Factor analysis (conducted using SPSS Statistics 17) was used to determine the number of factors that explain the relationships between variables and the connection of those variables with the factors. Based on the correlation matrix of the 12 variables and testing of the null hypothesis that the individual correlation coefficients are equal to zero (the null hypothesis is accepted for significance values greater than 0.05), it can be concluded that the null hypothesis may be accepted for the correlation coefficients of the variable Information security policy and the variables Information classification, Human Resources Security, Communications and Access Control; the variable Compliance and Physical and Environmental Security, Information security incident management and Business Continuity management; the variables Responsibility for Assets and Communications; the variable Human Resources Security and the variables Communications and Information security incident management; the variable Communications and the variables Information systems acquisition, development and maintenance and Information security incident management; the variable Access Control and the variables Information security incident management and Business Continuity management; and the variables Information security incident management and Compliance. This means that these pairs of variables cannot be expected to occur together in the explanation of single factors. Bartlett’s Test of Sphericity is highly significant and indicates that there is a significant correlation between the variables.
The Kaiser-Meyer-Olkin Measure of Sampling Adequacy (KMO statistic) has a value of 0.66, which confirms that the application of factor analysis in the research is justified (factor analysis is recommended only if the KMO statistic is greater than 0.5). Principal Component Analysis was used as the extraction method, and the number of factors was determined from the characteristic values (Principal Component Analysis) assigned to the factors, retaining factors with values greater than 1. The analysis showed that four factors fulfilled this criterion. The percentage of explained variance for these four factors was 75.96. Rotation was applied using the Varimax rotation method with Kaiser’s normalisation. Table 3 shows the results. The results confirm the justification for using factor analysis when identifying managers’ impressions of the state of information security in banking and insurance companies. The interpretation and explanation of the factors is based on the weights of the factors, the specificity of information security research and our assessments.
The first factor, F1 (Readiness of employees), explains 68.4, 64.8, 56.9 and 45.4 percent of the variance of the variables Access Control, Human Resources Security, Physical and Environmental Security and Information systems acquisition, development and maintenance. All variables which explain this factor have correlation coefficients greater than 0.5, with the highest correlation coefficient (0.80) between the variables Physical and Environmental Security and Access Control.
The second factor, F2 (Adaptability of organisation), explains 74.3, 54.2 and 29.6 percent of the variance of the variables Information security policy, Information security incident management and Business Continuity management. The highest correlation coefficient (0.51) is between the variables Information security incident management and Business Continuity management. The third factor, F3 (Availability of resources), explains 75.9, 59.0 and 25.4 percent of the variance of the variables Organisation of information security, Responsibility for Assets and Information classification. The highest correlation coefficient (0.63) is between the variables Organisation of information security and Responsibility for Assets. The fourth factor, F4 (Normative aspects of security), explains 83.7 and 60.1 percent of the variance of the variables Communications management and Compliance. The correlation coefficient between these variables is 0.70.
Table 3: Results of Factor Analysis after Rotation
| Factor | Factor loading | Variables included in the factor | Strength of factors in explaining variance of variables (%) |
|---|---|---|---|
| F1 (Readiness of employees) | 0.805 | Human Resources Security | 64.8 |
| | 0.754 | Physical and Environmental Security | 56.9 |
| | 0.674 | Information systems acquisition, development and maintenance | 45.4 |
| F2 (Adaptability of organisation) | 0.862 | Information security policy | 74.3 |
| | 0.736 | Information security incident management | 54.2 |
| | 0.544 | Business Continuity management | 29.6 |
| F3 (Availability of resources) | 0.871 | Organisation of information security | 75.9 |
| | 0.768 | Responsibility for Assets | 59.0 |
| F4 (Normative aspects of security) | 0.915 | Communications management | 83.7 |
| | 0.775 | Compliance | 60.1 |