The research described in this paper lead us to the conclusions that there is a big gap in perception of information security issues of respondents from banking and insurance companies and auditing managers. In general, banking and insurance managers graded higher all information security issues in own companies than auditing managers did it. These two populations of respondents have different motivation regarding information security. On one hand, mangers of banking and insurance companies do not appreciate the security strategy issues, and they are always trying to spend lesser on it. On the other hand, information security auditing managers have commercial motivation and they are trying to earn more by estimating information security worse than it really is. Real state of information security should lie somewhere between grades of these two populations of respondents. Screening methods
Ranking the significance of information security variables from groups of respondents has rather high correlation. Although they disagree in terms of real state of information security, they mostly agree concerning significance of particular security procedures. This should be a good starting point which can bring managers together when it comes to implementing information security procedures.
Factor analyses extracted four factors as following: readiness of employees, adaptability of organisation, availability of resources, and normative aspects of security. Mentioned factors have high correlation with belonging variables and simplify the view on standardisation of information security. This should make it easier for banking and insurance managers to appreciate information security and to invest in it more than it has been case so far. The results confirm the justification for using factor analysis to identify managers’ impression about state of information security in banking and insurance companies.
Analyses of perception of information security barriers show that there is a significant gap in perception of information security barriers among respondents from both populations. This can help information security auditors in their approach to companies, because they can look on information security issues from company managers perspective.
Analyses of marketing aspects of information security show which marketing activities were mainly presented. This means that information security auditing managers can adapt their marketing approach to banking and insurance companies. This is even more noticeable when it comes to amount of money that managers are ready to invest in standardisation of information security. Investment gap was not significantly big when it comes to the financial potential of banking and insurance companies, therefore big market and financial potential of standardisation of information security in the region of countries of Western Balkans can be exploited with lower barriers than it has been case so far.
Results of this research show that there is necessary to conduct promotion activities of importance of information security in countries of Western Balkans and to give to this aspect of business adequate place in overall business activities in organisations.
In this paper it has been given a new methodology of research of information security which is called “dual methodology”. The results of research confirm justification of usage of proposed methodology and statistical procedures within it. Dual methodology proved to be efficient and it can be recommended for research of state of information security in other regional markets.