INSTITUTIONALIZED ENVIRONMENTS AND INFORMATION SECURITY MANAGEMENT: LEARNING FROM Y2K A Comparative Study in a Critical Sector Organization A Dissertation Presented to The Academic Faculty by Pamela Grace Burns Hassebroek In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Public Policy Georgia Institute of Technology August 2007 Copyright © Pamela B. Hassebroek 2007 INSTITUTIONALIZED ENVIRONMENTS AND INFORMATION SECURITY MANAGEMENT: LEARNING FROM Y2K A Comparative Study in a Critical Sector Organization Approved by: Dr. Juan D. Rogers, Advisor Dr. Hans K. Klein School of Public Policy School of Public Policy Georgia Institute of Technology Georgia Institute of Technology Dr. Jay D. Bolter School of Literature, Communication, & Mr. Mike Nelson-Palmer Culture College of Computing Georgia Institute of Technology Georgia Institute of Technology Dr. Gordon Kingsley School of Public Policy Georgia Institute of Technology Date approved: June 13, 2007 A … model for improving security may be the Y2K bug. Facing the threat of widespread computer meltdowns at the millennium, industry mobilized to change business practices and governments passed laws requiring Y2K certification for tech gear. Companies underwent massive campaigns to make certain they complied because they didn't want to be held liable for damages. The Securities & Exchange Commission required corporations to provide details of their Y2K efforts in quarterly earnings reports. —Sager, I., & Greene, J., Business Week If we could do it this time, why not do it next time and every time? In many companies, success with Y2K could become the role model for success in all future IT [information technology] projects. —Yourdon, E., Computerworld ACKNOWLEDGEMENTS My success in designing and writing this dissertation reflects the contributions of many individuals, from both inside and outside organizations, who offered information, advice, encouragement, funding, inspiration, hope, and friendship during the Ph.D. process. Individuals from a number of departments at Georgia Tech imparted the educational foundation that led to this degree: the School of Public Policy, the College of Computing, the School of Literature, Communication and Culture, and the Office of Graduate Studies and Research. In the School of Public Policy, members of the faculty and fellow students have contributed immeasurably both to my education and in guidance for this research. Thanks to all of you for your generous contributions. Juan Rogers, chair of my dissertation committee, served as a willing and competent advisor on many occasions when I needed critical direction during the dissertation process. He directed the development of the research protocol for the Institutional Review Board, and assisted me in honing the research design. His advice has been invaluable to the completion of this dissertation. Hans Klein also provided essential direction for which I am especially grateful. Hans served as my advisor through the initial stages of my research—advising me in narrowing the topic of information security, in framing the literature, and in helping me to understand the value of “theory.” The study of Y2K was his idea. Gordon Kingsley, another valued member of my committee, introduced me to the field of public policy; his able leadership for the class entitled Scope and Theory of Public Policy inspired me to join the Ph.D. program. Susan Cozzens, another significant contributor from the School, iv served as a faithful counselor throughout my journey in the Ph.D. program. Officially, Susan served as academic advisor and as my employer in research assistantships. Unofficially, she was always available to help as I attempted to plot a route through various aspects of the program, giving thoughtful consideration to my questions, even as she attended to her far-reaching research agenda and either chairing the department or directing the Ph.D. program. Latissia Caldwell-Jones, graduate coordinator, was so valuable both to me and to the functioning of the graduate programs in the School that I would find it difficult to rule out her hand in any aspect. She made it happen! Her interpersonal skills, her winning personality, and her willingness to tackle almost any graduate student issue all added joy to the transactions involved in accruing the requirements for the Georgia Tech degree. I also acknowledge the good fortune in the collegial support of fellow Ph.D. students and friends, especially Dara, Jingjing, Min, and Carolyn. Thank you for being there, and for patiently listening to many versions of my “evolving” theories and strategies and for offering feedback on my early and ill-formed presentations. In the Georgia Tech College of Computing (CoC), where I spent an interim course of study, Sy Goodman and Mike Nelson-Palmer were responsible for my early education in the field of information security. Sy served as first advisor for this dissertation, and suggested the direction for my research topic area—information security in organizations. My experiences working under Sy’s direction were important and rewarding; and, I am very grateful for his mentoring. I also appreciate the myriad opportunities that he provided for me to contribute to the field. Thanks to Sy, I was able to develop course content, write for presentation and publication, assist in teaching, and v to connect with the field of information security through conferences and meetings, where practitioners and policy-makers were discussing real-world problems. Thank you also to Mike Nelson-Palmer, manager of the Georgia Tech Information Security Center (GTISC). Mike skillfully taught the CoC course that served as my introduction to the study of information security. In addition, as a member of my dissertation committee, he provided extensive and important feedback on this document. I also recognize the contribution of Peter Wan, information security technical expert, a former employee in the CoC and later in the Georgia Tech Office of Information Technology. Peter provided opportunities to discuss the evolution of IT systems and security processes. David McCann and Ben Garrison, CoC students, provided assistance in computer programming and data organization. Thank you to all of these CoC contributors. In the School of Literature, Culture, and Communication, Jay Bolter was thesis advisor for my Master’s research, as well as a member of my Ph.D. dissertation committee. He led classes exploring the “new media,” which included the World Wide Web and virtual reality. Thank you, Jay, for the instruction and early mentoring, for your loyalty and continued support. Anne Balsamo, head of the graduate program, was also a valued committee member for my Master’s work. Her course in communication theory and culture was an important influence in my dissertation research. The writing workshops in the GT Office of Graduate Studies and Research were very helpful when I first began to struggle with the notion of “academic writing.” Amanda Gable read a number of early drafts of various sections of my writing, and gave me encouragement along the way with valuable feedback. Amanda’s support and her faithful friendship have been a wonderful addition to my life at Georgia Tech. Many, vi many thanks to you, Amanda. Thank you also to Georgia Tech students Tim Hartman and Nancy McKee, who contributed considerably to this research by assisting me in organizing and analyzing documents. Beyond the boundaries of Georgia Tech, individuals associated with Delta were critical to the importance of this research. The Delta community—employees and consultants, past and present—has been an exceptionally generous group to work with, especially those individuals who offered personal time to provide data, to help me navigate among the Delta divisions, organizational relationships, and, most especially, to help me understand its technical jargon. Leo Mullin, along with Walter Taylor, Tim Mitchell, Charlie Feld, Charles Gravitt, Gerald Grinstein, Neal Morgan, Curtis Robb, John Day, Jack McMillan, and numerous others have contributed to this research, thus personifying the supportive family that the Delta organization is known to be. I owe an enormous debt of gratitude to all of you; I could not have accomplished this dissertation without your contribution. In addition to the abovementioned support for my academic work, a constellation of professionals has contributed significantly to my ability to sustain focus and energy for this dissertation. I have been very blessed to know and to be in the care of extraordinarily knowledgeable and effective practitioners in their respective fields; it is impossible to overestimate the value of these “angels” in my life. First from Emory University, Nadine Kaslow served as trustworthy and conscientious mentor, counselor, and coach, and more recently as text editor. Thank you, Nadine, for your dedication. The leaders and members of the Dissertation Support Group at Georgia Tech, and the Cancer Support Group at the Samaritan Counseling Center, also provided a supportive environment at times when I vii greatly needed it. Trisha Senterfitt and Nancy Kirwan demonstrate an inspiring and extraordinary calling. Next, over these years of long days of computer work, my physical therapists helped me to maintain stamina and balance. Melissa Wirsig, Peter Hergott, and Jayne Edwards applied their expertise to improve my physical condition beyond what I had ever considered possible. Finally, George Wirth, spiritual and behavioral exemplar and my friend, never failed to believe that I could accomplish the doctoral degree, calling me “soon to be Dr.” at every meeting since I began the Ph.D. program. George and Barb are wonderful friends; and I extend a hand to them especially for the hope that they instill in so many. I also had the blessing of the continuous encouragement of my family, both past and present. I often think of my parents. Even though they are no longer here to witness my achievement, I feel their presence and remember their educational endeavors and their love of learning. I am certain that it is to them that I owe my greatest debt.