Survey Information Collection
Explain who will be surveyed and why the group is appropriate to survey.
The Information Access Division (IAD), of the Information Technology Laboratory (ITL), at the National Institute of Standards and Technology (NIST) is leading this information collection.
Human-centered security research considers the human, social, and organizational factors – and the interactions between them – related to security processes, technologies, products, policies, etc. The purpose of this survey is to understand current human-centered security researcher-practitioner interaction points and associated challenges throughout the entire research lifecycle. Study insights can inform the creation of bridges between human-centered security researchers and cybersecurity practitioners that result in research that is more relevant and actionable to practitioners. Therefore, it is necessary and appropriate to survey people who are security and information technology (IT) practitioners to learn about how human-centered security insights and research informs their daily work.
NIST will survey 150 practitioners. The information being requested is not available from public sources as this is the first study to focus on research-practice interactions for this specific research domain. A copy of the recruitment text to be used has been uploaded into ROCIS for review.
2. Explain how the survey was developed including consultation with interested
parties, pretesting, and responses to suggestions for improvement.
The survey questions were developed and refined based on the following: 1) prior research identifying research-practice gaps in human-computer interaction, cybersecurity, and other domains and 2) discussions with human-centered security researchers about their own challenges interacting with practitioners throughout the research lifecycle and producing practitioner-focused outputs.
The survey questions were reviewed by two security practitioners to ensure the language and questions were appropriately tailored for the study population. Feedback from the reviewers was incorporated in the final survey instrument.
3. Explain how the survey will be conducted, how customers will be sampled if
fewer than all customers will be surveyed, expected response rate, and actions
your agency plans to take to improve the response rate.
NIST will conduct an anonymous survey online using the Qualtrix survey platform.
For recruitment, NIST will send survey invitations via mailing lists and social media accounts targeted at security and IT practitioners. To meet the survey criteria, participants must be 18 years or older and be a security or IT practitioner. If eligible and choosing to participate, they will select the survey link to begin the survey. On the first screen of the survey, they will be able to view the NIST study information sheet (attached).
The survey includes 22 questions, including basic demographic information such as number of years of practitioner experience and type of organization. Screenshots are being uploaded for review. The survey will take approximately 7 minutes to complete. The survey will be closed once 150 respondents complete the survey.
Total burden hours: 150 respondents x 7 minutes per response = 17.5 burden hours.
The survey is human subjects exempt research. We are only collecting high-level demographic information and all collected data are anonymized. As stated in the provided Information Sheet, to maintain participant confidentiality, no identifiers, data, or information are collected that can be traced back to participants. Individual responses will be assigned an anonymous reference code. NIST will not create or keep a list that links the response reference codes to specific participants.
4. Describe how the results of the survey will be analyzed and used to generalize
the results to the entire customer population.
Data analysis will be conducted by NIST researchers. Analysis will consist of summary statistics (e.g., averages, frequencies) as well as inferential statistical tests to compare data based on sub-groups of practitioners (type of organization, region, whether they also have prior research experience).
The survey results may be generalizable to the practitioner population if sufficient statistical power is reached. For exploring 3 possible predictors (type of organization, region, whether they also have prior research experience) for a medium effect size with a power of 0.8 and significance level of alpha = 0.05, a sample size of at least 77 is needed.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | PAPERWORK REDUCTION ACT |
| Author | pboyd |
| File Modified | 0000-00-00 |
| File Created | 2024-07-20 |