James Pettigrew, National Geospatial Intelligence Agency, Chantilly
Julie Ryan, George Washington University, Washington
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.128
This research was motivated by the question, “How do IT security managers make decisions in the absence of empirical data and how do they know these decisions are successful?” It seems that some security managers are more successful at making decisions than others. Are they guessing, or is there some tacit knowledge being used for decision-making? To address this question, a qualitative research approach was used to explore security decision-making. Open-ended interviews were conducted with highly regarded, experienced security practitioners. The transcriptions were qualitatively analyzed, and from this analysis two simultaneous and competing models of security decision processes were developed. The As-Is Process describes decisions in the current security environment, and the To-Be Process describes decisions to develop and evolve the security environment. Potential uses of these models include developing curricular materials and serving as a starting point in determining effective IT security and describing successful IT security decision-making.
computer security, information security, Information Security Management, Security Decision-Making, Qualitative Research
James Pettigrew, Julie Ryan, "Making Successful Security Decisions: A Qualitative Evaluation", IEEE Security & Privacy, , no. 1, pp. , PrePrints, doi:10.1109/MSP.2011.128