First Advisor

Tugrul Daim

Term of Graduation

Summer 2021

Date of Publication

8-3-2021

Document Type

Dissertation

Degree Name

Doctor of Philosophy (Ph.D.) in Technology Management

Department

Engineering and Technology Management

Language

English

DOI

10.15760/etd.7629

Physical Description

1 online resource (xvii, 254 pages)

Abstract

This research provides a maturity model for information security at healthcare organizations in the United States. Healthcare organizations face increasing threats to the security of their information systems. The maturity model identifies specific performance metrics, each with a relative importance measure, that can be used to improve information security at healthcare organizations so that scarce resources are focused on mitigating the most important information security threat vectors. This generalizable, hierarchical decision model uses both qualitative and quantitative metrics tied to objective goals. The model may be used as a baseline against which to measure an individual organization's performance, to compare performance with other organizations, or to monitor changes in the information security environment over time.

Information security incidents cause significant financial and reputational harm to individuals and organizations across the globe. The cybersecurity threat is pervasive and continues to grow at an alarming rate. This harm is heightened in healthcare organizations because human lives may also be at risk in the event of an information security incident. Healthcare organizations have also become a popular target for cybercriminals because of the rich trove of personal information entrusted to them. Existing information system security frameworks are complicated, difficult and time-intensive to administer and monitor, and rarely provide the relative importance of key performance metrics. Introducing a generalizable model that identifies the most important levers for improving information security can help close a gap in the existing literature.

Using a comprehensive literature review, objectives, goals, and outputs were identified and linked together in a four-level hierarchical decision model (HDM). At level 1, the purpose of the HDM is to determine the degree to which the organization meets the mission of providing a secure information environment, evaluated over a broad set of metrics. Level 2 specifies five objectives, based on industry- and domain-relevant research, that promote a secure information environment. Level 3 identifies twenty-two goals, each with a measurable output characterized by a desirability function; these outputs form level 4. A structured model is developed from these linked concepts with the help of subject matter experts, who validate the content and construct of the model. The model is further tested by measuring expert inconsistency and disagreement.

Using case studies, actual industry data are used to demonstrate how the model calculates a score to create a performance measure for each case study organization. Results are discussed to illustrate how the case study sites might increase their performance in future assessments against the model.
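The two paragraphs above describe the model's structure (objectives weighted at level 2, goals weighted within each objective, and a desirability function mapping each goal's measured output onto a 0 to 1 scale) and the way a case-study organization's score is derived from it. The following Python is an added illustration of that scoring mechanics and is not the dissertation's model or its data: the two objectives, four goals, weights, desirability curves and the "site A" measurements are constructed placeholders standing in for the five objectives and twenty-two goals the abstract names. Desirability is implemented as piecewise-linear interpolation over expert-elicited points, which is one common way to encode such curves; the dissertation's actual curve shapes are not stated on this page.

```python
"""Hierarchical weighted scoring with desirability functions.

Added example (not the dissertation's model). Objectives, goals, weights,
desirability curves and measurements below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A desirability curve is a list of (measured value, desirability in [0, 1]).
Curve = List[Tuple[float, float]]


def desirability(curve: Curve, x: float) -> float:
    """Piecewise-linear interpolation over an elicited curve.

    Values below the first point clamp to its desirability; values above the
    last point clamp to the last, so an out-of-range measurement never
    produces a desirability outside [0, 1].
    """
    pts = sorted(curve)
    if x <= pts[0][0]:
        return pts[0][1]
    if x >= pts[-1][0]:
        return pts[-1][1]
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise ValueError("unreachable: curve is sorted and x is within range")


@dataclass
class Goal:
    name: str
    weight: float  # local weight within the parent objective (sums to 1)
    curve: Curve   # desirability function for this goal's measured output


@dataclass
class Objective:
    name: str
    weight: float  # level-2 weight (sums to 1 across objectives)
    goals: List[Goal]


def check_weights(objectives: List[Objective], tol: float = 1e-9) -> None:
    """Reject a model whose weights do not sum to 1 at each level."""
    if abs(sum(o.weight for o in objectives) - 1.0) > tol:
        raise ValueError("objective weights must sum to 1")
    for o in objectives:
        if abs(sum(g.weight for g in o.goals) - 1.0) > tol:
            raise ValueError(f"goal weights under '{o.name}' must sum to 1")


def score(objectives: List[Objective], measured: Dict[str, float]) -> float:
    """Overall score in [0, 1]: sum of global weight * desirability per goal.

    The global weight of a goal is objective_weight * goal_weight, so a score
    of 1.0 means every goal's output sits at its ideal desirability.
    """
    check_weights(objectives)
    total = 0.0
    for o in objectives:
        for g in o.goals:
            if g.name not in measured:
                raise ValueError(f"no measurement for goal '{g.name}'")
            total += o.weight * g.weight * desirability(g.curve, measured[g.name])
    return total


def gaps(objectives: List[Objective], measured: Dict[str, float]):
    """Per-goal shortfall from ideal, weighted by global weight, largest first.

    Each row is (goal, global_weight, desirability, weighted_gap). The top rows
    are the levers whose improvement would raise the overall score the most.
    """
    rows = []
    for o in objectives:
        for g in o.goals:
            gw = o.weight * g.weight
            d = desirability(g.curve, measured[g.name])
            rows.append((g.name, gw, d, gw * (1.0 - d)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed placeholder model (hypothetical objectives, goals and weights).
MODEL = [
    Objective("Workforce readiness", 0.4, [
        Goal("staff_training_pct", 0.6, [(0, 0.0), (50, 0.3), (90, 0.9), (100, 1.0)]),
        Goal("phishing_click_rate_pct", 0.4, [(0, 1.0), (5, 0.8), (20, 0.2), (50, 0.0)]),
    ]),
    Objective("Technical controls", 0.6, [
        Goal("patch_within_30d_pct", 0.5, [(0, 0.0), (70, 0.5), (95, 0.9), (100, 1.0)]),
        Goal("mfa_coverage_pct", 0.5, [(0, 0.0), (80, 0.6), (100, 1.0)]),
    ]),
]

# Constructed measurements for a hypothetical case-study site.
SITE_A = {
    "staff_training_pct": 75,
    "phishing_click_rate_pct": 10,
    "patch_within_30d_pct": 85,
    "mfa_coverage_pct": 40,
}

if __name__ == "__main__":
    print(f"site A score: {score(MODEL, SITE_A):.3f}")
    for name, gw, d, gap in gaps(MODEL, SITE_A):
        print(f"{name:26s} weight={gw:.2f} desirability={d:.3f} gap={gap:.3f}")
```

Running the block scores the placeholder site at 0.57 and ranks the weighted gaps, which is the "where to direct limited resources" question the abstract raises: here the largest shortfall is the goal with a high global weight and a low desirability, not necessarily the goal with the lowest raw measurement.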

This research project contributes to the field by introducing a generalizable model and measurement system that compares the information security performance of a healthcare organization to an ideal state. Healthcare organizations provide critical resources to millions of people every day and must remain operational despite information security threats. Understanding where healthcare organizations can best direct their limited resources to support the stability of their information systems is essential to the leaders of these organizations.

Rights

©2021 Bridget Joan Barnes Page

In Copyright. URI: http://rightsstatements.org/vocab/InC/1.0/ This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).

Persistent Identifier

https://archives.pdx.edu/ds/psu/36284
