Improving the Decision Making Process for Information Security through a Pre-Implementation Impact Review of Security Countermeasures
Doctor of Philosophy in Information Systems (DISS)
Graduate School of Computer and Information Sciences
James D. Cannady
William L. Hafner
Information security is an important part of business in today's connected society. In the effort to keep assets safe, security professionals continuously add to their company's security profile, and in some cases do not review how these additional countermeasures affect business users. Business users are generally the most affected by security countermeasures, sometimes positively and sometimes negatively. While keeping assets more secure is an important goal, there is a point of diminishing returns, depending on the negative impact to users once the countermeasure is in place. Where there is negative impact, it is usually discovered only during a post-implementation review. This negative impact often "costs" the company more, in lost productivity and similar effects, than the gain in protection of the company assets.
While some companies retain experienced security professionals that may look to avoid these unnecessary negative outcomes, research shows that this negative impact happens often. After a review of many of the popular security and risk models and methodologies, it was discovered that this business impact review step is largely absent from them. Those that mention this activity at all do so in an indirect way, and it is not an established part of the methodology. The key result is that there is no standardized methodology in the industry that calls for a review of the impact of security implementations on the business users, before the countermeasures are implemented.
This report describes the methodology that was created, the theory behind its approach, and the plan that was used to solve this problem. The methodology is called the Pre-Implementation Countermeasure Impact Review (PICIR) Method. It serves as a "plug-in" to currently established methodologies, and enables security professionals to follow a repeatable, predictable procedure to identify impact issues before implementation begins. The methodology was implemented at two organizations. Through a combination of surveys, completed by both business users and the security teams that executed the methodology, and a review of historical decisions, the theory that the PICIR method is a value-added activity was validated.
Glenn Allan Stout. 2006. Improving the Decision Making Process for Information Security through a Pre-Implementation Impact Review of Security Countermeasures. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (863)