Dissertation/Thesis Abstract

Characterizing, Classifying, and Understanding Information Security Laws and Regulations: Considerations for Policymakers and Organizations Protecting Sensitive Information Assets
by Thaw, David Bernard, Ph.D., University of California, Berkeley, 2011, 216; 3473927
Abstract (Summary)

Current scholarly understanding of information security regulation in the United States is limited. Several competing mechanisms exist, many of which are untested in the courts and before state regulators, and new mechanisms are being proposed on a regular basis. Perhaps of even greater concern, the pace at which technology and threats change far outpaces the abilities of even the most sophisticated regulators.

My Ph.D. dissertation focuses on understanding these laws—how we can classify them, what effects they have, and what are the implications of these effects for organizations and professionals. I explore these concepts through a mixed methods approach, utilizing both qualitative semi-structured interviews and quantitative data on breach incidence. The qualitative interviews inform the development of my hypothesis in addition to providing a basis for empirical analysis. The quantitative data is limited, but promising both in results and in the potential for the future analysis.

In this Dissertation, I report preliminary results as to the effect certain of certain laws on information security practices. I develop a system for classifying information security regulation, and develop hypotheses as to the effect certain types of regulation have on organizations and information security professionals.

Two notable conclusions result. First, the combination of Security Breach Notification (SBN) laws and management-based "regulatory delegation" models together is better at preventing breaches of personal information by organizations in the United States than is either model alone. Second, compliance-oriented prescriptive legislation such as SBNs weakens the role of security professionals within organizations, while management-based regulatory delegation models such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act (GLBA) strengthen the role of professionals within organizations.

Indexing (document details)
Advisor: Mulligan, Deirdre K.
Commitee: LaPorte, Todd, Samuelson, Pamela
School: University of California, Berkeley
Department: Information Management & Systems
School Location: United States -- California
Source: DAI-A 72/12, Dissertation Abstracts International
Subjects: Law, Information Technology, Public policy, Information science
Keywords: Cybersecurity, Information security, Law, Organizational structure, Privacy, Regulation, Security
Publication Number: 3473927
ISBN: 9781124889863
Copyright © 2019 ProQuest LLC. All rights reserved. Terms and Conditions Privacy Policy Cookie Policy