From: Factors influencing network risk judgments: a conceptual inquiry and exploratory analysis
 | Factor # | Mean | SD | Factor description |
---|---|---|---|---|
Least Important | 30 | 38.8 | 29.5 | The perceived organizational allegiance (purchases predominantly domestic brands of hardware/software versus purchases foreign brands) |
 | 39 | 39.6 | 32.2 | Different methods of paying the contractor (e.g., fixed price versus cost plus) to your perception of risk? Fixed price: Payment is a flat fee that must meet a predetermined list of requirements. Cost plus: Payment is not a flat fee, but it scales over time to cover unforeseen costs of meeting predetermined requirements. |
 | 49 | 40.6 | 30.5 | The presence or absence of an organization’s fear-driven responsiveness to threat |
 | 44 | 41.8 | 30.5 | The open- or closed-source protection technology used by your organization |
 | 25 | 42.0 | 30.9 | The recertification cycle (e.g., short versus long) as a constraint affecting the ability to secure the organization’s network before an attack |
Most Important | 66 | 79.9 | 21.4 | The complexity of the organization’s systems and/or networks that makes it easy or difficult to secure |
 | 45 | 80.5 | 13.7 | The organization’s response to threats (proactively planned for an attack versus reactively responded to an attack) |
 | 31 | 80.8 | 23.3 | The level of skill the adversary has (e.g., professional or amateur) |
 | 51 | 81.1 | 14.3 | The maturity of the organization’s system capabilities for network defense |
 | 18 | 83.5 | 17.4 | The adversary’s knowledge (e.g., high versus low knowledge) about the organization’s deployed network and security technology |