Making Successful Security Decisions: A Qualitative Evaluation
January/February 2012 (vol. 10 no. 1)
pp. 60-68
James A. Pettigrew III, National Geospatial-Intelligence Agency
Julie J.C.H. Ryan, George Washington University
How do IT security managers make decisions in the absence of empirical data, and how do they know these decisions are successful? Some security managers seem more successful at making decisions than others. Are they guessing, or are they using some tacit knowledge? To address these questions, a study employed open-ended interviews with highly regarded, experienced security practitioners.

Index Terms:
information security management, security decision-making, qualitative research, computer security
Citation:
James A. Pettigrew III, Julie J.C.H. Ryan, "Making Successful Security Decisions: A Qualitative Evaluation," IEEE Security & Privacy, vol. 10, no. 1, pp. 60-68, Jan.-Feb. 2012, doi:10.1109/MSP.2011.128