survey of victoria police information security … of victoria police information security culture...
Post on 09-Jun-2018
220 Views
Preview:
TRANSCRIPT
Survey of Victoria Police Information Security Culture
– Survey Results
Commissioner for Law Enforcement Data Security
November 2012
Survey of Victoria Police Inform
ation Security Culture – Survey Results
C
omm
issioner for Law Enforcem
ent Data Security
Survey of Victoria Police Information Security Culture
– Survey Results
Commissioner for Law Enforcement Data Security
November 2012
2
This report was prepared for the Commissioner for Law Enforcement Data Security by Sandra Beanham. Sandra Beanham is the founder and principal of Sandra Beanham & Associates (SBA), a Melbourne-based business consultancy. SBA works primarily with large scale clients in both the public and private sectors and provides a broad range of business, marketing and market research consultancy services. The focus of the consulting practice is to assist clients in the development of smarter business strategies underpinned by superior market insights.
Connect with Sandra Beanham, Principal Consultant: Tel +61 3 8808 6600
Published by:
The Commissioner for Law Enforcement Data Security PO Box 5199 South Melbourne Victoria 3205
November 2012
© Copyright State of Victoria, 2012
3
ContentsIntroduction 7
Section 1 Method & Sample 9
1 Orientation & Plan 12
1.1 Project Orientation 12
1.2 CLEDS Benchmark Research 13
1.3 Research Plan 13
2 Qualitative Pilot Study 17
3 On-line Survey of Sworn Members 18
Survey Publicity Plan 18
Survey Timing 18
Survey Sample 19
Survey Hosting and Data Processing 20
Survey Report 20
Section 2 Detailed Findings 21
Part 1 Sources of Guidance on the Management of Law Enforcement Data 23
Part 2 Incidence and Frequency of Typical Breaches of Law Enforcement Data Security 26
Part 3 Use of Personal Technology 29
3.1 Technology Use 29
3.2 Personally Owned versus Victoria Police Provided Equipment 30
3.3 Main Reasons for Using Personal Technology 32
3.3.1 Overview 32
3.3.2 Mobile Phone 33
3.3.3 Smart Phone 34
3.3.4 USB 35
3.3.5 Laptop Computer 36
3.3.6 Desktop Computer 37
3.3.7 Digital Camera 38
Part 4 Beliefs and Attitudes with Respect to Law Enforcement Data Security 40
4.1 Introduction 40
4.2 Risk Analysis 41
4.2.1 Likelihood of Typical Breaches and Perceived Seriousness 41
4.2.2 Perceived Seriousness and Observed Frequency 43
4
4.3 Scenario 1: Holding Law Enforcement Data on Personally Owned Devices – Sergeant K’s Murder Scene Photos 45
Part 1 Take Photos of a Crime Scene with a Personal Smart Phone 45
Part 2 Storing Crime Scene Photos on Personal Smart Phone 45
Part 3 Observed Frequency (Q6) 46
4.4 Scenario 2: Temporarily Located in Office on Unsecured Floor. Taskforce Linebacker Leaves The Door Unlocked. 47
Part 1 Task Force on Unsecured Floor 47
Part 2 Leaving a Door Unlocked to a Secure Area 47
Part 3 Observed Frequency (Q8) 48
4.5 Scenario 3: Inspector M Gives an Informant's Address Over the Phone in a Public Area While Investigating an Outlaw Motorcycle Gang. 49
Part 1 Giving Information Over the Phone in a Public Area 49
Part 3 Observed Frequency (Q10) 49
4.6 Scenario 4: Transferring Electronic Files to/from Potentially Unprotected Environments. Constable P Works on Her Personally Owned Computer at Home. 50
Part 1 Working at Home on a Personal Computer 50
Part 2 Emailing Information from Work Address to Home Address 50
Part 3 Observed Frequency (Q12) 51
4.7 Scenario 5: Losing/Misplacing Law Enforcement Data. Supt R’s Memory Stick Goes Missing. 52
Part 1 Memory Stick Holds Law Enforcement Information 52
Part 2 Losing a Memory Stick Holding Law Enforcement Data 52
Part 3 Observed Frequency (Q14) 53
4.8 Scenario 6: Disclosing Unauthorised Information. Constable T Talks to the Media. 54
Part 1 Releasing Unauthorised Information 54
Part 3 Observed Frequency (Q16) 54
4.9 Scenario 7: Holding Law Enforcement Data for Personal Records. Constable F is Involved in a Police Pursuit. 55
Part 1 Recording Interviews with an Offender on a Mobile Phone 55
Part 2 Keeping a Personal Record of Law Enforcement Data to Corroborate Any Future Investigation 55
Part 3 Observed Frequency (Q18) 56
5
Part 5 Awareness and Role of CLEDS 57
5.1 Current Status 57
5.2 Incidence of Information Security Training 58
Appendices 59
Appendix 1 List of Tables 61
Appendix 2 List of Graphs 63
Appendix 3 Online Questionaire 64
Appendix 4 Additional Tables for Q4 – Detailed Reasons for Using Own Device 73
6
7
IntroductionThe CLEDS I-Project was a quantitative research project designed to assess the attitudes and behavior of Victoria Police officers in relation to law enforcement data security. It took the form of an anonymous survey of all sworn members of Victoria Police. The survey aimed to provide an evidence base that could be used to better understand the current information security culture of Victoria Police and its members’ use of personal electronic equipment for law enforcement purposes. It was also designed to provide us with a wider variety of measurement tools and indicators to assist in assessing information security trends and developments within Victoria Police.
The following research questions guided the development of the research methodology:
1. Do Victoria Police information management and data security policies and practices align with the CLEDS Standards for Victoria Police Law Enforcement Data Security?
2. What is the nature of the information management and data security culture within Victoria Police?
3. Why do police officers obtain, receive and hold information on personally-owned electronic devices?
The survey took place in March 2012 and was sent to all sworn members of Victoria Police. It achieved a 20.6% response rate, which makes for robust and reliable results.
The need for such research grew out of the findings of a number of reviews we have undertaken over the last few years beginning with a 2008 Personal Holdings review that found a relatively high incidence of police holding law enforcement data off-site, typically at home. The 2008 review was undertaken before the market for sophisticated mobile personal computing devices like iPhones grew. Anecdotal evidence obtained during follow-up activities indicated that police were increasingly using personal electronic equipment (notably mobile phones and recording devices) to capture and store law enforcement data. The widespread adoption and use of these personal devices by police to record information – typically in the form of audio files, photos and videos – meant that significant quantities of law enforcement data were not being included in official Victoria Police data repositories and were being kept insecurely.
In parallel, reviews of information governance within Victoria Police that we undertook in 2009 and in 2011 highlighted shortcomings in Victoria Police’s information security and management culture. The 2009 review found varying levels of understanding about information management and security across Victoria Police and emphasized the need for communicating the value of better information practices to Victoria Police staff, as well as monitoring and addressing issues of non-compliance. It identified weak links between information management and security and Victoria Police’s performance management framework. It highlighted the need for information security training and awareness for all police personnel, not just new recruits or for those seeking promotion. It recommended a broad cultural change program to address these issues.
The 2011 review found that these recommendations had not been implemented and, as a consequence, made further recommendations. Victoria Police was asked to develop a detailed report on its current information management and security culture and its readiness for change and provide it to us for approval by 31 March 2012. Based on those findings, it recommended that Victoria Police produce a cultural change strategy by 31 May 2012. As at mid-July 2012, Victoria Police has yet to complete this work.
Introduction
8
Introduction
The key survey findings are:
1. For Victoria Police, the main guide (52% of respondents) to the way in which officers manage and secure law enforcement data is common sense. Only 6% said their managers were the key guide. Very few mentioned Victoria Police policy as a source of guidance.
This finding suggests that improved information management and security policies alone are relatively ineffective tools for improving Victoria Police’s information management/security practices. It also suggests a significant lack of expertise in these issues at a supervisor/manager level. It follows that Victoria Police should significantly strengthen its investment in information management and security training, education and awareness.
2. The use of electronic equipment (computers, mobile phones, data sticks, digital cameras) is central to day-to-day policing. However, 76% of members use at least one personally-owned such device in an average week to capture and/or store law enforcement data. Personally-owned smart phones are being used by 45% of members. The reasons given for members using personal devices are principally that Victoria Police-issue devices are either unavailable or not provided.
This problem is not unique to Victoria Police. Law enforcement agencies across the world are grappling with the proliferation of personal mobile computing and storage devices. That said, the practice of using personal devices for operational policing is largely unmanaged and uncontrolled and poses significant information management and security risks.
3. Police perception of what constitutes a serious information security breach indicates a preoccupation with the physical security priorities of a paper-based information environment, rather than the reality of the electronic environment in which they work.
CLEDS’ intention is that this initial survey is the first phase of longitudinal research to track changes in Victoria Police information security culture, particularly as a means of assessing the effectiveness of Victoria Police’s information security cultural change program and the education awareness programs.
This project could not have been undertaken without the cooperation of Victoria Police. We wish to record our thanks for the assistance provided by the Chief Commissioner, the Victoria Police Human Research Ethics Committee and to the Police Association. Most importantly, we are grateful that so many of Victoria’s police officers took time out of their operational duties to complete the survey.
David Watts Commissioner for Law Enforcement Data Security
9
Section 1
Method & Sample
10
Method & Sample
11
Method & Sample
Key research stages included:
Orientation and Plan
• Stakeholder briefings/ input on research design
• Literature search for relevant benchmarks/methodologies
Qualitative Pilot Test of on-line Questionnaire
• Feedback on survey questionnaire design
On-line survey of Sworn Members
• Preceded by survey publicity and personal briefings
12
Method & Sample
1 Orientation & Plan1.1 Project Orientation
The purpose of the orientation phase was to determine whether any existing research had been conducted in the area of personal holdings of law enforcement data and/or law enforcement data security. This could then inform the development of the CLEDS research program.
An extensive literature search was carried out and discussions were held with a range of academics and researchers working on policing and police processes. This review indicated that there were no specific benchmark studies relating to personal holdings of law enforcement data other than CLEDS own small scale research conducted in 2008 (see below).
Published articles focused on the following topics with respect to the capture and storage of law enforcement data:
1. General
• The need for records management systems to integrate physical and electronic records
• Increasing provision of portable devices including USB’s and PDA’s to frontline officers
• Public concern with security breaches of personal/identifiable data (UK Case Study)
• Need for security measures e.g. strong encryption
• ‘Rule of thumb’ test – if data information was put on the internet – would it be a problem?
• High numbers of mobile phones, laptops, and other devices which are stolen/mislaid.
2. USB’s
• Concern regarding “life expectancy” and loss of data due to ‘wear and tear’
• ‘Rule of thumb’ – maximum 2 year life expectancy.
3. Police Force Needs/Expectations
• Easy access to data
• Easy sharing of data
• Support for work policies involving
• Flexible work practices
• Home working, i.e. secure, remote access
• Concern with ‘user-friendliness’ of encryption ‘products’.
13
Method & Sample
1.2 CLEDS Benchmark Research
As noted earlier, CLEDS conducted a small scale study in 2008 – ‘Personal Holdings of Law Enforcement Data’. It was a paper based questionnaire and included a convenience sample of n = 50 respondents – all sworn members of Victoria Police. The main findings of the survey were:
• 74% of respondents personally held some form of law enforcement data, 66% at their homes
• Many members keep personal holdings regardless of rank or years of service
• The majority held more than one kind of data, predominantly day book notes and official diaries, 48% held briefs of evidence
• 12% stated they held original briefs, investigation files or criminal histories
• The main reasons for holding the information were in case of an ESD or OPI investigation or possible civil litigation
• 21% held data at home purely for reasons of personal interest.
Specifically the study identified the following:
• 11% hold the equivalent of more than five archive boxes of material and 49% hold the equivalent of at least one box
• 62% of respondents hold data which is more than five years old and 19% hold data that is more than 10 years old
• 73% of members with personal holdings stated that they did not access the data at all, 16% accessed the data at least monthly.
It is believed that the situation has been exacerbated by the widespread ownership and use of personal, portable electronic devices such as mobile phones, USB’s, etc.; together with a police culture which allows the use (and potential abuse) of law enforcement data captured and stored by those devices.
1.3 Research Plan
The key components of the research plan were therefore to conduct an initial benchmark study, with annual updates to monitor changes in attitudes and behaviour with respect to law enforcement data security.
14
Method & Sample
Each survey would use the following protocol, as outlined below and approved by the Victoria Police Human Research Ethics Committee (VPHREC):
Source: Methodology Report submitted to VPHREC, with dates updated as necessary
Research Design
The research will be conducted using a repeated measures, cross-sectional design, allowing CLEDS to measure change in population attitudes and behaviours over time. The project will run for three years and include annual data collection waves starting with a benchmark in 2012 and updated in 2013 and 2014. At the conclusion of each wave of data collection, CLEDS will analyse and report on the survey results to Victoria Police and other stakeholders.
Sample
All sworn members of Victoria Police will be invited to participate in the survey. This inclusive and transparent approach that targets the entire population facilitates CLEDS’ goal to use the survey as a tool to stimulate cultural change. This approach does not require a sampling frame.
The research design provides very little ability to control or stimulate responses within key population segments (e.g. gender and rank). While the researchers will be able to monitor responses in key segments while the survey is in the field and issue emails to encourage greater response rates, no targeted approaches to key population segments will be made. Consideration should be given to post weighting the results using the police profile published by Victoria Police. Care will need to be taken to generate similar samples in data collection waves two and three. It is important that successive samples are representative of the same population.
In 2008/09, there were 11,293 sworn Police Officers in Victoria Police (Victoria Police Annual Report 2008/09). A response rate of between 10 and 20% will return between 1,129 and 2,259 completed surveys.
Participation in the research is voluntary, and participation in the first wave of data collection does not require participation in subsequent waves.
15
Method & Sample
Informed Consent
An Informed Consent Statement will be appended to the front of the survey. The Informed Consent Statement outlines the goals of the research, research method, potential harms associated with participation, confidentiality and participant rights. While participants are not required to sign and return the Informed Consent Statement, the completion of the survey indicates the individual’s consent to participate in the research.
Survey Development
In order to not over burden police officers and promote completion of the survey, the Project Team decided to limit the time required to complete the survey to 10 minutes. Shorter surveys are more likely to be completed and elicit more reliable responses. Respondents answering long or complex surveys may ‘flat line’ rating scales rather than completing thoughtfully, or ‘donkey vote’ by clicking the first answer irrespective of their view. Sweeney Research will identify and exclude completed surveys that fit such patterns.
A decision was also made to use a combination of scales and scenarios, and avoid open-ended questions.
Survey Pretesting
In 2011, the survey will be piloted to determine whether the survey is the appropriate length, survey instructions are clear and survey items are relevant. It will be especially important to test the relevance and clarity of the scenarios used in the survey.
The pilot will involve the selection of a small group (n=8) of sworn Victoria Police Officers, securing a cross-section of key population segments (e.g. gender and rank) where possible. Pilot participants will be asked to complete the online survey without assistance. Participants will then be brought together in a focus group to review each survey item. Where appropriate and necessary, survey instructions and items will be modified to improve readability, relevance and clarity.
Survey Administration
The survey will be conducted online. All sworn officers will receive an email requesting their participation in the research. Through this email, participants will be referred to a CLEDS-branded portal, hosted by Sweeney Research.
Hard copies of the survey (including reply paid, addressed envelopes) will be made available to those who do not wish to complete the survey online (or can be printed out by the officer). Completed hard copy surveys will be integrated into the dataset.
16
Method & Sample
Survey Administration (cont.)
The survey will be administered in the following way:
• Sweeney Research will generate an ID LINK database. The database will contain unique identifiers (one per respondent). Survey respondents will require an ID LINK to access the survey site.
• CLEDS will forward the ID LINK database to Victoria Police.
• Victoria Police will merge their employee database with the ID LINK database so that each sworn officer is allocated a unique ID LINK _
• Victoria Police will email the invitation incorporating the ID LINK to each employee.
• When sworn officers access the link they will be directed to the survey which is held on a dedicated Sweeney Research server.
• Respondents do not include their name or any other personal ID when completing the online survey.
At the conclusion of each wave of data collection, Sweeney Research will provide a clean dataset to CLEDS. CLEDS, or a consultant acting for CLEDS, will analyse and report on survey results, as well as significant changes over time (in 2012 and 2013) where trends are available.
Confidentiality
All information gathered during the study will remain confidential. Datasets used for analysis will not contain any identifiable information. Respondents will not provide their name, nor details that may enable the researchers to identify them through other means. Further, analyses will be conducted on an aggregate level and no attempt will be made to analyse changes over time at the individual or participant level.
Communication of Results
At the conclusion of each wave of data collection, CLEDS will analyse and report on the survey results to Victoria Police. Reports will be made available to all members of Victoria Police.
Approvals
Project and questionnaire approvals were obtained from Victoria Police Human Research Ethics Committee (VPHREC).
Police Checks
All project team members, and in the case of SBA and Sweeney Research, employees participating in the project execution, were required to have current Police Checks.
17
Method & Sample
2 Qualitative Pilot StudyThe Pilot Study was conducted in July 2011. A total of seven sworn Members participated including a cross-section of rank and responsibilities.
The Pilot Study consisted of two parts:
• Individual completion of the on-line survey, on provided PC’s
• Group discussion of the study, the questionnaire and any issues concerning participation, completion or question ambiguities.
The draft questionnaire had been programmed for on-line use, so that participants completed the survey individually on-screen under normal on-line survey conditions.
The key actions from the Pilot Study were that:
• Due to the voluntary nature of the survey, significant strategies be in place to promote survey participation
• The questionnaire length be reduced considerably (pilot questionnaire averaged 15–20 minutes to complete, compared to a target of 10 minutes)
• Measures of attitudes and behaviour be based on observations of what “other” members do, rather than individual’s own behaviour, due to privacy concerns (despite confidentiality assurances).
Following extensive revisions the updated questionnaire was submitted to the Research Committee for final approval.
18
Method & Sample
3 On-line Survey of Sworn Members Survey Publicity Plan
In conjunction with the Police Association and the Victoria Police Internal Communications Unit, the Publicity Plan was designed to create awareness of the survey before launch and with subsequent reminders before the survey close.
The publicity schedule was as follows:
Week Commenced
Feb 13th Feb 20th Feb 27th Mar 5th Mar 12th Mar 19th Mar 26th
SurveyMar 12th/13th
Survey Launch
Mar 26th Survey Closes
Police Association In Brief
Copy Deadline March Issue
Police Gazette Mar 12th Issue
Emails to Members
Mar 12th/13th Survey Launch
Emails to Officer in Charge (for Daily Muster)
Mar 12th/13th Survey Launch
Mar 19th Reminder
Mar 26th Last day
Bulletin Board Mar 12th/18th Mar 19th/22th Mar 23th/26th
Corporate News Mar 14th
Survey Timing
Personal emails were sent to all sworn members on March 14th, with a survey close of midnight Monday March 26th.
These dates were chosen in order to avoid:
• Labour Day Long Weekend (March 12th)
• Easter holiday break (commencing April 6th)
19
Method & Sample
Survey Sample
The survey achieved a final sample of 2,589 sworn members. This represents a response rate of 20.6% based on the current headcount of 12,557 (Workforce at a Glance, December 2011).
The sample profile compares to the Workforce Profile as follows:
Workforce Profile (n = 12,557)
%
Total (n = 2,589)
%
S1 Gender
Male 75.2 78
Female 24.8 22
S2 Age
25 or under NA 5
26 to 30 NA 10
31 to 35 NA 12
36 to 40 NA 16
41 to 45 NA 22
46 to 50 NA 17
51 to 55 NA 13
56 or over NA 6
S3 Rank
Constable to Leading Senior Constable 75.4 66
Sergeant to Senior Sergeant 21.6 30
Other 3.0 4
The achieved sample is therefore slightly overweighted in terms of representation of:
• Males
• Sergeant to Senior Sergeant rank.
Based on the level of these statistical skews, it was felt that the data is sufficiently representative not to require any further weighting.
Depending upon the sample profiles of subsequent waves of research, this issue may need to be addressed to harmonise data between waves.
20
Method & Sample
Survey Hosting and Data Processing
Sweeney Research
• Programmed the questionnaire for online use
• Hosted the survey
• Carried out data processing and prepared the tabular output to specifications provided by SBA.
Survey Report
The Summary report of findings has been prepared by Sandra Beanham, Principal Consultant of SBA.
21
Section 2
Detailed Findings
22
23
Detailed Findings
Part 1 Sources of Guidance on the Management of Law Enforcement Data
For the majority of police officers, Common Sense mostly guides decisions about law enforcement information management (52%) followed by reference to Victoria Police Standards (36%).
Graph 1 Sources of Guidance on Information Management
0
10
20
30
40
50
60
CommonSense
CLEDSStandards
Managers Peers Other
52
36
6
24
% m
entio
ns m
ostly
gui
des
There were few mentions of Victoria Police’s own policy in relation to information management held in the VPM (Victoria Policy Manual).
Even when combining both Mostly and Other sources of guidance, Common Sense is still the key driver.
Table 1 Sources of Guidance on Information Management
Mostly Guides (n = 2,589)
%
Other (n = 2,589)
%
Total (n = 2,589)
%
Common Sense 52 34 87
Standards for Victoria Police Law Enforcement Data Security 36 38 74
Information provided by managers 6 38 44
Information provided by peers 2 19 21
Other 4 6 6
Not established – <1 <1
Q1a As a police officer, you routinely handle law enforcement information. Different types of information present different levels of risk if the security of the information is compromised. What mostly guides your decisions regarding how best to use, store and dispose of law enforcement information?
Q1b Please indicate what else guides your decisions regarding how best to use, store and dispose of law enforcement information.
24
Detailed Findings
Interestingly age, rank, years of experience and type of experience impact the relative emphasis on Common Sense. Specifically, the younger and less experienced police officer is more likely to use Common Sense rather than reference to Standards. There was very little difference by gender.
Graph 2 Influence of Age on Use of Common Sense as Main Guide to Information Management
Common Sense Standards Manager Peer
25 or Under 26 – 40 41 – 55
Age in years
56 and Over
58
61
27
8
2
48
42
5
1 1
34
58
17139
0
10
20
30
40
50
60
70
% m
entio
ns
Similar findings are observed when considering Experience variables such as Rank and Service Years.
Graph 3 Influence of Rank on Use of Common Sense as Main Guide to Information Management
Common Sense Standards Manager Peer
Constable/Senior Constable/ Leading Constable
Sergeant/Senior Sergeant Other
57
31
7 5
32 1
44
55
45
32
0
10
20
30
40
50
60
0
% m
entio
ns
25
Detailed Findings
Table 2 Main Sources of Guidance on Information Management – by Years of Service and Work Area
Years of Service Work Area
Less than 5 (n = 472)
%
5 – 20 years (n = 1006)
%
21 years or more
(n = 1111) %
Specialist e.g. Crime,
Intelligence, etc
(n = 494) %
Other (n = 2095)
%
Common Sense 58 57 45 42 53
Standards for Victoria Police Law Enforcement Data Security 24 32 45 46 35
Information provided by managers 11 7 4 8 6
Information provided by peers 6 1 1 2 2
Other 2 1 4 2 4
TOTAL 100 100 100 100 100
Q1a As a police officer, you routinely handle law enforcement information. Different types of information present different levels of risk if the security of the information is compromised. What mostly guides your decisions regarding how best to use, store and dispose of law enforcement information?
Q1b Please indicate what else guides your decisions regarding how best to use, store and dispose of law enforcement information.
DISCUSSION
The nature of the survey does not identify whether the emphasis on Standards with increased experience as a police officer is due to:
• Actual use of these Standards
OR
• A response to the survey on what ‘should’ be the correct source of guidance.
Follow up investigation may be undertaken with stakeholders to validate this finding.
26
Detailed Findings
Part 2 Incidence and Frequency of Typical Breaches of Law Enforcement Data Security
The most frequently reported breaches (once per week or more often) are:
• Data left unattended on desks (30%)
• Data left unattended on computer screens (21%).
The least likely breaches to occur are breaches of physical security such as leaving doors to secure areas unlocked, or leaving cabinets unlocked.
Table 3 Incidence and Frequency of Typical Breaches of Information Security
A
Leave law enforcement
data unattended on desks
B Leave law
enforcement data
unattended on computer
screens
C
Not remove law
enforcement data from
whiteboards
D
Fail to lock cabinets
containing classified
information
E
Fail to lock doors to
secure areas
Very often (at least once a week) 30 21 14 14 8
Often (about once every 2 – 4 weeks) 18 14 11 8 6
Occasionally (about once every 2 – 6 months)
18 17 16 10 11
Rarely (about once every 7 – 12 months) 12 15 16 13 14
SUB TOTAL Observed in last 12 months
77* 67* 57 44* 46*
Very rarely (less than once every 12 months) 15 20 20 22 28
Have never seen this occur 8 13 23 34 32
Mean times per year 19.67 14.06 10.16 9.27 6.28
* Rounding
Q2a In your opinion, how often do Sworn Police Officers in your work unit… (A, B, C, D, E – above)?
It is however significant that all breaches listed in the survey were reported as occurring at some stage – but with lower incidence and frequency for the least likely breaches.
27
Detailed Findings
Graph 4 Average Frequency of Typical Breaches of Information Security
0
5
10
15
20
14.06
10.169.27
6.28
19.67
Ave
rage
Frq
uenc
y (m
ean
times
per
yea
r)
Data UnattendedOn Desks
Rarely/Never 23% 33% 43% 56% 60%
Data UnattendedOn Computer
Screens
Data Left OnWhite Boards
Leave CabinetsUnlocked
Leave DoorsUnlocked
There are substantial differences reported depending upon Work Area. Specialist areas such as Intelligence report both lower incidence and frequency of breaches. Crime, Other (representing all other non-specialist Work Areas) and to a lesser extent Ethical Standards, have similar higher breach levels (see below).
28
Detailed Findings
Table 4 Incidence and Average Frequency of Information Security Breaches by Work Area
Data on desks
Data on screens
Data on Whiteboards
Unlocked cabinets
Unlocked doors
Crime
Incidence* 85% 68% 63% 43% 39%
Average Frequency^ 19.51 14.51 12.65 9.04 5.95
Intelligence
Incidence* 35% 32% 25% 20% 16%
Average Frequency^ 4.65 5.33 5.16 2.98 1.99
Ethical Standards
Incidence* 62% 62% 40% 39% 14%
Average Frequency^ 10.66 6.06 5.16 6.92 1.86
Forensic
Incidence* 49% 44% 26% 17% 14%
Average Frequency^ 10.45 9.2 6.74 4.6 0.91
State Emergency
Incidence* 51% 37% 25% 23% 21%
Average Frequency^ 11.37 10.42 3.83 2.0 2.4
Other
Incidence* 79% 69% 59% 46% 43%
Average Frequency^ 20.84 14.65 10.39 9.84 6.77
* At least once per year ^ Mean times per year
Discussion
Reported incidence and frequency of typical breaches of law enforcement data security suggest a general lack of awareness and/or commitment to rigorous security procedures.
Crime and Other (the largest segment of police officers) represent the Work Areas with the highest incidence and frequency and therefore the Work Areas which represent priority targets for improvement. Specific strategies might include a mandatory ‘clean desk’/‘clean screen’/‘clean whiteboard’ policy, in line with defined Standards.
Such a policy would need to be accompanied by appropriate office systems in order for officers to realistically achieve such an objective.
29
Detailed Findings
Part 3 Use of Personal Technology
3.1 Technology Use
Mobile Phones (regular or ‘smart’ phones) and computers (either laptops or desktops) are now standard technology in the armoury of a police force.
Graph 5 Technology Used Regularly, 1+ times a week
90
4946
0
20
40
60
80
100
% u
sing
tech
nolo
gy
Mobile Phone(any)
Smart Phone(any)
Memory Stick/USB
Computer(any)
Digital Camera
97
71
30
Detailed Findings
3.2 Personally Owned versus Victoria Police Provided Equipment
In an average week, three (3) in four (4) sworn members (76%) will use at least one personally owned device while carrying out their duties as a police officer. The most frequently mentioned items are mobile phones (no internet access) – 50% and ‘smart’ mobile phones – 45%.
Table 5 Technology Used – Personal versus Victoria Police Provided
Use Regularly, 1+ times a week
(n = 2,589) %
Do not use Regularly (n = 2,589)
%
Don’t Know (n = 2,589)
%
A Victoria Police provided mobile phone (no internet access) 58 39 2
My own mobile phone (no internet access) 50 46 4
A Victoria Police provided ‘smart’ mobile phone (with internet access, e.g. iPhone, Blackberry) 5 80 15
My own ‘smart’ mobile phone (with internet access, e.g. iPhone, Blackberry) 45 47 8
A Victoria Police provided portable data storage device/flash drive/memory stick/USB 22 69 9
My own portable data storage device/flash drive/memory stick/USB 30 64 6
A Victoria Police provided laptop computer 22 69 8
My own laptop computer 11 78 11
A Victoria Police provided desk top computer 92 7 1
My own desk top computer 11 78 10
A Victoria Police provided digital camera 61 36 3
My own digital camera 26 65 8
Net: Use any Victoria Police provided equipment 99 – –
Net: Use any personal equipment 76 – –
Q4a Technology plays an increasing role in policing. Which of these devices do you use regularly (at least once per week or more often) in your role as a Police Officer?
Not surprisingly younger members of the force (under 40 years) both males and females tended to have higher propensity to use their own technology than other members.
31
Detailed Findings
Graph 6 Incidence of Personal Technology Usage by Age/Gender
0
20
40
60
80
100
% u
sing
per
sona
lly o
wne
d te
chno
logy
in ro
le a
s po
lice
offic
er
25 or Under 26–40 41–55 56 and Over
87
80
87
65 63
88
71
50
Males Females
Age in years
Lower ranked members also tended to have a higher propensity to use their own technology – and this is correlated with the younger age skew.
Graph 7 Incidence of Personal Technology Usage by Rank
Constable/Senior Constable/Leading Constable
Sergeant/Senior Sergeant
Other
81
71
46
0
20
40
60
80
100
% u
sing
per
sona
lly o
wne
d te
chno
logy
in ro
le a
s po
lice
offic
er
32
Detailed Findings
3.3 Main Reasons for Using Personal Technology
3.3.1 Overview
Irrespective the type of device the main reason for using a personally owned device was that Victoria Police equipment was either unavailable, not provided or not enough provided. (full details in Appendix)
Table 6 Main Reason Used Personally Owned Technology
Main Reason Used
Device
Mobile Phone
(n = 1297) %
Smart Phone
(n = 1170) %
USB (n = 767)
%
Laptop Computer (n = 283)
%
Desktop Computer (n = 295)
%
Digital Camera (n = 684)
%
Unavailable, not provided, not enough provided 60 56 76 46 34 55
Familiar with own device 17 18 12 13 9 19
Victoria Police equipment outdated/not working/unreliable
14 17 7 19 15 17
Personal Use (while on duty) 3 1 <1 3 13 2
Complete work at home/out of hours 2 <1 – 6 20 <1
Not a ‘smart’ device/ lacks features 1 6 – 1 – –
Convenience 1 1 1 1 3 1
Not sure <1 <1 1 1 – 1
Other 1 1 3 5 3 3
33
Detailed Findings
3.3.2 Mobile Phone
Apart from lack of availability, Victoria Police provided mobile phones were rejected for being outdated and/or unreliable or not working. As with ‘smart phones’ there was also a preference to working with a familiar device.
Graph 8 Main Reason for Using Personal Technology – Mobile Phone
Unavailable/Not Provided/Not Enough Provided
Familiar With Own Device
Personal Use
Convenience
Not Secure
Other
None
Outdated/Not Working/Unreliable
Complete Work At Home/Out Of Hours
Not A Smart Device/Lacks Features
60
17
14
3
2
1
1
<1
1
0
3
4
1
1
1
1
22
29
46
3
73%
36%
32%
3%
3%
4%
1%
1%
5%
NetMain Reason (n=1297) Other Reason (n=1297)
% mentioned
0 10 20 30 40 50 60
Q4b. Please indicate why you use a personally owned (DEVICE).
34
Detailed Findings
3.3.3 Smart Phone
After availability, the next most important reason for using a personal ‘smart’ mobile phone, was being familiar with the features of their own device.
Graph 9 Main Reason for Using Personal Technology – Smart Phone
Unavailable/Not Provided/Not Enough Provided
Familiar With Own Device
Personal Use
Convenience
Not Secure
% mentioned
Other
None
Outdated/Not Working/Unreliable
Complete Work At Home/Out Of Hours
Not A Smart Device/Lacks Features
0 10 20 30 40 50 60
56
18
17
6
2
1
1
<1
<1
<1
1
1
6
4
1
1
4
17
29
50
Main Reason (n=1170) Other Reason (n=1170)
73%
37%
29%
9%
2%
2%
1%
<1%
6%
Net
Q4b. Please indicate why you use a personally owned (DEVICE).
35
Detailed Findings
3.3.4 USB
Despite the fact that nearly one (1) in two (2) police officers regularly use a USB/Memory Stick at least once a week (46%), nearly two thirds use a personally owned USB. The main reason – mentioned by a net 84% of those using a personally owned USB – is unavailability of a Victoria Police device. This is the highest number of mentions for any device.
Graph 10 Main Reason for Using Personal Technology – USB
Unavailable/Not Provided/Not Enough Provided
Familiar With Own Device
Personal Use
Convenience
Not Secure
Other
None
Outdated/Not Working/Unreliable
76
12
1
1
1
1
7
<1
3
0
8
5
3
9
25
54
Main Reason (n=767) Other Reason (n=767)Net
0 10 20 30 40 50 60 70 80
% mentioned
84%
30%
14%
2%
4%
1%
10%
Q4b. Please indicate why you use a personally owned (DEVICE).
36
Detailed Findings
3.3.5 Laptop Computer
Reasons for using personally owned laptop computers are similar to other devices – unavailability (60%), familiarity with own laptop (33%), outdated/unreliable Victoria Police equipment (30%). There was also some mention of out-of-hours work requirement (8%).
Graph 11 Main Reason for Using Personal Technology – Laptop Computer
% mentioned
None
46
13
19
6
2
1
1
1
3
<1
5
1
11
3
1
2
3
18
25
40
Main Reason (n=283) Other Reason (n=283)
0 10 20 30 40 50
Unavailable/Not Provided/Not Enough Provided
Familiar With Own Device
Convenience
Not Secure
Personal Use
Other
Outdated/Not Working/Unreliable
Not A Smart Device/Lacks Features
Complete Work At Home/Out Of Hours
60%
33%
30%
8%
3%
2%
4%
1%
14%
Net
Q4b. Please indicate why you use a personally owned (DEVICE).
37
Detailed Findings
3.3.6 Desktop Computer
Unlike laptop computers, there was significantly higher mention of completing work out of hours – mentioned by 24% of those using their own desktop computer.
Graph 12 Main Reason for Using Personal Technology – Desktop Computer
% mentioned
34
20
15
17
9
13
0
3
2
3
1
4
15
0
5
20
7
29
Main Reason (n=295) Other Reason (n=295)
0 5 10 15 20 25 30 35
None
Unavailable/Not Provided/Not Enough Provided
Personal Use
Familiar With Own Device
Not Secure
Convenience
Other
Complete Work At Home/Out Of Hours
Outdated/Not Working/Unreliable
47%
24%
28%
15%
22%
3%
2%
6%
Net
Q4b. Please indicate why you use a personally owned (DEVICE).
38
Detailed Findings
3.3.7 Digital Camera
Apart from availability, preference for using one’s own digital camera was strongly driven by being familiar with the device. This was mentioned by 46% of personal digital camera users – and was the highest mention than for any other device.
Graph 13 Main Reason for Using Personal Technology – Digital Camera
Unavailable/Not Provided/Not Enough Provided
Familiar With Own Device
Personal Use
Convenience
Not Secure
Other
None
Outdated/Not Working/Unreliable
Complete Work At Home/Out Of Hours
Not A Smart Device/Lacks Features
55
19
17
2
1
1
<1
0
3
0
3
4
<1
2
0
0
22
37
38
0
Main Reason (n=684) Other Reason (n=684)
% mentioned
0 10 20 30 40 50 60
68%
46%
34%
2%
1%
2%
<1%
<1%
6%
Net
Q4b. Please indicate why you use a personally owned (DEVICE).
39
Detailed Findings
Discussion
As hypothesised, the use of personally owned technology is widespread among the police force – particularly among those under 40. Three (3) in Four (4) police officers regularly use at least one personally owned electronic device at least once per week.
The main reasons for using personally owned equipment point to systemic problems with Victoria Police provided items. Specifically:
• The devices are either unreliable/not provided/not enough provided
AND/OR
• Devices outdated/not working/unreliable.
These findings indicate that any policy which makes the use of Victoria Police equipment the only approved equipment for use by police officers, is unlikely to be successful without major improvements in the quantity and quality of provided devices.
The other major issue is that many officers are more comfortable with the familiarity of the features on their personally owned device – whether it is a smart phone, a laptop computer or a digital camera. In a workplace where efficiency and a reliable/predictable outcome is a priority, it is understandable that a familiar device would be preferred.
However, in order for there to be an acceptable level of information security, a common digital platform across each type of device with appropriate security and encryption protocols becomes an important consideration.
If the use of Victoria Police equipment were to become mandatory, this would require intensive training with the launch of any new equipment and regular ‘refresher’ programs to ensure that skills are retained and reinforced.
40
Detailed Findings
Part 4 Beliefs and Attitudes with Respect to Law Enforcement Data Security
4.1 Introduction
Scenarios were used in the questionnaire as a projective technique. This allowed respondents to provide their views and perceptions of various actions involving law enforcement data without having to identify any of their own actions.
The specific scenarios were chosen to evaluate the following:
• Using personally owned equipment to capture law enforcement data
• Using personally owned equipment to store law enforcement data
• Operating out of unsecured offices
• Leaving doors to an unsecured area unlocked, as an example of a secure area left unprotected
• Unintentionally disclosing sensitive information
• Using personal equipment for police work off-site
• Electronically transferring police files to/from unprotected sites
• Losing/misplacing law enforcement data
• Disclosing unauthorised information
• Recording an interview on a personal mobile phone
• Keeping a copy of an interview for personal records.
In each case, respondents were asked to assess:
• Likelihood of the event happening
• The potential seriousness of the action(s) on information security
• Frequency of the event occurring.
The analysis looks at the scenarios in a consolidated matrix in order to determine general perceptions of law enforcement data issues, as well as a specific analysis of each scenario.
41
Detailed Findings
4.2 Risk Analysis
4.2.1 Likelihood of Typical Breaches and Perceived Seriousness
There would appear to be a general acceptance that there are at least regular (and acceptable) occurrences of information security breaches and in most cases the perceived seriousness is low. These include:
• Personal holdings of data
• Using personal devices.
(Refer Graph 14 on next page for risk analysis)
Table 7 Likelihood of Typical Breaches and Perceived Seriousness
Likelihood of occurring*
Perceived Seriousness^
Take photos of a crime scene with a personal smart phone 1.77 1.42
Store crime scene photos on a personal smart phone 1.94 1.64
Task force located on unsecured floor 1.86 1.67
Leaving a door unlocked to a secure area 1.76 1.73
Giving information over the phone in a public area 2.09 1.43
Working at home on a personal computer 2.08 1.33
Email information from work email address to home address 2.14 1.44
Law enforcement information held on (personal) memory stick 2.47 0.98
Losing a memory stick holding law enforcement data 1.95 1.29
Releasing unauthorised information 2.04 1.40
Recording interviews on a personal mobile phone 1.77 0.98
Keeping a personal record of law enforcement data to corroborate any future investigation 2.42 0.95
* Likelihood is a weighted mean based on a 4 point scale where 4 = Very High Likelihood, through to 1 = Very Low Likelihood.
^ Perceived Seriousness based on a weighted mean where 2 = Very Serious, 1 = Serious, 0 = Not Serious.
42
Detailed Findings
Graph 14 Likelihood of Typical Breaches and Perceived Seriousness
VerySerious – 2
NotSerious – 0
Serious – 1
1Very Low
Take photos on (personal) smart phonesCrime data on personal phoneSecure area not providedSecure area unprotectedUnintentional disclosureWork at home on own PC
Transferring electronic filesHolding data on personal deviceLosing dataRelease unauthorised dataCapturing data on personal devicePersonal holdings of data
2Low
3High
4Very High
General acceptance of regular occurance and low seriousness of holding data on personal devices and keeping personal records of data
Info
rmat
ion
man
agem
ent s
ecur
ity–
perc
eive
d se
rious
ness
Likelihood of typical breaches
These are seen as the most serious security risks
43
Detailed Findings
4.2.2 Perceived Seriousness and Observed Frequency
In an ideal world, all potential breaches of data security would be rated 2 (on a seriousness scale of 0 – 2 where 2 in Very Serious) and observed frequency would be close to 0.
In analysing these two criteria, police officers have effectively generated three segments of breaches:
• Segment 1: High Seriousness, High Frequency Such as leaving secure areas unprotected.
• Segment 2: Low Seriousness, High Frequency Such as personal holdings of law enforcement data.
• Segment 3: Serious, Low Frequency Includes a range of data management and disclosure issues.
Segments 1 and 2 (High Frequency) represent targets for cultural change.
Table 8 Perceived Seriousness and Observed Frequency
Perceived Seriousness
to information management
security*
Average observed frequency
in past year
Storing law enforcement data on personally owned electronic devices 1.64 3.21
A secure area being left unprotected 1.73 8.04
Unintentionally disclosing sensitive law enforcement information in the presence of external parties 1.43 3.26
Transferring electronic files to/from potentially unprotected environments 1.44 4.54
Losing/misplacing law enforcement data 1.29 2.56
Disclosing, inadvertently, unauthorised information 1.40 1.50
Keeping a personal record of law enforcement data to corroborate any future investigation 0.95 7.38
* Perceived Seriousness based on a weighted mean where 2 = Very Serious, 1 = Serious, 0 = Not Serious
44
Detailed Findings
Graph 15 Perceived Seriousness and Observed Frequency
VerySerious – 2
NotSerious – 0
Serious – 1
10
Crime data on personal phoneSecure area unprotectedUnintentional disclosureTransferring electronic filesLosing dataRelease unauthorised dataPersonal holdings of data
2 3 4 5 6 7 8 9
Info
rmat
ion
man
agem
ent s
ecur
ity–
perc
eive
d se
rious
ness
Average observed frequency in past year (times)
SeriousLow Frequency
Low SeriousnessHigh Frequency
High SeriousnessHigh Frequency
45
Detailed Findings
4.3 Scenario 1: Holding Law Enforcement Data on Personally Owned Devices – Sergeant K’s Murder Scene PhotosPart 1 Take Photos of a Crime Scene with a Personal Smart Phone
Table 9a Scenario 1: Part 1 – Likelihood of Occurrence
Likelihood – Q5aTotal
(n = 2,589) %
Very High (4) 6
High (3) 17
Low (2) 19
Very Low (1) 50
Don’t Know 8
Mean 1.77
Table 9b Scenario 1: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q5b
Total (n = 2,589)
%
Very Serious (2) 51
Serious (1) 36
Not Serious (0) 10
Don’t Know 3
Mean 1.42
Part 2 Storing Crime Scene Photos on Personal Smart Phone
Table 9c Scenario 1: Part 2 – Likelihood of Occurrence
Likelihood – Q5cTotal
(n = 2,589) %
Very High (4) 7
High (3) 21
Low (2) 19
Very Low (1) 40
Don’t Know 13
Mean 1.94
Table 9d Scenario 1: Part 2 – Seriousness of Occurrence
Seriousness of Action – Q5d
Total (n = 2,589)
%
Very Serious (2) 66
Serious (1) 29
Not Serious (0) 3
Don’t Know 2
Mean 1.38
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
46
Detailed Findings
Part 3 Observed Frequency (Q6)
Table 9e Scenario 1: Part 3 – Observed Frequency
Observed – Q6Total
(n = 2,589)%
Not at all 43
Once 4
Two or Three Times 21
Four or Five Times 9
Six to Ten Times 5
Over Ten Times 19
Mean 3.21
Q6 Thinking now about secure data storage, how many times in the last year have you heard about other police officers in your unit or division storing law enforcement data on personally-owned electronic devices? (One response only)
47
Detailed Findings
4.4 Scenario 2: Temporarily Located in Office on Unsecured Floor. Taskforce Linebacker Leaves The Door Unlocked.
Part 1 Task Force on Unsecured Floor
Table 10a Scenario 2: Part 1 – Likelihood of Occurrence
Likelihood – Q7aTotal
(n = 2,589) %
Very High (4) 6
High (3) 12
Low (2) 19
Very Low (1) 34
Don’t Know 29
Mean 1.86
Table 10b Scenario 2: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q7b
Total (n = 2,589)
%
Very Serious (2) 66
Serious (1) 25
Not Serious (0) 3
Don’t Know 6
Mean 1.67
Part 2 Leaving a Door Unlocked to a Secure Area
Table 10c Scenario 2: Part 2 – Likelihood of Occurrence
Likelihood – Q7cTotal
(n = 2,589) %
Very High (4) 5
High (3) 12
Low (2) 21
Very Low (1) 40
Don’t Know 22
Mean 1.76
Table 10d Scenario 2: Part 2 – Seriousness of Occurrence
Seriousness of Action – Q7d
Total (n = 2,589)
%
Very Serious (2) 72
Serious (1) 22
Not Serious (0) 2
Don’t Know 4
Mean 1.73
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
48
Detailed Findings
Part 3 Observed Frequency (Q8)
Table 10e Scenario 2: Part 3 – Observed Frequency
Observed – Q8Total
(n = 2,589) %
Never 24
Less Often (than once a year) 35
Once every twelve months 7
Once every six months 6
Once every three months 6
About once a month 9
At least once a week 12
Mean 8.04
Q8 Thinking now about security procedures for secure areas, how often do you notice that a secure area has been left unprotected? (One response only)
49
Detailed Findings
4.5 Scenario 3: Inspector M Gives an Informant's Address Over the Phone in a Public Area While Investigating an Outlaw Motorcycle Gang.Part 1 Giving Information Over the Phone in a Public Area
Table 11a Scenario 3: Part 1 – Likelihood of Occurrence
Likelihood – Q9aTotal
(n = 2,589) %
Very High (4) 7
High (3) 20
Low (2) 22
Very Low (1) 28
Don’t Know 22
Mean 2.09
Table 11b Scenario 3: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q9b
Total (n = 2,589)
%
Very Serious (2) 53
Serious (1) 28
Not Serious (0) 12
Don’t Know 6
Mean 1.43
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
Part 3* Observed Frequency (Q10)
*No Part 2 in this scenario
Observed – Q10Total
(n = 2,589) %
Never 31
Less Often (than once a year) 40
Once every twelve months 7
Once every six months 6
Once every three months 6
About once a month 6
At least once a week 4
Mean 3.26
Q10 Thinking now about the unintentional disclosure of sensitive information, how often do you hear that other police officers in your unit or division have unintentionally disclosed sensitive law enforcement information in the presence of parties external to Victoria Police? (One response only)
50
Detailed Findings
4.6 Scenario 4: Transferring Electronic Files to/from Potentially Unprotected Environments. Constable P Works on Her Personally Owned Computer at Home.
Part 1 Working at Home on a Personal Computer
Table 12a Scenario 4: Part 1 – Likelihood of Occurrence
Likelihood – Q11aTotal
(n = 2,589) %
Very High (4) 7
High (3) 21
Low (2) 26
Very Low (1) 29
Don’t Know 16
Mean 2.08
Table 12b Scenario 4: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q11b
Total (n = 2,589)
%
Very Serious (2) 42
Serious (1) 42
Not Serious (0) 11
Don’t Know 5
Mean 1.33
Part 2 Emailing Information from Work Address to Home Address
Table 12c Scenario 4: Part 2 – Likelihood of Occurrence
Likelihood – Q11cTotal
(n = 2,589) %
Very High (4) 9
High (3) 23
Low (2) 26
Very Low (1) 28
Don’t Know 14
Mean 2.14
Table 12d Scenario 4: Part 2 – Seriousness of Occurrence
Seriousness of Action – Q11d
Total (n = 2,589)
%
Very Serious (2) 51
Serious (1) 38
Not Serious (0) 7
Don’t Know 3
Mean 1.44
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
51
Detailed Findings
Part 3 Observed Frequency (Q12)
Table 12e Scenario 4: Part 3 – Observed Frequency
Observed – Q12Total
(n = 2,589) %
Never 35
Less Often (than once a year) 33
Once every twelve months 5
Once every six months 6
Once every three months 6
About once a month 9
At least once a week 6
Mean 4.54
Q12 How frequently do you hear about other police officers in your unit or division transferring electronic files to or from potentially unprotected environments? (One response only)
52
Detailed Findings
4.7 Scenario 5: Losing/Misplacing Law Enforcement Data. Supt R’s Memory Stick Goes Missing.
Part 1 Memory Stick Holds Law Enforcement Information
Table 13a Scenario 5: Part 1 – Likelihood of Occurrence
Likelihood – Q13aTotal
(n = 2,589) %
Very High (4) 9
High (3) 24
Low (2) 14
Very Low (1) 13
Don’t Know 40
Mean 2.47
Table 13b Scenario 5: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q13b
Total (n = 2,589)
%
Very Serious (2) 25
Serious (1) 39
Not Serious (0) 27
Don’t Know 9
Mean 0.98
Part 2 Losing a Memory Stick Holding Law Enforcement Data
Table 13c Scenario 5: Part 2 – Likelihood of Occurrence
Likelihood – Q13cTotal
(n = 2,589) %
Very High (4) 4
High (3) 15
Low (2) 28
Very Low (1) 26
Don’t Know 27
Mean 1.95
Table 13d Scenario 5: Part 2 – Seriousness of Occurrence
Seriousness of Action – Q13d
Total (n = 2,589)
%
Very Serious (2) 41
Serious (1) 42
Not Serious (0) 13
Don’t Know 4
Mean 1.29
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
53
Detailed Findings
Part 3 Observed Frequency (Q14)
Table 13e Scenario 5: Part 3 – Observed Frequency
Observed – Q14Total
(n = 2,589) %
Never 30
Less Often (than once a year) 40
Once every twelve months 9
Once every six months 8
Once every three months 6
About once a month 6
At least once a week 2
Mean 2.56
Q14 Thinking now about misplacing data, how frequently do you hear that other police officers in your unit or division have lost or temporarily misplaced law enforcement data? (One response only)
54
Detailed Findings
4.8 Scenario 6: Disclosing Unauthorised Information. Constable T Talks to the Media.
Part 1 Releasing Unauthorised Information
Table 14a Scenario 6: Part 1 – Likelihood of Occurrence
Likelihood – Q15aTotal
(n = 2,589) %
Very High (4) 3
High (3) 23
Low (2) 37
Very Low (1) 25
Don’t Know 12
Mean 2.04
Table 14b Scenario 6: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q15b
Total (n = 2,589)
%
Very Serious (2) 43
Serious (1) 50
Not Serious (0) 3
Don’t Know 3
Mean 1.40
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
Part 3* Observed Frequency (Q16)
*No Part 2 in this scenario
Table 14c Scenario 6: Part 3 – Observed Frequency
Observed – Q16Total
(n = 2,589) %
Never 32
Less Often (than once a year) 41
Once every twelve months 10
Once every six months 8
Once every three months 5
About once a month 3
At least once a week 1
Mean 1.5
Q16 Thinking now about disclosing unauthorised information, how frequently have you heard that other police officers in your unit or division have inadvertently released law enforcement data in the past? (One response only)
55
Detailed Findings
4.9 Scenario 7: Holding Law Enforcement Data for Personal Records. Constable F is Involved in a Police Pursuit.
Part 1 Recording Interviews with an Offender on a Mobile Phone
Table 15a Scenario 7: Part 1 – Likelihood of Occurrence
Likelihood – Q17aTotal
(n = 2,589) %
Very High (4) 4
High (3) 16
Low (2) 22
Very Low (1) 44
Don’t Know 14
Mean 1.77
Table 15b Scenario 7: Part 1 – Seriousness of Occurrence
Seriousness of Action – Q17b
Total (n = 2,589)
%
Very Serious (2) 25
Serious (1) 42
Not Serious (0) 28
Don’t Know 6
Mean 0.98
Part 2 Keeping a Personal Record of Law Enforcement Data to Corroborate Any Future Investigation
Table 15c Scenario 7: Part 2 – Likelihood of Occurrence
Likelihood – Q17cTotal
(n = 2,589) %
Very High (4) 11
High (3) 34
Low (2) 19
Very Low (1) 21
Don’t Know 15
Mean 2.42
Table 15d Scenario 7: Part 2 – Seriousness of Occurrence
Seriousness of Action – Q17d
Total (n = 2,589)
%
Very Serious (2) 24
Serious (1) 40
Not Serious (0) 29
Don’t Know 7
Mean 0.95
Q What is the likelihood of the scenario occurring within Victoria Police?
Q And how would you rate the seriousness of these actions to information management security?
56
Detailed Findings
Part 3 Observed Frequency (Q18)
Table 15c Scenario 7: Part 3 – Observed Frequency
Observed – Q18Total
(n = 2,589) %
Never 28
Less Often (than once a year) 30
Once every twelve months 7
Once every six months 7
Once every three months 7
About once a month 10
At least once a week 11
Mean 7.38
Q18 Thinking now about holding law enforcement data for personal interest, how frequently have you heard that other police officers in your unit or division have held information to corroborate their accounts of policing interactions? (One response only)
57
Detailed Findings
Part 5 Awareness and Role of CLEDS
5.1 Current Status
Only 1 in 10 police officers feel confident that they know a lot about CLEDS and its functions/role. Of concern, are the 44% of police officers who have either not heard of CLEDS or don’t know what CLEDS does. (see below)
Table 16 Claimed Awareness of CLEDS and Its Role
TOTAL (n = 2,589)
%
I have never seen or heard of CLEDS before today 22
I’ve seen or heard the name before but don’t really know what they do 22
I know broadly about CLEDS and that they are trying to improve the standard of law enforcement data security at Victoria Police 47
I know a lot about CLEDS and specific standards or protocols for the security and integrity of law enforcement data 10
TOTAL AWARE 78
TOTAL AWARE & KNOW WHAT THEY DO 57
TOTAL 100
Q19 This survey is being conducted on behalf of the Commissioner for Law Enforcement Data Security – CLEDS, for short. Which of these statements best describes your familiarity with CLEDS? (One response only)
The following demographic and other segments over index in their claimed knowledge of CLEDS:
Table 17 Know a Lot About CLEDS
Know a lot about CLEDS %
Police officers over 40 14
Male officers over 40 15
Higher ranked officers – Sergeant – Above Sergeant
19 39
In specialist work areas (excluding Crime and Other) 31
Those who have had Information Security Training 12
58
Detailed Findings
5.2 Incidence of Information Security Training
Approximately three (3) in four (4) respondents claimed to have received Information Security training. This was similar across all demographics – though there was some evidence of higher rates among:
• Those with less than five (5) years service (83%)
• Those of higher ranks (85%)
• Those aware and knowledgeable about CLEDS (89%).
Table 18 Incidence of Ever Receiving Information Security Training
Total (n = 2,589)
%
Male (n = 2,019)
%
Female (n = 570)
%
Yes 77 77 77
No 15 16 13
Don’t Know 8 7 10
Total 100 100 100
Q3 In your role as a police officer, have you ever received training on information security?
59
Appendices
1. List of Tables2. List of Graphs3. On-line Questionnaire4. Additional Tables for Q.4
60
Appendices
61
Appendices
Appendix 1 List of TablesTable 1 Sources of Guidance on Information Management 23
Table 2 Main Sources of Guidance on Information Management – by Years of Service and Work Area 25
Table 3 Incidence and Frequency of Typical Breaches of Information Security 26
Table 4 Incidence and Average Frequency of Information Security Breaches by Work Area 28
Table 5 Technology Used – Personal versus Victoria Police Provided 30
Table 6 Main Reason Used Personally Owned Technology 32
Table 7 Likelihood of Typical Breaches and Perceived Seriousness 41
Table 8 Perceived Seriousness and Observed Frequency 43
Table 9a Scenario 1: Part 1 – Likelihood of Occurrence 45
Table 9b Scenario 1: Part 1 – Seriousness of Occurrence 45
Table 9c Scenario 1: Part 2 – Likelihood of Occurrence 45
Table 9d Scenario 1: Part 2 – Seriousness of Occurrence 45
Table 9e Scenario 1: Part 3 – Observed Frequency 46
Table 10a Scenario 2: Part 1 – Likelihood of Occurrence 47
Table 10b Scenario 2: Part 1 – Seriousness of Occurrence 47
Table 10c Scenario 2: Part 2 – Likelihood of Occurrence 47
Table 10d Scenario 2: Part 2 – Seriousness of Occurrence 47
Table 10e Scenario 2: Part 3 – Observed Frequency 48
Table 12a Scenario 4: Part 1 – Likelihood of Occurrence 50
Table 12b Scenario 4: Part 1 – Seriousness of Occurrence 50
Table 12c Scenario 4: Part 2 – Likelihood of Occurrence 50
Table 12d Scenario 4: Part 2 – Seriousness of Occurrence 50
Table 12e Scenario 4: Part 3 – Observed Frequency 51
Table 13a Scenario 5: Part 1 – Likelihood of Occurrence 52
Table 13b Scenario 5: Part 1 – Seriousness of Occurrence 52
Table 13c Scenario 5: Part 2 – Likelihood of Occurrence 52
Table 13d Scenario 5: Part 2 – Seriousness of Occurrence 52
Table 13e Scenario 5: Part 3 – Observed Frequency 53
Table 14a Scenario 6: Part 1 – Likelihood of Occurrence 54
Table 14b Scenario 6: Part 1 – Seriousness of Occurrence 54
Table 14c Scenario 6: Part 3 – Observed Frequency 54
62
Appendices
Table 15a Scenario 7: Part 1 – Likelihood of Occurrence 55
Table 15b Scenario 7: Part 1 – Seriousness of Occurrence 55
Table 15c Scenario 7: Part 2 – Likelihood of Occurrence 55
Table 15d Scenario 7: Part 2 – Seriousness of Occurrence 55
Table 15c Scenario 7: Part 3 – Observed Frequency 56
Table 16 Claimed Awareness of CLEDS and Its Role 57
Table 17 Know a Lot About CLEDS 57
Table 18 Incidence of Ever Receiving Information Security Training 58
63
Appendices
Appendix 2 List of GraphsGraph 1 Sources of Guidance on Information Management 23
Graph 2 Influence of Age on Use of Common Sense as Main Guide to Information Management 24
Graph 3 Influence of Rank on Use of Common Sense as Main Guide to Information Management 24
Graph 4 Average Frequency of Typical Breaches of Information Security 27
Graph 5 Technology Used Regularly, 1+ times a week 29
Graph 6 Incidence of Personal Technology Usage by Age/Gender 31
Graph 7 Incidence of Personal Technology Usage by Rank 31
Graph 8 Main Reason for Using Personal Technology – Mobile Phone 33
Graph 9 Main Reason for Using Personal Technology – Smart Phone 34
Graph 10 Main Reason for Using Personal Technology – USB 35
Graph 11 Main Reason for Using Personal Technology – Laptop Computer 36
Graph 12 Main Reason for Using Personal Technology – Desktop Computer 37
Graph 13 Main Reason for Using Personal Technology – Digital Camera 38
Graph 14 Likelihood of Typical Breaches and Perceived Seriousness 42
Graph 15 Perceived Seriousness and Observed Frequency 44
64
Appendices
Appendix 3 Online Questionaire
65
Appendices
66
Appendices
67
Appendices
68
Appendices
69
Appendices
70
Appendices
71
Appendices
72
Appendices
73
Appendices
Appendix 4 Additional Tables for Q4 – Detailed Reasons for Using Own Device
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Mobile Phone 1297 1297 1297
1. Nett Unavailable/Not Provided/Not Enough Provided 60 46 73
I was unable to access the Victoria Police issued DEVICE when I needed to 51 15 66
Not provided by Victoria Police 6 2 8
Device not always available 1 1 2
Don't have access to use device/sargeant only/not for uniformed members 1 1 3
Office only have an allocated number of DEVICES/we have to share/not enough available to wear 1 2 3
2. Nett Familiar with Own Device 17 29 36
I am more familiar with the features and operation of my DEVICE 12 16 28
I like to avoid using more than one DEVICE 5 8 13
3. Nett Outdated/Not Working/Unreliable 14 22 32
Victoria Police issued DEVICE are out-dated 13 17 30
Device broken/batteries flat/card full/lack of coverage/quality/unreliable 1 1 2
Equipment too slow 0 * *
Victoria Police do not use DEVICE 0 * *
4. Nett Personal Use 3 1 3
Use my own for personal use 2 * 2
Use the work DEVICE for work related matters and my DEVICE for personal matters * * 1
Can't use work DEVICE for personal use * * *
5. Nett Complete Work at Home/Out of Hours 2 1 3
Complete work out of hours/home 2 1 3
6. Nett Not a Smart Device/Lacks Features 1 1 1
Police DEVICES don't have access to the internet/maps/have a camera 1 1 1
7. Nett Convenience 1 3 4
Convenience NFI 1 1 2
My DEVICE is reliable/with me all the time/has a camera 1 1 2
Forget to take the Victoria Police DEVICE * * *
8. Nett Not Secure * 1 1
I am not confident that the Victoria Police issued DEVICE is secure * 1 1
74
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Mobile Phone 1297 1297 1297
9. Nett Other 1 4 5
Other 1 3 4
Don't use DEVICE * * *
To save time as police calls need to be logged * * *
Use both * * *
10. Nett None 0 3 3
None 0 3 3
* <1%
75
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Smart Phone 1170 1170 1170
1. Nett Unavailable/Not Provided/Not Enough Provided 56 50 73
I was unable to access the Victoria Police issued DEVICE when I needed to 45 16 61
Victoria Police do not use DEVICE 12 5 17
Not provided by Victoria Police 8 7 14
Don't have access to use device/sargeant only/not for uniformed members 2 2 4
Device not always available 1 1 2
Office only have an allocated number of DEVICES/we have to share/not enough available to wear * * 1
Not supplied due to cost/budget issues * 0 *
2. Nett Familiar with Own Device 18 29 37
I am more familiar with the features and operation of my DEVICE 15 18 33
I like to avoid using more than one DEVICE 3 5 8
3. Nett Outdated/Not Working/Unreliable 17 17 29
Victoria Police issued DEVICE are out-dated 5 8 13
Device broken/batteries flat/card full/lack of coverage/quality/unreliable * 1 1
Equipment too slow 0 * *
4. Nett Not a Smart Device/Lacks Features 6 4 9
Police DEVICES don't have access to the internet/maps/have a camera 6 3 9
5. Nett Personal Use 1 1 2
Use my own for personal use 1 1 1
Use the work DEVICE for work related matters and my DEVICE for personal matters * * *
Cant use work DEVICE for personal use * 0 *
6. Nett Convenience 1 2 2
Convenience NFI * 1 1
Forget to take the Victoria Police DEVICE * 0 *
My DEVICE is reliable/with me all the time/has a camera * 1 1
7. Nett Not Secure * 1 1
I am not confident that the Victoria Police issued DEVICE is secure * 1 1
8. Nett Complete Work at Home/Out of Hours * * *
Complete work out of hours/home * * *
76
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Smart Phone 1170 1170 1170
9. Nett Other 1 6 6
Other 1 4 5
Don't use DEVICE * 0 *
Use both * 0 *
Necessary for work * 1 1
Buy my own 0 1 1
10. Nett None 1 4 5
No other reason 0 0 0
None 1 4 5
* <1%
77
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – USB Device 767 767 767
1. Nett Unavailable/Not Provided/Not Enough Provided 76 54 84
I was unable to access the Victoria Police issued DEVICE when I needed to 55 13 68
Not provided by Victoria Police 20 7 28
Don't have access to use device/sargeant only/not for uniformed members * 2 2
Not supplied due to cost/budget issues * 1 1
Device not always available 0 1 1
Office only have an allocated number of DEVICES/we have to share/not enough available to wear 0 1 1
2. Nett Familiar With Own Device 12 25 30
I am more familiar with the features and operation of my DEVICE 6 11 16
I like to avoid using more than one DEVICE 6 11 17
3. Nett Outdated/Not Working/Unreliable 7 9 14
Victoria Police issued DEVICE are out-dated 5 7 13
Device broken/batteries flat/card full/lack of coverage/quality/unreliable 1 1 3
4. Nett Convenience 1 1 2
Convenience NFI * 1 1
Forget to take the Victoria Police DEVICE * 0 *
My DEVICE is reliable/with me all the time/has a camera * 1 1
5. Nett Not Secure 1 3 4
I am not confident that the Victoria Police issued DEVICE is secure 1 3 4
6. Nett Personal Use * 1 1
Use my own for personal use * 1 1
7. Nett Other 3 8 10
Buy my own 1 1 2
Necessary for work 1 1 2
Other 1 4 6
Instructed to get rid of data from hard drive * * 1
Use both 0 * *
8. Nett None 0 5 5
None 0 5 5
* <1%
78
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Laptop Computer 283 283 283
1. Nett Unavailable/Not Provided/Not Enough Provided 46 40 60
I was unable to access the Victoria Police issued DEVICE when I needed to 37 14 51
Not provided by Victoria Police 6 1 7
Don't have access to use device/sargeant only/not for uniformed members 2 2 4
Device not always available 1 2 2
Office only have an allocated number of DEVICES/we have to share/not enough available to wear 0 1 1
2. Nett Familiar With Own Device 13 25 33
I am more familiar with the features and operation of my DEVICE 1 19 29
I like to avoid using more than one DEVICE 3 5 8
Familiar with own device/easy to use * 0 *
3. Nett Outdated/Not Working/Unreliable 19 18 30
Victoria Police issued DEVICE are out-dated 17 12 29
Equipment too slow 1 1 2
Device broken/batteries flat/card full/lack of coverage/quality/unreliable 1 1 1
Police DEVICES unreliable/unuseable/cameras poor quality 0 * *
4. Nett Complete Work at Home/Out of Hours 6 3 8
Complete work out of hours/home 6 2 8
Use RSA to connect remotely 1 0 1
5. Nett Convenience 1 2 3
Convenience NFI 1 * 1
Internet research/Victoria Police access is restricted/slow * 1 2
My DEVICE is reliable/with me all the time/has a camera 0 * *
Have remote access token/do not need to transport DEVICE 0 * *
6. Nett Not Secure 1 2 2
I am not confident that the Victoria Police issued DEVICE is secure 1 1 2
7. Nett Personal Use 3 1 4
Use my own for personal use? 3 * 4
8. Nett Not a Smart Device/Lacks Features 1 * 1
DEVICES don't have the right programs to view footage 2 1 3
Police DEVICES don't have access to the internet/maps/have a camera 1 * 1
79
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Laptop Computer 283 283 283
9. Nett Other 5 11 14
Other 4 7 11
Don't use DEVICE 1 0 1
Buy my own 1 2 2
10. Nett None 1 3 5
None 1 3 5
No other reason 0 2 2
* <1%
80
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Desktop Computer 295 295 295
1. Nett Unavailable/Not Provided/Not Enough Provided 34 29 47
I was unable to access the Victoria Police issued DEVICE when I needed to 32 13 45
Not provided by Victoria Police 2 1 3
Device not always available 0 1 1
2. Nett Complete Work At Home/Out Of Hours 20 7 24
Complete work out of hours/home 20 4 24
3. Nett Outdated/Not Working/Unreliable 15 20 28
Victoria Police issued DEVICE are out-dated 15 13 28
Internet research/Victoria Police access is restricted/slow 3 0 3
DEVICES don't have the right programs to view footage 1 3 3
DEVICE compact to carry/does the job of two devices 1 0 1
Can control storage of images/files/call logs from own device/security * 0 *
Equipment too slow 0 1 1
Device broken/batteries flat/card full/lack of coverage/quality/unreliable 0 * *
4. Nett Personal Use 13 5 15
Use my own for personal use 8 2 10
5. Nett Familiar with Own Device 9 17 22
I am more familiar with the features and operation of my DEVICE 8 11 18
I like to avoid using more than one DEVICE 1 2 3
Familiar with own device/easy to use 1 1 2
6. Nett Convenience 3 0 3
Have remote access token/do not need to transport DEVICE 4 1 5
7. Nett Not Secure 0 2 2
I am not confident that the Victoria Police issued DEVICE is secure 0 2 2
8. Nett Other 3 4 6
Other 3 3 6
Use both 0 * *
9. Nett None 1 15 17
I do not own one/use one 1 0 1
None 1 15 17
No other reason 0 1 1
* <1%
81
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Digital Camera 684 684 684
1. Nett Unavailable/Not Provided/Not Enough Provided 55 38 68
I was unable to access the Victoria Police issued DEVICE when I needed to 53 12 65
Device not always available 1 4 5
Don't have access to use device/sargeant only/not for uniformed members * 0 *
Office only have an allocated number of DEVICES/we have to share/not enough available to wear * * 1
Not provided by Victoria Police 0 * *
2. Nett Familiar with Own Device 19 37 46
I am more familiar with the features and operation of my DEVICE 15 25 40
I like to avoid using more than one DEVICE 3 11 14
Familiar with own device/easy to use * * 1
3. Nett Outdated/Not Working/Unreliable 17 22 34
Victoria Police issued DEVICE are out-dated 15 15 30
Device broken/batteries flat/card full/lack of coverage/quality/unreliable 3 4 7
Can control storage of images/files/call logs from own device/security 1 1 1
Police DEVICES unreliable/unuseable/cameras poor quality * 4 4
Police DEVICES don't have access to the internet/maps/have a camera 0 * *
4. Nett Personal Use 2 * 2
Use my own for personal use 2 0 2
5. Nett Convenience 1 * 1
Easier to use own DEVICE/always in your pocket/better quality/reliable/camera 2 4 6
Convenience NFI 1 * 1
DEVICE compact to carry/does the job of two devices * 1 1
Less to sign out * 0 *
My DEVICE is reliable/with me all the time/has a camera 0 * *
6. Nett Not Secure 1 2 2
I am not confident that the Victoria Police issued DEVICE is secure 1 2 2
7. Nett Complete Work at Home/Out of Hours * 0 *
Complete work out of hours/home * 0 *
8. Nett Not a Smart Device/Lacks Features 0 * *
9. Nett Other 3 4 6
Buy my own 2 * 2
Other 1 3 4
Don't use DEVICE 0 * *
82
Appendices
Main Reason
Other Reason
Total Reasons
Q4b/c. Summary – Digital Camera 684 684 684
10. Nett None 0 3 3
None 0 3 3
No other reason 0 0 0
* <1%
83
This page is intentionally left blank.
84
This page is intentionally left blank.
top related