Development of methods for identifying an appropriate benchmarking peer to establish information security policy