Defense Date

Summer 7-24-2018

Degree Type



Information Systems


Business Administration

Chair or Co-Chair

Dr. Humayun Zafar

Committee Member or Co-Chair

Dr. Traci Carte


Dr. Adriane Randolph


Information technology executives continue to have concerns about information security (Kappelman, McLean, Johnson, & Torres, 2016) and the increasing rate of information security threats facing organizations (Ponemon Institute, 2017). This exploratory study aimed to take a closer look at the organizational security risk management process for improved effectiveness, and its integral role among other organizational processes. Two research questions were addressed by identifying organizational drivers to security risk management effectiveness, and by determining challenges to achieving organizational security risk management effectiveness. Using the resource-based view theory (RBV), and Carnegie Mellon University’s Software Engineering Institute Capability Maturity Model Integration (SEI-CMMI) Risk Management (RSKM) model, a three-phased approach was taken to conduct the study. Phase 1 of the study involved planning the research activities, defining the samples to be used, and designing and developing the research tools needed for the study’s execution. During Phase 1, the categories and codes needed for the directed content analysis were created. Also, the recruitment and procurement of a sample of three subject matter experts in information security risk management practices serving in the role of a Chief Information Security Officer (CISO) or an equivalent executive position were identified to validate the security risk management content derived from the initial directed content analysis performed. Phase 2 consisted of the implementation of the study’s categories and codes to be used in the directed content analysis. The directed content analysis was performed against 1,113 financial reporting artifacts covering the period of January 1, 2005 through December 31, 2016 for a sample of U.S. banks. In the last phase, Phase 3, the Q-sort technique was used to validate the initial directed content analysis results, which were captured as security risk management financial reported statements. The CISOs applied their experience and understanding of the CMMI-SVC RSKM model’s different capability levels and maturity levels to classify and validate each of the security risk management’s financial reported statements. Critical discourse analysis was applied to the feedback data collected from the CISOs during the Q-sort application. The results of both the directed content analysis and critical discourse analysis were reported, and any known limitations were stated. With researchers and practitioners in mind, this study used two previously unpaired frameworks of the RBV theory and the CMMI-SVC RSKM model to examine organizational security risk management. Additionally, this qualitative study used two previously unpaired analysis approaches of a directed content analysis on organizational financial reporting artifacts and critical discourse analysis of validation feedback. Because of the highly complex, sensitive nature surrounding organizational security risk management, the overall study’s approach provided an alternative way to assess its maturity and its effectiveness, and to identify improvement opportunities.

Available for download on Wednesday, October 11, 2023