Download:
docx |
pdf
Supporting
Statement B for Paperwork Reduction Act Submissions
Title:
Department of Homeland Security (DHS)
Office of Cyber Security &
Communications (CS&C)
Information
Technology (IT) Sector
Small
and Midsize Businesses (SMB) Cybersecurity Survey
OMB
Control Number: 1670-NEW
B.
Collections of Information Employing Statistical Methods.
������
Describe
(including numerical estimate) the potential respondent universe
and
any sampling or other respondent selection method to be used. Data
on the number of entities (e.g., establishments, State and local
government units, households, or persons) in the universe covered by
the collection and in the corresponding sample are to be provided in
tabular form for the universe as a whole and for each of the strata
in the proposed sample. Indicate expected response rates for the
collection as a whole. If the collection has been conducted
previously, include the actual response rate achieved during the last
collection.
Response…
This
survey is part of an ongoing joint IT SCC effort to develop and
coordinate strategies to engage the SMB community on educating SMBs
about cybersecurity risks and how the national Cybersecurity
Framework can assist SMBs strengthen their overall cybersecurity
posture. The questionnaire is meant to collect information about what
sources IT SMBs are using to reference cybersecurity best practices,
about companies’ specific assets and management practices, such
as physical access management, and cost of NIST CSF adoption and
implementation.
The
primary purpose of these collections will be for internal management
purposes; there are no plans to publish or otherwise release this
information.
This
data collection is not conducted by DHS. The actual survey will be
administered by the IT-SCC private sector partners. The respondent’s
universe will include members of the ACT (The App Association) and
members of other of IT SMBs professional associations and forums.
This
selection procedure is a non-probability sampling method. Because of
the subjective nature of the selection process, non-probability
samples add uncertainty when the sample is used to represent the
population as a whole. The accuracy and precision of statements
about the population can only be determined by subjective judgment.
The selection procedure does not provide rules or methods for
inferring sample results to the population, and such inferences are
not valid because of bias in the selection process.
The
activities under this clearance may also involve additional samples
of self-selected customers, as well as convenience samples, and quota
samples, with respondents selected to include small and medium size
businesses within the IT sector. Results will not be used to make
statements representative of the universe of study, to produce
statistical descriptions (careful, repeatable measurements), or to
generalize the data beyond the scope of the sample.
Describe
the procedures for the collection of information including:
Response…
The
respondent’s universe will include members of the ACT (The App
Association) and members of other of IT SMBs professional
associations and forums.
This
data collection is not conducted by DHS. The IT SCC will administer
the survey and anonymize the data, which will then be sent to DHS for
analysis. The analysis will determine ROI information for NIST
Cybersecurity Framework adoption in the SMB community. The results of
this analysis will be used to provide the SMB community with best
practices on how to use the Cybersecurity Framework for business
protection and risk management.
The
questionnaire will be distributed to SMBs and is a two-part survey.
Questions 1-11 of the survey are for an organization’s
leadership, as these questions pertain to high level information
about the company (core function, number of employees, etc.). The
remaining questions are intended for the Chief Information Services
Officer (CISO) and/or appropriate IT staff, as these questions are
technical and ask about the IT security of the company.
IT
SCC intends to further reduce burden on the respondents through use
of a variety of methodologies for the collection with subsequent
electronic data comparison. IT SCC may use commercial survey-specific
software to automate its collection and analysis of feedback.
Information collection instruments may be electronically disseminated
and/or posted on target pages of the IT SMB-related web sites.
Telephone scripts, personal interviews, and focus groups with
professional guidance and moderation may also be used.
Response…
This
selection procedure is a non-probability sampling method. Because of
the subjective nature of the selection process, non-probability
samples add uncertainty when the sample is used to represent the
population as a whole. The accuracy and precision of statements
about the population can only be determined by subjective judgment.
The selection procedure does not provide rules or methods for
inferring sample results to the population, and such inferences are
not valid because of bias in the selection process.
The
samples associated with this collection are not subjected to the same
scrutiny as scientifically drawn samples where estimates are
published or otherwise released to the public.
Response…
Qualitative
surveys as the one intended by IT SCC are tools used by program
managers to change or improve programs, products, or services. The
accuracy, reliability, and applicability of the results of these
surveys are adequate for their purpose.
The
primary purpose of these collections will be for internal management
purposes; there are no plans to publish or otherwise release this
information.
Response…
The
private sector will exclude any Point of Contact (POC) information
during the microdata processing, No PII information should be
included in the anonymized dataset transmitted to DHS. DHS will use
anonymized data to conduct their analysis.
Once
the survey is administered by the private sector partners of the IT
SCC to the member organizations, the collected raw inputs will be
compiled and the resulting dataset will be processed by the private
sector partners to a) assign unique random identifiers to each of the
responses, b) scrub any PII from the microdata, and c) QA against the
raw input. These processing steps (a-c) will be implemented PRIOR to
handing the dataset over to DHS for statistical analysis.
Response…
This
data collection is not intended as an annual activity. Intended
frequency of response is every five years.
3.
Describe methods to maximize response rates and to deal with issues
of
non-response.
The accuracy and reliability of information collected must be shown
to be adequate for intended uses. For collections based on sampling,
a special justification must be provided for any collection that will
not yield “reliable” data that can be generalized to the
universe studied.
Response…
Information
collected under this generic clearance will not yield generalizable
quantitative findings; it can provide useful customer input, but it
does not yield data about customer opinions that can be generalized.
The
activities under this clearance may also involve additional or
follow-up samples of self-selected customers, as well as convenience
samples, and quota samples, with respondents selected to include
small and medium size businesses within the IT sector. Results will
not be used to make statements representative of the universe of
study, to produce statistical descriptions (careful, repeatable
measurements), or to generalize the data beyond the scope of the
sample.
4.
Describe any tests of procedures or methods to be undertaken.
Testing is encouraged as an effective means of refining collections
of information to minimize burden and improve utility. Tests must be
approved if they call for answers to identical questions from 10 or
more respondents. A proposed test or set of tests may be submitted
for approval separately or in combination with the main collection of
information.
Response…
Pretesting
may be done with internal staff, a limited number of external
colleagues, and/or customers who are familiar with the programs and
products. If the number of pretest respondents exceeds nine members
of the public, the Agency will submit the pretest instruments for
review under this generic clearance.
5.
Provide the name and telephone number of individuals consulted on
statistical aspects of the design and the name of the agency unit,
contractor(s), grantee(s), or other person(s) who will actually
collect and/or analyze the information for the agency.
Response…
This
data collection is not conducted by DHS. The following SMEs at the
DHS NPPD were consulted in designing the IT SCC information
collection instrument:
Dr.
Olga Livingston, Senior Economist, NPPD Office of Chief Economist,
DHS
Dr.
Jade Freeman, Senior Statistician, NPPD Office of Cybersecurity and
Communications, DHS
The
actual survey will be administered by the IT-SCC private sector
partners. The respondent’s universe will include members of the
ACT (The App Association) and members of other of IT SMBs
professional associations and forums.
Once
the survey is administered by the private sector partners of the IT
SCC to the member organizations, the collected raw inputs will be
compiled and the resulting dataset will be processed by the private
sector partners to a) assign unique random identifiers to each of the
responses, b) scrub any PII from the microdata, and c) QA against the
raw input. These processing steps (a-c) will be implemented PRIOR to
handing the dataset over to DHS for statistical analysis.
IT
SCC private sector partners intend to obtain additional information
from statisticians in the development, design, conduct, and analysis
of customer/partner service surveys, when appropriate. This
statistical expertise will be available from DHS NPPD statisticians
or from contractors, or other IT SCC private sector partners.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement B - Template |
| Author | Corey Mull |
| File Modified | 0000-00-00 |
| File Created | 2021-01-21 |