1670-NEW_IT Sector Survey_SS-B


Office of Cyber Security & Communications (CS&C) Information Technology (IT) Sector Small and Midsize Businesses (SMB) Cybersecurity Survey

OMB: 1670-0038


Supporting Statement B for Paperwork Reduction Act Submissions


Title: Department of Homeland Security (DHS)
Office of Cyber Security & Communications (CS&C)

Information Technology (IT) Sector

Small and Midsize Businesses (SMB) Cybersecurity Survey


OMB Control Number: 1670-NEW


B. Collections of Information Employing Statistical Methods.



  1. Describe (including numerical estimate) the potential respondent universe and any sampling or other respondent selection method to be used. Data on the number of entities (e.g., establishments, State and local government units, households, or persons) in the universe covered by the collection and in the corresponding sample are to be provided in tabular form for the universe as a whole and for each of the strata in the proposed sample. Indicate expected response rates for the collection as a whole. If the collection has been conducted previously, include the actual response rate achieved during the last collection.

Response…



This survey is part of an ongoing joint IT SCC effort to develop and coordinate strategies for engaging the SMB community and educating SMBs about cybersecurity risks and how the national Cybersecurity Framework can help SMBs strengthen their overall cybersecurity posture. The questionnaire is meant to collect information about which sources IT SMBs use to reference cybersecurity best practices, about companies’ specific assets and management practices, such as physical access management, and about the cost of NIST CSF adoption and implementation.


The primary purpose of these collections will be for internal management purposes; there are no plans to publish or otherwise release this information.


This data collection is not conducted by DHS. The actual survey will be administered by the IT-SCC private sector partners. The respondent universe will include members of ACT (The App Association) and members of other IT SMB professional associations and forums.


This selection procedure is a non-probability sampling method. Because of the subjective nature of the selection process, non-probability samples add uncertainty when the sample is used to represent the population as a whole. The accuracy and precision of statements about the population can only be determined by subjective judgment. The selection procedure does not provide rules or methods for inferring sample results to the population, and such inferences are not valid because of bias in the selection process.


The activities under this clearance may also involve additional samples of self-selected customers, as well as convenience samples, and quota samples, with respondents selected to include small and medium size businesses within the IT sector. Results will not be used to make statements representative of the universe of study, to produce statistical descriptions (careful, repeatable measurements), or to generalize the data beyond the scope of the sample.



  2. Describe the procedures for the collection of information including:


  • Statistical methodology for stratification and sample selection,

Response…


The respondent universe will include members of ACT (The App Association) and members of other IT SMB professional associations and forums.


This data collection is not conducted by DHS. The IT SCC will administer the survey and anonymize the data, which will then be sent to DHS for analysis. The analysis will determine ROI information for NIST Cybersecurity Framework adoption in the SMB community. The results of this analysis will be used to provide the SMB community with best practices on how to use the Cybersecurity Framework for business protection and risk management.

The questionnaire will be distributed to SMBs and is a two-part survey. Questions 1-11 of the survey are for an organization’s leadership, as these questions pertain to high level information about the company (core function, number of employees, etc.). The remaining questions are intended for the Chief Information Services Officer (CISO) and/or appropriate IT staff, as these questions are technical and ask about the IT security of the company.


IT SCC intends to further reduce burden on the respondents through use of a variety of methodologies for the collection with subsequent electronic data comparison. IT SCC may use commercial survey-specific software to automate its collection and analysis of feedback. Information collection instruments may be electronically disseminated and/or posted on target pages of the IT SMB-related web sites. Telephone scripts, personal interviews, and focus groups with professional guidance and moderation may also be used.



  • Estimation procedure,

Response…


This selection procedure is a non-probability sampling method. Because of the subjective nature of the selection process, non-probability samples add uncertainty when the sample is used to represent the population as a whole. The accuracy and precision of statements about the population can only be determined by subjective judgment. The selection procedure does not provide rules or methods for inferring sample results to the population, and such inferences are not valid because of bias in the selection process.


The samples associated with this collection are not subjected to the same scrutiny as scientifically drawn samples where estimates are published or otherwise released to the public.



  • Degree of accuracy needed for the purpose described in the justification,

Response…


Qualitative surveys such as the one intended by IT SCC are tools used by program managers to change or improve programs, products, or services. The accuracy, reliability, and applicability of the results of these surveys are adequate for their purpose.


The primary purpose of these collections will be for internal management purposes; there are no plans to publish or otherwise release this information.



  • Unusual problems requiring specialized sampling procedures, and

Response…


The private sector will exclude any Point of Contact (POC) information during the microdata processing. No PII should be included in the anonymized dataset transmitted to DHS. DHS will use anonymized data to conduct its analysis.


Once the survey is administered by the private sector partners of the IT SCC to the member organizations, the collected raw inputs will be compiled and the resulting dataset will be processed by the private sector partners to a) assign unique random identifiers to each of the responses, b) scrub any PII from the microdata, and c) QA against the raw input. These processing steps (a-c) will be implemented PRIOR to handing the dataset over to DHS for statistical analysis.



  • Any use of periodic (less frequent than annual) data collection cycles to reduce burden.

Response…



This data collection is not intended as an annual activity. Intended frequency of response is every five years.



3. Describe methods to maximize response rates and to deal with issues of non-response. The accuracy and reliability of information collected must be shown to be adequate for intended uses. For collections based on sampling, a special justification must be provided for any collection that will not yield “reliable” data that can be generalized to the universe studied.

Response…


Information collected under this generic clearance will not yield generalizable quantitative findings; it can provide useful customer input, but it does not yield data about customer opinions that can be generalized.


The activities under this clearance may also involve additional or follow-up samples of self-selected customers, as well as convenience samples, and quota samples, with respondents selected to include small and medium size businesses within the IT sector. Results will not be used to make statements representative of the universe of study, to produce statistical descriptions (careful, repeatable measurements), or to generalize the data beyond the scope of the sample.



4. Describe any tests of procedures or methods to be undertaken. Testing is encouraged as an effective means of refining collections of information to minimize burden and improve utility. Tests must be approved if they call for answers to identical questions from 10 or more respondents. A proposed test or set of tests may be submitted for approval separately or in combination with the main collection of information.

Response…


Pretesting may be done with internal staff, a limited number of external colleagues, and/or customers who are familiar with the programs and products. If the number of pretest respondents exceeds nine members of the public, the Agency will submit the pretest instruments for review under this generic clearance.


5. Provide the name and telephone number of individuals consulted on statistical aspects of the design and the name of the agency unit, contractor(s), grantee(s), or other person(s) who will actually collect and/or analyze the information for the agency.

Response…


This data collection is not conducted by DHS. The following SMEs at the DHS NPPD were consulted in designing the IT SCC information collection instrument:

  • Dr. Olga Livingston, Senior Economist, NPPD Office of Chief Economist, DHS

  • Dr. Jade Freeman, Senior Statistician, NPPD Office of Cybersecurity and Communications, DHS


The actual survey will be administered by the IT-SCC private sector partners. The respondent universe will include members of ACT (The App Association) and members of other IT SMB professional associations and forums.


Once the survey is administered by the private sector partners of the IT SCC to the member organizations, the collected raw inputs will be compiled and the resulting dataset will be processed by the private sector partners to a) assign unique random identifiers to each of the responses, b) scrub any PII from the microdata, and c) QA against the raw input. These processing steps (a-c) will be implemented PRIOR to handing the dataset over to DHS for statistical analysis.


IT SCC private sector partners intend to obtain additional information from statisticians in the development, design, conduct, and analysis of customer/partner service surveys, when appropriate. This statistical expertise will be available from DHS NPPD statisticians or from contractors, or other IT SCC private sector partners.




File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Supporting Statement B - Template
Author: Corey Mull
File Modified: 0000-00-00
File Created: 2021-01-21
