CHAPTER 2 THEORETICAL FOUNDATION

2.1 Theoretical Foundation

2.1.1 Information Security
Retrieved March 10, 2007 from http://its.ucsf.edu/about/policy/ucop_is3.jsp: information security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.

2.1.2 Computer Security
Computer security is a collection of tools designed to protect against misuse by irresponsible persons, for example hackers. Retrieved March 20, 2007, from ww.cse.buffalo.edu/~bina/cse421/fall2002/securityDec3.ppt. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information.

2.1.3 Security Types
According to Jill 2006, "Information Technology Security Risk and Management", p. 41: usually, business continuity management has revolved around restoring key applications, but that model is of decreasing usefulness as contemporary IT-driven business operations are interconnected and complemented by reliable network connectivity within the organization and with its partners, suppliers, distributors and customers. Hence, it is imperative that the business's information infrastructure is well secured. This security must extend to both physical and logical security, which are discussed below.

2.1.3.1 Physical Security
Physical security refers to the protection of the computer system from natural disasters and from unauthorized intruders. Natural disasters include a range of threats such as fire, floods, earthquakes, etc.

2.1.3.2 Logical Security
Logical security consists of the protection mechanisms that limit users' access to information and restrict their forms of access on the system to only what is appropriate for them.

2.1.4 Threats Definition
Matt Bishop 2005, "Introduction to Computer Security", Addison Wesley, p. 4: a threat is a potential violation of security.
The violation need not actually occur for there to be a threat. The fact that the violation might occur means that the actions that could cause it to occur must be guarded against. Those actions are called attacks.

2.1.5 Various Threats
There are two types of threats according to Archer Kevin, Core James, Davis Roger 2001, "Voice and Data Security", SAMS, p. 11. These are:

2.1.5.1 Internal Threats
These are threats carried out by an internal party. Insiders know where the most important information is stored. An internal party has physical access to facilities and equipment and usually has the time to be cautious and patient, and thus can often avoid detection or suspicion.

2.1.5.2 External Threats
The actor of this kind of threat is an external party, for example competitors, hackers and so forth.

2.1.6 Threats to Logical Security
According to Jill 2006, "Information Technology Security Risk and Management", p. 41, there are 4 types of threats to logical security:

2.1.6.1 Interception
Interception is an unauthorized party gaining access to the system. Generally interception is carried out by:
• Direct Observation
This refers to the interception of data by simply looking at the source. For example, unauthorized persons or visitors can watch the screens of other employees.
• Network Interception
This refers to the interception of data by accessing and reading the data as it moves through the transmission channel. For example, an Ethernet-based Local Area Network will allow every data packet sent through the network to be read by any machine connected to the network.
• Electromagnetic Interception
This interception relies on using a radio receiver to intercept electromagnetic energy radiated by the computer.

2.1.6.2 Modification
Modification means changing the nature of data. An intruder can gain access to the system and become capable of changing or editing the file or data.
Modifications are either reversible or irreversible, as discussed below:
• Reversible Modification
A reversible modification occurs when the changes made to the information or data can be undone.
• Irreversible Modification
An irreversible modification occurs when the changes made to the information or data cannot be undone.

2.1.6.3 Fabrication
Fabrication occurs when an unauthorized party inserts an unauthentic message into the network or system. Besides, it can also occur owing to the malfunctioning of hardware components, through software bugs, and through other human intrusion or hacking into the system.

2.1.6.4 Interruption
Interruption is aimed at the availability of the system. Interruption occurs when an asset of the system is destroyed or becomes unavailable or unusable; alternatively, the threat cuts the communication line. It can occur in 3 ways:
• Software Interruption
Software interruption occurs owing to modification and fabrication of data, bugs in application software, illegal copies of software, programming code alteration, Trojans, viruses and the destruction of original and backup data.
• Hardware Interruption
Hardware interruption occurs owing to natural disasters, advertent or inadvertent misuse of equipment, crashed servers, mis-configured hardware, unwarranted additions to computer equipment and theft. These all result in the breakdown or malfunctioning of hardware that interrupts normal operation.
• Staff Interruption
Staff interruption occurs where employees cause some interruption to the business process.

Figure 2-1 Types of Logical Security Threats. Retrieved April 21, 2007, from www.cse.buffalo.edu/~bina/cse421/fall2002/securityDec3.ppt

2.1.7 Access Control
Access to protected information must be restricted to people who are authorized to access the information. This requires that mechanisms be in place to control access to protected information.
The sophistication of the access control mechanisms should be in parity with the value of the information being protected: the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication.
• Identification
Identification is an assertion of who someone is or what something is.
• Authentication
Authentication is the act of confirming the identity. There are three different types of information that can be used for authentication: something you know, something you have, or something you are. Examples of something you know are a PIN number, a password, or your mother's maiden name. Examples of something you have include a driver's license or a magnetic swipe card. Something you are refers to biometrics. Examples of biometrics include palm prints, fingerprints, voice prints and retina (eye) scans.
• Cryptography
Cryptography protects information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while the information is in storage.

2.1.8 Elements of Logical Security
1. User ID
A user ID is the unique identifier for a user of the computer. Examples are logins, user names, logons or accounts. These identifiers are based on short strings of alphanumeric characters, and are either assigned or chosen by the users.
2. Authentication
Authentication is the process used by a computer program, computer, or network to confirm the identity of a user. Blind credentials (anonymous users) have no identity, but are allowed to enter the system. The confirmation of identities is essential to the concept of access control, which gives access to the authorized and excludes the unauthorized.
3. Biometric Authentication
Biometric authentication is the measuring of a user's physiological or behavioral features to attempt to confirm his/her identity.
Physiological aspects that are used include fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements. Behavioral aspects that are used include signature recognition, gait recognition, speaker recognition and typing pattern recognition. When a user registers with the system which he/she will attempt to access later, one or more of his/her physiological characteristics are obtained and processed by a numerical algorithm. This number is then entered into a database, and the features of a user attempting to match the stored features must match up to a certain error rate.

2.1.9 Biometrics
In information technology, biometrics (retrieved April 2, 2007 from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211666,00.html) refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes. Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. The oldest form of biometric is the fingerprint. When choosing a biometric for an application the following issues have to be addressed:
o Does the application need verification or identification? If an application requires identification of a subject from a large database, it needs a scalable and relatively more distinctive biometric (e.g., fingerprint, iris, or DNA).
o What are the operational modes of the application? Whether the application is attended (semi-automatic) or unattended (fully automatic), whether the users are habituated (or willing to be habituated) to the given biometrics, whether the application is covert or overt, whether subjects are cooperative or non-cooperative, and so on.
o What is the storage requirement of the application? For example, an application that performs the recognition at a remote server may require a small template size.
o How stringent are the performance requirements? For example, an application that demands very high accuracy needs a more distinctive biometric.
o What types of biometrics are acceptable to the users? Different biometrics are acceptable in applications deployed in different demographics depending on the cultural, ethical, social, religious, and hygienic standards of that society.

2.1.9.1 Comparison of Various Biometrics
The biometric used in an application is often a compromise between the sensitivity of a community to various perceptions/taboos and the value/convenience offered by biometrics-based recognition. A brief introduction to the most common biometrics is provided below.
• DNA: Deoxyribonucleic Acid (DNA) is the one-dimensional ultimate unique code.
• Ear: The features of an ear are not expected to be unique to an individual. Ear recognition approaches are based on matching the distance of salient points on the pinna from a landmark location on the ear.
• Face: The face is one of the most acceptable biometrics.
• Facial, hand, and hand vein infrared thermograms: The pattern of heat radiated by the human body is a characteristic of each individual body and can be captured by an infrared camera in an unobtrusive way, much like a regular (visible spectrum) photograph. Infrared sensors are prohibitively expensive, which is a factor inhibiting widespread use of thermograms.
• Gait: Gait is the peculiar way one walks and is a complex spatio-temporal biometric. Gait is not supposed to be very distinctive, but is sufficiently characteristic to allow verification in some low-security applications.
• Hand and finger geometry: Some features related to a human hand (e.g., length of fingers) are relatively invariant and peculiar (although not very distinctive) to an individual. Due to limited distinctiveness, hand geometry-based systems are typically used for verification and do not scale well for identification applications.
• Iris: The visual texture of the human iris is determined by the chaotic morphogenetic processes during embryonic development and is posited to be distinctive for each person and each eye (Daugman, 1999a). An iris image is typically captured using a non-contact imaging process. Iris recognition technology is believed to be extremely accurate and fast.
• Keystroke dynamics: It is hypothesized that each person types on a keyboard in a characteristic way. Keystroke dynamics is a behavioral biometric. It is not expected to be unique to each individual, but it offers sufficient discriminatory information to permit identity verification.
• Odor: It is known that each object exudes an odor that is characteristic of its chemical composition and could be used for distinguishing various objects. A whiff of air surrounding an object is blown over an array of chemical sensors, each sensitive to a certain group of (aromatic) compounds. A component of the odor emitted by a human (or any animal) body is distinctive to a particular individual. It is not clear whether the invariance in body odor could be detected despite deodorant smells and the varying chemical composition of the surrounding environment.
• Retinal scan: The retinal vasculature is rich in structure and is supposed to be a characteristic of each individual and each eye.
• Signature: The way a person signs his name is known to be a characteristic of that individual.
• Voice: Voice capture is unobtrusive and the voice print is an acceptable biometric in almost all societies.

2.1.10 Passwords/Keys/Tokens
The most common way to protect information on IT systems is the password. It is used to identify and authenticate users on the system and also to protect data and applications on many IT systems. Passwords are also used frequently in PC applications as a means of logical access control. For instance, an accounting application may require a password in order to access certain financial data or invoke a sensitive application. The primary advantage of password-based logical access control is that it is provided by a large variety of PC applications and thus often does not have to be implemented as a new/separate feature of an operating system. The drawbacks of this approach center on the difficulty for users to manage even moderate numbers of passwords.

2.1.10.1 Components of a Good Password
According to Archer Kevin, Core James, Davis Roger 2001, "Voice and Data Security", SAMS, p. 11, these are the guidelines to make a password more difficult to guess or obtain:
• A password should be at least seven characters long.
• A password should have at least three of the following four elements:
o One or more English uppercase letters (A-Z)
o One or more English lowercase letters (a-z)
o One or more Arabic numerals (0-9)
o One or more special characters (!@#$%^*)
• A password should not consist of dictionary words.
• A password should never be the same as the user's login name or contain the login name.
• A password should not consist of the user's first or last name, a family member's name, a birth date, etc.
• Passwords should be changed every 60-90 days (a very secure policy may want to change passwords every 30 to 45 days).
• Have a system that can remind the user to change the password. Do not allow the user to reuse the old password; they should create a new password whenever the password expires.
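The guidelines of Section 2.1.10.1 expressed as a policy check, added here as an example and not taken from the thesis or from Archer, Core and Davis; the word list, the user "jdoe" and his details, and the SHA-256 password history are constructed assumptions.

```python
import hashlib
import re
from datetime import date

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "summer", "welcome", "admin", "secret", "letmein"}
SPECIALS = set("!@#$%^*")   # the special characters listed in the guideline
MIN_LENGTH = 7
MAX_AGE_DAYS = 90            # upper end of the 60-90 day change interval


def digest(password):
    """History is kept as SHA-256 digests so clear-text passwords are never
    stored; a real system would use a salted, slow password hash instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # Arabic numerals
        any(c in SPECIALS for c in password),     # special characters
    ])


def check_password(password, login, names=(), birth_date=None,
                   history=(), last_changed=None, today=None):
    """Return the list of guideline rules the password violates (empty = OK)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < 3:
        problems.append("uses fewer than 3 of the 4 character classes")
    # "consists of dictionary words": compare the alphabetic core of the password
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY:
        problems.append("is a dictionary word")
    if login and login.lower() in lowered:
        problems.append("is or contains the login name")
    for name in names:                       # user's own and family members' names
        if name.lower() in lowered:
            problems.append("contains a personal or family name: " + name)
    if birth_date is not None:               # year, day-month and month-day forms
        tokens = {str(birth_date.year),
                  birth_date.strftime("%d%m"), birth_date.strftime("%m%d")}
        if any(t in password for t in tokens):
            problems.append("contains the birth date")
    if digest(password) in history:
        problems.append("reuses a previous password")
    if last_changed is not None:             # the 60-90 day aging rule
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append("older than %d days, must be changed" % MAX_AGE_DAYS)
    return problems


def demo():
    """Constructed cases for a hypothetical user 'jdoe' (John Doe, born 12 May 1980)."""
    user = dict(login="jdoe", names=("John", "Doe", "Mary"),
                birth_date=date(1980, 5, 12))
    return {
        "default": check_password("admin", "admin"),
        "dictionary": check_password("Summer2007!", **user),
        "personal": check_password("jdoe1980!X", **user),
        "reused": check_password("OldPass1!", history={digest("OldPass1!")}, **user),
        "expired": check_password("Kx7#pLq2", last_changed=date(2007, 1, 1),
                                  today=date(2007, 5, 1), **user),
        "good": check_password("Kx7#pLq2", **user),
    }
```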
2.1.10.2 Types of Problematic Passwords and Accounts
According to Archer Kevin, Core James, Davis Roger 2001, "Voice and Data Security", SAMS, p. 11, password management and account management always go hand in hand to protect computing resources adequately. The issues are explained below:
• Default accounts
A default account has a common ID and password. For example, the ID is "admin" and the default password is "admin". This type of account can be cracked in a minute.
• Easily guessed or cracked passwords
The password only contains a birth date, a friend's name, a pet's name, etc. A weak password is the opposite of the guidelines for making a strong password given above.
• Accounts without passwords
This means having an account that has no password. This gives an attacker easy access to the computer with just the correct username.
• Shared accounts
A shared account is usually used by a group that performs a similar function. These accounts are typically discouraged because more than one user knows the password, which makes it more difficult to ascertain which user is actively using the account.
• Password aging
The password remains the same for a long period. An attacker can easily memorize the password and use it to log in to the computer.

2.1.11 Bank
There are around 130 banks located in Indonesia, listed below.

Bank Sentral
1 Bank Indonesia

Bank Persero (BUMN)
2 PT Bank Ekspor Indonesia (Persero)
3 PT Bank Negara Indonesia (Persero) Tbk.
4 PT Bank Rakyat Indonesia (Persero) Tbk.
5 PT Bank Tabungan Negara (Persero)
6 PT. Bank Mandiri (Persero) Tbk.

Bank Swasta: Bank Umum Swasta Nasional Devisa
7 PT Bank Agroniaga Tbk.
8 PT Bank Antardaerah (Surabaya)
9 PT Bank Arta Niaga Kencana (Surabaya)
10 PT Bank Artha Graha Internasional Tbk.
11 PT Bank Buana Indonesia Tbk.
12 PT Bank Bukopin
13 PT Bank Bumi Arta
14 PT Bank Bumiputera Indonesia Tbk.
15 PT Bank Central Asia Tbk.
16 PT Bank Century Tbk.
17 PT Bank Danamon Indonesia Tbk
18 PT Bank Ekonomi Raharja
19 PT Bank Ganesha
20 PT Bank Haga
21 PT Bank Hagakita (Surabaya)
22 PT Bank Halim Indonesia (Surabaya)
23 Bank IFI
24 PT Bank Internasional Indonesia Tbk
25 PT Bank Kesawan Tbk
26 PT Bank Lippo Tbk (Tangerang)
27 PT Bank Maspion Indonesia (Surabaya)
28 PT Bank Mayapada International Tbk
29 PT Bank Mega Tbk
30 PT Bank Mestika Dharma (Medan)
31 PT Bank Metro Express
32 PT Bank Muamalat Indonesia
33 PT Bank Niaga Tbk
34 PT Bank NISP Tbk
35 PT Bank Nusantara Parahyangan Tbk (Bandung)
36 PT Bank Permata Tbk
37 PT Bank Shinta Indonesia
38 PT Bank Swadesi Tbk
39 PT Bank Syariah Mandiri
40 PT Bank Windu Kentjana
41 PT Pan Indonesia Bank Tbk

Bank Swasta: Bank Umum Swasta Nasional Non Devisa
42 PT Anglomas Internasional Bank (Surabaya)
43 PT Bank Akita
44 PT Bank Alfindo
45 PT Bank Artos Indonesia (Bandung)
46 PT Bank Bintang Manunggal
47 PT Bank Bisnis Internasional
48 PT Bank Dipo International
49 PT Bank Eksekutif Internasional
50 PT Bank Fama Internasional (Bandung)
51 PT Bank Harda Internasional
52 PT Bank Harfa
53 PT Bank Harmoni International
54 PT Bank Himpunan Saudara 1906 (Bandung)
55 PT Bank Ina Perdana
56 PT Bank Index Selindo
57 PT Bank Indomonex
58 PT Bank Jasa Arta
59 PT Bank Jasa Jakarta
60 PT Bank Kesejahteraan Ekonomi
61 PT Bank Mayora
62 PT Bank Mitraniaga
63 PT Bank Multi Arta Sentosa
64 PT Bank Persyarikatan Indonesia
65 PT Bank Purba Danarta (Semarang)
66 PT Bank Royal Indonesia
67 PT Bank Sinar Harapan Bali (Denpasar)
68 PT Bank Sri Partha (Denpasar)
69 PT Bank Swaguna
70 PT Bank Syariah Mega Indonesia
71 PT Bank Tabungan Pensiunan Nasional (Bandung)
72 PT Bank UIB
73 PT Bank Victoria International Tbk
74 PT Bank Yudha Bhakti
75 PT Centratama Nasional Bank (Surabaya)
76 PT Liman International Bank
77 PT Prima Master Bank (Surabaya)

Bank Campuran
79 PT Bank Commonwealth
80 PT Bank BNP Paribas Indonesia
81 PT Bank Capital Indonesia
82 PT Bank DBS Indonesia
83 PT Bank Finconesia
84 PT Bank KEB Indonesia
85 PT Bank Maybank Indocorp
86 PT Bank Mizuho Indonesia
87 PT Bank Multicor
88 PT Bank OCBC Indonesia
89 PT Bank Rabobank Internasional Indonesia
90 PT Bank Resona Perdania
91 PT Bank UOB Indonesia
92 PT Bank Woori Indonesia
93 PT Bank China Trust Indonesia
94 PT Bank Sumitomo Mitsui Indonesia
95 PT Bank UFJ Indonesia

Bank Asing
96 ABN Amro Bank
97 American Express Bank Ltd.
98 Bank of America, N.A.
99 Bank of China Limited
100 Citibank N.A.
101 Deutsche Bank Ag.
102 JP. Morgan Chase Bank, N.A.
103 Standard Chartered Bank
104 The Bangkok Bank Comp. Ltd.
105 The Bank of Tokyo Mitsubishi Ufj Ltd.
106 The Hongkong & Shanghai B.C.

Bank Pembangunan Daerah
107 BPD Jambi (Jambi)
108 BPD Kalimantan Selatan (Banjarmasin)
109 BPD Kalimantan Timur (Samarinda)
110 BPD Sulawesi Tenggara (Kendari)
111 BPD Yogyakarta (Yogyakarta)
112 BPD Sumatera Barat (Padang)
113 PT Bank DKI (Jakarta)
114 PT Bank Lampung (Bandar Lampung)
115 PT Bank Kalteng (Palangka Raya)
116 PT BPD Aceh (Banda Aceh)
117 PT BPD Sulawesi Selatan (Makassar)
118 PT BPD Jawa Barat (Bandung)
119 PT BPD Kalimantan Barat (Pontianak)
120 PT BPD Maluku (Ambon)
121 PT BPD Bengkulu (Kota Bengkulu)
122 PT BPD Jawa Tengah (Semarang)
123 PT BPD Jawa Timur (Surabaya)
124 PT BPD Nusa Tenggara Barat (Mataram)
125 PT BPD Nusa Tenggara Timur (Kupang)
126 PT BPD Sulawesi Tengah (Palu)
127 PT BPD Sulawesi Utara (Manado)
128 PT BPD Bali (Denpasar)
129 PT BPD Papua (Jayapura)
130 PT BPD Riau (Pekanbaru)
131 PT BPD Sumatera Selatan (Palembang)
132 PT BPD Sumatera Utara (Medan)

Table 2-1 Links Banks in Jakarta, Version: 2004. Retrieved April 1, 2007 from http://www.bi.go.id/web/id/Links/daftarbank.aspx.htm

2.1.12 Protecting Information and Information Systems
According to Jill 2006, "Information Technology Security Risk and Management", p. 55, the security controls used to manage and contain the risks and threats posed to information resources are employed at different levels in an organization. Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability (C.I.A.) of the information system. To provide a secure information system so that business processes continue to operate smoothly, there are 3 kinds of controls:

2.1.12.1 Technical Controls
Technical controls are software and hardware controls aimed at preventing a risk event or detecting an attempted security breach. They include identification, authentication, access control, audit, accountability, and system and communication protection. Technical controls are grouped into:
• Supporting Technical Controls
Supporting controls are derived from the security policy of a business. The technical security control architecture consists of identification, cryptographic key management, security administration, and system protection.
• Preventive Controls
These controls limit violations of the information resources security policy. Preventive controls are based on 5 principles:
1. Authentication
Authentication proves the identity of a person and also ensures that the person is the correct/right receiver of particular information. Examples: smartcard, password, ID, etc.
2. Authorization
Authorization controls the ability to execute certain actions on particular data. Example: a data administrator has the right to allow a particular user to have rights to just read or edit files in the database.
3. Access control
Access control is controlling the employees' access to the system. Usually this control limits the access of employees based on the employee's role.
4. Non-repudiation
The identity of the receiver is known to the sender and vice versa.
5. Transaction privacy
This control ensures the confidentiality of information when doing a transaction.
• Detection and Recovery Controls
A detective control is a control for any wrongdoing in the business. If there is something wrong, the tools warn the organization. Detective security controls are invoked after the undesirable event has occurred. Examples of detective security controls are log monitoring and review, system audits, file integrity checkers, and motion detection. Besides these, corrective controls support recovery and prevent a recurrence. They are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples: a procedure to clean a virus from an infected system, a guard checking and locking a door left unlocked by a careless employee, and updating firewall rules to block an attacking IP address.

2.1.12.2 Management Controls
Managerial controls include managing the information resources and controlling the business processes conducted and the way employees contribute to the business process. Besides, they enforce the policies and guidelines that are followed to carry out the business processes and procedures towards attaining the business goals and missions.

2.1.12.3 Operational Controls
Operational controls are the process measures that ensure the technical and management controls work properly. They include segregation of duties (approval of changes, authorization to access internal systems allocated appropriately, and related requirements), version tracking, retention of audit trails around who changed what and when, reporting and monitoring requirements, and other controls.

2.1.13 Classes and Families of Security Controls
Note that there is a third popular taxonomy developed by the National Institute of Standards and Technology (NIST) and described in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families (Table 2-2 below). Within each security control family are dozens of specific controls.

CLASS: Management
FAMILY: Certification, Accreditation, and Security Assessments; Planning; Risk Assessment; System and Services Acquisition

CLASS: Operational
FAMILY: Awareness and Training; Configuration Management; Contingency Planning; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Information Integrity

CLASS: Technical
FAMILY: Access Control; Audit and Accountability; Identification and Authentication; System and Communications Protection

Table 2-2 NIST Security Control Classes and Families. Retrieved April 30, 2007 from http://www.giac.org/resources/whitepaper/operations/207.php

2.2 Theory Framework

2.2.1 Research Method
Retrieved April 22, 2007, from http://www.socialresearchmethods.net/kb/: research is defined as a human activity based on intellectual investigation and aimed at discovering, interpreting, and revising human knowledge on different aspects of the world. It can be scientific or not scientific.

2.2.1.1 What is the Research Methods Knowledge Base?
Retrieved April 22, 2007, from http://www.socialresearchmethods.net/kb/: the Research Methods Knowledge Base is a complete web-based textbook / e-book that addresses all of the topics in a typical introductory undergraduate or graduate course in social research methods. It covers the entire research process including: formulating research questions; sampling (probability and non-probability); measurement (surveys, scaling, qualitative, unobtrusive); research design (experimental and quasi-experimental); data analysis; and writing the research paper. It also addresses the major theoretical and philosophical underpinnings of research including: the idea of validity in research; reliability of measures; and ethics.

2.2.1.2 Research Methodology
• Action Research is research that each of us can do on our own practice, that "we" (any team or family or informal community of practice) can do to improve its practice, or that larger organizations or institutions can conduct on themselves, assisted or guided by professional researchers, with the aim of improving their strategies, practices, and knowledge of the environments within which they practice.
• Experience as a general concept comprises knowledge of or skill in or observation of some thing or some event gained through involvement in or exposure to that thing or event.
• Statistical Analysis is a mathematical science pertaining to the collection, analysis, interpretation or explanation, and presentation of data.
• Statistical Survey also refers to questionnaires; it is used to collect quantitative information about items in a population. There are 2 types of questions: close-ended questions and open-ended questions.
Generally, research is understood to follow a certain structural process. Though the step order may vary depending on the subject matter and researcher, the following steps are usually part of most formal research, both basic and applied: formation of topic, hypothesis, conceptual definition, gathering data, analysis of data, and conclusion.

2.2.2 Advantages and Disadvantages of Surveys
The advantages and disadvantages of surveys are explained below. Retrieved March 28, 2007 from http://writing.colostate.edu/guides/research/survey/com2d1.cfm.

2.2.2.1 Advantages
• Surveys are relatively inexpensive (especially self-administered surveys).
• Surveys are useful in describing the characteristics of a large population. No other method of observation can provide this general capability.
• They can be administered from remote locations using mail, email or telephone.
• Consequently, very large samples are feasible, making the results statistically significant even when analyzing multiple variables.
• Many questions can be asked about a given topic, giving considerable flexibility to the analysis.
• There is flexibility at the creation phase in deciding how the questions will be administered: as face-to-face interviews, by telephone, as group-administered written or oral surveys, or by electronic means.
• Standardized questions make measurement more precise by enforcing uniform definitions upon the participants.
• Standardization ensures that similar data can be collected from groups and then interpreted comparatively (between-group study).
• Usually, high reliability is easy to obtain: by presenting all subjects with a standardized stimulus, observer subjectivity is greatly eliminated.

2.2.2.2 Disadvantages
• A methodology relying on standardization forces the researcher to develop questions general enough to be minimally appropriate for all respondents, possibly missing what is most appropriate to many respondents.
• Surveys are inflexible in that they require the initial study design (the tool and administration of the tool) to remain unchanged throughout the data collection.
• The researcher must ensure that a large number of the selected sample will reply.
• It may be hard for participants to recall information or to tell the truth about a controversial question.
• As opposed to direct observation, survey research (excluding some interview approaches) can seldom deal with "context."

2.2.3 Questionnaire
According to Fraenkel, Jack R. and Wallen, Norman E. 2005, "How to Design and Evaluate Research in Education", McGraw-Hill, p. 126, these are the advantages and disadvantages of using a questionnaire in collecting data.

2.2.3.1 Advantages
• It is a good method for collecting a large amount of data.
• Because there is electronic mail, the author can easily distribute the questionnaire through email and get the respondents' opinions in a short time.
• Most questionnaires can be answered in a short time.
• Low cost for gathering a large amount of data.
• Responses can be tabulated and analyzed quickly.

2.2.3.2 Disadvantages
• Unclear questions cannot be clarified, so the author has to build a good questionnaire design.
• The number of responses is low.
• It is impossible to analyze the respondents' body language.
• The results of a good questionnaire are difficult to predict because there is no guarantee that each individual will answer or expand on all the questions correctly.

2.2.4 Types of Questionnaire
As stated in Whitten, Jeffrey L., Bentley, Lonnie D. and Dittman, Kevin C. 2000, "System Analysis and Design Methods", McGraw-Hill, there are several types of questionnaire:
o Box questionnaires, where the respondents are given 2 choices, a yes or no answer. For example: Do you use an ID and password to access the computer?
Yes No o Short answer questionnaire, the participant just answering why question and let them write their reasons Assuming that you understand the important of security system, do you need security device to lock the monitor automatically whenever you leave your PC? Yes, Why? __________________________________________ No, Why? __________________________________________ o Ranking questions, the respondents are given to rank himself /herself whether she he / she is strongly agree (SA), agree (A), abstain (ABS), disagree (DA) or strongly disagree (SDA) of that particular statement. No. Statement 1 In my opinion, system security in an office is very important to protect critical data. SDA DA ABS A SA 2.2.5 Steps Built Good Questionnaire Below are the procedures or steps in order to build a good questionnaire: (Meaning of good design is there is not any ambiguity questions, so what the participants understand about the questions is the same with the author perspective) according to Whitten, jefru L.bentley, Loonie D. and Dittman, Kevin C 2000 “System Analysis and Design Method”, McGraw-Hill 36 • Determine what facts and opinion must be collected and from whom you should get them. • Based on the needed facts and opinions, determine whether free- or fixedformat questions will produce the best answer • Write the questions • Test the question on small of respondents • Duplicate and distribute the questionnaire. 2.2.6 Sampling Method According to Bartlett, Kotrlik, and Higgins (2001) published a paper titled “Organizational Research: Determining Appropriate Sample Size in Survey Research Information Technology, Learning, and Performance Journal”. There are 2 sampling method: 2.2.6.1 Simple Random Sampling Simple random sampling is sample selected in such a way that every possible sample with the same number of observations is equally likely to be chosen. 
2.2.6.2 Sampling Error and Non-Sampling Errors
Sampling error refers to differences between the sample and the population that exist only because of the observations that happened to be selected for the sample. Non-sampling errors are due to mistakes made in the acquisition of data or due to the sample observations being selected improperly.

2.2.7 Sample Size (n)
Sample size is one of the four inter-related features of a study design that can influence the detection of significant differences, relationships or interactions (Peers, 1996). Bartlett, Kotrlik, and Higgins (2001) published a paper titled "Organizational Research: Determining Appropriate Sample Size in Survey Research" in the Information Technology, Learning, and Performance Journal that provides an explanation of Cochran's (1977) formulas. As part of this discussion, considerations for the appropriate use of Cochran's (1977) sample size formula for both continuous and categorical data are presented.

2.2.7.1 Continuous Data
A set of data is said to be continuous if the values or observations belonging to it may take on any value within a finite or infinite interval. You can count, order and measure continuous data. Examples are height, weight, temperature, the amount of sugar in an orange, and the time required to run a mile.

2.2.7.2 Categorical Data
A set of data is said to be categorical if the values or observations belonging to it can be sorted according to category. Each value is chosen from a set of non-overlapping categories. For example, shoes in a cupboard can be sorted according to color: the characteristic 'color' can have the non-overlapping categories 'black', 'brown', 'red' and 'other'. Every value should belong to one and only one category, and there should be no doubt as to which one.
Variance estimation:

$$ s = \frac{\text{number of points on the scale}}{\text{number of standard deviations}} $$

$$ n_0 = \frac{t^2 \cdot (p)(q)}{d^2} $$

$$ n_1 = \frac{n_0}{1 + n_0 / \text{Population}} $$

where:
t = value for the selected alpha level
s = estimate of the standard deviation in the population
d = acceptable margin of error for the mean being estimated
(p)(q) = estimate of variance (the maximum possible proportion (0.5) times 1 minus the maximum possible proportion (0.5) produces the maximum possible sample size)
n0 = required return sample size according to Cochran's formula
n1 = required return sample size because the sample is more than 5% of the population

Table 2-3 Sample Size. Retrieved April 7, 2007 from http://www.osra.org/itlpj/bartlettkotrlikhiggins.pdf

2.2.8 Sampling and Data Collection
Good data collection involves:
• Following the defined sampling process
• Keeping the data in time order
• Noting comments and other contextual events
• Recording non-response

2.2.9 Important Factors When Building a Solution
Retrieved May 4, 2007 from http://www.virtualsalt.com/creative.htm. To build a proper and acceptable solution, there are some important factors to consider:

Successful
• Solves the Problem Effectively
The solution achieves the goals and meets the requirements well. Many solutions are only partial; the degree to which the solution works and the degree of superiority are also important parts of this measure.
• Meets Constraints
The solution should meet the constraints of the problem. For example, it should be on time, under budget and meet the required specification.
• Acceptable to Users
The solution is agreeable to those who must implement it, to society, and to those affected by it. Acceptance is a perceptual, emotional, and psychological phenomenon, as well as an intellectual and experiential one. It is crucial to think beyond the engineering, beyond the technology, when deciding whether the solution is or will be successful.
One may have invented a high-tech security device, but if no one will use it, it is not a successful solution.

Efficient
• Good Cost/Benefit Ratio
The solution is economical; the solution has to be worth it. Money exists in finite amounts, and all solutions must compete with each other for these limited resources.
• Practical
The solution is logical, useful, systematic, understandable, "do-able," not overly difficult or complex for the intended benefits. It is as simple and direct as possible for the desired outcome.
• Reliable
The solution will continue to work over time with a high degree of reliability, consistency, and effectiveness. Dependability is at the core of user satisfaction.

New
• Original
The solution is innovative, breaking new ground.
• Surprising
The solution is unusual, out of the ordinary lines of thought.
• Seminal
The solution provides the foundation for further, similar solutions and opens new vistas for further development. It represents a beginning, a new line of inquiry, with the promise of a future.

Coherent
• Unified
Solutions that involve a clear (and perhaps even simple) conceptual design are most likely to emerge as unified.
• Refined
The solution is synergetic, high quality, good, well-designed, well-crafted, well-executed. The best solutions have usually passed through several iterations of the refinement process before being implemented. (Of course, refinement continues after the solution collides with the "real world" as well.)
• Esthetic
The solution is artistic, attractive, beautiful, enduring, timeless, and likable. Many a great technology has failed because it was put into an ugly plastic shell.
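Returning to the sample size formulas of section 2.2.7, the following is an added worked example (not code from the thesis or from Bartlett et al.) that computes n0 and n1 for both categorical and continuous data. The population of 1000, the 5-point scale with 4 standard deviations and the margin of error of 3% of the scale range are assumed inputs; the continuous variant, which uses s² in place of (p)(q), is taken from Bartlett et al. (2001) and is not shown on the page.

```python
import math

# Added example (not from the thesis or Bartlett et al.): Cochran's sample size
# formulas as defined in section 2.2.7, with the finite population correction.


def cochran_n0_categorical(t: float, p: float, d: float) -> float:
    """n0 = t^2 * (p)(q) / d^2 with q = 1 - p (the page's categorical formula)."""
    q = 1.0 - p
    return (t ** 2) * p * q / (d ** 2)


def scale_std_estimate(scale_points: int, num_std_devs: float) -> float:
    """s = number of points on the scale / number of standard deviations."""
    return scale_points / num_std_devs


def cochran_n0_continuous(t: float, s: float, d: float) -> float:
    """Continuous-data variant: s^2 replaces (p)(q) (Bartlett et al., 2001)."""
    return (t ** 2) * (s ** 2) / (d ** 2)


def finite_population_correction(n0: float, population: int) -> float:
    """n1 = n0 / (1 + n0 / Population)."""
    return n0 / (1.0 + n0 / population)


def required_sample(n0: float, population: int) -> int:
    """Whole-number sample to collect; n1 is applied only when n0 exceeds 5% of the population."""
    n = n0 if n0 <= 0.05 * population else finite_population_correction(n0, population)
    return math.ceil(n)


if __name__ == "__main__":
    # Constructed inputs: alpha = 0.05 (t = 1.96), maximum variance p = q = 0.5,
    # margin of error d = 0.05, assumed population of 1000 respondents.
    n0_cat = cochran_n0_categorical(1.96, 0.5, 0.05)        # 384.16
    print("categorical n0 =", round(n0_cat, 2), "collect =", required_sample(n0_cat, 1000))

    # Five-point scale (SDA..SA from 2.2.4), 4 standard deviations spanning the range,
    # margin of error 3% of the 5-point range (assumed, following Bartlett et al.).
    s = scale_std_estimate(5, 4)                              # 1.25
    n0_cont = cochran_n0_continuous(1.96, s, 0.03 * 5)        # 266.78
    print("continuous n0 =", round(n0_cont, 2), "collect =", required_sample(n0_cont, 1000))
```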