Paper Title: State of IT Security Study of Utilities & Energy Companies

Authors: Ponemon Institute

URL: https://www.automationworld.com/sites/default/files/securityutilities.pdf

Publication Date: April 2011

Issue: State of organisational readiness to information security and data protection risks.

Purpose: To gain an understanding of how energy and utility companies determine their preparedness for the many information security and data protection risks, together with those arising from Supervisory Control And Data Acquisition (SCADA) networks and smart grid communications (Ponemon Institute, 2011). This stated purpose is not in tune with the paper itself, as the report explored organisational readiness for IT security exploits rather than how organisations determine their readiness state.

Conclusion: The report concluded that energy and utility companies do not have a firm understanding of the information security risks they face, as they do not treat IT security as a priority and believe that physical security is of much more importance. The report also concludes that these organisations either do not know or are not sure of the existing IT solutions that can solve their IT security issues. It further concludes that these companies need to urgently address these IT security issues to prevent disruption to their installations, by making IT a strategic initiative across the whole organisation.

Abstract: The paper does not present an abstract, which would have provided an outline of the white paper with a summary of the findings and conclusion (Fowler, 2011) and in turn may have attracted more readers (Hernon & Schwartz, 2010).

Introduction: The paper does not include an introduction. In the absence of an abstract, an introduction would have presented the context of the research (Thrower, 2008) and filled the void left by the missing abstract.

Report Summary: The paper presents the results of a survey of USA energy and utility companies on their readiness to handle the information security risks affecting their organisations. The survey covered the 17 areas listed below:
1. Organisational view of security
2. Perceived view of compliance with industry-related regulations
3. Top organisational IT objectives
4. Data breach frequency
5. Probability of successful exploit
6. Core systems compromised due to security exploits
7. Average cost due to IT security issues
8. Average time to discover malicious insider activity
9. Top IT security threats affecting companies
10. Who has responsibility for ensuring top IT objectives are achieved?
11. Opinion on whether existing security controls provide sufficient protection against security exploits arising from smart meters and smart grid systems
12. Percentage of network points outside the control of security operations
13. Perceived levels of concern about third-party vendors connected to the smart grid
14. New steps deployed to protect the smart grid
15. Organisational view on which of physical or IT security is more important
16. Comparison of IT and physical security costs in the current fiscal year
17. Ranking of six security priorities
The paper concludes by stating that their lack of readiness is because IT is not seen as strategic to their businesses. It then recommends a rethink to enable them to achieve a high security posture, which will help them handle emerging security threats and fulfil regulatory and legal requirements.
A: Quality of the Research

Is the research question or objective clearly stated?
Ponemon Institute (2011) states the research questions as:
· “Do global energy organizations view IT security as a strategic initiative across the enterprise?”
· “Is compliance with industry-related regulatory initiatives a priority?”
· “How frequently do these organizations experience data breaches?”
· “Are existing controls designed to protect against exploits and attacks through smart grid and smart meter-connected systems?”
While these objectives are well stated, no categorical answers to the research questions were provided in the report except for the first question. Readers were presented with an analysis of the survey and left to draw their own conclusions, rather than being given definite answers based on analysis and interpretation of the data presented (Lipowski, 2008).

Is the research question interesting and important?
The research questions are important, as they explore very relevant, interesting and crucial issues relating to critical national infrastructure, which if attacked can be disastrous; relevance and importance of this kind are the defining criteria of good research questions (Hulley, Cummings, Browner, Grady, & Newman, 2013).

Is the work original?
The research is original and relevant.

Are there any ethical problems?
There are no ethical problems, as risks to participants are low and acceptable (Patino & Ferreira, 2016).

Are there errors of fact and interpretation?
No errors were found.

Are references used properly?
Though references are made to some publications, no list of references is provided at the end.

Underlying assumptions
The paper assumed that the reader was conversant with the operations of energy and utility organisations and their technicalities.
B: The Research Method

Summary of research method
The research method consisted of conducting a survey of IT security professionals in the USA and analysing their replies to form an opinion. The initial sample size was 8,220. However, only 363 individuals completed the survey, of which 46 were considered unreliable and rejected before screening. A further 47 were eliminated through screening procedures, leaving 291 as the final sample size.

Does the research method seem appropriate for the research question?
Based on the research questions highlighted above, the research method is appropriate.

Are the methods adequately described, appropriate and repeatable?
The methods were adequately described and can easily be repeated.

Were the analyses done correctly?
Analysis was done in line with the data collected.

Are the conclusions supported by the data?
The responses collected supported the final conclusion reached.
C: Quality of Presentation

Is the work well presented?
The research is well presented with tables, charts and explanations.

Is the paper well structured?
The paper could have been improved with an introduction, a brief discussion of the methodology adopted and perhaps an abstract.

Are symbols, terms, and concepts adequately defined?
Some terms and abbreviations, like SCADA, were used without any explanation.
D: Additional Notes

Additional notes
This topic is particularly useful as it keys in with the issue of ensuring security, which was handled in the blog post on “Securing the Retailer Information Systems”.
References
Fowler, J. (2011). Writing for professional publication. Part 6: Writing the abstract. British Journal of Nursing, 20(2), 120. Retrieved from https://www-magonlinelibrary-com.salford.idm.oclc.org/doi/pdf/10.12968/bjon.2011.20.2.120
Hernon, P., & Schwartz, C. (2010). Writing an abstract. Library & Information Science Research, 32, 173. Retrieved from https://ac-els-cdn-com.salford.idm.oclc.org/S0740818810000277/1-s2.0-S0740818810000277-main.pdf?_tid=444c5def-3cd6-4e45-8e14-a0f03abb8faa&acdnat=1529528770_8a549b250be0d002b13f24048affed45
Hulley, S. B., Cummings, S. R., Browner, W. S., Grady, D., & Newman, T. B. (2013). Designing Clinical Research. Lippincott Williams & Wilkins. Retrieved from http://web.b.ebscohost.com.salford.idm.oclc.org/ehost/ebookviewer/ebook/bmxlYmtfXzE0NzMwNTJfX0FO0?sid=892a5d5a-1d82-410b-bbbd-46fbb0076016@sessionmgr102&vid=0&format=EK&lpid=a010&rid=0
Lipowski, E. E. (2008, September 1). Developing great research questions. American Journal of Health-System Pharmacy, 65(17), 1667-1670. Retrieved from http://web.b.ebscohost.com.salford.idm.oclc.org/ehost/pdfviewer/pdfviewer?vid=1&sid=b97b7d65-6a04-42d8-9a5e-550d49c12c7f%40sessionmgr102
Patino, C. M., & Ferreira, J. C. (2016). Developing research questions that make a difference. Jornal Brasileiro de Pneumologia, 42(6), 403. Retrieved from http://www.scielo.br/pdf/jbpneu/v42n6/1806-3713-jbpneu-42-06-00403.pdf
Ponemon Institute. (2011). State of IT Security Study of Utilities & Energy Companies. White Paper. Retrieved June 15, 2018, from https://www.automationworld.com/sites/default/files/securityutilities.pdf
Thrower, P. A. (2008). Writing a scientific paper: II. Introduction and references. Carbon, 46, 183-184. Retrieved from https://ac-els-cdn-com.salford.idm.oclc.org/S0008622308000122/1-s2.0-S0008622308000122-main.pdf?_tid=dab3b767-48b8-4d98-9d90-e38a0cc68c75&acdnat=1529616206_c5d8a4094ec441c02f2d64ba3933c0c1