Primary research was conducted using a dual methodology: the same instrument for measuring the variables was applied to two opposite populations, the management of banking and insurance companies on one side and the management of information security auditing companies on the other.
Standardisation of information security is not a compulsory activity for companies and institutions; it remains an optional choice. Organisations from the public sector may undertake standardisation activities on the basis of a political decision, while the commercial sector does so as a measure to protect the business as a whole. Banking and insurance companies are commercial companies; they therefore represent a pattern of behaviour for the commercial sector. Banking sector
Research was conducted in four countries (Croatia, Serbia, Bosnia and Herzegovina, and Montenegro) in the period March – June 2012. The field work was carried out by e-mail questionnaire. There were two groups of examinees: the first group consisted of managers of banking and insurance companies, and the second of managers of information security auditing companies. The population of banking companies includes 30 in Bosnia and Herzegovina (20 banks in the Federation of Bosnia and Herzegovina and 10 banks in the Republic of Srpska); 32 in Croatia; 32 in Serbia; and 11 in Montenegro (Udruzenje banaka Crne Gore, 2012). The population of insurance companies includes 28 insurance companies in Bosnia and Herzegovina; 27 in Croatia; 18 in Serbia (Osiguravajuca drustva u Srbiji, 2012); and 10 in Montenegro (Osiguravajuca drustva u Crnoj Gori, 2012). The research sample comprised 21 banking companies and 14 insurance companies, which represents 31.34% and 33.33% of the total population, respectively. The second research group was auditing companies. The total population was 7 companies; four of them took part in the research, which represents 57.14% of the population. The information security auditing companies were from Slovenia, Croatia and Serbia, and their market was the geographic area of the Western Balkans.
The questionnaire was identical for both groups. The measured variables cover important aspects of how both samples of examinees perceive information security. The focus was on simultaneous analysis of the attitudes of both groups (companies and auditors) regarding the perceived importance of the measured variables, in order to determine which factors cause covariance between the measured variables.