The research presented in this study was motivated by the question, "How do information security managers make decisions in the absence of empirical data, and how do they know these decisions are successful?" These decisions concern the allocation of security resources across the information technology enterprise and would ideally be based on quantifiable metrics. However, the metrics currently available offer no relevant information about the effectiveness of the security architecture. While effectiveness is generally considered the degree to which objectives are met, in this case the definition is elusive: defining effective security must be based on assessing a condition where nothing bad is happening. Interestingly, it seems that some security managers are recognized as being more successful at making these decisions than others. Are these successful security managers merely guessing, or is there some tacit knowledge or process being used for decision-making? In implementing effective security architectures, the security manager uses not only the available metrics but also a qualitative assessment of the effectiveness of the information technology security architecture. The security manager's qualitative assessment is the focus of this research. A qualitative research approach was used to explore how information security managers make decisions. A series of open-ended interviews was conducted with six highly experienced and highly regarded security practitioners. The transcribed interviews were qualitatively analyzed, and as a result, two models of information security decision processes were developed and presented to these experts for critique. The process models represent simultaneous and competing goals, referred to as the As-is Security Decision Process, which describes decisions in the current security environment, and the To-be Security Decision Process, which describes decisions to develop and evolve the security environment.
These two security decision process models, with supporting data, are presented in this study. Additionally, analysis of the interviews provided insight into eight additional themes, which give a detailed elaboration of key process nodes and concepts used in the two process models. Potential uses of the models and the themes include developing curricular materials for teaching information security officers, using them as a starting point for determining effective IT security, and describing successful decision-making.
Advisor: Ryan, Julie J.C.H.
Committee: Amin, Rohan M.; Barbera, Joseph A.; Mazzuchi, Thomas A.; Szajnfarber, Zoe
School: The George Washington University
Department: School of Engineering and Applied Science
School Location: United States -- District of Columbia
Source: DAI-B 73/07(E), Dissertation Abstracts International
Subjects: Information Technology, Systems science
Keywords: Decision making, Information security management, Information systems security
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved