Cybersecurity Definitions Interview

Generic Clearance for Usability Data Collections

Cybersecurity Definitions Interview Supporting Statement


OMB: 0693-0043


OMB Control # – NIST Generic Clearance for Usability Data Collections

NIST Survey: Cybersecurity Definitions: Interviews


Survey Information Collection


  1. Explain who will be surveyed and why the group is appropriate to survey.

The Information Access Division (IAD), of the Information Technology Laboratory (ITL), at the National Institute of Standards and Technology (NIST) is leading this information collection.

Human-centered security research considers the human, social, and organizational factors – and the interactions between them – related to security processes, technologies, products, policies, etc. The purpose of this interview is to investigate how individuals without a formal background in information technology or cybersecurity (non-experts) understand typical cybersecurity definitions and potential areas of confusion. Study insights can inform guidance on how to best define and describe cybersecurity to non-experts (individuals without cybersecurity expertise). Therefore, it is necessary and appropriate to interview people who do not have expertise in information technology or cybersecurity to learn about which cybersecurity definitions they most prefer.

NIST will interview 30 individuals. The information being requested is not available from public sources as this is the first study to focus on non-expert understandings and preferences of cybersecurity definitions. A copy of the recruitment text to be used has been uploaded into ROCIS for review.


2. Explain how the survey was developed including consultation with interested parties, pretesting, and responses to suggestions for improvement.

The interview questions were developed and refined based on the following: 1) prior research on cybersecurity definitions, including a NIST systematic search and analysis of cybersecurity definitions available online and 2) prior research identifying non-expert challenges and misunderstanding of cybersecurity.

The interview questions were reviewed by the following two experts to ensure the language and questions were appropriately tailored for the study population: 1) a cybersecurity practitioner with prior experience and knowledge about cybersecurity definition analysis and writing technical documents for non-experts and 2) a researcher with 15+ years of experience conducting surveys and interviews. Feedback from the reviewers was incorporated in the interview protocol. In addition, NIST piloted the interview protocol with three non-experts to check their understanding of questions, the flow of the interview, and how long the interview took to complete. Based on these pilots, the protocol was streamlined and the wording in several questions was refined.


3. Explain how the survey will be conducted, how customers will be sampled if fewer than all customers will be surveyed, expected response rate, and actions your agency plans to take to improve the response rate.

NIST will conduct the interviews using the Microsoft Teams virtual meeting platform.

For recruitment, NIST’s partner, Mediabarn (on contract with NIST), will send targeted survey invitations via email to members of Mediabarn’s proprietary national database. Prospective participants will take a screening survey (submitted as a separate collection: Cybersecurity Definitions: Screening Survey) to determine their eligibility. To be eligible, participants should be current U.S. residents aged 18 years or older who are comfortable taking a survey in English, have never formally studied or worked in an information technology (IT) or cybersecurity field, and are willing to have the interview recorded (audio and video). In addition, all participants must:

  • Be able to attend the interview from a computer/laptop (no tablets, smartphones)

  • Have a working camera and microphone on their computer/laptop

  • Have a high-speed Internet connection capable of supporting a virtual meeting


The interview protocol includes 43 questions, including follow-up probing questions that may or may not be asked depending on participant responses and the need for response clarification. Questions address the use of, knowledge of, and familiarity with technology and cybersecurity as well as thoughts and opinions on existing cybersecurity definitions. The protocol is being uploaded for review. The interview will take 75 minutes to complete. The interview study data collection will end once 30 participants complete the interview.

Total burden hours: 30 respondents x 75 minutes per interview = 37.5 burden hours.

The interview is human subjects exempt research. Participants will sign an informed consent form prior to the interview. Interview data will be assigned an anonymous reference code. NIST will not keep a list that links the interview reference codes to specific participants. The recordings will be destroyed upon study completion.



4. Describe how the results of the survey will be analyzed and used to generalize the results to the entire customer population.


Analysis will be conducted by NIST researchers. Interviews will be transcribed using the built-in Microsoft Teams transcription functionality. Researchers will review and update transcripts for accuracy. Qualitative data analysis of interview transcripts will follow common Grounded Theory-type methods. Potential similarities and differences between different categories of individuals (e.g., age group, gender, education level) will be explored at a high level (not via statistical analyses due to the small sample size).






File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: PAPERWORK REDUCTION ACT
Author: pboyd
File Modified: 0000-00-00
File Created: 2024-07-20
