
Purdue University
Purdue e-Pubs
Open Access Theses / Theses and Dissertations

Spring 2015

An analysis of the effectiveness and cost of project security management
Robert E. Bott, Purdue University

Follow this and additional works at: https://docs.lib.purdue.edu/open_access_theses
Part of the Management Information Systems Commons

Recommended Citation
Bott, Robert E., "An analysis of the effectiveness and cost of project security management" (2015). Open Access Theses. 550.
https://docs.lib.purdue.edu/open_access_theses/550

This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact [email protected] for additional information.

Graduate School Form 30 (Updated 1/15/2015)

PURDUE UNIVERSITY GRADUATE SCHOOL
Thesis/Dissertation Acceptance

This is to certify that the thesis/dissertation prepared
By: Robert E. Bott
Entitled: AN ANALYSIS OF THE EFFECTIVENESS AND COST OF PROJECT SECURITY MANAGEMENT
For the degree of: Master of Science
Is approved by the final examining committee:
  Dr. Eric Dietz, Chair
  Kevin Dittman
  Raymond Hansen

To the best of my knowledge and as understood by the student in the Thesis/Dissertation Agreement, Publication Delay, and Certification Disclaimer (Graduate School Form 32), this thesis/dissertation adheres to the provisions of Purdue University’s “Policy of Integrity in Research” and the use of copyright material.

Approved by Major Professor(s): Dr. Eric Dietz
Approved by: Jeffrey Whitten, Head of the Departmental Graduate Program
Date: 4/6/2015

AN ANALYSIS OF THE EFFECTIVENESS AND COST OF PROJECT SECURITY MANAGEMENT

A Thesis
Submitted to the Faculty of Purdue University
by
Robert E. Bott

In Partial Fulfillment of the Requirements for the Degree of Master of Science

May 2015
Purdue University
West Lafayette, Indiana

Any clime and place - Semper Fidelis

TABLE OF CONTENTS
(page numbers at right)

LIST OF FIGURES  vii
LIST OF ABBREVIATIONS  viii
GLOSSARY  x
ABSTRACT  xii

CHAPTER 1. INTRODUCTION  1
  1.1 Research Question  1
  1.2 Problem Statement  1
  1.3 Scope  2
  1.4 Significance  3
  1.5 Assumptions  5
  1.6 Limitations  6
  1.7 Delimitations  7
  1.8 Chapter Summary  8

CHAPTER 2. REVIEW OF RELEVANT LITERATURE  9
  2.1 Search Areas for Literature Review  10
  2.2 Information Security Governance and Management  12
    2.2.1 Information Security Governance  13
    2.2.2 Information Security Management  15
    2.2.3 Information Security Measures  17
  2.3 A Case for Project Security Management  21
    2.3.1 Critical Security Controls and Risk Management  22
    2.3.2 Security Management as a Process  24
    2.3.3 Defense in Depth  25
  2.4 Summary  26

CHAPTER 3. METHODOLOGY  27
  3.1 Framework  27
  3.2 Researcher Bias  28
  3.3 Methodology  29
  3.4 Credibility of the Research  34
    3.4.1 Validity of the AnyLogic® Modeling Tool  34
  3.5 Data Collection  35
  3.6 Model Design  39
  3.7 Summary  41

CHAPTER 4. MODEL DESIGN AND IMPLEMENTATION  42
  4.1 Introduction  42
  4.2 Agent-Based Modeling  44
  4.3 Model Design  45
    4.3.1 The Critical Security Controls  45
    4.3.2 Describing the High-Level Conceptual Model  47
    4.3.3 COA Decision Making Process  49
    4.3.4 User Input and Scenario Run Design  51
  4.4 Model Implementation  54
    4.4.1 The User Interface  55
    4.4.2 The State Machine Logic  58
    4.4.3 Sample Run  61
    4.4.4 Future Model Expansion  65
      4.4.4.1 Threat Behavior  65
      4.4.4.2 Adding Multiple Project Agents and Adding Program Agents  66
      4.4.4.3 Detailed State Machine for Project Agents  66
      4.4.4.4 Integrate Asset Agents  66
      4.4.4.5 Use of Real Time  67
      4.4.4.6 Detailed Critical Security Control Implementation  67
      4.4.4.7 Full Critical Security Control Use  68
  4.5 Summary  68

CHAPTER 5. PRESENTATION OF DATA, CONCLUSIONS AND RECOMMENDATIONS  69
  5.1 Introduction  69
  5.2 Presentation of Data  71
    5.2.1 Literary Sources  72
      5.2.1.1 Mission Tactics  72
      5.2.1.2 Managing Security Risk on Projects  73
    5.2.2 Subject Interviews  80
      5.2.2.1 Security Management is Risk Management  80
      5.2.2.2 Security Management and Quality Management  81
      5.2.2.3 Project Managers Improve the Security Posture of Organizations  83
      5.2.2.4 Costs of Security and Return on Investment  85
    5.2.3 Model Data  86
      5.2.3.1 Model Output  86
  5.3 Conclusions  88
  5.4 Recommendations  91
  5.5 Future Research  92
    5.5.1 Quantitative Research  92
    5.5.2 Security Management Plan Framework  93
    5.5.3 Security Process Improvement  93
    5.5.4 Computerized Modeling  94
File: PDF, 156 pages, English.