
Chapter 3-Research Methodology Chapter 3

RESEARCH METHODOLOGY

3.1 INTRODUCTION: Research is commonly understood as a search for knowledge; it is the art of scientific search for specific information. According to Clifford Woody, research comprises defining and redefining problems, formulating hypotheses or suggested solutions, collecting, organizing and evaluating data, making deductions and reaching conclusions, and further testing the conclusions to determine whether they fit the formulated hypotheses. Research methodology is a scientific and systematic way of finding a solution to a problem. In this research, the researcher has studied the various steps mentioned above for the research problem, along with the logic behind them. For this study, the researcher must know various research techniques such as mean, mode, median, frequency distribution, standard deviation or chi-square, and needs to analyze which of these techniques are relevant to his or her research. Thus, for any systematic research study, a scientific approach is necessary. It is therefore essential to conceive and plan a systematic design to arrive at an appropriate conclusion. All business undertakings operate in a world of uncertainty, but research design, more than any other procedure, can minimize the degree of uncertainty to a great extent.

3.2 OBJECTIVE OF THE STUDY: The title of the research is "A Study of Information Security Policies of Selected IT Companies in Pune City". To ensure that an organization reaches its goals from a business continuity point of view, the security of information should be its highest priority. Various studies have concluded that sensitive corporate information, which is of prime importance, is vulnerable to security attacks. Today, the key asset is often information. Pune is considered to be one of the biggest IT hubs in India. The number of IT companies in Pune city is increasing day by day. Hence the researcher has carried out the study of information security policies with the following objectives and hypotheses.
A study of Information Security Policies Page 58

3.2.1. Objectives of study:
- To identify the status of Information security policy in selected IT companies.
- To compare and identify the domains of the security policies, on the basis of security parameters which are regularly implemented in most of the IT companies.
- To identify the best practices framework followed by IT companies.
- To identify the benefits of implementing Information security policies.

3.2.2. Hypothesis of study:

1. Information security policy is a need of every IT-enabled organization in a global and changing environment.

2. Most of the IT companies have and implement Information security policies.

3. Use of ISP reduces the risk of stealing data and information.

4. Information Security Policies improve the safeguarding of assets of IT companies such as hardware, software and skilled people.

5. Implementation of Information Security Policies better protects confidential information.

6. Information Security Policies improve productivity in terms of conducting Information Systems Audit.

7. Policies developed under domains such as Physical access, data access, user access, Internet access, Network access and E-mail are more rigorously implemented in the IT companies than the rest of the domains.

3.3 RESEARCH DESIGN:

Research design is an outline of the research study which indicates what the researcher will do, from writing the hypothesis and its operational implications to the final analysis of data. A research design is the arrangement of conditions for collection and analysis of data in a manner that aims to combine relevance to the research purpose with economy in research procedure [1]. Research design constitutes decisions regarding what, why, where, when and how concerning an inquiry or a research study. The overall research design may be divided into the following parts [2].

a. Sampling Design: This deals with the method of selecting items to be observed for the researcher's study.
b. Observational Design: It relates to the conditions under which the observations are made.
c. Statistical Design: It is concerned with the questions of how many items are to be observed and how the information and data gathered are to be analyzed.
d. Operational Design: It states the techniques by which the procedures specified in the sampling, statistical and observational designs can be carried out.

3.4. SAMPLING DESIGN: There are different types of sample designs based on two factors: the representation basis and the element selection technique. On the representation basis, the sample may be a probability or non-probability sample. Probability sampling relates to random selection, while non-probability sampling relates to non-random selection. The researcher has used the Random Sampling Method for selection of the sample. The researcher has attempted almost 50% of the sample out of the total population. The sample is IT companies from Pune City, i.e. the Pune region. The population of IT companies in the Pune zone is 483, as per the best reliable source. The researcher found this information with the Maharashtra Chamber of Commerce, Industries and Agriculture (MCCIA). The information is supported by the entire database of IT companies in Pune City with the address, area of specialization and company size.
As the sample is selected IT companies, the researcher has found that there are a total of 99 IT companies which have an organization size (employee size) of 100 or more. This criterion is applicable for selection of IT companies. From the total population of 99 IT companies the researcher has selected a sample size of 45 IT companies. This selection is made on a random sampling basis. The sample of 45 selected IT companies is further divided into 15 software, 15 hardware and 15 BPO companies. This is shown in the following table.

| Total number of IT companies in Pune in 2006 | Number of IT companies selected based on employee size | Segment-wise distribution: S/W | Segment-wise distribution: BPO | Segment-wise distribution: H/W | Total sample | Percentage of population sample |
|---|---|---|---|---|---|---|
| 483 | 99 | 15 | 15 | 15 | 45 | 45.45% |

Table 3.1: Selection of sample for selected IT companies.

The reason behind selection of IT companies based on employee size is that the research is based more on administrative policies than on technical policies. In implementing security policies, administrative policies affect most of the employees in an organization and are actually implemented by the employees of the organization.

3.4.1: Random Sampling Method: The researcher has used the random sampling method for selection of the sample. In simple random sampling, the sample is selected in such a manner that each and every unit of the population has an equal and independent probability of being included in the sample [3]. The researcher decided the inclusion criterion for selection of IT companies to be a company size of 100 or more. This limited the number of qualifying IT companies in and around Pune to 99. The researcher sent the questionnaire to all 99 companies, out of which 70 companies responded. Of these 70 companies, 60 responded well and completely, while the remaining 10 companies responded only partially to the questionnaire. Among these 60 companies, the segment-wise distribution of IT companies is given below.

Number of Software companies responded: 25.
Number of BPO companies responded: 20.
Number of Hardware companies responded: 15.

To have equal representation from all three sectors, the researcher chose 15 companies at random from each of these sectors. Hence the total sample of 45 IT companies consists of 15 software, 15 BPO and 15 hardware companies (45% of population). Random sampling is a scientific and most important method among all types of sampling methods. It is the simplest possible sampling method, and it is most appropriate when the population is more or less homogeneous with respect to the characteristics under study.

References of data collected for sampling:
1. Pune IT Directory 2006, published by MCCIA
2. Pune IT Directory 2009, published by MCCIA
3. www.discoverpune.com
4. www.punediary.com

3.5 OBSERVATION DESIGN: This deals with different data collection methods. For data collection, the researcher has used primary and secondary sources of data. A survey method is used by the researcher for collection of primary data.

3.5.1 COLLECTION OF PRIMARY DATA: Primary data are those which are collected for the first time and which could be original in character. There are several methods of data collection, particularly in descriptive research. These include the following methods.


3.5.1.1 Observation Method: In research design, observation often helps the researcher to reduce complexities and to make the research work more fruitful. When observation is used for a research purpose, it becomes a scientific tool for data collection and serves a formulated research purpose. Under the observation method, the information is sought by way of the investigator's own direct observation, without asking the respondent. The advantages of this method are that information obtained through observation relates to current happenings, subjective bias is eliminated, and the method is independent of respondents and relatively less demanding of active cooperation from others. The limitations of this method are that the information provided is limited, unforeseen factors may create obstacles, and data collection may be hampered if the concerned resources are not directly accessible [4]. This method was partially useful to the researcher in designing and formulating the questionnaire. While studying the security policy domains of Physical access, User access, Data access, Internet access and e-mail access, the researcher could easily formulate the questions just by visiting a few IT companies, without any interaction with the employees. Examples include a gate pass at the entry, and media devices such as pen drives, CDs and even mobiles not being allowed inside the company. Internet access was denied on some machines, as employees were discussing among themselves. Each department had an automatic door lock facility.

3.5.1.2 Interview Method: This type of data collection method needs direct interaction with the respondents. This interaction involves presentation of oral-verbal stimuli and response in terms of oral-verbal communication. The method of collecting information through personal interviews is usually carried out in a structured way. This method can be used through personal interviews or telephonic interviews.
A personal interview requires interaction between a minimum of two people, where one is the interviewer and the other is the interviewee. This generally involves face-to-face contact with direct or indirect personal or group investigation. For a telephonic interview, information is collected by the interviewer on the telephone itself. This method is generally applicable for industrial surveys. It is the cheapest, fastest and flexible method. This method was also of great help to the researcher, as she could fill in some of the questionnaires through direct interviews with respondents such as employees of IT companies. The researcher had some informative discussions during this interview process. This method was found to be very useful to the researcher for the pilot survey.

3.5.1.3 Collection of data through questionnaires: This method of data collection is quite common and popular, and it is applicable for detailed enquiries. A questionnaire is a set of questions focused on a specific topic or specialized area. The questionnaire can be divided into subsets depending on the subtopics of the specialized area. This method is generally adopted by research workers, private and public organizations, and government organizations. In this method, a questionnaire is usually sent to a respondent with a request to answer the questions and return the questionnaire. The respondents have to answer the questions on their own. Today, in an era of information technology, the method of collecting data by mailing questionnaires is most extensively employed in various economic and business surveys. The major advantages of this method are that there are no geographical constraints for a global survey, the cost is low, respondents get sufficient time to go through the questionnaire, and large samples can be handled in order to get reliable and precise results. The only major disadvantage is that it is time-consuming compared to other methods of data collection, as constant follow-up is needed. This method of data collection is adopted by the researcher considering the advantages discussed above. The researcher prepared a questionnaire based on different Information security policies, security standards and procedures (baselines) [5] which are globally accepted. This questionnaire is designed for twelve different domains. These domains are user access, data access, Physical access, Internet access, e-mail access, software acquisition, Hardware acquisition, outsourcing, digital signature, Business continuity planning and Disaster Recovery planning, Network and telecom security, and Security organization structure. Each domain represents a subset of the entire questionnaire. All the questions are of objective type and mainly of the yes/no type. Very few of the questions, that is 10%, were multiple choice rather than merely yes or no. The subsets of the questionnaire were distributed to different departments of the IT companies as per the domains of the company. The researcher forwarded the questionnaire to the respective departments through the Human Resource (HR) department authority. The Human Resource departments identified the domains of the respective IT companies, and the questionnaire was then passed on to the respective department.

3.5.1.4 Some other methods of data collection: There are some other methods of data collection such as warranty cards, content analysis, projective techniques, depth interviews and systems audits, which are particularly used by big business units in modern times. For such types of data collection, some specific standards and procedures are necessarily adopted. In these methods, data can be collected directly or indirectly. Some of the methods, such as projective techniques, require intensive specialized training.

3.5.2 COLLECTION OF SECONDARY DATA: Secondary data represents a very powerful tool for the researcher, as the entire research work is carried out on the basis of secondary data. It is the backbone of the research work. Secondary data is data which has already been collected and analyzed by someone else. Usually this analyzed data is available in published form. The researcher has collected this secondary data from various sources such as research books, white papers from technical journals, magazines, weekly newspapers, official diaries and directories, newsletters, company brochures and manuals, and research websites. The collected data is verified against the following characteristics:

3.5.2.1 Reliability of data: Reliability means the consistency or repeatability of the measure. Reliability refers to the confidence we can place in the measuring instrument to give the same numeric value when the measurement is repeated on the same subject [6]. Reliability is the extent to which an experiment, test, or any measuring procedure yields the same result on repeated trials. Without the agreement of independent observers able to replicate research procedures, or the ability to use research tools and procedures that yield consistent measurements, researchers would be unable to satisfactorily draw conclusions, formulate theories, or make claims about the generalizability of their research. The following questions are usually taken into consideration by the researcher while testing the data. Who collects the data? What are the sources of data? Are the methods of data collection proper? At what time is the data collected? Was there any bias in compilation? What was the degree of accuracy? Survey research presents all subjects with a standardized stimulus, and so goes a long way toward eliminating unreliability in the researcher's observations. Careful wording, format, content, etc. can significantly reduce the subject's own unreliability.

3.5.2.2 Suitability of Data: This relates to the appropriateness of the data for the enquiry. If the collected data does not match the content of the specific research topic, it is called unsuitable data. Partial data can be extracted from the source if the researcher finds it appropriate to the content of the research topic. Considering the object, scope and nature of the research, a broad study was carried out under the guidelines of the research guide. The researcher has made a questionnaire on twelve different domains, and only the concerned departments which can provide appropriate data have been involved in answering the questions. Questions based on physical, user and data access policies were answered by normal users, whereas questions based on network access, software and hardware acquisition were answered by the Network Administrator, Chief Information Officer (CIO) and Chief Technical Officer (CTO) of the IT companies.

3.5.2.3 Adequacy of Data: Adequacy is nothing but sufficient availability of data.
If the level of accuracy required for utilizing the data is not adequate, then the researcher should not use this data for research purposes. The available data was used by the researcher after checking the reliability, availability and suitability of the data. For the adequacy of data, the researcher made a pilot survey of IT companies to identify people who can provide appropriate and adequate information in responding to the questions. In addition, the researcher also studied the web sites of the concerned IT companies to check the adequacy of data.

3.5.3 Reliability and Validity of Questionnaire: A reliable questionnaire is one that would give the same results if used repeatedly with the same group. The validity of a questionnaire relies first and foremost on reliability. The questionnaire cannot be shown to be reliable if there is no discussion of validity. Validity refers to whether the questionnaire or survey measures what it intends to measure. Demonstrating validity is easy compared to reliability. The overriding principle of validity is that it focuses on how a questionnaire or assessment process is used. Reliability is a characteristic of the instrument itself, but validity comes from the way the instrument is employed.

Reliability in questionnaire studies relates to the ability of your tool to produce the same results if you tested it five times over. Reliability is more likely to be ensured if the respondent devotes a consistent degree of concentration and interest throughout. Validity in questionnaire studies is the extent to which the questions provide a true measure of what they are designed to measure. The researcher needs to consider whether the questions are clear and likely to produce accurate information, and whether the full scope of the area that he or she intends to measure is covered by the researcher's tool. The researcher has used the questionnaire on many different groups of people; the important objective was to test it on different groups and to ensure that it is valid in all its intended usages.

3.5.4 Threats of Validity: There are a number of factors that can limit the validity of this research study. The greatest threat to internal validity is confounding. Confounding occurs whenever an extraneous variable changes systematically along with the independent variable.
Confounding prevents us from inferring a causal relationship between the independent and dependent variables. Threats to reliability in questionnaires include the use of ambiguous questions, or being overly long. There are several types of validity that contribute to the overall validity of a study.

3.5.4.1 History: A history threat is a threat to internal validity in which an outside event or occurrence might have produced effects on the dependent variable. In the case of my research work, the biggest threat was advancement in technology. As technology advances every three to six months, the researcher has considered this issue in his questionnaire, which relates to the change in the IT plan of the organization.

3.5.4.2 Instrumentation: Instrumentation can often be viewed as a simple input device or method. This is a process of collection of functions and their applications for the purpose of measuring, monitoring and controlling activities. The structured questionnaire designed by the researcher is the main instrument for handling all the processes mentioned above.

3.5.4.3 Testing: To test validity, the researcher carried out a pilot test of the survey. This test was performed through observation, interviews with employees of the company and discussions with a few people, in order to check whether the questionnaire is precise or not. The researcher has convinced the users of how the results of this research will be helpful to them in handling issues related to information security.

3.5.4.4 Morality: It is a threat to internal validity produced by differences in dropout rates across the conditions of the survey. As the respondents to my questionnaire are employees of IT companies, this is closely associated with personal morals. Personal moral is human action which pertains to matters of right or wrong. The researcher has selected a specific group of employees from each IT company, having a high profile and maximum tenure with the same company.

3.5.4.5 Maturation: Maturation leads to the growth of organization as the study progresses. This is nothing but impact on the research study with the growth of organizations. For the study of Information security policies, the growth of organization was highly associated with the employee-size of organization. To begin with the study, the sample was selected considering lower limit for specific size of the employees where administrative policy works efficiently. Hence, there was no limitation for maximum size of organizations with the growth of organization.

3.6. AMBIGUITY ABOUT CAUSAL DIRECTION: Ambiguity is associated with words, terms, notations and concepts which are not defined clearly for a specific concept. When the questionnaire was sent to the respondents by the researcher, no query was raised regarding unknown or undefined concepts, as the researcher focused on security standards and followed the guidelines provided by the respected guide in terms of reliability and validity of the questionnaire.

3.7. PROFILE OF RESEARCH: Study of research includes selected IT companies in Pune region. These IT companies are further divided into three types such as Software, BPO and Hardware. From all these three types of companies, the respondents were medium or top level people from the companies. These respondents were Chief Information Officer, Chief Technical Officer, Chief Security Officer, Network Administrator, Project Manager, Software Solution architect, Software Developer, Information Security Manager and System Administrators. Human Resource Managers and authorized users were also part of respondents as preliminary information was supported by them.

3.8 VARIABLES OF THE STUDY: A variable, as opposed to a constant, is simply anything that can vary. As the research is mainly based on a theory, all variables must be defined and the methods of conducting the research must be determined.
Once this is done, the resulting statement about the relationship is called a hypothesis. The hypothesis is what gets tested in any research study. As per the researcher, the variables from this study are as follows:

1. Policy Existence
2. Policy training and awareness
3. User Authorization
4. Resistance from the users
5. Length of password
6. Access permissions
7. Access to specific resources
8. Virus protection software
9. Policy implementation
10. Physical access control
11. Security devices
12. Usage quota
13. Organization e-mail account
14. Non-disclosure agreement
15. Maintenance Agreement
16. Hardware Inventory Management
17. Time frame
18. Private and public key
19. System fault tolerance
20. Resistance from users
21. Security Management Team
22. Information Systems Audit

Though the variables are declared, they cannot be categorized as independent or dependent variables that would demonstrate interdependencies or interrelationships. This is illustrated by the following reasons. The objective of the research is to assess the status of information security policies. The scope of the research is not to establish any relationship between variables. As this is qualitative research, there is no cause and effect, as these variables are not measurable. The variables are the parameters in this research which are required to prove the hypothesis, but apart from these parameters there are some unknown factors which are also responsible but cannot be directly measured. The unknown factors or parameters would be beyond control and measurement, and would vary with the specific technology and the situation. The questionnaire designed was open ended and there were no specific quantitative options. From the information security point of view, sensitive and very specific information was not provided by the respondents from the IT companies.

3.9 STATISTICAL DESIGN: Statistical tools play an important role in research. Statistics helps the researcher in designing the research, analyzing its data and drawing conclusions therefrom. Statistics is divided into two major areas: descriptive statistics and inferential statistics. Descriptive statistics deals with the development of certain indices from raw data, while inferential statistics deals with the process of generalization [7]. Inferential statistics is also known as sampling statistics, and is mainly concerned with two problems: a. Estimation of statistical measures, b. Testing of statistical hypotheses.

3.9.1 Tools of Data Analysis: The researcher has used data analysis tools such as advanced Excel and SPSS to analyze the data. Company-wise data is collected, segregated and then consolidated with Microsoft Excel. Simple analysis in terms of percentages for all three types of IT companies is also calculated with Microsoft Excel. SPSS is used for further analysis with techniques such as frequency distribution and the chi-square test. Coding is first done in Excel and the data is then imported from Excel. After importing the data, variables were first declared in SPSS. The frequency distribution technique was applied to the data to test the number of IT companies which are for (yes) and against (no) the related parameters of each hypothesis. Each hypothesis is tested with the level of significance generated in the output shown by cross tabulation. The chi-square test was applicable to one of the hypotheses, where it was associated with the comparison between different domains of IT companies. Thus statistical analysis is performed in the following two stages.

1. Application of statistical software tools such as Microsoft Excel 2007 and SPSS 11.0.

2. Interpretation and Conclusion.

3.10 OPERATIONAL DESIGN: The Researcher has applied chi-square test for hypothesis testing. Cross tabulations are used to represent the output results with the help of SPSS.

3.10.1 CHI-SQUARE TEST: Chi-square, a non-parametric test, is used for testing of hypotheses. The chi-square test is selected on the basis of the following important characteristics [8]. As a non-parametric test, it is based on frequencies and not on parameters such as mean and standard deviation. The test is useful for testing hypotheses and is not useful for estimation. It is a very useful test in research, as it can be applied to a complex contingency table. As no assumptions are necessary regarding the type of population and there is no need for parameter values, it is considered to be an important non-parametric test.

In this data analysis, the chi-square test is used for comparison between expected values and observed values. In this comparison the observed as well as the theoretical or expected frequencies must be grouped in the same way, and the theoretical distribution must be adjusted to give the same total frequency as found in the observed distribution. Usually, in the case of a 2×2 or any contingency table, the expected frequency of any given cell is worked out as shown below.

Expected frequency of any cell = [(Row total for the row of that cell × Column total for the column of that cell) / Grand total]

χ² (chi-square) is calculated with the following formula [9].

Where Oij = observed frequency of the cell in the ith row and jth column, and Eij = expected frequency of the cell in the ith row and jth column. If the calculated value of χ² is equal to or exceeds the table value, the difference between the observed and expected frequencies is taken as significant, but if the table value is more than the calculated value of χ², then the difference is considered insignificant. The degree of freedom plays a major role in the chi-square distribution and is calculated as follows:

d.f. = (c-1)(r-1)

Here c represents the number of columns while r represents the number of rows.

3.10.2 Cross Tabulation: The researcher has presented the output of data analysis in the form of cross tabulations. A cross-tabulation table represents the joint frequency distribution of two discrete variables. Rows and columns correspond to the possible values of the first and second variables, and the cells contain the frequencies (numbers) of occurrence of the corresponding pairs of values of the first and second variables. Cross-tabulation tables can also be used for more than two variables.

A frequency distribution is a tabular summary of a set of data showing the frequency (or number) of items in each of several non-overlapping classes (or bins). This definition is applicable to both quantitative and categorical (qualitative) data. For quantitative data, the classes are typically contiguous and of equal width.

3.10.3 Advantages of Cross tabulations: Following are some of the major advantages of cross tabulation.
1. They are easy to understand. They appeal to people who do not want to use more sophisticated measures.
2. They can be used with any level of measurement: nominal, ordinal, interval, or ratio. Cross tabulations treat all data as if it is nominal.
3. A table can provide greater insight than single statistics.
4. It solves the problem of empty or sparse cells.
5. They are simple to conduct.
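The procedure of sections 3.10.1 and 3.10.2, as an added example that is not part of the original thesis: it cross-tabulates coded yes/no responses by company segment, computes each expected frequency as row total × column total / grand total, and compares the statistic with the table value at d.f. = (c-1)(r-1). The response counts are constructed, the statistic is the standard Pearson sum of (O - E)² / E, and the 0.05 significance level, the field names and the expected-count threshold of 5 are assumptions.

```python
"""Chi-square test on a cross-tabulation of survey responses (added example)."""

# Table values of chi-square at the 0.05 level of significance, keyed by d.f.
# (assumption: the thesis does not state which level was used).
CRITICAL_0_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}


def constructed_records():
    """Constructed sample: 15 companies per segment, yes/no for one policy domain."""
    counts = {"Software": (13, 2), "BPO": (12, 3), "Hardware": (5, 10)}
    records = []
    for segment, (yes, no) in counts.items():
        records += [{"segment": segment, "has_policy": "yes"}] * yes
        records += [{"segment": segment, "has_policy": "no"}] * no
    return records


def cross_tabulate(records, row_key, col_key):
    """Joint frequency distribution of two discrete variables."""
    rows = sorted({r[row_key] for r in records})
    cols = sorted({r[col_key] for r in records})
    table = [[0] * len(cols) for _ in rows]
    for r in records:
        table[rows.index(r[row_key])][cols.index(r[col_key])] += 1
    return rows, cols, table


def chi_square(table, min_expected=5.0):
    """Return the statistic, d.f., table value and decision for a contingency table."""
    if not table or any(len(row) != len(table[0]) for row in table):
        raise ValueError("contingency table must be rectangular and non-empty")
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    grand_total = sum(row_totals)
    # An empty row or column gives an expected frequency of zero (division by zero).
    if 0 in row_totals or 0 in col_totals:
        raise ValueError("empty row or column: drop it before testing")
    df = (len(col_totals) - 1) * (len(row_totals) - 1)
    if df not in CRITICAL_0_05:
        raise ValueError(f"no table value stored for d.f. = {df}")

    # Expected frequency = row total x column total / grand total.
    expected = [[rt * ct / grand_total for ct in col_totals] for rt in row_totals]
    statistic = sum(
        (o - e) ** 2 / e
        for obs_row, exp_row in zip(table, expected)
        for o, e in zip(obs_row, exp_row)
    )
    # Cells with a small expected count make the approximation unreliable
    # (rule-of-thumb threshold, an assumption of this example).
    sparse_cells = [
        (i, j)
        for i, exp_row in enumerate(expected)
        for j, e in enumerate(exp_row)
        if e < min_expected
    ]
    critical = CRITICAL_0_05[df]
    return {
        "chi_square": statistic,
        "df": df,
        "critical": critical,
        # Significant when the calculated value equals or exceeds the table value.
        "significant": statistic >= critical,
        "expected": expected,
        "sparse_cells": sparse_cells,
    }


if __name__ == "__main__":
    rows, cols, table = cross_tabulate(constructed_records(), "segment", "has_policy")
    result = chi_square(table)
    for name, row in zip(rows, table):
        print(f"{name:<10}", dict(zip(cols, row)))
    print(f"chi-square = {result['chi_square']:.3f}, d.f. = {result['df']}, "
          f"table value = {result['critical']}, significant = {result['significant']}")
```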


3.11 REFERENCES:

1. Clair Selltiz and others, Research Methods in Social Sciences, [1962], Pg. 50.

2. C.R. Kothari, Research Methodology, Methods and Techniques, New Age International (P) Ltd, Second Edition [2004], Pg. 31.

3. Dr. Priyantosh Khan, Statistics for Management, Economics and Computers, Everest Publishing House, First Edition [2004], pages 15.2.

4. C.R. Kothari, Research Methodology, Methods and Techniques, New Age International (P) Ltd, Second Edition [2004], Pg. 31.

5. Thomas R. Peltier, Information Security Policies, Procedures and Standards-Guidelines for effective information security management, Auerbach Publications, 2002, Pg. 195, APPENDIX A.

6. Ajai Gaur, Sanjaya Gaur, Statistical Methods for Practice and Research, Pg. 31.

7. C.R. Kothari, Research Methodology, Methods and Techniques, New Age International (P) Ltd, Second Edition [2004], Pg. 131.

8. C.R. Kothari, Research Methodology, Methods and Techniques, New Age International (P) Ltd, Second Edition [2004], Pg. 250.

9. Amir D. Aczel, Jayavel Sounderpandian, Complete Business Statistics, McGraw Hill Companies, Sixth Edition [2007], Pg. 681.
