Interview schedule

In the contemporary world, information security is considered as the series of management practices, policies, standards as well as technologies, which are aimed to secure the sharing of sensitive information (Thompson 2014). With the growing trend and inclination towards the use of information system in the organizational activities, the threat of misusing the personal data has risen in a significant manner. The HR professionals have a distinctly significant role in recruiting the most appropriate and efficient information security professionals so that organization can develop a robust information security system (Ulrich et al. 2013). Therefore, the capabilities of HR are a key factor of developing the information security system.

The primary research objective of this research study is to assess the nature and scope of human resource capabilities for information security development within Global Aerospace Logistics, LLC GAL-UAE business organizations. Therefore the following research questions are formulated as a qualitative approach that shall be answered through the research study:

• What is the level and impact of information security development in GAL-UAE?
• What are the main causes of information security skills gap in GAL-UAE?
• What are the main responsibilities of the employees in the development of information security skills among employees?
• What are the initiatives that can be undertaken for developing information security skills?

The research questions have been further divided in various sub-questions to extract most detailed knowledge of the HR capabilities for Information Security Systems Development. Although, the research questions are broad, the sub questions (see Appendix 2) have effectively covered every aspect of the research question. The research questions have been formed after considering the detailed literature review on the HR capabilities of Information security systems development. As identified in the literature that skills gap has been proven as most critical factor for the Information security, the research questions has effectively attempted to investigate the current situation of information security including its impact in GAL-UAE. In addition to that, the skills gap, responsibilities as well as initiatives undertaken for development of information security has been also investigated through the research questions.

In the current context, Mr. Mahmood Alameria has been selected as the interviewee on the basis of his significant experience and expertise on the research topic. Mr. Mahmood Alameria had six years of experience of working as HR Strategy Manager. Therefore, he had a remarkable insight on the regular practices and challenges of HR professionals to help in information security development and decision maker. Being responsible for recruiting and conducting the HR operations, Mr. Mahmood Alameria would have been most capable respondent for gathering necessary information regarding the usual practices of the HR professionals and associated factors in Information Security Systems Development.

The interview schedule consists from introduction, which explained the aim of the session and was focused on extracting detailed information to identify the HR capabilities for Information Security Systems Development. As the research project has an explicit focus of qualitative data analysis, the interview has been focused on acquiring open ended responses from the interviewee. In this context, the interviewee has been probed to answer the queries regarding the responsibilities in information security system developer as well as scenario of the skills gap.

First of all, the interview schedule gathered the demographic details of the respondents. It has been effective to understand the background of the selected interviewee. Hall et al. (2011) has successfully identified that in order to mitigate the risks, it is necessary to develop a strategically enhanced and organization-wide defensive approach. In this context, the study had been focused on understanding the issues so that an enhanced and organization-wide defensive approach can be undertaken.  In the second section, the interview investigated the level and impact of information security development. It has been divided into various sub-questions to explore the frequency of cyber security issues as well as the trends of the security threat. Vacca (2013) stated that the already employed professionals lack necessary enthusiasm to continue with the personal as well as professional development program arranged by human resource department. It creates greater skill gap within the organization. The third section comprises the queries regarding the gap of the necessary skills in information security professionals to develop an effective and secure information sharing system. Ahmedet al. (2015) argued that there is no scope to focusing only on information security system as the 70 percent of all fraudulent incidents regarding IT sector is internal. Therefore, the study has immensely emphasized on identifying the roles and responsibilities of general employees in the organization. The fourth section implicitly investigates the responsibilities of the general employees throughout the organization in the development of effective information security system. As stated by Vogel and Broer (2013), the information security professionals must focus on initiating the security system that supports the objectives of the organizations. In order to do that the organization need to take several major development based initiatives. In this aspect, the fifth section concentrates on unearthing the necessary initiatives for developing information security skills. Moreover, the HR professionals’ perception on the research topic has been critically analyzed in this particular assessment.

Discussion of Key Findings

In this context, the data addressed the research questions and show thematic analysis with revealing the interviewee responds for each research question.

The interviewee disclosed, “Yes, there were couples of breaches in last six months. They were actually related to mishandling of documents in one of the cases. In other cases, there was physical access issue.” It has been observed from the data findings that the organizations often experience multiple breaches due to mishandling of documents as well as physical access issue. The interview has also stated, “Yes, we are quite comfortable with the frameworks that we have in place.” It has been also identified that the HR professionals are quite comfortable with the frameworks that they have in place. These frameworks include information security team, quality team as well as HR Admin team. The Interviewee also stated, “In terms of IT, from user perspectives, I see that we have quite a good network security and access is fine, so from IT side I feel it is quite good.” It can be found that HR professionals are trying to keep it as tight as possible, considering the security context. The organizations have always attempted to document and approve the organizational processes. The major advantage of using documented policies is that when it is written down, it can be shared with their employees. The interviewee explicitly said, “New employees come in, they see it in a manual, and they know exactly what happens, which step goes before the other activities.” If any employee has the right skill set he can change or amend the standard operational procedure.

It has been noted that in order to fill the position of information security position the organization takes 5 to 6 months. The interviewee remarked, “It is almost double the average time taken to hire other staffs.” The major reason for a long time of recruiting process is focusing on seasoned professional exclusively rather than concentrating on knowledge and achievement in academic sphere. The interviewee also expressed, “They are hard to find. The highest preference is to have UAE nationals because of the sensitivity of the job.” So they are looking for local spinally UAE nationals. For their experience it was not easy to find them and there is very high competition. The interviewee also disclosed, “This is lot of work, need to be done based on experience, based on proper communication skills, a level of maturity that you can rarely have as fresh graduate. So this is what the major skill gap I would see in the security professionals specially beginners.” The major reason of not recruiting the fresh graduate students, which has been identified in the data findings, is lack of hand on experience. On the other hand, the interviewee also revealed, “Yes, actually, if we have privilege of having a strong team, we need to bring in a fresh guy, we can give him hands on training because we would have and we can couple him with seasoned information security professionals.”  It has been also observed that given the privilege of having a strong team, the organization would be able to train fresh employee by transferring the knowledge through shadow training.

The interviewee stated, “This channel of process has been a defined procedure. He just needs to be aware of it and with some reinforcement from the management also he should be able to secure the information that he works with.” The data findings has successfully revealed that every employee should be aware of the sensitivity of the information that he has make sure that whatever he talks in terms of the business details is vague and does not include actual figures. In addition to that, the interviewee also expressed regarding the role of IT professionals, “As business users, again, they need not divulge information that will compromise their work.” The data findings disclosed that unlike other employees, the IT professionals have access to most of the super users; they have the access to almost all the information that is available electronically. Therefore, they have to be alert all time. The interviewee also disclosed, “We make sure that the information security standard is maintained so everything would be in place.” The data evaluation has been able to find out that the enterprises ensure proper maintenance of the information security standard for development of information security skills. Therefore, progression in achieving information security goals as well as information security standard can be considered as the most important metrics in this sector.

The interviewee expressed, “I am a big believer in communication or awareness. You have to make people aware.” The data findings have successfully stated that communication or awareness greatly contributes in minimizing the impact of threats. The Interviewee stated, “If you want details we can send them to public conferences, we can call our partners and have some knowledge sharing of their experience from our sister companies, from our partner companies whether international or national.” The data findings have disclosed that town hall training and coupling with professionals are quite good example of initiatives for developing information security skills. The interviewee also expressed, “Many people think that information security is only protected from the computer while as we mentioned earlier that our weakest link is human factor where someone would go and just talk about it or brag about it not knowing that they are divulging very important information.” The data findings disclose that lower level risk assessment maybe employee level risk assessment would be most effective to keep the employee informed.

The above data findings have been highly effective in the context of supporting and further investigating the understanding, which has been acquired in the literature. As identified in the literature, the advancement in information technology improves organizational efficiency, but exposes the organization to additional threats (Wawak, 2012). “With an increasing reliance on technologies connected over open data networks, effective information management has become a critical success factor for public and private organizations” (Alfawaz, 2011). The literature has been able to disclose the development of information security capability. The data analysis has immensely supported the facts reviewed in the literature. As reviewed in the literature, we can see despite the response by higher education institutions through adding information security courses; the market is still in dire need of skilled information security professionals (Veltsos, 2015). The current data findings have been quite efficient to point out that the major reason of this scenario is inability of fresh graduate to cope with market requirements without any experience. The review of the literature also disclosed that to achieve sustainable information security, organizations need to implement appropriate controls, including policies, procedures, processes, structures and software and hardware functions. These controls require skilled human capital to be developed, implemented, monitored, reviewed and improved, where necessary, to ensure the security and business objectives are achieved (ISO-IEC 17799, 2005). The data findings have been able to delve into detailing various procedures, policies and techniques of information security development within the organization. It has been found that data findings have been successfully supported the literature review.

The research project has exclusively depended on the qualitative data analysis process. The study had to concentrate on selection of proper technique with respect to the data collection, as the proper data collection greatly contributes in defining the level of research outcome. In order to collect the data the research project has used interview session. There are various types of interviews have been used in the academic research sphere. In this context, considering the qualitative approach of the research project, the open ended question have been selected for the interview session as it would have been most effective for unearthing the detailed insight of the interviewee. In addition to that, the research project had to select appropriate method for analysis the data collected from the interview (Brannen 2012). The thematic analysis has been selected, as most effective techniques as it have been quite efficient to present the underlying themes within the interview data.

Any constructive interview needs to have a proper time allocation for conducting the session so that it can be undertaken without any hindrance (Cameron 2012). Therefore, I have kept in mind to get the appointment two weeks before the time. This way the interview session has provided a greater scope for revealing maximum insight on the research topic without any kind of disturbance. Prior to the interview session, I have been quite nervous, as I had no prior experience of taking this kind of interview session. I emphasized on one thing that I must clearly state out the interview question so that the interviewee would be able to provide necessary information (Ellis and Levy 2012). I have also kept in mind to probe in appropriate time so that I can get more information. I also point to mentioned that this session will be recorded and if the interviewee will be fine with this. However, I found it quite difficult as the interviewee is quite insightful than me. The inexperience has somewhat limited my ability to extract pointed and relevant answer from the interviewee. Nevertheless, the interview session has been quite insightful for me. It has provided a greater confidence, which would be useful in my future research.

There is also various process of conducting the research with greater efficiency. The survey process would have given a greater understanding on the current scenario of the project management from quantitative perspectives (Hooper 2012). In addition to that, the research project also could have conducted more interviews with multiple interviewees. In addition to that, the interview process could have been focused on semi-structured questionnaire so that in certain area, the interview would be bound to provide to the point answer. It would have helped the research project to acquire a pointed perception on the research issue (Morgan 2012). The research could have also adopted the thematic analysis of secondary data. This way the empirical data would have presented greater evidences.

It has been kept into consideration that the interviewee would be aware of the exact purpose of the research. The participant has been involved with the research after their full consent. The research project has been also able to assure that any information would not be used other than the research purpose (Freshwater 2012). The securing the identity of the interviewee has presented a serious challenge to the research project Therefore, the name of the interviewee has been mentioned as Mr. Mahmood Alameria as a pseudonym.

Any research project is highly critical as well as complex. Therefore, every research process has greater chances of issues and dilemmas. In this context, the research project also has presented numerous problematic situations. First of all due to time constraint and the sensitivity I had to compromise for a limited time in the context of taking appointment from the interviewee. Moreover, my experience has been quite limited in the context of taking professional interviews. Therefore, I faced great deal of problems at the time of conducting the interview sessions. I have not been able to direct the interview response within the context of research topic. I could not attain to the point answer from the interviewee. In addition to that, I have been unable to probe appropriately for attaining further data on the research topic.

The research questions have been quite broad and therefore could not find to the point responses from the participants. The broad nature of the research questions naturally directed the interview more widespread, which sometimes became irrelevant. For example, while participant has been asked about documented and approved procedures and policies in the organization, he has answered regarding the departments within the organization. The details of the organization are not relevant to the research topic. In addition to that, my inexperience has been quite critical for the success of the interview session. I have been failed to probe the interviewee so that to the point response can be attained. Without the proper probing the participant has been wandered around the direct answer. In addition to that, the research session has been failed to delve into depth for acquiring most effective research findings.

The interview has been quite effective to attain a vast understanding on the HR capabilities for Information Security Systems Development within UAE. It has been quite effective to attain highly helpful response in the context of perceiving the exact practice in the information security sector. In addition to that, the trends in the information security sector have been also understood through the interview session. The interview session has been also efficient to provide detailed understanding about practices of HR professionals beside the IT professionals. However, the interview session has used open ended question, without any kind of follow up questions. Without the follow up responses has been quite insightful, albeit irrelevant. The proper probing and follow up questions has been quite critical limitation of the current interview project.

There are various kinds of research techniques, which are practiced in the academic sector. Since the beginning of the research process, the academic scholars have used various kind of technique to attain proper research finding. In this context, the quantitative data analysis would have been most effective to attain greater understanding with the exact facts. In addition to that, the empirical data would have been quite effective to provide essential reliability and validity to the research project. Moreover, the secondary research has been a great research method for attaining a detailed understanding regarding any research topic. Although it would not have been able to provide current facts, it would be most important to have an evaluated perception on the research topic.

The current research project has used open ended questionnaire for attaining detailed response from the interviewee. However, the interview would have been also quite successful by using semi structured as well as structured interview. It would have been able to provide greater relevance to the responses of the respondent. At the same time, to the point answer would have been quite essential to attain more realistic research findings.

References

Brannen, J. 2012. ‘Prologue, mixed methods for novice researchers: reflections and themes, International Journal of Multiple Research Approaches, 3(1), 8–12.

Cameron, R. 2012. ‘A sequential mixed model research design: design, analytical and display issues’, International Journal of Multiple Research Approaches, 3(2), 140-152,

Ellis, T. and Levy, Y. 2012. ‘Towards a guide for novice researchers on research methodology: Review and proposed methods’, Issues in Informing Science and Information Technology, 6, 323-337.

Freshwater, D. 2012. “Reading mixed methods research: contexts for criticism”, Journal of Mixed Methods Research, 1(2), pp. 134-46.

Hall, J. H., Shahram, S. Thomas, A., Mazzuchi., 2011,”Impacts of organizational capabilities in information security”, Information Management & Computer Security, Vol. 19 Iss 3 pp. 155 – 176

Hooper, C. S. 2012. Qualitative In Context. Journal of Advertising Research, 51

IEC/ISO 17799, (2005). International Organization for Standardization and International Electrotechnical Commission

Morgan, D. L. 2012. “Paradigms lost and pragmatism regained: methodological implications of combining qualitative and quantitative methods”, Journal of Mixed Methods Research, 1(1), pp. 48-76

Thompson, E.E., 2014. Information Technology Security and Human Risk: Exploring Factors of Unintended Insider Threat and Organizational Resilience. ProQuest LLC.

Ulrich, D., Younger, J., Brockbank, W. and Ulrich, M.D., 2013. The state of the HR profession. Human Resource Management, 52(3), pp.457-471.

Vacca, J.R. ed., 2013. Managing information security. Elsevier.

Veltsos, C. (2015). Addressing the Information Security Skills Gap in Partnership with Academia. Security Intelligence. Available at: https://securityintelligence.com/addressing-the-information-security-skills-gap-in-partnership-with-academia/ (Accessed 02 April 2016)

Vogel, M. and Broer, V., 2013. Security Compliance Monitoring–The next Evolution of Information Security Management? In ISSE 2013 Securing Electronic Business Processes (pp. 183-194). Springer Fachmedien Wiesbaden.

Wawak, S. (2012). The importance of information security management in crisis prevention in the company.Cracow University of Economics. Available at: https://www.academia.edu/1649676/the_importance_of_information_security_management_in_crisis_prevention_in_the_company (Accessed on 03 April 2016).