TR No. CIT/55/2003

PROGRESS REPORT ON DEVELOPMENT OF "INVESTIGATIONS THEORY OF PKI" AND ITS APPLICATION TO AUSTRALIAN INFORMATION SYSTEMS

Sashi Nand, Rushmore University, USA
Bhuvan Unhelkar, PhD, FACS, SCIT, University of Western Sydney

Abstract

This paper reports on the development of a theory to investigate public key infrastructure (PKI) technology and its application to Australian information systems. A review of the literature identified the lack of fundamental theories to guide the launch of new PKI-related ideas into the practical world as one of the main reasons for the disappointing results and limited use of PKI. Hence, to increase the growth of PKI, a theory called "Investigations Theory of PKI (INVESTPKI)" is being developed as part of the lead author's PhD research. This paper presents the progress of that research in developing the INVESTPKI theory. It also discusses a framework for testing INVESTPKI and future research directions.

Keywords Public key infrastructure (PKI), Security, Trust, Investigations Theory of PKI (INVESTPKI)

INTRODUCTION

This paper discusses the development of a theory of investigations into Public Key Infrastructure (PKI) and its application to Australian information systems. The importance of PKI and, in general, of security cannot be overstated. Security is one of the crucial aspects of information systems, and more so in the Internet age, because the identity of the user on the other side of the Internet is not discernible by the usual means. This is shown quite appropriately by Steiner's popular 1993 cartoon of a dog sitting at a computer saying: "On the Internet, nobody knows you're a dog" (Steiner, 1993). Trust is the very simple idea that has held back Internet commerce. Trust is the catalyst and also an essential element for increasing e-commerce (Montague, 2002). We believe the system of PKI provides the missing piece of the security jigsaw puzzle, that is, trust (Zampetakis, 2001). The primary author of this paper has undertaken detailed PhD-level research to identify the issues related to security and PKI. As was correctly highlighted by Nikki Waters (former chairperson of the Australian Computer Society), "I think everyone is struggling with the area of security of personal information which is addressed somewhat by implementation of PKI, but I don't think anyone understands how it all works from a process point of view". Furthermore, the acknowledged Australian guru of PKI, Roger Clarke, states "far from being of assistance to the progress of e-business, PKI infrastructure to support digital signatures has been so badly handled that it is now considered a serious impediment" (Clarke, 2003). To address this widely shared concern, this paper starts by creating a simple understanding of PKI. The aim is to make it possible for everyone to understand PKI. In addition to the theoretical lacunae, there is an equal dearth in the applications of PKI.

As Datamonitor, a UK-based market research company, found in a recent study, "the market for PKI solutions has been notable in the past two years for its limited growth" (Datamonitor, 2002). To our minds, one of the reasons for these disappointing results and limited growth is the lack of fundamental theories to guide the launch of new PKI-related ideas into the practical world. Therefore, to provide a compass to guide the growth of PKI, we have developed the Investigations Theory of PKI (INVESTPKI). We have also provided a framework for testing INVESTPKI.

PKI IN SIMPLE LAY TERMS

What exactly is PKI? The acronym literally means 'Public Key Infrastructure'. The term 'Public Key' is the more common name for asymmetric cryptography. Suffice it to say that PKI is named for a particular type of cryptography. Security today between computers is achieved through cryptography, which is also called an 'Infrastructure' (Austin, 2001, p.6). What exactly is cryptography? Cryptography is a word based on two Greek words: kryptos and graphos. Kryptos can be translated as hidden, or secret, while graphos can be translated as writing. Hence, cryptography literally means secret writing, or the art of secret writing. Cryptography, therefore, refers to techniques for writing secret messages that only the recipient can decode to understand the message. To illustrate the cryptography concepts, look at your house key. In the early days, house keys typically had one large notch at the end. This meant that someone trying to break into your house only had to work out the shape of one notch and manufacture something to emulate it to gain access, as shown in figure 1 below.

Figure 1: House key in the good old trusting society

Your house key these days has a series of notches with different shapes, depths and positions. Someone now trying to break into your house has to work out and manufacture the combination of all these notches to exactly match the shape, depth and position as shown in figure 2 below.

Figure 2: House key in the new non-trusting society

A key in cryptography works on the same principle. The notches are referred to as “bits”, which have 2 states: they are either “On =1” or “Off = 0”. The more bits you have in your cryptography key (referred to as the key length) the harder it is to break. An attacker now has to work out the pattern of these bits and their state. The more bits there are, the more possible combinations there are, therefore the harder the correct sequence is to discover and replicate as shown in figure 3 below.

Figure 3: Key in cryptography

Cryptography is used to protect messages during transmission from one point, system, or computer to another. Modern cryptography generally uses one of two techniques. Symmetric, or Secret Key Encryption (SKE), requires identical keys at the sender's and receiver's locations. The sender and receiver can then send secure messages back and forth. However, the difficulty now lies in transporting the secret keys between each pair of people who wish to communicate securely. Asymmetric encryption, or Public Key Encryption (PKE), uses two different but mathematically related keys. Provided one key is kept secret (the Private key), the other can be disclosed (the Public key) without decreasing the protection available (www.commbank.com.au). How does cryptography help you? Asymmetric cryptography provides the security. Security implies protective safeguards to ensure that data in transit are not tampered with or disclosed before delivery to the intended recipient, as shown in figure 4 below.

Figure 4: Public Key Infrastructure – A simple version for non PKI specialists

PKI is a series of processes and technologies for associating cryptographic keys with the entity to whom those keys were issued.

Scenario: Author 1 (A1) is the sender of the InfoSecurity03 conference paper; Author 2 (A2) is its receiver.

1. Both parties obtain a digital certificate: A1 and A2 download a digital certificate (private and public key) from a Certification Authority (CA), e.g. VeriSign at www.verisign.com, for a small fee of say $14.95 per certificate per year.
   1.1 A1 wants to be able to send secure email containing the InfoSecurity03 conference paper to A2.
   2.1 A2 wants to be able to receive the secure email containing the InfoSecurity03 conference paper from A1.

2. The public key is made public; the private key is kept private.
   1.2 A1 emails his copy of the digital certificate (public key only) to A2 but keeps his private key to himself.
   2.2 A2 emails a copy of her digital certificate (public key only) to A1 but keeps her private key to herself.

3. The public key is used by the sender for encryption.
   1.3 A1 encrypts the conference paper with A2's public key. The conference paper has now become cipher text – unreadable text.

   The private key is used by the receiver for decryption of the conference paper.
   2.3 A2 decrypts the conference paper with her private key. The conference paper has now become deciphered text – readable text.

In the simplest use of public key cryptography, the sender encrypts a message using the recipient's public key, and then sends it over the Internet. The only person who can decrypt this message is the recipient, using his or her private key. However, this simple case does not ensure confidentiality or an authentic message. A more realistic use of public key cryptography uses hash functions and digital signatures to both ensure the confidentiality of the message and authenticate the sender. The only person who could have sent the message is the owner of the private key used to sign it, which authenticates the message. The hash function ensures the message was not altered in transit. As before, the only person who can decipher the message is the recipient, using their private key. A hash function is an algorithm that produces a fixed-length number called a hash or message digest. A digital signature (e-signature) is the signed cipher text that can be sent over the Internet. Public key encryption is computationally slow, and transmitting large files with it can take a long time. However, this weakness is overcome by the digital envelope technique, which uses symmetric encryption for large documents but public key encryption to encrypt and send the symmetric key. There are still some deficiencies in the message security regime described above. How do you know that people and institutions are who they claim to be? In the physical world, if someone asks who you are, you show your ID. Similarly, in the digital world we need a way to know who people and institutions really are. Digital certificates, and the supporting public key infrastructure, are an attempt to solve this problem of digital identity.

A digital certificate is a digital document issued by a trusted certification authority (CA) that contains the name of the subject or company, the subject's public key, a digital serial number, an expiration date, an issuance date, the digital signature of the CA (the name of the CA encrypted using the CA's private key), and other identifying information. A certification authority is an institution, also called a "trusted third party", that issues digital certificates. Therefore, public key infrastructure (PKI) refers to the certification authorities and digital certificate procedures that are accepted by all parties (Laudon and Traver, 2001). In short, on the Internet PKI provides the trust (confidentiality, authentication, integrity and non-repudiation) and cryptography provides the security.
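As an added worked example (not code from the paper or its authors), the Python below walks through the Figure 4 exchange, the digital envelope, the hash-plus-signature check and the certificate fields listed above in one self-contained toy. The RSA keys are built from fixed, constructed Mersenne primes, the symmetric cipher is a SHA-256 XOR keystream, and the party names A1, A2 and the "Toy CA" issuer are assumptions; everything here is a readability stand-in for real algorithms, not a usable cryptosystem.

```python
import hashlib
import os

# Constructed toy key material: a pair of known Mersenne primes per party.
PRIMES = {"A1": (2**31 - 1, 2**61 - 1),      # sender of the paper
          "A2": (2**89 - 1, 2**107 - 1),     # receiver of the paper
          "CA": (2**127 - 1, 2**521 - 1)}    # certification authority
E = 65537

def make_keypair(party):
    """Textbook RSA from the fixed primes; returns (public, private) as ((n, e), (n, d))."""
    p, q = PRIMES[party]
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)                          # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def rsa_apply(key, value):
    """Modular exponentiation: the (n, e) half encrypts/verifies, the (n, d) half decrypts/signs."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def digest64(data):
    """Fixed-length message digest, truncated to 64 bits so it fits under the smallest toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(private_key, message):
    """Only the holder of the private key can produce this value for the message digest."""
    return rsa_apply(private_key, digest64(message))

def verify(public_key, message, signature):
    """Anyone holding the matching public key recomputes the digest and compares."""
    return rsa_apply(public_key, signature) == digest64(message)

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def seal_envelope(recipient_public, sender_private, paper):
    """Digital envelope: symmetric key for the bulk paper, RSA for the key, signature for authenticity."""
    session_key = os.urandom(8)                  # fresh 64-bit key, fits under the modulus
    return {"wrapped_key": rsa_apply(recipient_public, int.from_bytes(session_key, "big")),
            "ciphertext": stream_xor(session_key, paper),
            "signature": sign(sender_private, paper)}

def open_envelope(recipient_private, sender_public, envelope):
    """Receiver unwraps the key with her private key, decrypts, then checks the sender's signature."""
    session_key = rsa_apply(recipient_private, envelope["wrapped_key"]).to_bytes(8, "big")
    paper = stream_xor(session_key, envelope["ciphertext"])
    if not verify(sender_public, paper, envelope["signature"]):
        raise ValueError("signature check failed: altered in transit or not from the claimed sender")
    return paper

def cert_body(cert):
    """Canonical bytes the CA signs: every field except the CA's own signature."""
    return repr(sorted((k, v) for k, v in cert.items() if k != "ca_signature")).encode()

def issue_certificate(ca_private, subject, subject_public, serial, issued, expires):
    """CA binds a subject name to a public key using the fields listed in the text (ISO date strings)."""
    cert = {"subject": subject, "public_key": subject_public, "serial": serial,
            "issued": issued, "expires": expires, "issuer": "Toy CA"}
    cert["ca_signature"] = sign(ca_private, cert_body(cert))
    return cert

def verify_certificate(ca_public, cert, today):
    """Relying party checks the CA's signature and the validity period before trusting the key."""
    return (cert["issued"] <= today <= cert["expires"]
            and verify(ca_public, cert_body(cert), cert["ca_signature"]))

def demo():
    """Run the Figure 4 exchange end to end and report what the receiver observes."""
    a1_public, a1_private = make_keypair("A1")
    a2_public, a2_private = make_keypair("A2")
    ca_public, ca_private = make_keypair("CA")
    paper = b"InfoSecurity03 conference paper (constructed sample text)"
    cert = issue_certificate(ca_private, "Author 2", a2_public, 1001, "2003-01-01", "2004-01-01")
    envelope = seal_envelope(cert["public_key"], a1_private, paper)
    # Flip one ciphertext bit: the digest no longer matches, so the signature check fails.
    tampered = dict(envelope, ciphertext=bytes([envelope["ciphertext"][0] ^ 1]) + envelope["ciphertext"][1:])
    try:
        open_envelope(a2_private, a1_public, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"cert_valid": verify_certificate(ca_public, cert, "2003-09-01"),
            "roundtrip_ok": open_envelope(a2_private, a1_public, envelope) == paper,
            "tamper_detected": tamper_detected}
```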

PKI IN PRACTICE

PKI is already extensively deployed, albeit in the very basic form of the Secure Sockets Layer (SSL) protocol, behind most of the electronic commerce applications in use today (Deitel, Deitel and Steinbuhler, 2001). These are in the main straightforward and relatively simple to protect, but more sophisticated applications are beginning to emerge. Is PKI developing in the right direction to cope with such sophistication? PKI is the obvious choice for large scale integrated authentication and protection of communications, and offers as a bonus the capability of digitally signed transactions. At the national level noteworthy PKI initiatives include Canada (Government of Canada PKI-GOCPKI); USA (Federal PKI-FPKI: FBCA Model); UK (tScheme); and Australia (Gatekeeper). Regional level PKI initiatives include Asia-Pacific Economic Co-operation (Electronic Authentication Task Group) and Europe (European Union Directive). Sectoral level PKI initiatives include Health (HIPAA); Finance (BITS, SETCo, Identrus); and IT security (PKIF) (Ford and Baum, 2001). In Australia, the Federal Government's public key infrastructure is called Gatekeeper. Gatekeeper was launched in 1998 to drive public and business confidence in e-commerce. So far the Australian Taxation Office (ATO) is the only department to fully adopt PKI for electronic submission of income tax returns and other statutory documents. ATO implemented PKI in the belief that it is the most secure way of transmitting data. PKI is also used in other areas such as e-Tendering, e-Health and e-Defence.

Australian Customs too is ready to implement Gatekeeper in the near future, which will use PKI to identify parties communicating through its new Customs Connect Facility Gateway and assure the integrity of messages. The concept of 'fitness for purpose' is important and PKI is not necessarily appropriate for every organisation. Centrelink has not gone down the PKI route after assessing its needs and the benefits for its clients. There are situations where it is absolutely right to use PKI, but it comes at a cost. According to the head of the National Office for the Information Economy's (NOIE) regulatory group, Keith Besgrove, "the take-up for PKI in Australia and other countries has been somewhat slower than people originally thought. However, it is fair to say no one has come up with a clear alternative and the persistence of interest in PKI around the world reflects the fact it is still probably the best available set of online authentication technologies" (Dearne, 2003). In reality, PKI products have not yet lived up to their promise. Yes, PKI does have the capability of providing confidentiality, integrity, authentication and non-repudiation, but as currently configured it has significant disadvantages. Firstly, although PKI is a unique and powerful technology, the business model which current deployments are based on has so far only been suitable for closed communities of users. Secondly, the public key certificate, which contains the information that relying parties use to decide whether to accept a transaction or not, is too much of a blunt instrument, often failing to give them the information they need to make their decision. Finally, it is complex and costly.

INVESTIGATIONS THEORY OF PKI (INVESTPKI)

Despite its costs and complexity, we believe that laying down a sound theoretical framework, which can be combined with sound business practice and a sound technological infrastructure, can increase the use of PKI. Hence we have developed the Investigations Theory of PKI (INVESTPKI), which is really about the practice of PKI. There is no definite meaning given to the term 'theory' and there are many views on what constitutes a theory. We have used the standard or orthodox view to construct INVESTPKI. According to this view, phenomena exist in the real world (P-Field). Observation of these phenomena leads to abstractions by an individual's reason (C-Field) (Staunton, 1976). A theory begins in the 'unreal' world of abstraction, that is, in the human mind (C-field). In order for it to be useful, a theory must eventually relate to the 'real' world, the world of experience (P-field). The three types of relationship in the theoretical structure are:

• Syntactics - rules of language. If the theory is expressed in English, the relationship refers to the rules of grammar; if the theory is mathematical, it refers to the rules of mathematics.

• Semantics - rules of correspondence or operational definitions, which link the concepts to objects in the real world. Semantics concern the relationship of a word, sign or symbol to a real world object or event. It is the semantic relationships that make a theory realistic and meaningful.

• Pragmatics - the effect of words or symbols on people. We are interested in how concepts and their measured correlations in the real world affect people's behaviour.

According to INVESTPKI, the first step is to identify the PKI research problem in the P-Field through observation of the use of PKI in the real world. The next step is to develop the conceptual and theoretical structure, including the causal links and chains, and to state the hypothesis (H). To write the hypothesis, one can simply use the English language, stating the relationship of each hypothesis and whether the variables are directly or indirectly related. The effect on the stakeholders of the corporation also has to be shown. The overall theory of INVESTPKI can be viewed as a set of principles for the purpose of enhancing the growth and acceptance of PKI.

FRAMEWORK FOR TESTING INVESTPKI

The basis for testing INVESTPKI can be scientific. An empirical research program based on the inductive-deductive approach developed by Abdel-Khalik and Ajinkya is being used to test INVESTPKI (Godfrey, Hodgson and Holmes, 1997). The testing of INVESTPKI involves the following eight stages. (Please note: a questionnaire for the same has been developed and sent out; this questionnaire is attached in Appendix 1. To date insufficient responses have been received to process and analyse the collected data and to evaluate the results.)

Stage 1: Identify a research problem by observation

• PKI is one of the remedies to e-business security problems. An examination is being made of the following six factors influencing the use of PKI technology in Australia:

(i) Environment - includes security, globalisation, market competition, regulating forces, telecommunications, political influence.

(ii) Organisation - includes corporate governance, management, organisational structure, and resources.

(iii) Business strategy - includes strategic planning, business process reengineering, total cost of ownership, return on investment.

(iv) IT strategy - includes strategic planning, system development, system maintenance, technological risk, complexity of PKI.

(v) PKI technology - includes necessity of trust, PKI initiatives, PKI availability, and PKI success stories.

(vi) People - includes PKI skills, PKI training and dissemination of information, employee culture.

Stage 2: Develop the conceptual and theoretical structure, including causal links and chains

• To develop a rationale as to why firms do or do not use PKI. The study would test the effect of some selected independent variables on the use of PKI.

• Two independent variables which influence the use of PKI are industry type (service or non-service) and the number of years of IT experience. The dependent variable is the level of usage of PKI.

Stage 3: Operationalise the theoretical constructs and relationships and state the specific hypotheses to be tested

• Two hypotheses that can be tested are as follows:

Hypothesis 1: We expect to see higher use of PKI technology in the service industry compared with the non-service industry.

Hypothesis 2: We expect to see greater use of PKI technology in organisations that have a greater number of years of IT experience.

Stage 4: Construct the research design

• The survey research method can be adopted as one of the methods for obtaining data from organisations Australia wide.

Stage 5: Implement this design by sampling and gathering data

• A sample of Australian companies from at least one service industry and one non-service industry can be selected and company details recorded using a database.

Stage 6: Analyse observations in order to test each hypothesis

• Descriptive statistics and the Chi-Square test can be used to process and analyse the collected data using Microsoft Excel together with PHStat, a Prentice Hall statistical add-in for Excel.

• Descriptive statistics - Frequency distributions of all responses to the national survey can be recorded using simple tabulations and cross tabulations on the Microsoft Excel spreadsheet.

• Chi-Square Test - Hypotheses 1 and 2 can be tested using the Chi-Square Test together with PHStat. This test involves comparison of actual frequency with expected frequency.

Stage 7: Evaluate the results

• Determine whether or not the results support the INVESTPKI theory.

Stage 8: Consider the specific limitations and constraints

• Referring to the procedures undertaken in Stages 1-7, determine whether there are any limitations to the way the theory was developed or tested, and whether any refinements of the theory appear warranted. If the answer is 'yes' to either question, then return to the appropriate stage and attempt to remedy the limitation.

CONCLUSION

People, in general, do not support concepts and practices they cannot understand. And it is as simple as this: if people do not feel secure, they simply will not take on e-commerce. Security without trust is wasted, and trust without security is foolhardy. Thus, in the broadest sense, a PKI is intended to provide trust systemically, and confidence not only in a particular message but in the system that produced and transmitted it. In the context of e-commerce, trust is critical (DeMaio and Marcia, 2001). Theories play an important role in understanding and changing the world. This paper developed the Investigations theory of PKI far from the footsteps of humans. The next step is to test the hypotheses stated in this paper to check the reality of PKI usage and refine the INVESTPKI theory. People dealing with information security systems never rest, because security is an unending mission. What was unthinkable years ago is now a trend: Experimental Computer Science has arrived. Our sincere hope is that it will continue and that through experimentation we will enjoy a renaissance in the interaction of theory and practice (Wood, 1997). PKI is to cryptography as gasoline is to cars. One fuels the other. We hope the INVESTPKI theory will be the fuel injector that speeds up PKI's growth and illuminates the PKI phenomenon by practical experience, by trial and error, followed by intelligent retrial and eventual success.

FUTURE WORK

The authors intend to test the INVESTPKI theory by selecting one specific service industry - Health Care - and one specific non-service industry - Mining, Oil and Gas.

REFERENCES

Austin, T. (2001) PKI: A Wiley Tech Brief, John Wiley & Sons, USA.

Clarke, R. (2003) Annotated Bibliography of Roger Clarke's Papers on Electronic Commerce, URL http://www.anu.edu.au/people/Roger.Clarke/EC/AnnBibl.html, Accessed 01 Aug 2003.

Datamonitor (2002) PKI: Re-positioning the product in light of disappointing market revenues, URL http://www.datamonitor.com/technology, Accessed 21 Aug 2002.

Dearne, K. (2003, April 22) Gatekeeper goes missing, The Australian: IT Today, p.1.

Deitel, H.M., Deitel, P.J. and Steinbuhler, K. (2001) e-Business & e-Commerce for Managers, Prentice Hall, USA.

DeMaio, H. and Marcia, O. (2001) e-Commerce Security: Public Key Infrastructure: Good Practices for Secure Communications, Information Systems Audit and Control Foundation, USA.

Ford, W. and Baum, M.S. (2001) Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption, (2nd ed.), Prentice Hall, USA.

Godfrey, G., Hodgson, A. and Holmes, S. (1997) Accounting Theory, (3rd ed.), John Wiley & Sons, Australia.

Housley, R. and Polk, T. (2001) Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure, John Wiley & Sons, USA.

Laudon, K.C. and Traver, C.G. (2001) E-Commerce: business.technology.society., Addison Wesley, USA.

Montague, N. (2002, October) A question of e-trust? CA Charter, 70-71.

Nash, A., Duane, W., Joseph, C. and Brink, D. (2001) PKI: Implementing and Managing E-Security, Osborne/McGraw-Hill, USA.

Ross, E., Mirowsky, J. and Pribesh, S. (2000, August) Powerlessness and the Amplification of Threat: Neighborhood Disadvantage, Disorder, and Mistrust, American Sociological Review, 66(4), 568-587.

Staunton, J.J. (1976) Theory Construction and Verification in Accounting, University of New England, Australia.

Steiner, P. (1993) The New Yorker Collection, URL http://www.cartoonbank.com, Accessed 15 May 2003.

VeriSign, URL www.verisign.com/product/pki, Accessed 20 September 2003.

Wood, D. (1997) WIA and Theory and Practice, Second International Workshop on Implementing Automata, WIA'97, London, Ontario, Canada, September, 1-6.

Commonwealth Bank, URL www.commbank.com.au/NetBank/Security/TBC-Cryptography, Accessed 28 August 2003.

Zampetakis, H. (2001, September) The Security Jigsaw: Who can you rely on in the evolving e-security industry? Managing Information Strategies Special Report, 4-6.

ACKNOWLEDGEMENTS

The authors would like to acknowledge the comments and feedback provided by many reviewers of this paper. We gratefully acknowledge Teri Kempe for her excellent secretarial services. Finally, we thank Gai Scott for her editorial efforts.

APPENDIX 1: QUESTIONNAIRE

FACTORS INFLUENCING USE OF PUBLIC KEY INFRASTRUCTURE TECHNOLOGY IN AUSTRALIA

Please rate the significance of each of the following factors, which you believe influences the use of Public Key Infrastructure (PKI) technology in an organisation. Please use the following significance rating scale and circle the appropriate response column.

1 = Extremely Significant
2 = Very Significant
3 = Significant
4 = Somewhat Significant
5 = Not Significant At All
6 = Not Applicable

Each item below is rated on this scale (1 2 3 4 5 6).

1 ENVIRONMENT

1.1 Security
- Importance of the type of security mechanisms used to provide security services such as confidentiality, authentication, integrity, and non-repudiation

1.2 Globalisation
- Influence of the Internet
- Availability of 24 x 7 global trading

1.3 Market competition
- Increasing market competition from new market dynamics such as e-commerce

1.4 Regulating forces
- Adequate government legislation, regulations, standards and guidelines for security
- Adequate government legislation, regulations, standards and guidelines for e-commerce
- Adequate government legislation, regulations, standards and guidelines for PKI

1.5 Telecommunications
- Availability of telecommunications infrastructure
- Cost of telecommunications

1.6 Political influence
- Current political issues such as national security arising from the September 11 event in the USA

2 ORGANISATION

2.1 Corporate Governance
- Awareness of new technologies
- Awareness of the financial health of the organisation
- Responsibility for articulating policy for security
- Responsibility for articulating policy for e-commerce
- Responsibility for articulating policy for PKI

2.2 Management
- Strong PKI project management culture

2.3 Organisational structure
- Addressing all internal and external enterprise-wide PKI requirements

2.4 Resources
- Funding the PKI project
- Allocating human resources to the PKI project

3 BUSINESS STRATEGY

3.1 Strategic planning
- Alignment of business strategy with IT strategy
- Incorporation of security in systems planning

3.2 Business Process Reengineering
- Importance of the business as compared with the enabling technology, PKI

3.3 Total cost of ownership
- Availability of finance for the total cost of ownership (TCO) of PKI – acquisition, implementation and management

3.4 Return on investment
- Significance of return on investment (ROI) in PKI technology

4 IT STRATEGY

4.1 Strategic planning
- Incorporation of PKI in the overall business plan

4.2 System development
- Incorporation of PKI in systems architecture and development

4.3 System maintenance
- Flexible and cost effective maintenance for PKI

4.4 Technological risk
- Risk of investing in the new technology PKI

4.5 Complexity of PKI
- PKI is a technically complex area, widely talked about but narrowly understood

5 PUBLIC KEY INFRASTRUCTURE TECHNOLOGY

5.1 Necessity of trust
- Necessity of trust (confidentiality, integrity, authentication and non-repudiation) provided by PKI for secure e-commerce

5.2 PKI initiatives
- Initiatives at international level such as Canada (GOCPKI), USA (FPKI), UK (tScheme)
- Initiatives at national level such as Australia (Gatekeeper)
- Initiatives at regional level such as Asia-Pacific Economic Cooperation (Electronic Authentication Task Group), European Union (EU Directive)
- Initiatives at sectoral level such as Health Sector (HIPAA), Finance Sector (Identrus), IT Security Sector (PKI Forum)

5.3 PKI availability
- Preparation of a request for proposal for the provision of PKI
- Selection of PKI vendors

5.4 PKI success stories
- Stories of successful PKI projects such as the ATO in Australia

6 PEOPLE

6.1 PKI skills
- Availability of people with PKI skills and experience

6.2 PKI training and dissemination of information
- Adequate end user/customer awareness and education about PKI

6.3 Employee culture
- Flexibility of employee culture to handle change in systems using PKI

Demographics

Please provide a few demographic items that will assist with the analysis of the results of this survey.

1. Name of your organisation (Optional): …

2. Industry your organisation is in:
   Service Industry: Banking and finance; Communications and Information Services; Insurance; Retailers; Transport; Health Care
   Non-Service Industry: Chemicals, Rubber and Plastics; Construction; Food, Beverages and Tobacco; Metal Manufacturers; Mining, Oil and Gas

3. Does your organisation currently use PKI technology? Yes / No

4. If your organisation is not currently using PKI technology, are there any plans to use it in the future?
   Yes - When: ______________________
   No - Why not: ______________________

5. Number of years of IT experience your organisation has: 0-5 / 6-10 / 11-15 / Above 15

COPYRIGHT

The authors assign the We-B Centre & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the We-B Centre & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.