POLICIES, STANDARDS, AND PRACTICES: AN ANALYSIS OF THE CURRENT STATE OF ORGANIZATIONAL SECURITY AT UNIVERSITIES AND CORPORATIONS
Open Access
- Author:
- Weidman, Jake Anthony
- Graduate Program:
- Informatics
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- June 14, 2018
- Committee Members:
- Don Shemanski, Dissertation Advisor/Co-Advisor
- Don Shemanski, Committee Chair/Co-Chair
- Mary Beth Rosson, Committee Member
- Gerry Santoro, Committee Member
- Krishna Prasad Jayakar, Outside Member
- Keywords:
- Information Security
- Security Policies
- Security Policy
- Policies
- Organizational Security
- 2FA
- Abstract:
- Corporations, colleges, and universities across the United States have seen data breaches and intellectual property theft rise at a heightened rate over the past several years, in part due to the ever-increasing amount of intellectual property and sensitive data collected by these organizations. An integral component of the first line of defense against various forms of attack, in both the corporate and academic space, consists of (written) security policies, procedures, and practices designed to prescribe the construction and function of a technical system, while simultaneously guiding the actions of individuals operating within such a system. For multiple reasons, work in this specific security context is an insufficiently discussed topic in many academic communities, with very little research presently being conducted. In an attempt to overcome this relative lack of focus by the present community at large, we position this dissertation as a series of new foundational works in this organizational security space by studying policies, standards, and practices currently implemented by a number of universities and companies in the United States. The first three studies in this dissertation focus on three key organizational security documents: the acceptable use policy, information security policy, and minimum security standard. These different document types are analyzed through a mixed-method approach to determine what the current state(s) of these policies are, and how they can be improved to better address current cyber threats. The fourth study in this dissertation examines how an organization, in this case a university, implemented a major technological change, with a focus on organizational administration and planning, as well as the employee response(s) to this change.
Lastly, a final study examines how a number of corporations educate short-term employees, specifically interns, about organizational policies and practices, as well as how these behaviors are enforced (or not). While these research studies are not an exhaustive exploration of the modern organizational security landscape, we posit that these studies, and thus this dissertation, serve as an important step forward in researching and understanding the current organizational security landscape.