CEC Theses and Dissertations


Improving Information Systems Security Through Management Practices: A Non-technical Approach

Degree Name

Doctor of Philosophy (PhD)


Graduate School of Computer and Information Sciences


James D. Cannady

Committee Member

Maxine S. Cohen

Committee Member

Timothy Ellis


Most organizations have acknowledged the importance of information systems security, yet in this environment of heightened awareness many organizations focus on technology and overlook the non-technical security resources available to them. This project focused on the non-technical side of security and the management practices that can be used to establish an important layer in a comprehensive security solution.

A security planning matrix was developed by drawing from the theoretical and practical body of knowledge in the information systems security field. The matrix was designed to support generally accepted security principles, standards, and legislation so that information systems management can use the product to protect information systems using non-technical controls and techniques such as people, policies, practices, training, awareness, and the organizational structure and culture.

A hybrid waterfall/spiral process model, the Microsoft Solutions Framework (MSF), was used to develop the security planning matrix. Specific procedures emulated those used by the National Institute of Standards and Technology (NIST), based on its experience and expertise in developing security guidelines and other security tools. A prototype of the product was developed early in the process from requirements abstracted from security standards, legislation, and industry best practices. The prototype was then reviewed by an expert panel to refine both the product requirements and the design. One round of feedback and two versions of the prototype were required before the panel approved the prototype for use in the pilot study. The pilot was performed in a real-world setting at Republic Mortgage Insurance Corporation (RMIC), where user acceptance testing, success criteria evaluation, and security performance improvement testing were all performed to evaluate and stabilize the product.

The research improved professional practice and added to the body of information systems security knowledge by identifying and demonstrating methods for defining the requirements for, developing, and evaluating a product such as the security planning matrix. Results of the research also showed that the product's features and functions were acceptable to both subject matter experts and real-world users, and that implementation and use of the security planning matrix could improve the level of security preparedness, as evidenced by the pilot study results at RMIC.
