Current scholarly understanding of information security regulation in the United States is limited. Several competing mechanisms exist, many of which are untested in the courts and before state regulators, and new mechanisms are being proposed on a regular basis. Perhaps of even greater concern, the pace at which technology and threats change far outpaces the abilities of even the most sophisticated regulators.
My Ph.D. dissertation focuses on understanding these laws: how we can classify them, what effects they have, and what the implications of these effects are for organizations and professionals. I explore these concepts through a mixed-methods approach, utilizing both qualitative semi-structured interviews and quantitative data on breach incidence. The qualitative interviews inform the development of my hypotheses in addition to providing a basis for empirical analysis. The quantitative data is limited, but promising both in its results and in its potential for future analysis.
In this dissertation, I report preliminary results as to the effect of certain laws on information security practices. I develop a system for classifying information security regulation, and develop hypotheses as to the effect certain types of regulation have on organizations and information security professionals.
Two notable conclusions result. First, the combination of Security Breach Notification (SBN) laws and management-based "regulatory delegation" models together is better at preventing breaches of personal information by organizations in the United States than is either model alone. Second, compliance-oriented prescriptive legislation such as SBNs weakens the role of security professionals within organizations, while management-based regulatory delegation models such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act (GLBA) strengthen the role of professionals within organizations.
| Field | Value |
|---|---|
| Advisor | Mulligan, Deirdre K. |
| Committee | LaPorte, Todd; Samuelson, Pamela |
| School | University of California, Berkeley |
| Department | Information Management & Systems |
| School Location | United States -- California |
| Source | DAI-A 72/12, Dissertation Abstracts International |
| Subjects | Law, Information Technology, Public policy, Information science |
| Keywords | Cybersecurity, Information security, Law, Organizational structure, Privacy, Regulation, Security |