Electronic Thesis/Dissertation

The research presented in this study was motivated by the question, "How do information security managers make decisions in the absence of empirical data and how do they know these decisions are successful?" These decisions concern the allocation of security resources across the information technology enterprise and would ideally be based on quantifiable metrics. However, the metrics currently available offer no relevant information about the effectiveness of the security architecture. While effectiveness is generally considered the degree to which objectives are met, in this case the definition is illusive. Defining effective security must be based on assessing a condition where nothing bad is happening. Interestingly, it seems that some security managers are recognized as being more successful at making these decisions than others. Are these successful security managers merely guessing or is there some tacit knowledge or process being used for decision-making? In implementing effective security architectures, the security manager uses not only the available metrics, but also a qualitative assessment of the effectiveness of the information technology security architecture. The security manager's qualitative assessment is the focus of this research. A qualitative research approach was used to explore how information security managers make decisions. A series of open-ended interviews were conducted with six highly experienced and highly regarded security practitioners. The transcribed interviews were qualitatively analyzed, and as a result, two models of information security decision processes were developed and presented to these experts for critique. The process models represent simultaneous and competing goals that are referred to as the As-is Security Decision Process, which describes decisions in the current security environment, and the To-be Security Decision Process, which describes decisions to develop and evolve the security environment. These two security decision process models, with supporting data, are presented in this study. Additionally, analysis of the interviews provided insight to eight additional themes, which provide a detailed elaboration of key process nodes and concepts used in the two process models. Potential uses of the models and the themes include developing curricular materials for teaching information security officers and using them as a starting point to determining effective IT security and describing successful decision-making.

Author

• Pettigrew III, James Andrew

Language

• en

Keyword

• Information Systems Security
• Decision Making
• Information Security Management

Date created

• 2012

Type of Work

• Thesis or Dissertation

Rights statement

• In Copyright

GW Unit

• School of Engineering and Applied Science

Degree

• Ph.D.

Advisor

• Ryan, Julie J.C.H.

Committee Member(s)

• Mazzuchi, Thomas A.
• Amin, Rohan M.
• Barbera, Joseph A.
• Szajnfarber, Zoe

Persistent URL

•  https://scholarspace.library.gwu.edu/etd/zc77sq117

License

• All rights reserved

Relationships

Items

Thumbnail	Title	Date Uploaded	Visibility	Actions
	PettigrewIII_gwu_0075A_11318.pdf	2018-01-16	Open Access	Press to Select an action Download View in Browser