Decision-Making by Effective Information Security Managers
The research presented in this study was motivated by the question, "How do information security managers make decisions in the absence of empirical data, and how do they know these decisions are successful?" These decisions concern the allocation of security resources across the information technology enterprise and would ideally be based on quantifiable metrics. However, the metrics currently available offer no relevant information about the effectiveness of the security architecture. While effectiveness is generally considered the degree to which objectives are met, in this case the definition is elusive: defining effective security requires assessing a condition in which nothing bad is happening. Interestingly, some security managers are recognized as being more successful at making these decisions than others. Are these successful security managers merely guessing, or is there some tacit knowledge or process being used for decision-making? In implementing effective security architectures, the security manager uses not only the available metrics but also a qualitative assessment of the effectiveness of the information technology security architecture. The security manager's qualitative assessment is the focus of this research.

A qualitative research approach was used to explore how information security managers make decisions. A series of open-ended interviews was conducted with six highly experienced and highly regarded security practitioners. The transcribed interviews were qualitatively analyzed, and as a result two models of information security decision processes were developed and presented to these experts for critique. The process models represent simultaneous and competing goals, referred to as the As-is Security Decision Process, which describes decisions in the current security environment, and the To-be Security Decision Process, which describes decisions to develop and evolve the security environment.
These two security decision process models, with supporting data, are presented in this study. Additionally, analysis of the interviews provided insight into eight further themes, which give a detailed elaboration of key process nodes and concepts used in the two process models. Potential uses of the models and the themes include developing curricular materials for teaching information security officers, serving as a starting point for determining effective IT security, and describing successful decision-making.