generally focus on the technical infrastructure of the organization. In this paper we began the process of systematizing audit interview data through the development of a closed vocabulary pertaining to security beliefs. We used a ground-up approach to develop a list of subjects, verbs, objects, and relationships among them that emerged from the audit interviews. We discuss implications for improving the processes and outcomes of security auditing.