Digital security threats may impact governments, businesses, and consumers through intellectual property theft, loss of physical assets, economic damages, and loss of confidence. Significant effort has been placed on technology solutions that can mitigate threat exposure. Additionally, hundreds of years of literature have focused on non-digital, human-centric strategies that proactively allow organizations to assess threats and implement mitigation plans. For both human and technology-centric solutions, little to no prior research exists on the efficacy of how humans employ defenses. Security professionals are armed with commonly adopted "best practices" but are generally unaware of the particular artifacts and conditions (e.g., organizational culture, procurement processes, employee training/education) that may or may not make a particular environment well-suited for employing the best practices.

In this thesis, we will study the human and organizational factors that shape the adoption and employment of defensive strategies and identify optimizations that can be applied for measurable increases in security. To do this, we will use a range of methods to measure the efficacy of security mechanisms in real-world environments. Thus far, we have completed multiple case studies with partnered organizations and comprehensive evaluations of federal compliance programs that mandate security controls in many organizations across the United States. From our results, we have identified the importance that various learning styles and organizational adoption methods have played on reinforcing security practices. We suggest further work in understanding how organizations select proactive security measures to offset security gaps that may be caused by compliance standards. Through extensive surveys and interviews, we will attempt to understand how organizations prioritize security efforts, how well proactive security controls work under various conditions, and how organizations continually assess security without guidance from mandatory programs. This novel research will illuminate best practices within an under-researched area and hopefully lead to broader community awareness for ways to proactively improve security operations.

Examining Committee: 

 

                          Chair:               Dr. Michelle Mazurek        
                          Dept rep:         Dr.   Jennifer Golbeck  
                          Members:        Dr.  Dave Levin
                                                    Dr. John Dickerson
                                                     Dr. Tudor Dumitras