The first act of cyber-warfare brought the developing problem to the forefront: is information security governance enough to address the imminent threat posed by nation-state cyber-warfare operations utilizing advanced persistent threat (APT) exploitation against national security critical infrastructure? This study investigated how to reduce APT risk to business information systems using information security governance. When it comes to the tension caused by the business requirement to share data and multiple regulatory requirements to protect data, there is a gap in the current research literature on threat-based information security governance implementations. Using the information security control theory, this qualitative Delphi study asked how identifying the tension between data sharing and data protection in threat-based information security governance implementation reduces the escalating threat of APT exploitation in cyber-warfare upon national security critical infrastructure, and builds more robust business information system security. This study’s population was 12 certified subject matter experts (SME) in information security holding DoD 8140/8570 level III information security certification and a minimum of five years of work experience securing business information or security systems. The SME panel consisted of three females and eight males, varying in age from 25 to 74 years old, who were ethnically and geographically diverse, with members residing in six states of the United States. The SMEs’ data and literature analysis both indicated that threat-based information security governance implementation was the solution. This study provided more detailed information for IT security professionals on APT exploitation risk, increasing the effectiveness of information security governance built upon the information security control theory’s construct of tension.
The data showed that the tension between data protection and data sharing requirements compounded business fiscal constraints on information security governance implementations. APT exploitation risk is no longer about the classification of sensitive data, as it is as much about the value of exploiting sensitive data and network infrastructure to launch other cyber-operations. The data also suggested no single technical control measure solution can defend against nation-state actors using advanced targeted malware engineered to bypass security control measures, gain continued access to data, and remain undetected for years. Top-level management must understand the function of information security governance and the threat actors targeting their industry to defend against APT exploitation risk. Further study is needed on cyber-warfare to expand the topic of information security governance and research into information assurance and cybersecurity.
|Committee:||Valentine, Randall, Hilley, Michael|
|Department:||School of Business, Technology and Health Administration|
|School Location:||United States -- Minnesota|
|Source:||DAI-A 82/6(E), Dissertation Abstracts International|
|Subjects:||Information Technology, Systems science, Operations research, Computer science, Public policy, Management, Information science, Public administration|
|Keywords:||Advanced Persistent Threat (APT), Cyber-warfare operations, Data protection, Data sharing, Information security control Theory, Threat-based information security Governance, Cybersecurity, Cyber-operations, Information security governance, IT security professionals, Subject matter experts (SME)|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved