126 ◾ The Security Risk Assessment Handbook
© 2011 by Taylor & Francis Group, LLC
◾ Measurement of security awareness among sta
◾ Identication of vulnerabilities in the area of the interviewee’s expertise
Interviews can provide an incredible amount of information in a short amount
of time. However, information gained during the interview should be considered
as a single data point regarding vulnerabilities. Some ndings from interviews are
considered “hearsay” and should be conrmed through follow-up activities. Other
ndings, such as a lack of security awareness, can be considered “direct evidence.”
e process of conducting interviews to gather data for the security risk assessment
involves selecting the interviewer(s), preparing for the ...