In the area of security, businesses can measure perceptions, not just reality. Stuart Madnick, a professor of IT at MIT's Sloan School of Management, and associates are developing a methodology that compares the IT security measures taken by an organization with the perception that employees and managers have of the current state of security. The gap between reality and perception identifies which security needs should be investigated and resolved.
The MIT researchers identified 30 security issues, divided into eight groups: accessibility to data and systems, business strategy, confidentiality of data, security culture, security policies and procedures, and vulnerability to attack, as well as financial and IT resources to facilitate security measures. They asked employees at companies where the idea was tested to respond to questions about security and created an index to compare responses. One survey showed a gap of 0.78 on people's awareness of good security practices and a gap of 1.08 on whether they followed those practices. That suggests a need to put more effort into getting employees to follow security practices.