
Commitment to Cybersecurity and Information Technology Governance: A Case Study and Leadership Model

by

Scipiaruth Kendall Curtis

A Dissertation Presented in Partial Fulfillment


of the Requirements for the Degree

Doctor of Management of Information Systems Technology

UNIVERSITY OF PHOENIX
May 2012

UMI Number: 3569139

All rights reserved

INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.

Published by ProQuest LLC (2013). Copyright in the Dissertation held by the Author.
Microform Edition ProQuest LLC.
All rights reserved. This work is protected against
unauthorized copying under Title 17, United States Code

ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346

© 2012 by Scipiaruth Kendall Curtis
ALL RIGHTS RESERVED

Abstract
The continual emergence of technologies has infiltrated government and industry business infrastructures, requiring reforming organizations and fragile network infrastructures. Emerging technologies necessitate countermeasures and a commitment to cybersecurity and information technology governance for organizations' survivability and sustainability. The purpose of the qualitative exploratory case study was to analyze the critical inclusion of information assurance professionals in the organization's strategic plan by senior leadership to advance the integration of cybersecurity and information technology governance, resulting in diminishing network vulnerabilities. Interviews were conducted with 10 information assurance professionals and 10 supervisors of information assurance professionals from March Air Reserve Base, California. The findings generated six themes with meaningful interdependencies between information technology organization, information technology governance, cybersecurity, network management, security management, and senior leadership involvement. Results of the study concluded that government organizations need a National Defense Cybersecurity Strategy (NDCS) to protect the nation's interest. The NDCS would establish meaningfulness to the interdependency relationship between senior leadership and the IT organization in government organizations. The NDCS would establish meaningful interdependent relationships between the organization's strategic planning and information assurance professionals' expertise in cybersecurity and IT governance. The recommendation to leadership was to develop and deploy the NDCS to federal organizations to assist in contributing to transferability, and recruitment and retention of IA professionals, to provide standardization and controls, and to increase the body of knowledge.

Dedication
I dedicate this study to my loving husband Kelly, my chef, and true love. Your sage advice, endless patience, and continual encouragement to persevere made it easy for me to complete my doctoral journey. I would never forget the many long nights that you kept me entertained, so that I could make my doctoral class deadlines, and the many vacations, bike rides, golfing, and tennis events that you sacrificed because you wanted me there as your wife and partner. To my parents: my mother, who gave me the guiding light, and my first leadership course on developing my own footsteps. To my father, whom I did not have the pleasure of knowing, but I am very much aware that he was responsible for my creativity and analytical mindset that I use on a daily basis, ultimately the foundation for my doctoral map. To Michele, my confidante and tennis doubles partner, whose creativity and innovativeness provided the vehicle to transcend many writing challenges presented during the doctoral journey into mental keenness on and off the court. To the almighty spirit, God, who gave me the mental, physical, and spiritual strength, the will to find meaningfulness, and most of all to remember that will provides a way to succeed.

Acknowledgments
Many senior leaders, colleagues, peers, and friends supported my doctoral journey. Every encounter provided a unique relationship that will always add special meaning and value in my travels. My sincerest and heartfelt words of thank you will forever remain at the forefront of my memories. To Dr. Linda de Charon, my dissertation chair, and Dr. C. Augusto Casas and Dr. Melissa Holmberg, my committee members, for your continual focus, astute recommendations, and steadfast reinforcement to stay on the doctoral course. To my University of Phoenix cohorts, who provided unwavering dedication, best practices, and lessons learned, particularly difficult in distance learning doctoral courses. To the men and women at March Air Reserve Base, especially the information technology organization, that supported this research study with confidence and professionalism. Special thanks to Brig Gen Udo Karl McGregor; without his permission and support, this research study would not have been possible.

Disclaimer
The views presented in this dissertation are those of the author or the research participants and do not necessarily represent the views of the Department of Defense or its Components or any U.S. government department or agency.

Table of Contents
Chapter 1: Introduction ..... 1
Background of the Problem ..... 3
Statement of the Problem ..... 8
Purpose of the Study ..... 9
Significance of the Study ..... 13
Importance of the Study to Leadership ..... 15
Nature of the Study ..... 16
    Overview of the research method ..... 19
    Overview of the design appropriateness ..... 21
Research Questions ..... 25
Theoretical Framework ..... 28
    Organizational competition ..... 29
    Organizational competencies ..... 30
    Organizational change ..... 31
    Organizational emotional intelligence ..... 32
    Organizational risk ..... 33
    Organizational cybersecurity and IT governance ..... 34
    IT organization and organizational change ..... 36
Definition of Terms ..... 36
Assumptions ..... 40
Scope and Limitations ..... 41
Delimitations ..... 45
Summary ..... 46
Chapter 2: Review of the Literature ..... 49
Title Searches, Articles, Research Documents, and Journals ..... 49
Historical Overview ..... 51
    Organizational communication ..... 52
    Organizational discourse ..... 52
    Organizational change ..... 53
    Organizational adaptability ..... 55
    Lifetime learning ..... 55
    Knowledge management ..... 56
    Emerging technologies ..... 58
    Organizational structure ..... 58
    Organizational conflict ..... 59
    Organizational survivability ..... 60
    Organizational culture ..... 62
    Organizational strategies ..... 63
    Organizational resources ..... 64
    Leadership theory ..... 65
    Organizational leadership ..... 66
    Executive leadership ..... 67
    Decision-making ..... 68
    Emotional intelligence ..... 68
    Management and information ..... 69
    Organizational performance ..... 70
    Organizational management ..... 71
    Strategic management ..... 72
    Innovation ..... 73
    Globalization of information technologies ..... 73
    Information technology environment ..... 74
    Security, certification, and accreditation ..... 74
    IT governance ..... 76
    Cybersecurity ..... 76
Current Findings ..... 78
    Organizational communication ..... 79
    Organizational discourse ..... 80
    Organizational design ..... 81
    Organizational adaptability ..... 82
    Organizational change ..... 83
    Lifetime learning ..... 83
    Knowledge management ..... 85
    Emerging technologies ..... 85
    Organizational structure ..... 86
    Organizational conflict ..... 87
    Organizational survivability ..... 87
    Organizational culture ..... 88
    Organizational strategies ..... 89
    Organizational resources ..... 90
    Leadership ..... 91
    Organizational leadership ..... 92
    Executive leadership ..... 92
    Decision making ..... 93
    Emotional intelligence ..... 94
    Management and information technology ..... 95
    Organizational performance ..... 96
    Organizational management ..... 98
    Strategic management ..... 99
    Innovation ..... 100
    Globalization and information technology ..... 102
    Information technology environment ..... 103
    Security, certification, and accreditation ..... 105
    IT governance ..... 106
    Cybersecurity ..... 107
    Risk management ..... 108
Conclusions ..... 109
Summary ..... 110
Chapter 3: Method ..... 113
Research Method ..... 114
Design Appropriateness ..... 115
Research Questions ..... 117
Population ..... 119
Sampling Frame ..... 121
Informed Consent ..... 123
Confidentiality ..... 125
Geographic Location ..... 127
Data Collection ..... 127
Instrumentation ..... 130
Validity ..... 132
    Expert panel ..... 133
    Internal validity ..... 134
    External validity ..... 135
Data Analysis ..... 137
Summary ..... 141
Chapter 4: Analysis and Results ..... 143
Expert Panel ..... 144
Demographics ..... 144
Data Collection ..... 150
Data Analysis ..... 152
Interview Questions Asked and Relevant Responses ..... 155
    Information Assurance Professionals (IAPs) Interview Questions ..... 156
    Supervisors of Information Assurance Professionals (SIAPs) Interview Questions ..... 163
Emerging Themes Results ..... 169
Research Question Findings ..... 181
Summary ..... 183
Chapter 5: Conclusions and Recommendations ..... 186
Implication of Research Question Findings ..... 188
Implications of the Themes ..... 193
Limitations ..... 210
Recommendations for Action ..... 214
Recommendations for Further Research ..... 219
Chapter 5 Summary ..... 221
References ..... 227
Appendix A: Summary of Literature Searched by Category ..... 293
Appendix B: Permission to Use Premises ..... 294
Appendix C: Informed Consent and Withdrawal Procedure ..... 295
Appendix D: Information Assurance, Cybersecurity, and IT Governance IA Professionals' Questionnaire ..... 297
Appendix E: Information Assurance, Cybersecurity, and IT Governance Supervisors' Questionnaire ..... 298
Appendix F: The Expert Panel Communiqué ..... 299
Appendix G: IT Organization Emerging Nodes ..... 300
Appendix H: IT Organization Emerging Responses ..... 301
Appendix I: IT Governance Emerging Nodes ..... 302
Appendix J: IT Governance Emerging Responses ..... 303
Appendix K: Security Management Emerging Nodes ..... 304
Appendix L: Security Management Emerging Responses ..... 305
Appendix M: Cybersecurity Emerging Nodes ..... 306
Appendix N: Cybersecurity Emerging Responses ..... 307
Appendix O: Network Management Emerging Nodes ..... 308
Appendix P: Network Management Emerging Responses ..... 309
Appendix Q: Senior Leadership Involvement Emerging Nodes ..... 310
Appendix R: Senior Leadership Involvement Emerging Responses ..... 311
Appendix S: Emerging Response Themes Populated from Significant Frequency Word Search Criteria ..... 312
Appendix T: Emerging Themes Comparison with Germinal (Historical) and Current Literature ..... 313

Chapter 1: Introduction
The continual emergence of technologies in the 21st century indirectly influences cyberattacks and postures the federal government to develop countermeasures by establishing partnerships with organizations in the public and private sectors to combat network intrusions (Hare, 2009). In December 2008, the Cyberspace for the 44th Presidency Report identified cybersecurity as an essential strategic national security issue that challenges on a global enterprise scale and beckons public diplomacy practitioners and academics to analyze the economic influence (Baker, 2009). Emerging technologies increase the number of cyberattacks on information networks, which may result in data transfer vulnerabilities and data communication infiltration of enterprise networks (Holstein, 2009). The globalization of information technologies might require the federal government to develop cybersecurity strategies to enforce information assurance (IA) policies and support metrics (Vaughn, Henning, & Siraj, 2010) to increase information technology (IT) governance to protect the dissemination of information (Wilshusen, 2010a). Chabinsky (2010) emphasized that cybersecurity is a process requiring continual assessment of technical matters, policy, resources, and uncertainties.

A commitment by senior leadership to plan strategically the evolutionary strategies for security policies, ensuring that standards protect organizational information, may provide the blueprint for effective network design (Hite, 2006) and sound countermeasures to defend the network enterprise infrastructure (Alam & Bokhari, 2007). The federal government is the largest employer in the United States, but the private organizational sector has approximately 85% of the nation's critical network infrastructure (Rhodes & Willemssen, 2004). Cybersecurity is a defensive countermeasure against network vulnerabilities (Matisziw, Murray, & Grubesic, 2009). Organizations investing in information assurance (IA) ensure the protection of critical information (Ezingeard, McFadzean, & Birchall, 2007), and IT governance might provide organizations countermeasures against cyberattacks (Chanda, 2008).

In Chapter 1, the focus of discussion provided the overview for this case research study: background of the problem, problem statement, purpose, significance of the study, importance of the study to leadership, nature of the study, research questions, theoretical framework, definition of terms, assumptions, scope and limitations, and delimitations. Chapter 1 continued with an outline of how emerging technologies influenced organizational strategies (VonKortzfleisch, 2003) and cybersecurity (Harknett & Stever, 2009; Paladino & Fingerman, 2009; Zhu, 2009), including organizational commitment (Ramamurthy, Premkumar, & Crum, 1999) to IA (Vaughn et al., 2010) and IT governance (Iliescu, 2010; see also Wallace & Webber, 2007, 2010; Weill & Ross, 2004; Wood, 2005). Additionally, in Chapter 1, insight into decision theories (Cavusoglu, Raghunathan, & Yue, 2008; Clemmons, 2008; Yajiong, Huigang, & Boulton, 2008) that incorporated IA professionals as critical elements in developing cybersecurity strategies to counter network vulnerabilities formed the research study foundation. In summary, Chapter 1 focused on how March Air Reserve Base leaders may capitalize on IA professionals' expertise to diminish network vulnerabilities through cybersecurity strategies and IT governance, thereby adding to the body of research literature, leadership, and practice.

3
Background of the Problem
Network infrastructure vulnerabilities may escalate over time (Matisziw et al.,
2009) as technology evolves. The continual emergence of technologies has infiltrated
government and industry business infrastructures, resulting in reforming organizations
and fragile network infrastructures. The outcome from network vulnerabilities is the
potential debilitating aftermath occurring to national security, economic security, public
health, and safety may combine to precipitate global inoperability of the nations
communication system, affecting government, private, and public agencies (Moteff,

2010). Data security is the number-one issue as highly personal data and fiscal records

IE

are lost through theft (Trope, Power, Polley, & Morley, 2007). Bartlett and Smith (2008)
described the importance of data security to lower organizational risk by eliminating data

PR
EV

breaches, first quarter of 2008, there were 167 data breaches reported, compromising
more than 8.3 million personal and financial records (p. 34).
The U.S. established compliance policies for information assurance professionals
to have certification and accreditation and for the remaining workforce to receive
information assurance training (U.S. Department of the Air Force, 2008; 2010). In
January 2008, the Bush Administration identified cybersecurity as the critical entity for
national security and economic stability in the Comprehensive National Cybersecurity
Initiative (CNCI) (Rollins & Henning, 2009). CNCI includes defensive and offensive
cybersecurity strategies to deny adversaries network access and reduce network
vulnerabilities (Rollins & Henning, 2009). Sheldon and Vishik (2010) described CNCI
as a multidisciplinary approach for solving difficult cybersecurity threats (Raduege Jr.,

4
2009) through initiatives to control scalability and to establish trustworthy processes for
organizations using hardware, software, data, and networks for information.
Cybersecurity threats to organizational infrastructures come in a variety of forms,
such as organization insiders, terrorists, software (malware), hackers, and criminal groups
(Langevin, 2008). IA professionals frequently must attend technology events, participate
in cyber exercises, and enroll in cyber courses to hone skill level and to remain informed
of the latest cyber threats. IA professionals may assist organizational leadership in
configuring security policy elements, doctrine, and other security resources necessary in

the organizations strategic plan to defend the organizations critical infrastructure

IE

(Brechbuhl, Bruce, Dynes, & Johnson, 2010). The National Science and Technology
Council develop cost strategies for implementing cybersecurity solutions (Sternstein,

PR
EV

2006). Cybersecurity is a collective agreement occurring immediately through the


Internet as a boundaryless network-sharing cyberspace (Greenwald, 2010), therefore,
underlining security as a global concern (Brechbuhl et al., 2010).
The subcommittees of the National Science and Technology Council (NSTC)
recognize information assurance as a critical resource in defending the nations security,
and through organizational commitment with private and public interorganizational
partnerships may assist in achieving government compliance in cybersecurity (Wilshusen
& Rhodes, 2006). The evolution of interorganizational relationships remains challenging
as the globalization of markets increases the need for interorganizational IT governance
(Wood, 2005). IT governance as an internal organizational process governs internal
security policies to provide the necessary access to information (Sambamurthy & Zmud,
1999). The alliance of international organizational relationships drives the creation of

5
partnerships, resulting in new security policies under the disguise for interorganizational
IT governance (Croteau & Bergeron, 2009). Organizational leaderships commitment to
a strategic plan might require refocusing to incorporate IA at various organizational
levels as organizations use technology for global business expansion (Tiwana &
Konsynski, 2010).
The U.S. Air Force as a rational organization must have countermeasures for the
increasing emerging technologies and challenging the organizations network
infrastructure (Young, 2010). The Air Force strategic decision makers sought to control

the impact of emerging technologies on the organizations infrastructure and architecture

IE

by reengineering the U.S. Strategic Command and include the U.S. Cyber Command as a
subordinate organization (U.S. Department of Defense [DoD], 2009). The U.S. Cyber

PR
EV

Command (USCYBERCOM) established the foundation for implementing the


cybersecurity doctrine on DoD network infrastructure but deficient in the application and
resources to implement as a global cybersecurity strategy (Andrues, 2010).
The Air Force Reserve Command (AFRC) as a Major Command (MAJCOM) has
the same mission as Headquarters Air Force (HAF), which is to maintain superiority in
air, space, and cyberspace (U.S. Air Force Reserve, 2010). March Air Reserve Base
(MARB) operates as a wing organization, as such the strategic plan links to a higher-level
organization known as the Numbered Air Force (NAF), which supports AFRC, and HAF
(U.S. Air Force, 2009). The U.S. would seek command and control as a rational
organization by instituting information security, information assurance, and information
awareness to institute critical value toward cybersecurity. Brechbuhl et al. (2010) defined
cybersecurity as a collective concern whereby the government must depend on the private

6
sector to manage the cybersecurity risk along with the information communication
technologies (ICTs) infrastructure administration. The federal government recognizes the
course of action is to inform the public concerning cybersecurity and has initiated
partnerships with public-and-private sectors, and international industries for critical
alliance (Obama, 2011).
MARB's cybersecurity strategic plan requires responsible stakeholders at all
organizational levels, external commitment through cooperative partnerships, and internal
commitment from functional organizations to support the network infrastructure. The
MARB network enterprise supports approximately 5,000 personnel (reservists, civil
service, and contractors) and 29 tenant organizations (March Air Reserve Base Strategic
Plan, 2009). MARB personnel establish business-to-business (B2B) partnerships to
increase functional interdependencies and to compete for shrinking resources (Buhman,
Kekre, & Singhal, 2005). The B2B partnerships provide increased opportunity to
coordinate, collaborate, and communicate with industry and other government agencies.
New interdependent partnerships help counterbalance the requirements imposed by external
forces during organizational changes, such as government regulations, the economy, and
information communication technologies (Morris, 2009). Technological advances and
data reliability drive the evolution of business-to-customer (B2C) and B2B relationships,
particularly as partnerships flourish to maintain a competitive edge (Vijayaraman &
Bhatia, 2002).
Secure information retrieval requires network security as a primary role in the
strategic plan and in software management (Knowles, 1999). As information and
intelligent information convert into knowledge, an organization may advance as a
competitor. Broadbent and Kitzis (2004) described how legislation would increase to control
information security through an organization's compliance mechanisms, the passage of
liabilities onto the organization, and in some cases criminal liability for the misuse or loss
of corporate data. Buszta (2008) stated that organizational leaders must strategically plan
to incorporate certification and accreditation cybersecurity components to ensure the
organization remains in compliance and does not contradict federal government
regulations.
Organizational leaders must continually reassess outcomes from legislative
initiatives such as the Federal Information Security Management Act (FISMA), the
Paperwork Reduction Act of 1995, and the Information Technology Management Reform
Act of 1996 (also known as the Clinger-Cohen Act) for compliance (Buszta, 2008).
Organizations must adopt new paradigms to interface with the new compliance
mechanisms, risk assessment, and security assurance (Tashi, 2009). A hidden, pivotal
chasm unknown to organizational leaders induces network vulnerabilities when the
organization's technology acquisitions pursue ROI for the organization. IA professionals
continually adjust protocols for just-in-time fixes or patch management strategies to
secure the network infrastructure and lower organizational risks when business units invest
in technologies without seeking IT expertise prior to the acquisition decision. The United
States General Accounting Office (GAO) recognized the criticality of assessing requirements
for building a DoD enterprise with a secure architecture and network infrastructure to
ensure the nation's valuable information remains protected and available only to
individuals with the proper credentials (Rhodes & Willemssen, 2004).
Statement of the Problem
The general problem is that organizational leaders who work for government agencies
have experienced cyberattacks on federal enterprise network systems and
critical architectural infrastructures (Wilshusen, 2010a) and presently seek alternatives
for securing information (Clark & Levin, 2009). The globalization of information
communication technologies (ICTs), such as social networking, increases organizational
risks (Barr, 2010). The implementation of ICTs challenges the federal government's
organizational security policies to protect vital information and to maintain a secure
network enterprise (Wilshusen, 2010a).
The specific problem is that organizations exclude IA professionals as a critical
element in cybersecurity while ICT use continually increases, resulting in
organizational risks from network vulnerabilities such as denial of service attacks, network
intrusions, and viruses (Denning & Denning, 2010). Wilshusen (2010) contended the
federal government needs better control in decreasing the number of network
vulnerabilities by diminishing the continual cyberattacks on the federal system. Assante
and Tobey (2011) argued that the deficit of a cybersecurity workforce challenges government,
industry, and academia such that organizations must implement emerging technologies to
expand business processes by using innovative or alternative methods.
Min, Beyeler, Brown, Son, and Jones (2007) emphasized that critical collaborative
network infrastructures rely on cyber interdependencies; as business processes realign to
the web as virtual applications, organizational leaders need to identify potential risks and
expedite the development and execution of cybersecurity strategies by IA professionals.
Agresti (2010) argued that cybersecurity requires sharing as a global responsibility from all
organizational levels. The Federal Information Security Management Act (FISMA)
provides regulatory guidance for federal agencies to ensure data security and data protection,
and requires organizations to implement policies and procedures to reduce risk
throughout the information life cycle (Ross, Swanson, Stoneburner, Katzke, & Johnson,
2004). Organizational leaders who work in the federal government may seek to control
information security through legislative initiatives on certification and accreditation of IA
professionals (Ross, Swanson, Stoneburner, Katzke, & Johnson, 2004), information
awareness, information technology governance, and countermeasures to support
cybersecurity (Koontz, 2003).
The qualitative case study design involved exploring the critical inclusion of IA
professionals in the organization's strategic plan by senior leadership to advance the
integration of cybersecurity and IT governance (Wood, 2005), resulting in diminished
network vulnerabilities. The outcome from developing a cybersecurity strategy may
provide practical application to reduce risk (Knapp & Boulton, 2006) at MARB as a
government institution. A cybersecurity strategy may pertain to private and public
organizations, especially as organizations increasingly share information and depend on
information globally in cyberspace (Powner, 2010a). Ghernaouti-Hélie (2010) argued that a
cybersecurity strategy should exist and be enforceable on the national level and
compatible with the international level, as the evolution of technologies challenges
managerial issues such as organizational structures, legal matters, and human resources.
Purpose of the Study
The purpose of the qualitative exploratory case study design was to analyze the critical
inclusion of IA professionals in the organization's strategic plan by senior leadership to