OMB Control #0693-0043
Expiration Date: 06/30/2025
NIST Generic Clearance for Usability Data Collections
Survey Information Collection
Explain who will be surveyed and why the group is appropriate to survey.
The Information Access Division (IAD), of the Information Technology Laboratory (ITL), at the National Institute of Standards and Technology (NIST) is leading this information collection.
The purpose of this study is to: 1) understand how various cybersecurity stakeholder groups (e.g., decision makers, technical cybersecurity/IT professionals, general ends users) understand and perceive the concept of human-centered cybersecurity and 2) understand how each stakeholder group perceives the impacts and responsibilities of their own and other groups in cybersecurity, and the commonalities and differences across the groups. The study will inform the development of a standard description and set of measurable outcomes for human-centered cybersecurity that can be used to communicate its value towards improving cybersecurity within organizations. Therefore, it is necessary and appropriate to survey people who work in organizations to learn about their perceptions of human-centered cybersecurity and the role of people and human behavior in cybersecurity.
NIST will close the survey once 800 individuals have completed the survey. The information being requested is not available from public sources as this is the first study to focus on these aspects of human-centered cybersecurity. A copy of the recruitment text to be used has been uploaded into ROCIS for review.
2. Explain how the survey was developed including consultation with interested
parties, pretesting, and responses to suggestions for improvement.
The survey questions were developed and refined based on the following: 1) prior NIST research identifying challenges organizations face in implementing human-centered approaches to cybersecurity and 2) discussions with cybersecurity professionals and researchers from industry, government, and academia about the current gaps in human-centered cybersecurity and what might help their organizations make more progress in this area.
The survey questions were reviewed by a researcher with specialized expertise in survey methodology and another researcher with experience as both a cybersecurity practitioner and user experience professional. These expert reviews helped ensure the language and questions were clear and appropriately tailored for the study population. Feedback from the reviewers was incorporated in the final survey instrument. Additionally, NIST performed five cognitive interviews with individuals who were representative of the target survey sample groups to ensure that the survey language and format were clear. Minor adjustments were made to the survey instrument based on feedback from these interviews.
3. Explain how the survey will be conducted, how customers will be sampled if
fewer than all customers will be surveyed, expected response rate, and actions
your agency plans to take to improve the response rate.
NIST will conduct an anonymous survey online using the Qualtrics survey platform.
For recruitment, NIST will send survey invitations via NIST cybersecurity mailing lists and via email directly to professional contacts, with subsequent reminders to increase response rate if needed. To meet the survey criteria, participants must be 18 years or older, be employed part-time or full-time in an organization, and use information technology (e.g., computers, tablets) on a regular basis as part of their job. If eligible and choosing to participate, they will select the survey link to begin the survey. On the first screen of the survey, they will be able to view the NIST study information sheet (attached).
The survey includes 26 questions, including basic organization information. Screenshots are being uploaded for review. The survey will take 15 minutes to complete. The survey will be closed once 800 respondents complete the survey.
Total burden hours: 800 respondents x 15 minutes per response = 200 burden hours (12,000 minutes).
All collected data will be anonymized and identifiers will not be stored. As stated in the provided Information Sheet, data will not be linked back to a participant.
4. Describe how the results of the survey will be analyzed and used to generalize
the results to the entire customer population.
Analysis will consist of qualitative data analysis of open-ended survey responses, summary statistics (e.g., averages, frequencies), and inferential statistical tests to compare data based on stakeholder groups (e.g., decision makers, general end users, technical cybersecurity/IT professionals).
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | PAPERWORK REDUCTION ACT |
| Author | pboyd |
| File Modified | 0000-00-00 |
| File Created | 2025-07-01 |