
HOW THE ADOPTION OF THE BIG-DATA PARADIGM AFFECTS THE KEY FACTORS THAT INFLUENCE THE EFFECTIVENESS OF AN INFORMATION ASSURANCE (IA) FRAMEWORK: A MULTIPLE-CASE STUDY.

by

Benjamin G. Apple

STEVEN BROWN, PhD, Faculty Mentor and Chair

RUBYE BRAYE, PhD, Committee Member

STEPHEN CALLENDER, EdD, Committee Member

Bill Dafnis, PhD, Interim Dean of Technology

School of Business and Technology

A Dissertation Presented in Partial Fulfillment

Of the Requirements for the Degree

Doctor of Philosophy

Capella University

Month Year [of final school approval]

ProQuest Number: 10257655

All rights reserved

INFORMATION TO ALL USERS: The quality of this reproduction is dependent upon the quality of the copy submitted. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion.

ProQuest

Published by ProQuest LLC ( ). Copyright of the Dissertation is held by the Author.

All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code.

Microform Edition © ProQuest LLC.

ProQuest LLC, 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106-1346

2017

© Benjamin G. Apple, Year

Abstract

This qualitative study identified those factors that influence the perceived effectiveness of traditional IA control frameworks. The key factors examined in this study are risk management, governance, access control, privacy protection, integrity, availability, reliability, and usability. The researcher endeavored to determine how the effectiveness of these factors is impacted when the IA frameworks are applied to a big-data environment within the context of the unified theory of acceptance and use of technology (UTAUT) Model. The multiple-case study approached the issue from the perspective of three operational groups, senior decision makers, information assurance professionals, and information security practitioners, across three organizations. Data was gathered by face-to-face interview, direct observation, and historic documentation review. Gathered data was processed and evaluated by use of the NVivo 10 software process. The data gathered and analyzed during the multiple-case study leads one to infer that traditional IA control frameworks are engineered to take advantage of the foundational controls of a traditional network-centric database environment. In a traditional database environment, the database management software provides controls such as read/write, content type, and audit logging, which are the foundation for the keys of effectiveness. In a big-data environment those foundational controls must be provided by intention through policy, structure, or performance agreement, as opposed to by implementation. Thus, while the key factors of traditional controls are perceived as structurally sound and effective, to remain effective in a big-data environment traditional controls and their associated key factors require some level of reengineering, or, as in the case of training, greater application is required to gain the perception of trust in a big-data environment.

Dedication

This work is dedicated to my loving and supportive wife Francine. Without her support and belief in me I would not have been able to make this journey. My wife believed in me even when I did not believe in myself. To all who endeavor to make this journey I would say that you must have those that will lift you up even when you lose faith in yourself. To my wife, my biggest fan, I say thank you for believing in me and believing in us.

Acknowledgments

First and foremost, I would like to thank my committee chair and mentor Dr. Steven Brown for his unwavering support, patience, and guidance in this academic pursuit. Dr. Brown demonstrated an exceptional level of mentorship and patience for which I am extremely grateful. To my committee, Dr. Rubye Braye and Dr. Stephen Callender, thank you for your commitment, guidance, and support throughout this study.

I would like to thank the US NAVY leadership for the foresight that provided me the opportunity to conduct the study, as well as the members of the defense industrial complex involved in providing the case study environments for this research. I hope this work assists in supporting you with the awesome work you do for our country. Finally, I thank my friend and voice of reason Dr. Michael Schumann.

Table of Contents

Abstract ....................................................................................................................3
Dedication .............................................................................................................. iii
Acknowledgments.................................................................................................. iv
List of Tables ....................................................................................................... viii
CHAPTER 1. INTRODUCTION ........................................................................................1
Background of the Study .........................................................................................1
Need for the Study ...................................................................................................2
Purpose of the Study ................................................................................................3
Significance of the Study .........................................................................................4
Research Question ...................................................................................................6
Definition of Terms..................................................................................................6
Research Design.......................................................................................................9
Assumptions and Limitations ................................................................................10
Assumptions ...................................................................................................10
Limitations ......................................................................................................11
Organization of the Remainder of the Study .........................................................11
CHAPTER 2. LITERATURE REVIEW ...........................................................................12
Methods of Searching ............................................................................................12
Theoretical Orientation for the Study ....................................................................13
Review of the Information Assurance Literature...................................................16
History of Information Assurance ..................................................................18
Guidance and Regulation ................................................................................20
Information Assurance Control Challenges of Big-Data ................................24
Information Assurance Frameworks ...............................................................34
Synthesis of the Research Findings .......................................................................37
Critique of Previous Research Methods ................................................................39
Contrary Opinions, Evidence, or Views .........................................................40
Summary ................................................................................................................41
CHAPTER 3. METHODOLOGY .....................................................................................42
Research Question .................................................................................................42
Research Design.....................................................................................................42
Target Population and Sample ...............................................................................45
Population .......................................................................................................45
Sample ............................................................................................................46
Procedures ..............................................................................................................46
Participant Selection .......................................................................................48
Protection of Participants ................................................................................48
Data Collection ...............................................................................................49
Data Analysis ..................................................................................................50
Instruments .............................................................................................................51
The Role of the Researcher .............................................................................52
Guiding Interview Questions ..........................................................................53
Ethical Considerations ...........................................................................................54
Summary ................................................................................................................55
CHAPTER 4. PRESENTATION OF THE DATA............................................................56
Introduction: The Study and the Researcher ..........................................................56
Description of the Sample ......................................................................................58
Research Methodology Applied to the Data Analysis ...........................................59
Presentation of Data and Results of the Analysis ..................................................61
Summary ..............................................................................................................103
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS ..................107
Introduction ..........................................................................................................107
Summary of the Results .......................................................................................107
Discussion of the Results .....................................................................................113
Conclusions Based on the Results .......................................................................114
Comparison of Findings with Theoretical Framework and Previous Literature .115
Interpretation of the Findings...............................................................................116
Limitations ...........................................................................................................118
Implications for Practice ......................................................................................119
Recommendations for Further Research ..............................................................121
Conclusion ...........................................................................................................122
References ........................................................................................................................124
STATEMENT OF ORIGINAL WORK ..........................................................................139
APPENDIX A. INTERVIEW QUESTIONS ..................................................................141
APPENDIX B. DATA INDEX KEY ..............................................................................142

List of Tables

Table 1. Question 1 distillation ...............................................................................................61
Table 2. Question 2 distillation ...............................................................................................62
Table 3. Question 3 distillation ...............................................................................................64
Table 4. Question 4 distillation ...............................................................................................65
Table 5. Direct Observation distillation ..................................................................................67
Table 6. Historic Document Review distillation .....................................................................67
Table 7. Case Study B – IS Practitioner Interview Question 1 and Responses ......................79
Table 8. Case Study B – IS Practitioner Interview Question 2 and Responses ......................80
Table 9. Case Study B – IS Practitioner Interview Question 3 and Responses ......................80
Table 10. Case Study B – IS Practitioner Interview Question 4 and Responses ....................81
Table 11. Case Study B – IS Practitioner Interview Question 5 and Response ......................82
Table 12. Case Study C – Senior Executive Interview Question 1 and Responses .................86
Table 13. Case Study C – Senior Executive Interview Question 2 and Responses .................87
Table 14. Case Study C – Senior Executive Interview Question 3 and Responses .................88
Table 15. Case Study C – Senior Executive Interview Question 4 and Responses .................89
Table 16. Case Study C – Senior Executive Interview Question 5 and Response ..................90
Table 17. Case Study C – IA Professional Interview Question 1 and Responses ...................91
Table 18. Case Study C – IA Professional Interview Question 2 and Responses ...................92
Table 19. Case Study C – IA Professional Interview Question 3 and Responses ...................93
Table 20. Case Study C – IA Professional Interview Question 4 and Responses ...................94
Table 21. Case Study C – IA Professional Interview Question 5 and Response .....................94
Table 22. Case Study C – IAP Interview Question 6 and Response .......................................95
Table 23. Case Study C – IS Practitioner Interview Question 2 and Responses .....................96
Table 24. Case Study C – IS Practitioner Interview Question 3 and Responses .....................96
Table 25. Case Study C – IS Practitioner Interview Question 4 and Responses .....................97
Table 26. Case Study C – IS Practitioner Interview Question 4 and Responses .....................98
Table 27. Perceptions of effectiveness...................................................................................101
Table 28. Key Factors of Perceived Effectiveness ................................................................112
Table 29. Big-data IA controls framework model .................................................................120

List of Figures

Figure 1. TAM Model .............................................................................................................13
Figure 2. UTAUT Model ........................................................................................................15
Figure 3. Data Key Index .........................................................................................................67


CHAPTER 1. INTRODUCTION

Background of the Study

As valuable as the big-data proposition is, there are concerns among those professionals responsible for safeguarding the Information Assurance (IA) environment of the organization (Douglas, 2013). In order to attest to the confidentiality, integrity, and availability of the data critical to the operations of the organization, IA professionals rely on established and accepted (i.e., traditional) IA frameworks, such as: (a) the Control Objectives for Information and Related Technology (COBIT) created by the Information Systems Audit and Control Association (ISACA); (b) SP800-53 from the National Institute of Standards and Technology (NIST); (c) the Information Assurance Technical Framework (IATF) from the U.S. Department of Commerce; or (d) the Information Assurance Framework (IAF) from the European Union (EU) Audit Commission and the standards of International Standards Organization/International Electrotechnical Commission 20000 (ISO/IEC 20000) (Burr, Ferraiolo & Waltermire, 2014; Frankel, 2012; Trombetta, Jiang, Bertino & Bossi, 2011; von Roessing, 2010). The current field of established IA frameworks has evolved in the traditional database environment of relatively static rows and columns bounded by well-defined data schema and well understood data sources (Frankel, 2012). In the high volume, high velocity, diverse variety environment of big-data, the perceived effectiveness of the established IA framework is challenged (Abdulhamid, Latiff & Bashir, 2014; Salierno, 2012; Thomson & Solms, 2006). In the context of this study, effectiveness is defined by NIST SP800-53 as the extent to which the application of a framework ensures the integrity, availability, and provenance of the targeted information assets (Vivekanand & Vidyavathi, 2015; von Roessing, 2010). The very attributes (velocity, volume, and variety) that make big-data attractive to senior decision makers challenge the effectiveness of traditional IA frameworks (Adu & Ward, 2011). The attributes of big-data combined with large-scale cloud infrastructures and the trend toward data transparency have pushed traditional IA control frameworks to the limit of effectiveness (Munné, 2013). The volume, velocity, and variety of big-data have challenged traditional IA frameworks, tailored to securing small to mid-scale static data and schema-bound environments in network-centric environments (Munné, 2013; Shute, 2012). Without established control frameworks effectively and reliably applied to the IA attestation of big-data environments, organizations will experience challenges realizing the operational advantages of adopting a big-data decision-making environment (Gobble, 2013). The challenge to the adoption of big-data may affect the ability of an organization to remain competitive in its market or operating domain (Gobble, 2013; Mahrt & Scharkow, 2013; Leavitt, 2013).

Need for the Study

Organizations are generating, capturing, and processing greater amounts of data than ever before known (Castelluccio, 2013; Geer, 2011). Experts estimate that man has generated 90% of the existing data in the last five years (Castelluccio, 2013; Geer, 2011; Heaton, 2012). Daniel Geer (2011) estimates that the industrialized countries are generating 2.5 quintillion bytes of data per day. A quintillion is equal to one followed by 18 zeros. Douglas (2013) and Gobble (2013) characterize this explosive growth in data as the catalyst for the next evolution of decision-making. The expanded data environment resulting from the explosive data growth is big-data. Due to the relative immaturity of the big-data paradigm, there are more than a few definitions of big-data. A condensation of the various definitions defines big-data as that data that is too voluminous, changes too quickly, or is too inconsistent of format to manage by traditional means (Castelluccio, 2013; Costello & Prohaska, 2013; Geer, 2011; Gobble, 2013; Heaton, 2012). NIST SP1500-1 defines big data as consisting of extensive datasets, primarily in the characteristics of volume, variety, velocity, and/or variability, that require a scalable architecture for efficient storage, manipulation, and analysis. NIST SP1500-1 further describes big data as that data that traditional data architectures cannot handle due to the size of the datasets. The common thread of all the various definitions shows that the attributes that differentiate big-data from traditional data structures are volume, velocity, and variety, commonly referred to as the 3Vs of big-data, and the inability of traditional computing structures to accommodate big data (Gobble, 2013; Costello & Prohaska, 2013). The data environment of the common internet search engine known as Google is an example of big-data. Google processes an estimated 24 petabytes of data a day (volume) that changes as rapidly as every minute (velocity), of which very little is formatted in the rows and columns of the traditional database domain (variety) (Leavitt, 2013). The value proposition of big-data is the ability for decision makers to look at trends and make inferences in ways that are not feasible in a traditional database environment (Courtney, 2012). While data consumers and senior decision makers see high value in the adoption of a big-data paradigm, information security (IS) practitioners and information assurance (IA) professionals are experiencing challenges in their attempts to attest to the reliability of the IA controls of the organization (Albrechtsen, 2007; Frankel, 2012; Douglas, 2013).

Purpose of the Study

This qualitative study identified those factors that influence the perceived effectiveness of traditional IA control frameworks. The study endeavored to determine how the effectiveness of the identified factors differs when the IA frameworks are applied to a big-data environment (Nadjaran, Calheiros, & Buyya, 2014). The study approached the issue from the perspective of three groups: those that use big-data to make organization-impacting decisions (senior decision makers); those that are responsible for attesting to the reliability and accuracy of the data used by senior decision makers (IA auditors); and those that are tasked with assuring the confidentiality, availability, and integrity of the data used by the organization (information security professionals). The study identified possible changes required to increase the effectiveness of traditional IA frameworks in a big-data environment.

The qualitative study used the multiple-case study methodology to address the proposed research question. The multiple-case study approach as defined by Robert Yin (2014) was used for data collection, to record and report the experiences of three distinct operational groups impacted by the adoption of a big-data paradigm. The researcher made use of multiple sources of evidence segmented across three operational groups, specifically a segment of senior decision makers, IA auditors, and information security professionals (Yin, 2014). The study determined how traditional IA frameworks may be modified (i.e., add factors, change factors, and delete factors) to make the IA frameworks more effective for use in big-data environments/paradigms.

Significance of the Study

As organizations move toward the adoption of the big-data decision-making paradigm, senior decision makers will focus on the implications of big-data as it pertains to their locus of control, while the IA and information security professionals will be required to address the broader implications of enterprise-level impacts of big-data (Bisong and Rahman, 2011; Castelluccio, 2013; Chang and Lin, 2007; “Holistic approach needed for big-data security,” 2013). There are estimates that the adoption of big-data could improve productivity by 0.5 to 1 percent annually in the government services, retailing, and manufacturing sectors (O'Reilly & Paper, 2012). In these sectors, the adoption of big-data could produce hundreds of billions of dollars in economic impact (Goel & Shawky, 2009).

With impact projections of this magnitude comes the increased probability of regulatory oversight such as Sarbanes-Oxley and Gramm-Leach-Bliley (“Big-Data Working Group Tackles Privacy and Information Security,” 2013; Crawford and Schultz, 2014). Such regulatory guidance will require that IA professionals attest to the reliability and integrity of the data used by decision makers through the application of accepted IA control frameworks (Frankel, 2012). Beyond the business impacts of the adoption of the big-data paradigm, there is research that implies that big-data may ultimately be a key factor in how nations compete and prosper in the world economy (Castelluccio, 2013). Through investments and forward-looking policies, company leaders and their counterparts in government can capitalize on big-data only if the reliability and integrity of the data sources can be verified and trusted through the application of effective IA controls (Frankel, 2012; Gordon & Loeb, 2002).

By contributing to an understanding of those factors that influence the effectiveness and acceptability of an IA controls framework, this dissertation shall aid in the development and adoption of IA control frameworks that are effective in a big-data environment (Nosworthy, 2000), thereby enabling the development of IA control frameworks that support the big-data paradigm and subsequently enabling the advancement of the data science domain (Mitchell & Meggison, 2014). By identifying those factors that impact the effectiveness of traditional IA frameworks, this dissertation is of vital importance to the IA domain in establishing and maintaining the IA control frameworks necessary to the attestation of the reliability of a big-data environment (Nadjaran et al., 2014).

Until existing IA control frameworks are modified to increase perceived effectiveness in a big-data environment or big-data specific IA frameworks are developed, IA professionals will continue to be challenged in their attestation to the reliability of the organization's IA governance processes and procedures (Douglas, 2013). Organizations will continue to be challenged in their adoption of the big-data decision-making paradigm (Goldsborough, 2013; O'Donnell, Arnold, & Sullivan, 2000). In order to determine how the current IA frameworks need to be modified or to establish the foundation controls for big-data specific IA frameworks, professionals must identify and understand those factors that impact the effectiveness of an IA framework (Frankel, 2012). Further, the professional must then determine how those key factors are impacted by the adoption of a big-data environment (Marshall, 2012). Until IA professionals understand the factors that impact the effectiveness of traditional IA controls frameworks and what modifications are needed to increase the effectiveness of those frameworks in a big-data environment, organizations' information assets will continue to be at risk (Khan & Malluhi, 2010; Mader & Srinivasan, 2005; Kremer, 2009).

Research Question

The research question for this study is:

RQ1: What are the key factors of effectiveness for an Information Assurance (IA) control framework, and what modifications would make an IA control framework more effective when applied to a big-data paradigm?

Definition of Terms

ACL: Short for access control list, a set of data that informs a computer’s operating system which permissions, or access rights, each user or group has to a specific system object, such as a directory or file. Each object has a unique security attribute that identifies which users have access to it, and the ACL is a list of each object and user access privileges such as read, write or execute (Knapp, Ford, Marshall, & Rainer, 2007).
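The ACL definition above describes a per-object list that maps users or groups to rights such as read, write and execute. The following Python is an added illustration of how such a list is evaluated; it is not code from the dissertation or from any of the cited frameworks. The entry shape (`user:`/`group:` principals), the rule that an explicit deny overrides any allow, and the default-deny fallback for a user who matches no entry are assumptions made for this example, and the users, groups and objects are constructed sample data.

```python
"""Toy access control list (ACL) evaluator (added example, not from the dissertation).

Assumptions: entries name a "user:<name>" or "group:<name>" principal, an explicit
deny wins over any allow, and a user matching no entry is denied. The sample users,
groups and objects below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    """One entry of an ACL: a principal and the rights it is allowed (or denied)."""
    principal: str           # "user:<name>" or "group:<name>"
    permissions: frozenset   # subset of {"read", "write", "execute"}
    allow: bool = True       # False turns this into an explicit deny entry


@dataclass
class SystemObject:
    """A protected object (file or directory) carrying its ACL as its security attribute."""
    name: str
    acl: list = field(default_factory=list)


def principals_for(user: str, groups: dict) -> set:
    """Expand a user into every principal identifier that can match an ACL entry."""
    names = {f"user:{user}"}
    names.update(f"group:{g}" for g in groups.get(user, ()))
    return names


def check_access(obj: SystemObject, user: str, permission: str, groups: dict) -> bool:
    """Decide whether `user` may perform `permission` on `obj`.

    Assumed evaluation rules: an explicit deny on any matching entry wins over
    every allow, and a user with no matching entry at all is denied (default deny).
    """
    mine = principals_for(user, groups)
    matching = [e for e in obj.acl if e.principal in mine and permission in e.permissions]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)


def access_matrix(objects, users, groups, permissions=("read", "write", "execute")):
    """Build the 'list of each object and user access privileges' from the definition."""
    return {
        obj.name: {
            user: sorted(p for p in permissions if check_access(obj, user, p, groups))
            for user in users
        }
        for obj in objects
    }


# Constructed sample data: three users, two groups, two objects.
GROUPS = {"alice": ["analysts"], "bob": ["analysts", "contractors"], "carol": []}
USERS = ["alice", "bob", "carol"]

PAYROLL = SystemObject("/data/payroll.csv", [
    AclEntry("group:analysts", frozenset({"read"})),
    AclEntry("user:carol", frozenset({"read", "write"})),
    # Contractors are explicitly denied read, even though bob is also an analyst.
    AclEntry("group:contractors", frozenset({"read"}), allow=False),
])
REPORT_TOOL = SystemObject("/bin/report", [
    AclEntry("group:analysts", frozenset({"read", "execute"})),
])
OBJECTS = [PAYROLL, REPORT_TOOL]


def demo() -> dict:
    """Return the full object/user privilege listing for the sample data."""
    return access_matrix(OBJECTS, USERS, GROUPS)


if __name__ == "__main__":
    for obj_name, by_user in demo().items():
        for user, rights in by_user.items():
            print(f"{obj_name:18} {user:6} {','.join(rights) or '-'}")
```

Running the script prints one row per object and user. The interesting rows are bob on `/data/payroll.csv`, who gets nothing because the contractors deny entry overrides his analysts allow, and any user absent from the ACL, who is denied by default rather than granted anything; both behaviours are what a reviewer would want to confirm when auditing an ACL-based control.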

Availability: When or how often an asset must be present or ready for use (Alberts & Dorofee, 2003).

Big-Data: A term for describing data of the volume, velocity, veracity, or variety which are outside the normal operating specifications of traditional database systems. This data requires innovative forms of information processing to enable enhanced insight, decision-making, and process automation (O'Reilly & Paper, 2012).

CISA: Certified Information Systems Auditor

CISSP: Certified Information Systems Security Professional

Control Objectives for Information and Related Technology (COBIT): An information assurance framework created by the ISACA to provide a structured set of IA controls that are measurable and repeatable.

Confidentiality: The need to keep proprietary, sensitive, or personal information private and inaccessible to anyone who is not authorized to see it (Alberts & Dorofee, 2003).

Critical assets: Critical assets are the information-related assets that are most important in meeting the missions of the organization (Alberts & Dorofee, 2003).

Culture: Pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things (Kiely & Benzel, 2006).

Data loss prevention: Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis (Securosis & SANS Institute, 2009).

Firewall: Computer hardware or software that prevents unauthorized access to private data (as on a company’s local area network or intranet) by outside computer users (according to Merriam-Webster’s Collegiate Dictionary, 11th edition).

Governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly (Brotby, 2008).

Information Assurance (IA): The practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data (Frankel, 2012).

Information Security (IS): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (NIST SP800-53; 44 U.S.C., Sec. 3542).

Integrity: The authenticity, accuracy, and completeness of an asset (Alberts & Dorofee, 2003).

ISACA: Information Systems Audit and Control Association

ISC2: International Information System Security Certification Consortium

Risk assessment: A process to look at the security-related risks within a company, including internal and external sources of risk as well as electronic-based and people-based risks (Alberts & Dorofee, 2003).


Research Design

The qualitative study used the multiple-case study methodology to address the proposed

research question within the context of the UTAUT Model. The multiple-case study approach as

defined by Robert Yin was used for data collection, to record and report the experiences of three

distinct operational groups impacted by the adoption of a big-data paradigm (Patton, 1990; Yin,

2014). The researcher made use of multiple sources of evidence (Yin, 2014) segmented across

three operational groups, specifically a segment of senior decision makers, IA auditors, and

information security professionals. The study determined how traditional IA frameworks may be

modified (i.e., add factors, change factors, and delete factors) to make the IA frameworks more

effective for use in big-data environments/paradigms.

The use of the multiple-case study methodology is well suited for this study, allowing the researcher to observe interaction between peers on a sensitive topic in a relatively short amount of time (Morgan, 1997; Krueger & Kearney, 2006). By stratifying the individual interviews across three professional segments, the researcher mitigates role bias and does not constrain the interview discussions to selected questions (Krueger & Kearney, 2006). This study mirrored other multiple-case studies of IA controls framework effectiveness, which validated the approach and methodology used for the study. The study provided a methodology for conducting multiple-case study research in environments that may be difficult to research due to the sensitive nature of the issues. This study approach can be a model for use in future multiple-case study research efforts in organizations that are implementing a big-data paradigm.

This study made use of three frameworks, COBIT, IATF, and DoD 8510.01, to identify the key attributes of effective IA controls frameworks. In order to attest to the confidentiality, integrity, and availability of the data critical to the operations of the organization, IA professionals rely on established and accepted IA frameworks, such as (a) the Control Objectives for Information and Related Technology (COBIT) created by the Information Systems Audit and Control Association (ISACA); (b) the Risk Management Framework (RMF) (DoD 8510.01); (c) the Information Assurance Technical Framework (IATF) from the U.S. Department of Commerce; (d) the Information Assurance Framework (IAF) from the EU Audit Commission; and the standards of ISO/IEC 20000 (Hinson, 2007; Lam & Carayannis, 2011). The current field of established IA frameworks has evolved in the traditional database environment of relatively static rows and columns bounded by well-defined data schema and well-understood data sources (Frankel, 2012). The control foundation for the research design is the convergence of the IA controls of the above frameworks. This study expanded on prior research of the ISACA for measuring IA control effectiveness, using constructs applicable for researching effectiveness in a complex environment such as the big-data environment.

Assumptions and Limitations

Assumptions

This study was conducted using the following key assumptions:

• The organizations selected as case-study subjects have recently implemented or are planning to implement a big-data paradigm.

• The theoretical framework and constructs defined by Knapp et al. (2007) are applicable to this research study.

• An organization would be willing to allow an anonymous research study of the effectiveness of their IA control framework.


Limitations

As in any case study, the researcher does not always have full control of all variables and events (Yin, 2014). One effect of this lack of lab-quality control is that the findings from a case study are only applicable to similar cases (Yin, 2014).

Organization of the Remainder of the Study

The remainder of the study contains four main chapters. Chapter 2 is the literature review and examines the existing literature regarding information assurance controls, existing information assurance frameworks, and information assurance culture independently. Further, Chapter 2 examines the study's theoretical groundwork. Chapter 3 is the methodology discussion for collection and analysis of requisite data for the study. Results of the collected data and its analysis are presented in Chapter 4. Chapter 5 presents an interpretation of the analysis and results, as well as recommendations for future research and practical implications for those who are interested in evolving information assurance controls.


CHAPTER 2. LITERATURE REVIEW

This chapter will cover the search methodology employed to discover the literature resources used in this study. The researcher will explain the theoretical orientation of the study, followed by the body of the literature review. The researcher then presents a synthesis of the reviewed literature and a critique of previous research methods. The chapter is closed out with a summary of the literature review.

Methods of Searching

For the literature reviewed in this study the researcher made use of a number of resources. The primary resource was the Capella University library. To acquire resources, the researcher searched the following databases: Computers & Applied Sciences Complete (EBSCO); Dissertations @ Capella; Dissertations and Theses Global; Google Scholar; Homeland Security Digital Library; Library, Information Science & Technology Abstracts (LISTA). The researcher augmented the Capella University Library results with journal articles from the ISACA and the ISC2; as a long-standing member of these organizations, the researcher had access to a library of peer-reviewed journal articles. The researcher searched for resources that covered information assurance, big-data, big-data acceptance, new technology acceptance, information assurance frameworks, information assurance controls, information assurance controls weaknesses, information assurance controls strengths, information security, and information security controls. The researcher primarily searched academic and peer-reviewed repositories. The researcher used non-academic resources for suggestions on where to search for academically acceptable resources. The researcher did not use dissertations as referenceable sources but as a source for academically acceptable resources.


Theoretical Orientation for the Study

This qualitative study looks at the key factors of effectiveness for an Information Assurance (IA) control framework and what modifications would make an IA control framework support the organizational adoption of a big-data based information system. The researcher made use of the multiple-case study methodology to gather the evidence necessary to address the proposed research question.

There are a number of theoretical models that have been proposed to explain the factors that impact the acceptance of information technologies or information systems (IT/IS) (Davis, 1989; Chau, 1996; Venkatesh & Davis, 2000). For some time, the most influential and robust of these models was the Technology Acceptance Model (TAM) (Davis, Bagozzi, & Warshaw, 1989). The key purpose of TAM was to provide a basis for discovering the impact of external variables on internal beliefs, attitudes, and intentions.

Figure 1. TAM Model (Davis et al., 1989)

TAM assumed that beliefs about usefulness and ease of use are always the primary determinants of information technology adoption in organizations. According to TAM, these two determinants serve as the basis for attitudes toward using a particular system, which in turn determines the intention to use, and then generates the actual usage behavior (Davis, 1989). Perceived usefulness is defined as the extent to which a person believes that using a system would enhance his or her job performance. Perceived ease of use refers to the extent to which a person believes that using a system would be free of mental effort (Davis, 1989). The original TAM was created to examine IT/IS adoption in the context of profit-generating business organizations; this limited applicability gave rise to the extension of the TAM model by the UTAUT Model (Bagozzi, 2007; Venkatesh, Morris, Davis, & Davis, 2003).

In response to the limited applicability of the TAM, Venkatesh, Morris, Davis, and Davis (2003) developed the Unified Theory of Acceptance and Use of Technology (UTAUT) model to consolidate previous TAM-related studies (see Figure 2). In the UTAUT model, performance expectancy and effort expectancy are used to incorporate the constructs of perceived usefulness and ease of use from the original TAM study. Although the UTAUT model proposes that the Effort Expectancy construct can be significant in determining user acceptance of information technology, concerns for ease of use may become non-significant over extended and sustained usage (Bagozzi, 2007). Therefore, perceived ease of use can be expected to be prevalent in the early stages of adopting a new technology, and it can have a positive effect on the perceived usefulness of the technology (Bagozzi, 2007).


Figure 2. UTAUT Model (Venkatesh et al., 2003). Adapted from "User Acceptance of Information Technology: Toward a Unified View" by Venkatesh, Morris, Davis, and Davis, 2003, MIS Quarterly, 27(3), p. 447.

The UTAUT (Figure 2) model attempts to explain how individual differences influence technology acceptance. More specifically, the UTAUT proposes that the relationship between perceived usefulness, ease of use, and intention to use can be moderated by age, gender, and experience (Venkatesh et al., 2003). The UTAUT Model implies that the relationship between perceived usefulness and intention to use varies with age and gender to the extent that the relationship is of greater significance for males and younger workers. The model further implies that the effect of perceived ease of use on intention is also moderated by gender and age, such that it is more significant for females and older workers, and those effects decrease with experience (Venkatesh et al., 2003). According to Moran, Hawkes, and El-Gayer (2010), the UTAUT model typically accounted for 70 percent of the variance in usage intention, better than any of the TAM studies alone. Although UTAUT provides great promise to enhance our understanding of technology acceptance, the initial UTAUT study focused on large organizations. In addition, the scales used in the UTAUT model are new, as they are a combination of a number of prior scales, and therefore the suitability of these scales needs to be further tested (Venkatesh et al., 2003).

Review of the Information Assurance Literature

In the context of this research, Information Assurance (IA) refers to the steps involved in protecting information assets that reside on computer systems and networks and is synonymous with information security (Cummings, 2002). There are commonly five terms associated with the definition of information assurance: Integrity, Availability, Authentication, Confidentiality, and Nonrepudiation (NSTISSI No. 4009, 1997).

Information assurance (IA) is an area of specialization within the information governance domain (Cherdantseva & Hilton, 2013). An IA specialist must have a thorough understanding of how information systems work and are interconnected. With all of the threats that are now common in the IT world, such as viruses, worms, phishing attacks, social engineering, identity theft and more, a focus on protection against these threats is required (Denning & Denning, 2010). The IA professional provides that focus.

The mission of IA is protecting the information assets of an organization through the application of established control frameworks with the goal of maintaining the five assurance qualities of an IT system: Integrity, Availability, Authentication, Confidentiality, and Nonrepudiation (NSTISSI No. 4009, 1997).

Integrity, in the context of IA, refers to methods of ensuring that data is real, accurate, and safeguarded from unauthorized user modification. Integrity involves making sure that the information created from data remains unscathed and that no one has tampered with the information (Frankel, 2012; IT Governance Institute, 2003). IA takes steps to maintain integrity through the implementation and enforcement of trusted IA controls so that data and subsequent information remains unaltered and intact (Da Veiga & Eloff, 2007; IT Governance Institute, 2003). Effective IA controls ensure that enforceable policies and procedures are in place so that users understand the behaviors required to minimize the risk of compromised information integrity (Dlodlo, 2011; Levitin, Hausken, Taboada & Coit, 2012).

Availability is the facet of IA where information must be available for use by authorized users (Griffiths, 2012; Griffiths, 2010; IT Governance Institute, 2003). In the context of IA, availability refers to the ability of an authorized user to access data or information resources in a specified location, in a timely manner, and in the correct format (Griffiths, 2012; Griffiths, 2010). Protecting availability can involve protecting against malicious code and any other threat that could block timely access to the information assets (Idrissi & Abourezq, 2014; Idziorek, Tannian & Jacobson, 2013).

Authentication involves ensuring that users, both human and non-human, are who they say they are. Controls used for authentication are user names, passwords, biometrics, tokens, and other devices (IT Governance Institute, 2003; Kreimer, 2009; McFadzean, Ezingeard, & Birchall, 2011).

IA involves keeping information confidential (IT Governance Institute, 2003). This means that only those authorized to view information have access to the information. Confidentiality of information is important in all organizations and critical in many (Matwyshyn, 2010). Many civilian and government systems classify data and the associated information in a manner that ensures that only people with certain clearance levels may access highly confidential information (Kimbrough, 2006; McFadzean, et al., 2011).


The final pillar is nonrepudiation (IT Governance Institute, 2003). This means that someone cannot deny having completed an action because there will be proof that they did it (Matwyshyn, 2010; Levitin, et al., 2012).

History of Information Assurance

In the late 1960s and early 1970s computers were being steadily introduced into mainstream business processing (Birman, 2000). During the early adoption of business computing, computers only manipulated numbers, solved difficult-to-compute mathematical problems, or carried out highly repetitive numerical computations within a fraction of the time taken by humans (Lacey, 2009; Mader & Srinivasan, 2005; Masli, Peters, Richardson & Sanchez, 2010). The first true business applications were purely focused on financial accounting; the concept of word processing was only invented in the mid-1970s (Mader & Srinivasan, 2005).

Because financial accounts required auditing, a new breed of financial auditor was born, known as the computer auditor (Cummings, 2002). These people were still financial auditors, but had computer expertise and so could verify the computer-based accounts. The knowledge and skill of computer auditors gradually expanded more and more into the technology as it became clear that verifying the accounts meant verifying the proper working of the computer, which in turn gave rise to the domain of computer controls (Fuchs, Pernul, & Sandhu, 2011).

The need to address security issues became apparent as organizations adopted data processing, and computer security became a domain (Furnell, 2007). Computer auditors were the first practitioners of the discipline of computer security (Guba, 2008). With the adoption of automated data processing (ADP) by the commercial and government sectors, concern transitioned from the machines onto the data, and the term data security became fashionable (Furnell, 2007; Griffiths, 2012; Hamill, Deckro, & Kloeber, 2005).


In the late 1970s computer networks were being developed and rolled out into business and government applications, and the term information technology was invented to embrace both computing and data communications (Lee, Bagchi-Sen, Rao, & Upadhyaya, 2010). This term gained popularity around 1980. In 1983, academia took notice of the new trend in information science with the launch of the first official IT courses (Cegelski, 2008). The course launch followed a U.K. Government awareness campaign the previous year, branded as IT 82 (Cegelski, 2008).

In the mid-1980s, the business-computing/IT domain became an accepted operational domain in business and government. With the maturity of IT, the focus on security of raw data seemed to many to be too technical, and so, following the IT terminology, the more business-focused term information assurance was adopted, including the security of information not necessarily processed by computers (Herath & Rao, 2009). The discipline adopted a control structure designed to provide three attributes of information assurance: confidentiality, integrity, and availability (CIA) (Lee et al., 2010). For those who wanted to emphasize the technology aspects, the term information systems security remained intact as a sub-domain of information assurance (Lam & Carayannis, 2011).

Information security and information assurance were the terms used to identify the discipline of risk reduction in the IT domain (Alberts & Dorofee, 2003; Baird, Furukawa & Raghu, 2012). In the late 1990s, information assurance took on a broader meaning when the Sherwood Applied Business Security Architecture (SABSA) team introduced the concept of Business Attributes Profiling (BAP) (Cummings, 2002). BAP introduced the concept of measuring (i.e., auditing) information assurance controls for effectiveness. Fraud events such as Enron, Tyco, and WorldCom, in combination with many personal information leaks as well as the general business risk atmosphere of the early 2000s, fueled the growth of the information assurance auditing practice and profession (Cummings, 2002; Dubie, 2008; Hinson, 2007). It was around this time that the nefarious element began to see the value of compromising information systems with the intent of gaining unauthorized access to information for profit. Since 2000, there have been a number of governmental acts and industry best practices developed in an attempt to quantify and codify information assurance and the controls that measure effectiveness (Dinh, 2009). The intent of these codification and quantification efforts was to establish a set of metrics that give professionals and decision makers a methodology for measuring and attesting to the effectiveness of the controls associated with the applied information assurance frameworks (Johnston & Hale, 2009).

Guidance and Regulation

Gramm-Leach-Bliley Act

The GLB Act was formally known as the Financial Modernization Act of 1999. The Gramm-Leach-Bliley Act (GLB Act or GLBA) is U.S. legislation signed into law on November 12, 1999, by former President Bill Clinton. The GLB Act requires the full disclosure of consumer data sharing practices and ensures consumer data privacy by financial institutions. The GLB Act repealed provisions of the Banking Act of 1933, the Glass-Steagall Act, which restricted alliances within the banking and securities industries. By broadening financial services and facilitating market affiliations, the GLB Act introduced innovation. Electronic transactions soon became the norm and evolved in step with the rapid development of e-commerce. The GLB Act primarily focused on tightening and expanding consumer data-privacy safeguards and restrictions. For IT professionals, this means ensuring and securing confidential financial information from unauthorized access.


National Information Assurance Partnership

The National Information Assurance Partnership (NIAP) is a U.S. Government initiative that looks at products in the information technology (IT) realm and ensures that they adhere to international standards and controls. NIAP created a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to ensure that products related to technology are conforming to certain standards.

Sarbanes-Oxley Act

The Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act (SOX), was enacted in July 2002 after a series of high-profile corporate scandals involving companies such as Enron and WorldCom. Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR). Section 404(b) requires that an independent auditor attest to management's assessment of the effectiveness of those internal controls.

The intent of SOX was to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. SOX created new standards for corporate accountability as well as new penalties for acts of wrongdoing. SOX changed how corporate boards and executives must interact with each other and with corporate auditors. SOX removed the defense of "I wasn't aware of financial issues" from CEOs and CFOs, holding them accountable for the accuracy of financial statements. SOX specified new financial reporting responsibilities, including adherence to new internal controls and procedures designed to ensure the validity of their financial records.

SOX required all financial reports to include an internal control report verifying that not only are the company's financial data accurate, but the company has confidence in them because adequate controls are in place to safeguard financial data. Year-end financial reports must contain an assessment of the effectiveness of the internal controls. The issuer's auditing firm is required to attest to that assessment. The auditing firm does this after reviewing controls, policies, and procedures during a Section 404 audit, conducted along with a traditional financial audit.

National Strategy for Information Sharing and Safeguarding

Based on the 2010 National Security Strategy, the 2012 presidential document provides guidance for integration and implementation of policies, processes, standards, and technologies to assure secure and responsible national security information sharing. The document does not define categories or types of information to share. Rather, it shifts the focus of information sharing and safeguarding policy to defining information control requirements that support effective decision-making. The document outlines a national policy roadmap to guide information sharing and assurance controls within existing law and policy. The document is not intended to replace the National Strategy for Information Sharing (2007 NSIS), as the 2007 NSIS continues to provide a policy framework and directs many core initiatives intended to improve information sharing (National Strategy for Information Sharing and Safeguarding, 2012).


Cybersecurity/Information Assurance (IA) DCMA-INST 815

The Defense Contract Management Agency (DCMA) Information Assurance Program is the Department of Defense (DoD) framework to protect unclassified, sensitive, and classified information stored, processed, accessed, and transmitted by DCMA Information Systems (IS). The DCMA Information Assurance Program is intended to consolidate and focus DCMA efforts in securing information, including its associated systems and resources, in order to increase the level of trust of this information and the originating source (DCMA-INST 815, 2014).

Federal Information Security Management Act of 2002 (FISMA)

Enacted in 2002 as Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.) is a United States federal law (Pub.L. 107–347, 116 Stat. 2899). By enacting FISMA, national leaders acknowledged the critical nature of information security to the economic and national security interests of the United States. FISMA places strict and unambiguous requirements on each federal agency to develop, document, and implement an agency-wide program to provide security and assurance for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source (NIST: FISMA Overview, 2014).

In order to strengthen information assurance and security, FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB). In particular, FISMA requires the head of each agency to implement policies and procedures to effectively reduce information technology security risks to an acceptable level (NIST: FISMA Overview, 2014).

FISMA defines the term information security to include the controls required to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability of critical data (FISMA implementation, 2014).

Appendix III to OMB Circular No. A-130

The appendix assigns responsibilities for the security of automated information systems to various Federal agencies. The appendix gives guidance on the linkage of automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123.

Information Assurance Control Challenges of Big-Data

A 2013 survey revealed that effective information security/assurance controls are vital influencing factors in the adoption of a big-data paradigm, followed by compliance/regulatory issues, cost, internal cloud computing management expertise, and reliability concerns (Posthumus & von Solms, 2004; Tripathi & Jigeesh, 2013). Over 80% of organizational management fear security threats and loss of control of data and systems (AlZain et al., 2013). Due to a lack of confidence in the effectiveness of current IA controls, less than 15% of information security professionals at large and midsize firms in North America will consider using big-data services (Douglas, 2013; Kalyvas, Overly, & Karlyn, 2013). IA controls and network-centric problems related to standards may also be a deterrent. Further security concerns are associated with the information security and assurance practices and policies of the various countries when it comes to protecting the data of other countries (Arnold & Sutton, 2000; Carcary, Doherty & Conway, 2014; Rossi, 2008). Hoffman and Podgurski (2007) give an example of this exposure risk with regard to health-related data: "Once data is distributed on the Internet, it may become available to anyone who wishes to purchase it, and it cannot be expunged. Accidental or intentional disclosure, corruption, or loss of private health information can, therefore, cause individuals substantial harm" (p. 1). Lastly, the vagueness of big-data provenance and privacy laws has put the big-data paradigm at a disadvantage. Under the current structure of guidance and regulation, many organizations will remain reluctant to invest in the effort needed for the adoption of a big-data paradigm (Vilaplana, Solsona, Abella, Filgueira & Rius, 2013).

The Harris Interactive (2006) study revealed security as a leading barrier to big-data paradigm adoption. Every business, big or small, faces major financial consequences due to loss of data or a breach of security (Hobson, 2008; Sanganni & Vijayakumar, 2012). Of the various types of data breaches reported, 47% were security incidents involving corporations and businesses (Parakkattu & Kunnathur, 2010). At the bottom line, a business cannot afford to take the risk of ignoring the need for effective information assurance controls (Hobson, 2008). Therefore, it is imperative that an organization give due consideration to information assurance controls when adopting a big-data paradigm (Demirkan & Goul, 2013).

Studies have shown that companies with above-average data governance generate 20% higher profits than those with poor data governance (Angela, Irwin, Slay, Kim-Kwang & Liu, 2013; Cooper & Schindler, 2008; Tarn et al., 2009). As organizations experience unacceptably high levels of risk of data breaches or spillage, they seldom provide consistently high-quality information resources to meet managers' requirements (Parakkattu & Kunnathur, 2010). The cost of compromising the information for any reason is extremely grave in terms of the damages caused due to monetary losses, disruption of internal processes and communication, loss of potential sales, loss of competitive advantage, wastage of time, effort, labor, and even business opportunities, while it also damages reputation, goodwill, trust, and business relationships (Parakkattu & Kunnathur, 2010).


Currently, big-data has few generally acknowledged standards, aside from the simple definition of high volume, high variance, and high velocity (Srinivasan, 2013). ISO 27001, NIST, and the Big-Data Alliance are working toward establishing procedures for the use and adoption of a big-data paradigm as well as cloud computing standards (Srinivasan, 2013). Srinivasan (2013) discusses a report on privacy implications that concentrates on the many legal facets of compliance based on regulations such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), ECPA (Electronic Communications Privacy Act), and the Fair Credit Reporting Act. The report showed that the data kept by an individual or an organization with a cloud service supplier may require less protection than when the same data is held by the data creator (Srinivasan, 2013).

Some health care organizations are not prepared to incorporate the security that goes along with the adoption of a big-data paradigm (Burkon, 2013; Cannoy & Salam, 2010; Vilaplana, Solsona, Abella, Filgueira & Rius, 2013). The Healthcare Information and Management Systems Society (HIMSS) 2009 Security Survey, sponsored by Symantec Corp., found that health care organizations in the U.S. have not made many changes in privacy and security since 2008 (Cate & Cate, 2012). The 2009 Symantec survey of 196 organizations found that organizations are not using the security technologies available to keep patient data safe (Cate & Cate, 2012). The survey showed that only 67% used encryption to secure data in transmission. Some of the reasons why health care organizations were not prepared were that security budgets remain low; organizations often do not have a response plan for threats or a security breach; and a designated Chief Security Officer (CSO) or Chief Information Security Officer (CISO) is not in place (Cannoy & Salam, 2010; Cate & Cate, 2012).


Big-data governance is a critical issue concerning organizations, both commercial and government (Wibowo & Batra, 2010). All organizations are involved in information-handling activities (Valeri, 2000; Vizard, 2014). Therefore, it becomes increasingly important to organize, manage, and disseminate information in a useful and secured manner (Angela et al., 2013; Verhezen, 2010; Zafar, 2011). Extant research in big-data governance focuses on technological controls to protect information from internal and external attacks (Parakkattu & Kunnathur, 2010). However, practitioners and academicians have started to realize that effective information assurance lies in the coordination of people, processes, and technology, and is not exclusively a technical issue (Baird et al., 2012; Lineberry, 2007). In spite of the vast resources expended by organizational entities attempting to secure information systems through technical controls and restrictive formal procedures, occurrences of security breaches and the magnitude of consequential damage continue to rise (Burkon, 2013). The weakest link in the security chain appears to be the absence of, or inadequate emphasis on, the training of the human element (Lineberry, 2007). Effective big-data governance depends on managing the three components, namely people, process, and technology (Parakkattu & Kunnathur, 2010). The human dimension of big-data governance is a semantic issue as opposed to a technology issue; as such, technical solutions alone are insufficient, and any solution requires sound information assurance policies and procedures supported by effective controls (Lineberry, 2007; Stahl, 2007).

Information assurance controls concentrate on verifying the confidentiality, authenticity,

integrity, availability of the data (Burkon, 2013). To ensure the governance of data in a big-data

environment, most control frameworks are concerned with filtering unauthorized users, auditing

abnormal data retrieval actions, and preventing data from unauthorized access by hiding actual

locations of data in the environment (Lomas, 2010; Papagianni, Leivadeas & Papavassiliou,

2013). M. Babu, A. Babu, and Sekar (2013) inferred that contingent on the applications big-data

is supporting, maintenance and security concerns can arise pertaining to complying with laws

and regulations such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability

and Accountability Act of 1996 (HIPAA), and the numerous information privacy and protection

laws legislated in various countries.

Additionally, a commercial entity that makes use of a big-data solution may be unaware

of the data provenance challenges (Thomson, von Solms & Louw, 2006; Trombetta, Jiang,

Bertino & Bossi, 2011). Therefore, the burden of compliance is the responsibility of the service

supplier (Srinivasan, 2013). An example of this burden is the commercial entity that must

indemnify its users for any damage due to failure in information assurance controls (Srinivasan,

2013). Nanavati, Colp, Aiello, and Warfield (2014) explained that many information assurance

breaches are not obvious from the outside and could go undetected for a long time. Big-data

consumers face governance issues both from outside and inside the hosting environment. Many

of the data governance issues involved in protecting data from outside threats are similar to those

already facing large data centers (Armbrust et al., 2010). Certain levels of data governance are

the responsibility of either the big-data consumer or the big-data service provider, depending on

the flow of the big-data (Son & Alves-Foss, 2009).

The predominant infrastructure enabler for big-data is the deployment of virtualized

infrastructure as a cloud-computing infrastructure (Armbrust et al., 2010). Nanavati et al. (2014)

state, “Virtualized environments expose a larger attack surface than conventional non-

virtualized environments; even fully patched and secured systems may be compromised due to

vulnerabilities in the virtualization platform while simultaneously remaining vulnerable to all

attacks possible on non-virtualized systems” (p. 72). Cloud computing environments may lack

many of the foundational controls of non-virtualized environments that traditional information

assurance frameworks rely on (Armbrust et al., 2010; Simnett, 2007).

Cloud computing infrastructures support many services including big-data, Virtual

Machine Monitors (VMM), Microsoft Virtual PC and Microsoft Virtual Server, and online

banking (Kalyvas et al., 2013). Many aspects of big-data challenge the traditional information

assurance control frameworks, possibly exposing the data of the organization to threats of

unauthorized access, internal and external (Janssen, Charalabidis & Zuiderwijk, 2012). Some

internal and external vulnerabilities are unique to a specific implementation of the big-data

paradigm; however, some vulnerabilities affect the entire big-data fabric (Silic & Back, 2014). A

vulnerability that affects the entire big-data fabric is the threat from data aggregation (Ledig and

Vartanian, 2012). Data aggregation is the combining of non-sensitive data from many sources

into a single store from which one can derive sensitive information from the aggregated data

(Ledig and Vartanian, 2012). Early in 2000, governments realized that the exploitation of

ineffective IA controls enabled a form of cyber-attack against adversaries (Denning & Denning,

2010). Influencing decision makers through the exploitation of weak and ineffective IA control

structures has proven an effective extension of kinetic military tactics (Schumann, Drusinsky,

Michael, & Wijesekera, 2014). P. Denning & D. Denning (2010) infer that information

assurance/information security is usually conceptualized as a matter of defending the critical

information assets of an organization against threats such as hackers and malware, but systematic

assaults by national governments do not fit this paradigm. The vulnerabilities associated with the

implementation of a big-data paradigm can affect many types of organizations (Khan & Malluhi,

2010). Federal laws, virtualization, online banking, and data markets all have information

assurance risks that make them susceptible to internal and external attacks (Ledig and Vartanian,

2012).

The widening use of big-data by advertisers and governments has given rise to privacy

concerns (Jones, 2014). The ease of access to large amounts of data facilitated by a big-data

implementation can expose information in ways that were extremely difficult in the traditional

database environment (“Holistic approach needed for big-data security,” 2013; Jones, 2014).

This increased availability generates significant vulnerability issues to privacy, information,

critical operations, and decision-making supported by the data system (Suduc, Bizoi, & Filip,

2010).

Clearly, the controls associated with information assurance frameworks have a definitive

need to protect the information governed by these frameworks (“Holistic approach needed for

big-data security,” 2013; Huang & Nicol, 2013). While the need to protect information is quite

evident, it is important to consider the specific threats from which information assurance controls

protect the data and its information. In his examination of the specific vulnerabilities of

databases Verton (2001) argues that in most instances, organizations suffer when hackers gain

access to the database. Once hackers gain access to the database, critical information is at risk

and the organization is exposed to operational and financial damage (Hobson, 2008). Hackers

can use this information to illegally assume another individual’s identity, or to access bank

accounts or other critical financial resources held by the individual (Hobson, 2008;

Machanavajjhala & Reiter, 2012). In addition to stealing sensitive personal information, Saran

(2005) noted that some hackers would acquire access to the data of an organization only to

corrupt information in a manner that will influence decision makers. Further, nefarious entities will

gain access to a data repository and make critical changes that will cause that data to become

unavailable to the organization or its customers (Guthrie, 2015). This failure of information

assurance controls can cause decision makers and customers to lose confidence in the reliability

and accuracy of the data of the organization (Hobson, 2008; Guthrie, 2015). Such a lapse in

control effectiveness will cost the organization a considerable amount of both time and money in

the commercial context (Guthrie, 2015; Hobson, 2008; Ponemon Institute, 2009). In a government

context such an event could influence national security or, worse, put people at risk (Iasiello,

2014; Inukollu, Arsi & Ravuri, 2014; Jones, 2014). Even with early detection of information

assurance control failures, an organization’s reputation, operational stability, and

domain confidence can be irreparably damaged (Hobson, 2008; Ferguson, 2015).

Organizations, commercial and government, are constantly under attack by those entities

that would seek unauthorized access to critical information/data and continuously challenge their

information assurance controls (Pavolotsky, 2013; Privacy Rights Clearing House, 2010;

Sherstobitoff, 2008). According to Johnston and Hale (2009) “These unauthorized uses include

malicious acts such as theft or destruction of intellectual property, insider abuse and

unauthorized access to information that results in a loss of data integrity and confidentiality, as

well as malware threats such as viruses, spyware, worms, and Trojans” (p. 126). Effective

management of information assurance controls is critical to an

organization’s ability to protect its valuable information assets and carry out the mission of the

organization. Johnston and Hale (2009) discussed information assurance management as

practiced by organizations, examining the effectiveness of the information assurance controls as

well as the operational stability and reliability delivered to the organization through the

implementation of effective information assurance frameworks. Commitment to an effective

information assurance program originates with senior management and flows downward into the

organization, with input from information assurance specialists such as information assurance

auditors, information security practitioners, risk managers, and external information assurance

attestation agents (Hill & Pemberton, 1995). Johnston and Hale (2009) stated that many

organizations approach information assurance from a reactive posture, responding with increased

effectiveness only after an event has occurred. This reactive approach tends to encourage a

bottom-up philosophy of information assurance that fosters an “information assurance at the

perimeter” atmosphere as opposed to treating information assurance as an operational norm. This

approach can cause a rift between information assurance and the overall strategic command

creating an adversarial relationship between the governance of the business and the managing of

information security (p. 126). Hill and Pemberton (1995) stated, “The goal in any organization's

information security (assurance) program should be to achieve a healthy balance between

information security (assurance) and the free flow of information” (p. 1). When applied to a big-

data environment the traditional information assurance controls tend to hamper the free-flow of

information to which Hill and Pemberton (1995) refer. Training for employees needs to apply

the information assurance controls of the organization to the applicable work tasks in order to

prevent the organization's loss of critical information. The most effective information assurance

controls frameworks effectively assess each of the operational areas involved and will apply

those controls most suitable to each information type to make the organization's information

optimally governed (Hill & Pemberton, 1995). The goals of an information assurance framework

for data and the associated decision-making support applications are privacy, integrity, and

availability to authorized personnel. To meet these goals information assurance frameworks

must include reliable and effective access controls and systematic audit trails to enable

information assurance professionals to trace and attest to the provenance of the data (Hill &

Pemberton, 1995). Da Veiga and Eloff (2007) stated, “Information assurance culture develops in

an organization due to certain actions taken by the organization” (p. 361). To create an effective

information assurance culture, the organization must govern data and the resulting information

effectively by implementing an effective information assurance framework. An effective IA

framework applies the controls appropriate to the operating environment of the organization’s

information security while enabling the organization to meet its mission (Babu et al., 2013). Da

Veiga and Eloff (2007) proposed an information assurance governance framework that can be

used by organizations to ensure they are governing information in an effective manner, reducing

risk to an acceptable level while cultivating an acceptable level of information interoperability

and sharing. An information assurance framework is a blueprint for the mitigation of

information risk through the application of specific information assurance controls (Da Veiga &

Eloff, 2007).

The technical and procedural operating environment of the organization as well as the

cultural norms (human behavior) of the organization will define the effective implementation

strategy for an information assurance framework (Johnston & Hale, 2009).

Traditional information assurance frameworks rely heavily on the underlying technical

infrastructure of an organization as the foundation for effective controls. Research by Babu et al.

(2013) provides strong evidence that the effectiveness of the implemented information assurance

controls framework influences the regulatory compliance in organizations. Appropriate

information governance relies on an effective information assurance controls framework (Bisong

and Rahman, 2011). The dependence of decision makers on well-governed information and

evolving big-data technology infers a need for organizations to implement information assurance

frameworks that do not rely on the technical foundations of the traditional database and network

structures (Chebrolu, 2010). In discussions with decision makers and information assurance

professionals, in both the government and commercial domains, on the adoption of the big-data

paradigm, three concerns dominate the discussions: protection and security of sensitive data;

accountability and non-repudiation; and effective governance of information (Dial & Moye,

2014). The information assurance framework deployed in the organization impacts how

organizational leaders make decisions based on the perception of the effectiveness in mitigating

the risk concerns of big-data. It is essential that the information assurance framework adopted by

an organization be appropriate for the operating domain of the organization (Dial & Moye,

2014).

Information Assurance Frameworks

Information Assurance Minimum Security Control Checklist (SCC)

The SCC defines a set of minimum security requirements Federal agencies must meet,

defined through the use of security controls described in National Institute of Standards and

Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for

Federal Information Systems and Organizations,” DoD Instruction (DoDI) 8500.2, “Information

Assurance Implementation,” FIPS 200, “Minimum Security Requirements for Federal

Information and Information Systems,” and associated documents.

The SCC encompasses 157 information assurance (IA) Controls from which each agency

must establish a baseline set. Each IA control describes an objective IA condition achieved

through the application of specific safeguards, or through the regulation of specific activities.

The objective condition is testable, compliance is measurable, and the activities required to

achieve the objective condition for every IA Control are assignable, and thus accountable. The

IA Controls specifically address availability, integrity, and confidentiality requirements, but also

take into consideration the requirements for non-repudiation and authentication.

Risk Management Framework (RMF) (DoD 8510.01)

DoD 8510.01 clearly identifies the roles, responsibilities, and high-level life cycle

process of the Risk Management Framework (RMF) for DoD IT. The RMF is on track to

replace the DoD Information Assurance Certification and Accreditation Process (DIACAP).

The RMF includes a complete specification of information assurance and security controls and

system categorization methodology, formerly published in DoDI 8500.2.

Control Objectives for Information and Related Technology (COBIT)

The IT Governance Institute and the Information Systems Audit and Control Association

(ISACA) publish the COBIT framework. The goal of the framework is to provide a common

language for expressing and measuring the effectiveness of the goals, objectives and results of a

well-defined set of information assurance controls (Noble, 2012). The original version, published

in 1996, focused largely on information security auditing. The latest version, published in 2013,

concentrates on information governance and provides a controls framework for information

assurance and risk management (Noble, 2013).

ITIL Security Management

The ITIL security management process describes the structured fitting of security in the

management organization. The ISO 27001 standard is the foundation of the ITIL security

management. ISO.ORG states that ISO/IEC 27001:2005 covers all types of organizations (e.g.

commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC

27001:2005 specifies the requirements for establishing, implementing, operating, monitoring,

reviewing, maintaining and improving a documented Information Security Management System

within the context of the organization's overall business risks. It specifies requirements for the

implementation of security controls customized to the needs of individual organizations or parts

thereof (Sheikhpour & Modiri, 2012). ISO/IEC 27001:2005 clearly defines a set of adequate and

proportionate information assurance controls to protect information assets and give confidence to

interested parties (Faris, Hasnaoui, Medromi, Iguer, & Sayouti, 2014).

A basic concept of information security governance is the assurance of the integrity,

confidentiality, and availability of the critical information of the organization (Barnard & von

Solms, 2000; Griffths, 2012). The primary goal of information assurance is to guarantee safety

and governance of the information. When protecting information, it is the value of the

information that must be protected (Feglar, 2005; Griffths, 2010). The value of the information

governs the level of effort used to assure the confidentiality, integrity and availability of the

information. Inferred aspects of information assurance are the governance attributes of privacy,

anonymity and verifiability (Sheikhpour & Modiri, 2012).

The ITIL Security Management has a two-part goal (Feglar, 2005):

1. The realization of the security requirements defined in the service level

agreement (SLA) and other external requirements specified in underpinning contracts,

legislation, and possibly internally or externally imposed policies, enforced by a set of

well-defined information assurance controls.

2. The realization of a basic level of information security. This is necessary to guarantee

the actual provenance of the information and the continuity of the management

organization. This is also necessary in order to reach a simplified service-level

management for the information assurance, as it happens to be easier to manage a

limited number of SLAs than it is to manage a large number of SLAs.

The SLAs form the input of the security management process governed by the specified

information assurance controls and security requirements, legislation documents (if applicable)

and other (external) underpinning contracts (Al-Zain, Soh & Pardede, 2013; Sheikhpour &

Modiri, 2012). These requirements are the indicators/metrics for the effectiveness of the

information assurance controls, which measure the effectiveness of the process management and

are the justification of the results of the information governance framework (Arias-Cabarcos,

Almenárez-Mendoza, Marín-López, Díaz-Sánchez, & Sánchez-Guerrero, 2012; Sheikhpour &

Modiri, 2012).

Synthesis of the Research Findings

The research for this study fell loosely into four groupings. The first group discussed

the purpose of information security (IS) and the applicability of traditional IS controls in a cloud

computing and big-data environment. While these works discussed IS in a big-data environment

there was a tendency for the authors to avoid the topic of perceived effectiveness. The authors

did present the concept of various metrics of effectiveness; however, there was no definition of

those metrics nor did the authors couple the metrics with user perception. The authors generally

related the purpose of controls to the protection of information assets and either ignored or glossed over

information assurance. In this grouping of research reviewed there appeared to be a pattern of

using surveys to gather data as opposed to the direct observation and face-to-face interviews

methodology employed by the researcher for this study. Without a discussion of information

assurance, there is a gap in how the discussed controls are impacted when applied to a big-data

environment and, in turn, how the perceived effectiveness of those controls is impacted when

applied to a big-data environment, in particular, how the effectiveness of an IA control

framework is impacted when an organization shifts from a traditional operating environment to a

big-data environment. This qualitative study shall fill that gap.

The second group tended to discuss the structure of the information assurance control

frameworks in the context of traditional operational environments, ignoring any impact on

effectiveness that may result from the application of the IA control framework in a big-data

environment. The research resources in this section tended to be an explanation of the structure

of the controls frameworks. Authors of these papers discussed strengths of the various control

structures and how the structures would be applied in traditional operating environments. The

authors of these research items did a good job of presenting the effectiveness of the control

frameworks in the environment for which the frameworks were designed. However, in these

articles the authors did not address the ability of the frameworks to adapt to new environments.

There appears to be a gap in research that explores the ability of existing IA control frameworks

to flex and adapt to new environments such as the big-data paradigm.

The authors of the third and most interesting literature grouping endeavored to explain

the IS and IA operations risks that come with a big-data paradigm adoption. These authors did a

fair job of explaining the types of increases in the IS and IA risks that are inherent to the big-

data environment, such as the loss of provenance assurance and the need for trusted

relationships between data suppliers and consumers. The authors glossed over the increased risk

of exposure of personal identifying information (PII) and the increase in data aggregation risk

that comes with a big-data paradigm. Both of these risks are of great concern to organizations

when they assess the risk of adopting a big-data paradigm (Kimbrough, 2006; McFadzean et al.,

2011). While the discussions in this grouping of literature explained the change in IA risk when

adopting a big-data paradigm, they did not present any argument for or against the effectiveness

of traditional IA controls frameworks at mitigating the identified risks. It is the goal of this

qualitative study to fill that gap in research by identifying the key attributes of the IA control

frameworks that mitigate the perceived risks of adopting a big-data paradigm.

The fourth and final literature grouping is that of simple control framework definition and

guidance. The works in this literature grouping tend to be developed by scholars and scientists

in the IA framework governing body. These works define the controls and give guidance as to

conditions that require the application of specific controls. The authors of the papers in this

grouping explain the regulatory requirement that each control satisfies and how IA and IS

professionals might apply each control. The authors explain how the IA control frameworks

leverage the controls inherent to the traditional operating environment in which the control

framework is engineered to serve. A few of the authors allude to the key factors of effectiveness

and the changes required to those factors to adjust for the changes in foundational controls in a

big-data environment. None of them go into any detail as to the effectiveness of the specific IA

control framework when applied to a big-data environment. This study shall identify those key

factors that impact the perceived effectiveness of an IA control framework and how they are

impacted by the adoption of a big-data paradigm.

Critique of Previous Research Methods

The majority of the previous qualitative research into the IA controls and big-data

adoption fell into two categories, either survey or direct observation. This researcher was unable

to locate any case studies performed covering the impact of big-data adoption on IA controls

effectiveness. While survey and direct observation are adequate research methodologies neither

approach encourages the open-ended dialog of face-to-face interviews. This qualitative study

made use of multiple case study methodology. One of the strengths of the multiple-case study

approach is that the evidence comes from multiple sources (Hancké, 2009; Yin, 2009). The use

of the multiple-case study supported by multiple source evidence resulted in findings that are

more compelling and robust than that of a study based on a single case study (Sandelowski,

1986; Yin, 2009). The descriptive nature of the question of what makes an IA control effective

supports the use of the case study approach (Yin, 2012).

Contrary Opinions, Evidence, or Views

In his 2012 work, “Secure and Cost Effective Framework for Cloud Computing Based on

Optimization and Virtualization,” Patel proposes that the use of optimization and virtualization

enhances traditional IA and IS frameworks for effective protection of a big-data environment. In

his 2012 study Patel used a single organization for evidence and did not conduct interviews with

IA or IS professionals. The lack of face-to-face interviews excludes the perceptions of

stakeholders and practicing IA professionals.

In their 2012 work “A Best Practice Approach for Integration of ITIL and ISO/IEC

27001 Services for Information Security Management,” Sheikhpour and Modiri present ITIL as

an effective IA/IS control framework for all information processing including a big-data

environment. In this work Sheikhpour and Modiri use a checklist or desk audit as an adequate

method for determining effectiveness of the ITIL framework. This approach does not consider

the perception of stakeholders as does the multiple-case study methodology.

In 2013 Srinivasan questioned if security and assurance were even possible in a big-data

environment. His experiment was discussed in the paper, “Is Security Realistic in Cloud

Computing?” Srinivasan performed the experiment in a lab environment that he designed for the

experiment. While his results are interesting, the study lacked the real-world applicability of a

multiple-case study research project.

Summary

The research for this study fell loosely into four groupings. The first group discussed

the purpose of information security (IS) and the applicability of traditional IS controls in a cloud

computing and big-data environment. The second group tended to discuss the structure of the

information assurance control frameworks in the context of traditional operational environments,

ignoring any impact on effectiveness that may result from the application of the IA control

framework in a big-data environment. The authors of the third and most interesting literature

grouping endeavored to explain the IS and IA operations risks that come with a big-data

paradigm adoption. The fourth and final literature grouping is that of simple control framework

definition and guidance. The works in this literature grouping tend to be developed by scholars

and scientists in the IA framework governing body.

The majority of the previous qualitative research into the IA controls and big-data

adoption fell into two categories, either survey or direct observation. Neither of these

methodologies encourages the open-ended dialog of the face-to-face interviews included in the

multiple-case study approach applied to this study (Yin, 2014).

There were contrary views in the literature review; however, none of the methods used in

those studies addressed the perceptions of stakeholders or IA/IS professionals as does the

multiple-case study approach used in this study. Chapter three will explain the strengths and

weaknesses of the multiple-case study methodology.

CHAPTER 3. METHODOLOGY

This chapter will present the purpose for this study and the research question addressed in

this study. The study will discuss the research design and why that design is appropriate for the

research question. The chapter presents the target population and the logic for participation

selection. This chapter delves into the procedures used to conduct the study, the data collection

strategy, and the ethical considerations of the study. The final section is the chapter summary.

Purpose of the Study

The purpose of this qualitative multiple-case study is to identify those factors that

influence perceived effectiveness of traditional IA control frameworks. The study endeavored to

determine the effectiveness of the identified IA frameworks factors when applied to a big-data

environment. The study identified the possible changes required to increase the effectiveness of

traditional IA frameworks in a big-data environment.

Research Question

The research question for this study is:

RQ1: What are the key factors of effectiveness for an Information Assurance (IA)

control framework and what modifications would make an IA control framework more effective

when applied to a big-data paradigm?

Research Design

To increase analytic generalization, the methodology chosen for this qualitative study is

the multiple-case study approach (Mills, Durepos, Gabrielle & Wiebe, 2010; Yin, 2014). The

evidence for the multiple-case study came from multiple sources. The use of the multiple-case

study supported by multiple source evidence resulted in findings that are more compelling and

robust than that of a study based on a single case study (Yin, 2009). The use of the case study

approach is appropriate when the research is answering a descriptive question such as what

makes an IA control effective (Leedy & Ormrod, 2012; Yin, 2012).

Many research frameworks have been established to ensure the rigor and credibility of

qualitative data (Dul & Hak, 2008). Krefting (1991) and Sandelowski (1986, 1993) have defined

strategies for establishing credibility, transferability, dependability, and confirmability

across fields. In addition, Forchuk and Roberts (1993) and Mays and Pope (2000) established

general guidelines for critically appraising qualitative research. The theoretical framework used

for this qualitative study was the multiple-case study approach as described by Robert K. Yin

(2014). The evidence for the multiple-case study came from multiple sources. The use of the

multiple-case study supported by multiple source evidence resulted in findings that are more

compelling and robust than that of a study based on a single case study (Hancké, 2009; Patton,

1990; Yin, 2009). The use of the case study approach is appropriate when the research is

answering a descriptive question such as what makes an IA control effective (Yin, 2012).

Researchers have a responsibility to ensure that the case study research question is clearly

written and the question is substantiated (Russell, Gregory, Ploeg, DiCenso, & Guyatt, 2005).

Further, it is incumbent upon the researcher to assure that the case study design is appropriate for

the research question (Kyburz-Graber, 2004). It is the responsibility of the researcher to ensure that

purposeful sampling strategies appropriate for case study research have been applied and that data are

collected and managed systematically (Russell et al., 2005). Finally, the researcher must ensure

that the data are analyzed correctly (Russell et al., 2005).

As this research answers a descriptive question, such as what makes an IA control

effective, the researcher determined that multiple-case study is an appropriate case study design

(Guba, 2008; Lincoln & Guba, 1985). To aid the reader in assessing the validity or credibility of

the work this multiple-case study design was broken into three phases (Forchuk & Roberts,

1993; Mays & Pope, 2000; Thomas, 2011; Yin, 2014). The first phase was define and design. In

this phase, the researcher refined the theoretical basis for the study, selected the candidates for

the multiple cases, and defined the data collection protocol. The second phase entailed

preparation, collection, and initial analysis of the research data. During the second phase, the

researcher conducted each of the identified case studies (Russell, et.al, 2005). Each case study

resulted in an individual report. In the third and final stage of the multiple-case study, the

research synthesized the individual case studies into a single set of findings used to draw the

final cross-study conclusion (Knafl & Breitmayer, 1989).

By using the multiple-case study approach the researcher realized improved validation, as the evidence for the multiple-case design is “considered more compelling, and the overall study is therefore regarded as being more robust” (Yin, 2014, p. 59). To improve the reliability of the final findings, the study made use of multiple sources of evidence drawn from the six common sources of evidence (Krefting, 1991; Yin, 2012). The researcher engaged in direct observation of the behaviors of select participants in each case study. The researcher conducted one-on-one interviews with IA managers, certified IA auditors, and senior decision makers in each of the selected case-study environments. To add historic context to the case studies, the researcher made use of archival documents such as audit reports and compliance filings, with the understanding that archival evidence is often biased (Krefting, 1991; Yin, 2012). The review of operational documents such as operating procedures and standards gave the researcher a view into the desired control state of each case study subject. To ensure the relevance and cross-study applicability of all of the case studies, the researcher made use of the same case study protocol across all case study subjects (Patton, 2001; Yin, 2012).

By using the multiple-case study approach the researcher realized improved validation, as the evidence for the multiple-case design is considered more compelling, and the overall study is therefore regarded as being more robust (Baskarada, 2014; Eisenhardt, 1989; Yin, 2014). To improve the reliability of the final findings, the study made use of multiple sources of evidence drawn from the six common sources of evidence (Leedy & Ormrod, 2012; Yin, 2012). The researcher engaged in direct observation of the behaviors of select participants in each case study, and conducted one-on-one interviews with IA managers, certified IA auditors, and senior decision makers in each of the selected case-study environments. To add historic context to the case studies, the researcher made use of archival documents such as audit reports and compliance filings, with the understanding that archival evidence is often biased (Baxter & Jack, 2008; Yin, 2012). The review of operational documents such as the operating procedures and standards gave the researcher a view into the desired control state of each case study subject. To ensure the relevance and cross-study applicability of all of the case studies, the researcher made use of the same case study protocol across all case study subjects (Gerring, 2005; Yin, 2012).

Target Population and Sample

Population

This study was interested in the perceptions of senior decision makers, IA audit professionals, and IS practitioners in those defense industrial complex and US Government agencies that are responsible for the operation, assurance, and security of their respective organizations. The defense industrial complex is a service provider to the US Government, and is involved in the strategic decision making of the Department of Defense (DoD). The study focused on one DoD agency from the Department of the Navy (DoN) and two defense industrial complex organizations for the multiple-case study. The direct interview targets included senior decision makers, IA professionals, and IS practitioners as well as the management of the specific entity.

Sample

The sample selection criteria required that, to be included in the study, the organization had to be working in a big-data environment or be in the process of adopting the big-data paradigm. Due to the selection criteria, the sample was not a random sample from the population (Creswell, 2009; Yin, 2012).

Procedures

In order to enhance the validity of the research, the researcher tested the demographic and interview questions through pilot testing with IA control professionals, senior decision makers, and IS practitioners (Yin, 2014). The selected IA control professionals, senior decision makers, and IS practitioners, from the Office of Naval Intelligence (ONI) IA Compliance Office, would be able to identify with the content and the structure of the questions. Their IA audit experience assisted the researcher in modifying unclear questions as well as in identifying additional probing questions that were useful in answering the research questions. The IA control professionals, senior decision makers, and IS practitioners were also able to assist the researcher with the order and flow of the interview.

Use of the correct data collection method was important in ensuring that the data collected were the best suited to answer the research questions (Yin, 2014; Moore, Lapan, & Quartaroli, 2011). There are no set rules to define what types of data to use in case study research. However, it was important to recognize that the purpose of the case study was to describe and provide insight, which often requires a substantial amount of qualitative data (Yin, 2014). To answer the research question and shed light on the case study, the researcher collected contextual information, demographic information, and theoretical information (Bloomberg & Volpe, 2012; Yin, 2014).

The use of contextual information aided in the description of the study participants’ environment, culture, and setting (Bloomberg & Volpe, 2012; Yin, 2014). This information proved important for the case study research as it aided in the identification of those elements that may have influenced behavior (Baxter & Jack, 2008; Yin, 2014). The contextual information provided information about the organization’s history, vision, operating principles, and business strategy. The researcher conducted historic document reviews to collect the contextual information.

The researcher made use of demographic information to describe the participant attributes of age, gender, educational background, and organizational role. This information proved relevant in the identification and explanation of underlying perceptions as well as in identifying similarities and differences in perceptions among participants (Bloomberg & Volpe, 2012; Yin, 2014). The researcher gathered the demographic data at the start of each interview session.

Theoretical information included information previously researched and collected from various sources and literature to identify existing knowledge about the research topic (Bloomberg & Volpe, 2012; Yin, 2014). Theoretical information provided support for the interpretations and analysis, and for the research conclusions (Bloomberg & Volpe, 2012). For addressing each of the research questions, the researcher gathered relevant information based on the theoretical information attained during the individual interviews. The researcher constructed a matrix to ensure that the interview questions provided the necessary coverage for data collection to address the research questions (Yin, 2012).

Participant Selection

From the population, only those organizations that were currently operating in a big-data environment or were in the process of adopting the big-data operating environment were selected as possible case-study targets. The recent introduction of big data to the chosen population presented a challenge to participant selection and, as a result, the list of possible participants was relatively small, fewer than twenty (Denzin & Lincoln, 2003). The researcher solicited the entire possible-participant list for willingness to participate in the research project. The response from the solicitation was very small: two DoN respondents and five from the defense industrial base (Grim, Harmon & Gromis, 2006). The small selection set required the researcher to select one DoN participant and two participants from the defense industrial base (Creswell, 2009; Yin, 2012). From each of the participating case-study organizations, candidates for interview were purposefully selected by the researcher, with one each selected from senior decision makers, information assurance audit professionals, and information security practitioners (Yin, 2012).

Protection of Participants

Research participation was voluntary, and the researcher took the necessary steps to ensure the participants understood the purpose of the research through informed consent (Yin, 2012). Participation in the study was not a requirement of employment, and at the beginning of each interview, written consent was required to proceed. Additionally, the researcher kept all organization and participant identities anonymous (Yin, 2012). All interview responses are confidential and secure. To ensure the information security, confidentiality, and anonymity of the organizations and interviewees, the researcher assigned random identification numbers to each interviewee, and the participant’s demographic information was not stored with responses (Creswell, 2009; Yin, 2012). Due to the sensitive nature of the topic and the study population, the researcher was required to sign very restrictive non-disclosure agreements with each of the case study participants.

Data Collection

The research study utilized semi-structured interviews, direct observation, and document reviews for data collection (Baxter & Jack, 2008; Yin, 2014). The researcher made use of an interview protocol developed to guide the interview process. It was the goal of the researcher to keep the interview open-ended and to allow for flexibility to collect as much detail as possible (Yin, 2012). The intent was for the interview protocol to facilitate the introduction, after which a narrative would develop the topical discussions (Grim et al., 2006; Yin, 2012).

The case study methodology typically makes use of six evidence/data sources: documentation, archival records, interviews, direct observation, participant observation, and physical artifacts (George & Bennett, 2005; Yin, 2014). For this multiple-case study, the researcher used three of these evidence/data types: interviews, direct observation, and documentation (Yin, 2012).

The researcher conducted all interviews in a one-on-one setting (Creswell, 2009; Yin, 2012). The individual responses to the interview questions provided data indicating the user perceptions of the key factors of effectiveness of an organization’s IA controls framework concerning decision making, IA posture, IA process, and IA compliance, as well as which factors of those IA controls frameworks are perceived as effective in a big-data environment. Further, the interview process enabled the researcher to establish a user perception of what should be changed, added, or dropped from the current IA controls framework (Yin, 2012).

The documentation review gave the researcher a picture of the organization’s reasoning that went into selecting the IA control framework as implemented by the organization. The data acquired during the documentation review supported the assessment of the intended effectiveness of the selected IA controls framework applied to a big-data environment (Yin, 2012). Reviewing the archival records associated with the IA audit history of the organization provided the researcher insight into the historic effectiveness of the organization’s IA controls framework. This historic insight provided the researcher with the background information needed to track any changes in the effectiveness of the IA controls framework as the organization adopted a big-data environment (Creswell, 2009; Yin, 2012). The use of multiple case studies made the data more compelling and, therefore, gave added strength to the final output of the study (Yin, 2014).

Data Analysis

This study made use of a methodology appropriate for a case study design with results derived from multiple case studies (Yin, 2014). The case study approach allowed the researcher to identify meaningful characteristics of real-life events, including organizational and managerial processes, which made it an ideal research method for this study and for subsequent theory building (Yin, 2014). The analysis of multiple-case study data, as with most qualitative data, tends to be iterative in nature (Krueger & Kearney, 2006). The researcher subjected all data, once transcribed and redacted, to the same analysis process in NVivo 10. The researcher used the analysis process recommended in Florian Kohlbacher’s 2006 paper “The Use of Qualitative Content Analysis in Case Study Research.”

Import: Gathered data were labeled by case study and individual identifier, then imported into the NVivo 10 software.

Explore: To begin to build the NVivo coding structure, the researcher reviewed each data set at import.

Code: Each data set was coded along the key factors, and each case study was coded by individual indicators using the key defined in chapter 4.

Query: To determine commonality, the researcher queried each case study data set along the established codes.

Reflect: The researcher queried each case study data set for code commonality and subsequent clustering around key factors as identified by the coding.

Visualize: With each case study data set imported, coded, and queried, the researcher built and expanded word trees around relevant wording.

Annotate: The researcher annotated the study with the insights gained through the processing of each transcript.

The researcher used the above analysis process to iterate through all case study data sets.

Instruments

In this multiple-case study, the researcher utilized direct observation and historic document review combined with a semi-structured one-on-one interview methodology for each of the participating organizations and their respective one-on-one interview subjects (Yin, 2012). The semi-structured interview methodology is a viable form of qualitative data collection (Creswell, 2007; Halaweh, 2012; Yin, 2014). The researcher used interview questions designed to provide a general guideline for each interview. The researcher designed the interview questions using a review of the current information assurance policy and procedures as a guide. The researcher designed each question to address a specific aspect of the research question (Creswell, 2009; Yin, 2012).

The questions were developed from a review of the current literature (Creswell, 2007; Wilson, 2009) and designed to probe the participants’ perception of the effectiveness of information assurance controls as applied in the current operating environment of the subject organization (Yin, 2009; Yin, 2012; Yin, 2014). The researcher designed the questions to guide the interview into discussion areas that provided the researcher with the information necessary for categorizing the responses appropriately for data analysis (Creswell, 2009; Yin, 2012). The questions were field tested, using these and other questions, to ensure that the context of the questions was clear and understandable. By use of the field test, the researcher determined the appropriateness of the questions for each distinct group of interview subjects: senior decision makers, information assurance auditors, and information security professionals (Creswell, 2009). The feedback from the field test indicated that the research questions would be more effective if each question were broken down into the structure of a main question with three sub-questions. The researcher adopted the recommendations of the field test. The question structure provided the researcher with a framework for keeping the face-to-face interviews on topic while covering all research aspects of the interview. In an effort to minimize researcher bias, interpretation of the data collected during the one-on-one interviews relied solely upon verbal responses and did not include the interpretation of non-verbal or visual cues (Creswell, 2009; Yin, 2012).

The Role of the Researcher

The research study utilized semi-structured interviews, direct observation, and document reviews for data collection. The researcher made use of an interview protocol developed to guide the interview process (Yin, 2012). It was the goal of the researcher to keep the interview open-ended and to allow for flexibility to collect as much detail as possible (Creswell, 2009; Yin, 2014). It was the researcher’s intent to use the interview protocol to facilitate the introduction and development of the topical discussions (Yin, 2012).

Guiding Interview Questions

To field test the proposed questions, the researcher enlisted the assistance of an on-shore Naval command and a member of the defense industrial complex. From each of these organizations the researcher requested and was granted access to 2 senior decision makers, 2 information assurance professionals and 2 information security practitioners. Over a three-week period, the researcher conducted on-site face-to-face interviews with the selected sample. During these interviews the researcher sought feedback on the content and structure of the proposed questions. The feedback from the field test indicated that the research questions would be more effective if each question were broken down into the structure of a main question with three sub-questions. The adoption of the field test recommendations resulted in the following interview questions.

Pre-interview Demographic Questions:

• What is your age?

• What is your gender?

• What is your role in the organization?

• Please provide information about your educational background, starting with the latest or currently pursued degree.

Interview questions:

Q1. What are the key factors in the organization’s IA posture using the existing IA control framework that are effective in the big-data environment? What should be changed? What should be added? What should be dropped?

Q2. What are the key factors in the organization’s decision-making cycle using the existing IA control framework that are effective in the big-data environment? What should be changed? What should be added? What should be dropped?

Q3. What are the key factors in the organization’s IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? What should be changed? What should be added? What should be dropped?

Q4. What are the key factors in the organization’s IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? What should be changed? What should be added? What should be dropped?

Q5. Are there any other aspects of your information assurance framework that you would like to discuss with the interviewer?

Ethical Considerations

The researcher conducted all research in a manner that minimized any potential harm to those involved in the study. For any ethical issues that may have arisen during data collection, the researcher remained sensitive and aware and was prepared to take the necessary steps to address any such issues (Creswell, 2009; Yin, 2012). Such issues included confidentiality, anonymity, and information security of both individuals and organizations. The researcher maintained responsibility for informing and protecting the study participants. Research participation was voluntary, and the researcher took the necessary steps to ensure the participants understood the purpose of the research through informed consent (Creswell, 2009; Yin, 2014). Participation in the study was not a requirement of employment, and at the beginning of each interview, written consent was required to proceed (Creswell, 2009; Yin, 2012). Additionally, the researcher kept all organization and participant identities anonymous. All interview responses are confidential and secure. To ensure the information security, confidentiality, and anonymity of the organizations and interviewees, the researcher assigned random identification numbers to each interviewee, and the participant’s demographic information was not stored with responses (Creswell, 2009; Yin, 2009).

Summary

The purpose of this qualitative study was to identify those factors that influence the perceived effectiveness of traditional IA control frameworks. The study endeavored to determine the effectiveness of the identified IA framework factors when applied to a big-data environment. The study identified the possible changes required to increase the effectiveness of traditional IA frameworks in a big-data environment.

CHAPTER 4. PRESENTATION OF THE DATA

Introduction: The Study and the Researcher

This chapter presents the results of the qualitative multiple-case study designed to identify those factors that influence the perceived effectiveness of traditional information assurance (IA) control frameworks. The study endeavored to determine the effectiveness of the identified IA framework factors when applied to a big-data environment. The study identified the possible changes required to increase the effectiveness of traditional IA frameworks in a big-data environment. For this study the researcher utilized a multiple-case study approach using semi-structured interviews, direct observation, and historic document reviews for data collection (Yin, 2012). The researcher attempted to use an interview protocol developed to guide the interview process. It was the goal of the researcher to keep the interviews open-ended and to allow for flexibility to collect as much detail as possible (Creswell, 2009; Yin, 2012). However, there were instances where organizational restrictions and interview participants’ demands hindered the open-ended approach. Those instances are noted in the following data presentation. In those instances, the interview protocol simply facilitated the introduction and development of the topical discussions (Yin, 2009). The research study sought to answer the question: What are the key factors of effectiveness for an IA control framework, and what modifications would make an IA control framework more effective when applied to a big-data paradigm?

For this study the researcher was the sole instrument of data gathering and performed all of the face-to-face interviews, direct observations, and historic document reviews (Yin, 2012). The researcher has 30 years of experience in information technology, with the last fifteen in information assurance/information security. The researcher holds multiple industry-specific certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Internal Auditor (CIA), and Information Technology Infrastructure Library v3 (ITIL v3). The researcher was the sole data analyst for this research study. During the researcher’s career he has seen, and been an active part of, many major operating shifts in the information technology (IT) domain. The researcher was part of the move from centralized data center computing to distributed networks. The researcher was involved with the adoption of relational database management systems (RDBMS) as the information processing standard. The researcher took part in the push to open standards, as opposed to proprietary systems, as a viable method of capability delivery. Over all of these shifts in operating paradigm the researcher noted that there was usually a lag in the adaptation of the information assurance (IA) control framework and information security (IS) practices that were required to maintain effectiveness in the new operating paradigm. Johnston and Hale (2009) identified this lag in effectiveness in their work, “Improved Security through Information Security Governance.” The above-mentioned experience caused the researcher to pay special attention to the evolution of the IA control frameworks as the big-data paradigm began to gain a foothold in the information service domain of industry and the US Government. This experience motivated the researcher, and impressed upon the researcher the need to remain aware of preconceived notions as to the effectiveness of IA control frameworks deployed into a big-data environment. The researcher must take special care to avoid or mitigate the possibility of experience-based bias being introduced into this study (Creswell, 2009; Yin, 2012). In preparation for this study the researcher performed extensive research into the literature of IA controls and IS practices. In professional experience the researcher has performed four case studies in the IS and IA controls domain as well as five case studies in the process of systems architecting and design. This previous experience performing case studies gave the researcher a foundation in case study methodology. The researcher augmented this experience with readings of the work of Robert K. Yin and other case study experts. With 27 years of IA and IS experience and as a long-time CISA and CISSP, the researcher brings a deep knowledge of current and historic IA controls frameworks and IS practices implementation in the evolving IT domain. This experience is a strength as well as a weakness. During this study the researcher was especially cognizant to report on the actual data analysis findings as opposed to the experience and expectations of the researcher, thus mitigating researcher experience bias (Qin & Li, 2013).

Description of the Sample

This study focuses on the senior decision makers, IA audit professionals, and IS practitioners in those defense industrial complexes and US Government agencies that are responsible for the operation, assurance, and security of their respective organizations. The defense industrial complex is a service provider to the US Government, and is involved in the strategic decision making of the Department of Defense (DoD). The study focused on one Department of the Navy (DoN) on-shore command and two defense industrial complex commercial organizations. The direct interview targets included senior decision makers, IA professionals, and IS practitioners as well as the management of the specific entity.

The researcher recruited IA professionals from each of the case study target organizations. Given that Department of Defense Directive 8570 (DoD 8570) requires government employees who conduct information assurance functions in assigned duty positions to hold one of the specified certifications, including the Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA) certification, the researcher assumed a base level of domain knowledge. As in the case of the IA professionals, the researcher recruited information security (IS) practitioners from the target case study organizations. DoD 8570 requires that all level III IS professionals hold the ISC2 Certified Information Systems Security Professional (CISSP) certification to ensure a foundational level of domain understanding. The recruitment of the senior decision makers proved to be the most challenging of the identified recruitment efforts. The researcher selected senior decision makers from the target case study organizations based upon their decision-making authorities.

As a qualifier for case study target selection, the researcher selected organizations that had adopted a big-data operating environment and had gone through at least one auditing cycle post adoption of a big-data environment. The researcher selected interview candidates from organizations in each segment that currently operate in a big-data environment or were working in an organization that regularly audits organizations operating in a big-data environment. The researcher excluded organizations that fit into the case study segmentation but did not meet the identified case study qualifiers. The reason for the exclusion as defined above was that if the organizations were not governed by the IA requirements of the DoD domain, the subject would not meet the criteria of the population (Kyburz-Graber, 2004; Patton, 2001). Further, these organizations would most likely not share a set of common guidelines that defined required IA control performance with the others in the sample selection.

Research Methodology Applied to the Data Analysis

The case study methodology typically makes use of six evidence/data sources: documentation, archival records, interviews, direct observation, participant observation, and physical artifacts (Baškarada, 2014; Yin, 2014). Due to disclosure restrictions within the case study target domains of the DoD and the defense industrial complex, as well as time and financial constraints, this multiple-case study used three of these evidence/data types: interviews, direct observation, and documentation.

The researcher conducted all interviews in a one-on-one setting (Gerring, 2005; Yin, 2009). The individual responses to the interview questions provided data indicating the user perceptions of the key factors of effectiveness of an organization’s IA controls framework concerning decision making, IA posture, IA process, and IA compliance, as well as which factors of those IA controls frameworks are perceived as effective in a big-data environment. Further, the interview process enabled the researcher to establish a user perception of what should be changed, added, or dropped from the current IA controls framework (Creswell, 2009; Yin, 2012). The documentation review gave the researcher a picture of the organization’s reasoning that went into selecting the IA control framework as implemented by the organization. The data acquired during the documentation review supported the assessment of the intended effectiveness of the selected IA controls framework applied to a big-data environment (Baxter & Jack, 2008; Yin, 2012). Reviewing the archival records associated with the IA audit history of the organization provided the researcher insight into the historic effectiveness of the organization’s IA controls framework. This historic insight provided the researcher with the background information needed to track any changes in the effectiveness of the IA controls framework as the organization adopted a big-data environment (Creswell, 2009; Yin, 2012). The use of multiple case studies made the data more compelling and gave added strength to the final output of the study (Yin, 2014).

This study made use of a methodology appropriate for a case study design with results derived from multiple case studies (Yin, 2012). The case study approach allowed the researcher to identify meaningful characteristics of real-life events, including organizational and managerial processes, which made it an ideal research method for this study and for subsequent theory building (Yin, 2014). The analysis of multiple-case study data, as with most qualitative data, tends to be iterative in nature (Krueger & Kearney, 2006). The researcher subjected all data, once transcribed and redacted, to the same analysis process in NVivo 10.

Presentation of Data and Results of the Analysis

The researcher made use of multiple case studies. Each of the three case studies included face-to-face interviews, direct observation, and review of historical documentation. The face-to-face interviews were conducted with a senior executive, an IA professional, and an IS practitioner from each case study. The researcher found that the existence of historical documentation was not consistent across the three case study subject organizations. The following tables break down and distill the research data by question.

Table 1

Question 1 distillation

Q1 - What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment? What should be changed? What should be added? What should be dropped?

Interview Strata: Key Themes

Executives
- Frameworks are functionally sound but lack effective risk reduction in a big-data environment.
- Additional risk-reduction controls are needed to offset the increased risk of operating in a big-data environment.
- Human-in-the-loop audit concepts are not effective in a big-data environment.
- Training is needed that explains the value of big data and how to use the paradigm effectively.

IA Professionals
- The frameworks' documentation and guidance are effective.
- Frameworks cannot be relied upon for attestation of data provenance.
- Dependency on human-in-the-loop audits needs to be reduced.
- Checklists need to be replaced with scenario-based controls verification.
- Big-data training demands on IA professionals need to increase.

IS Practitioners
- The frameworks are not effective in a big-data environment.
- They lack the controls necessary for trust relationships.
- Frameworks lack the technical controls necessary in a big-data environment.
- Operational user training covering the big-data model needs to increase.

Table 2

Question 2 distillation

Q2 - What are the key factors in the organization's decision-making cycle using the existing IA control framework that are effective in the big-data environment? What should be changed? What should be added? What should be dropped?

Interview Strata: Key Themes

Executives
- Decision makers rely on framework consistency and backing by a governing body.
- Verification of data provenance at the organizational level needs to be expanded.
- Big data requires expanded trust-relationship governance.
- Increase PII data-aggregation risk-reduction controls.

IA Professionals
- The consistent guidance from standards bodies allows the frameworks to be applied in a consistent manner from environment to environment.
- The frameworks need to drop the point-in-time audit in favor of continuous audit.
- The framework should require scenario-based training for auditors.
- The use of static checklists is not effective in a big-data environment.

IS Practitioners
- The framework is useful as a consistent baseline for IS.
- The framework does not cover the technical controls needed to verify trust relationships.
- The controls need to be re-engineered to consider the geographically diverse nature of a big-data environment.

Table 3

Question 3 distillation

Q3 - What are the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? What should be changed? What should be added? What should be dropped?

Interview Strata: Key Themes

Executives
- The support of standards bodies remains effective when a framework is applied to a big-data environment.
- The provenance attestation controls must be redesigned to accommodate the big-data paradigm.
- Increased PII controls.
- There is a reduced need for human-in-the-loop auditing.

IA Professionals
- The support of recognized governing bodies remains a key factor of the framework.
- In a big-data environment the static checklist approach is not effective; it should be changed to a scenario-based set of controls.
- The community needs a better set of controls to protect PII in a big-data environment.

IS Practitioners
- The support of recognized governing bodies remains a key factor in the effectiveness of IS controls.
- In a big-data environment the static checklist is not an effective means of verifying the health of an IS infrastructure.

Table 4

Question 4 distillation

Q4 - What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? What should be changed? What should be added? What should be dropped?

Interview Strata: Key Themes

Executives
- The concept that there are security levels balanced against operational need, regulatory guidance, records management, and reporting imperatives.
- Rely more heavily on existing concepts and terminology while training, educating, and empowering an information assurance workforce venturing into the world of big data.
- There is a need for automated tools that help leadership identify, assess, and promptly address cases where humans or machines are acting in a manner that deviates from balanced rulesets.
- The frameworks should drop the manual processes for identifying, assessing, and addressing potential security incidents stemming from human and/or machine deviations from rulesets.

IA Professionals
- The concept of classification levels remains sound in a big-data environment.
- Frameworks in the big-data environment require automated tools.
- Manual processes lack the responsiveness required to govern a big-data environment.
- There is a need for user training on the operational value of big data.

IS Practitioners
- The control that requires an organization to keep patches and security updates compliant.
- The framework control for verification of patching and security updates should be a systematic process as opposed to a manual process.
- System patch status should be made a continuous process as opposed to a snapshot in time.
- The excessive number of manual audits should be dropped from the framework as they are not indicative of a healthy system.

Table 5

Direct Observation distillation

Direct Observation: When given a choice of depending on the legacy data environment to meet their tasks, those individuals who had been with an organization prior to the adoption of the big-data paradigm would revert to the legacy system, while those who had joined the organization after or during the migration to the big-data solution were more comfortable with the new environment.

Table 6

Historic Document Review distillation

Historic Document Review: Historic audit documentation showed no significant difference in the IA audit findings between those audits performed prior to and post big-data paradigm adoption.

What follows is the detailed data gathered at each of the three case studies. Case study A and part of case study B were collected, documented, and indexed by the narrative process intended by the methodology design discussed in Chapter 3. Due to demands of some interview subjects and the constraints placed on the research by the legal department of case study C, parts of case study B and all of case study C were collected, documented, and indexed in a more structured and directly quoted manner. This difference in collection is evident in the following presentation of detailed data. The following detailed results are grouped by case study and indexed within each group by the data index key represented in Figure 3.

Case study A: The subject organization of case study A was an on-shore naval command. All naval commands must comply with DoDI 8510.01, Risk Management Framework (RMF) for DoD IT. The RMF, as applied under DoDI 8510.01, specifies the security controls (drawn from the NIST SP 800-53 catalog) and the system categorization methodology (CNSSI 1253) that apply to DoD IT. The target organization began adoption of a big-data environment three (3) years prior to this study, in October of 2012. The organization had been through two (2) audit cycles while operating in a big-data environment. The case study of subject organization A included face-to-face interviews, direct observation, and review of historical audit documentation. The data of case study A were collected and recorded through a narrative process.

Face-to-Face Interviews

The researcher conducted face-to-face interviews using the structured questions defined in the Data Collection section of Chapter 3 of this study. The demographic questions defined in the same section preceded the interviews. Interviews were conducted in a narrative process with a senior executive, an IA professional, and an IS practitioner.

Senior Executive

The senior executive selected for the face-to-face interview was the command Chief Information Officer (CIO). When asked what the key factors are in the organization's IA posture using the existing IA control framework that are effective in the big-data environment (A-SE-Q1a), the CIO responded with marking/tagging of structured and unstructured intelligence products at the portion level (paragraph, record, etc.) to reflect classification, compartmentation, special access controls, and associated caveats (A-SE-A1a). This implies that, from his perspective, the classification and tagging structure associated with the IA controls is a key attribute of effectiveness. When asked what should be changed (A-SE-Q1b), the CIO expressed the need for well-documented controls that support a trust-based presumption of accuracy and enable discovery, access, analysis, and cross-domain dissemination (A-SE-A1b). To the question of what should be added to traditional IA control frameworks when applied to a big-data environment (A-SE-Q1c), the CIO recommended a set of risk-reduction controls that enforce greater accountability for the tags that a data owner applies or causes to be applied (A-SE-A1c). To the final section of question 1, what should be dropped (A-SE-Q1d) from the existing IA control frameworks, the CIO identified the layering-in of first reviews, second reviews, and other quality control inspections that add little value and, in fact, hinder analysis and dissemination (A-SE-A1d).

The second question in the face-to-face interview was aimed at identifying those key factors of an IA control that support the decision-making cycle of the command (A-SE-Q2a). In response, the CIO identified policy documents aimed at shaping individual human and machine actions relative to marking/tagging (A-SE-A2a). When asked what should be changed (A-SE-Q2b), he responded that policy documents should be tied to specific data sets rather than to systems (A-SE-A2b). When asked what should be added to the IA controls to support the command decision-making cycle (A-SE-Q2c), the CIO asked for controls that would hold data owners accountable for the tagging and release of the data within their charge (A-SE-A2c). To the question of what control structure should be dropped in support of the command decision-making cycle (A-SE-Q2d), the CIO identified those controls that enforce a structure requiring a "relatively large and diverse community of data owners" (A-SE-A2d).

The third question had to do with which control attributes remained effective post adoption of a big-data paradigm (A-SE-Q3a). The CIO referenced those controls that require analysts to be deliberate in identifying sources and methods and equally deliberate in using the sources and methods data to make decisions (A-SE-A3a). The CIO cited the changes that would enhance the effectiveness of the IA controls (A-SE-Q3b) as those in the automation of the application of rule sets that govern data aggregation (A-SE-A3b). When queried as to those controls that should be added to increase the effectiveness of the IA control framework (A-SE-Q3c), the CIO spoke of controls that would verify data provenance through automation and reduce the data aggregation factor associated with big data (A-SE-A3c). The CIO was clear as to what should be dropped (A-SE-Q3d). He felt that to enhance the effectiveness of the traditional IA control framework when applied to a big-data environment, the framework should drop manual, off-line processes, particularly those that involve multiple, largely subjective human reviews, often by personnel without sufficient expertise related to the specific sources and/or methods (A-SE-A3d).

IA Professionals

For the IA professional face-to-face interview, the researcher chose a Senior IA Auditor who held the required credentials. When asked to identify the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment (A-IAP-Q1a), the Senior IA Auditor called out regulatory body support of the framework (A-IAP-A1a). When asked what should be added to the framework, the Senior IA Auditor talked of an established body of auditing knowledge (A-IAP-A1b). The Senior IA Auditor identified audit checklists (A-IAP-A1c) as those attributes of an IA framework that were not effective in a big-data environment (A-IAP-Q1c) and that should be dropped from any IA controls framework used in a big-data environment (A-IAP-Q1d) (A-IAP-A1d).

The Senior IA Auditor identified attestation documentation (A-IAP-A2a) as an attribute of the IA framework that is a key factor influencing the decision-making cycle of the organization (A-IAP-Q2a). The Senior IA Auditor could not identify any attributes of the framework that, if changed or dropped, would affect the decision-making cycle of the organization (A-IAP-Q2b). The Senior IA Auditor felt that the addition of a data governance matrix would enhance the impact of the framework on the decision-making cycle (A-IAP-Q2c) (A-IAP-A2c).

When asked what the key factors were in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption (A-IAP-Q3a), the Senior IA Auditor implied that the regulatory body support of the framework, as well as the governance matrix, were the key factors that remained effective post big-data adoption (A-IAP-A3a). As for what should be changed (A-IAP-Q3b), the Senior IA Auditor cited audit automation and continuous audit practices (A-IAP-A3b). In the closing question of the interview, the Senior IA Auditor cited the need for auditor training in how to effectively audit a big-data environment. The Senior IA Auditor had no response to question four. However, when asked if there were any other aspects of your information assurance framework that you would like to discuss with the interviewer (A-IAP-Q5a), the Senior IA Auditor felt that traditional IA control frameworks were not designed to mitigate data aggregation risks in a big-data environment (A-IAP-A5a).

IS Practitioner

While the researcher went into the IS practitioner interview session with a plan to ask the same set of structured questions, it quickly became obvious to the researcher that the IS practitioner needed to express their concern with, and lack of confidence in, the application of traditional IA control frameworks to a big-data environment in their own manner. The IS practitioner cited the lack of any testing of the validity of trusted network relationships and the absence of edge controls as factors that negatively impact the effectiveness of an IA control framework in a big-data environment (A-ISP-Q1a) (A-ISP-A1a). The IS practitioner went on to identify training at all levels as something that would need to be added to any framework if the framework were to be effective in a big-data environment (A-ISP-Q5a) (A-ISP-A5a).

Direct Observation

The researcher conducted direct observation at the regular operating location over an eight-hour period of normal operations. During the direct observation stage of the case study, the researcher observed an employee of the organization produce a report from a data source held on his desktop. When asked why he used the desktop data source as opposed to the enterprise data store, he stated that since going to a big-data solution he did not trust the accuracy of the data in the operational data store. When asked why he did not trust the enterprise data source, he explained that he did not know the source of that data, and that there is so much data that the report takes too long to run. The researcher asked about the data audit and whether that did not increase confidence in the reliability of the enterprise big-data store. The person responded that he did not see how the same auditors and audit approach could work for data that was not stored in the old databases. The researcher asked the person how long he had been with the organization. The person responded that he had been there way before the command switched to this big-data thing. The researcher observed similar behaviors in many of the longtime employees. There were, however, a number of longtime employees who did trust the output from the big-data environment. The differentiator between those who trusted the big-data environment and those who did not appeared to be training: all of the longtime employees who trusted the big-data environment had attended training on the use and operation of the organization's big-data environment. The researcher observed that those who had joined the organization during or after the transition to a big-data environment were confident in the data products produced by the big-data environment. The attributes of time with the organization and training held consistent with those behaviors that implied confidence in, or lack of confidence in, the organization's big-data environment. The demographic of age did not seem to affect confidence in the organization's big-data environment.

Historical Document Review

The historical document review section of the case study entailed reviewing the documentation produced during the four most recent IA controls audit cycles. This sample selection covered the timeframe of two audit cycles prior to the adoption of a big-data paradigm and two cycles post big-data adoption. The researcher found no difference in the audit findings across all four cycles. The researcher determined that a different auditor using consistent audit checklists performed each audit.

Case study B: The subject organization of case study B is a data aggregator and information provider to the Department of Defense (DoD). The target organization began adoption of a big-data environment four (4) years prior to this study, in October of 2011. The organization has been through three (3) audit cycles while operating in a big-data environment. As a member of the defense industrial base, the organization has chosen to comply with DoDI 8510.01, Risk Management Framework (RMF) for DoD IT, and the Information Assurance Minimum Security Control Checklist (SCC).

The SCC defines a set of minimum security requirements that agencies must meet, expressed through the security controls described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; DoD Instruction (DoDI) 8500.2, Information Assurance Implementation; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems; and associated documents.

The SCC encompasses 157 information assurance (IA) controls, from which each agency must establish a baseline set. Each IA control describes an objective IA condition achieved through the application of specific safeguards or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the objective condition for every IA control are assignable, and thus accountable. The IA controls specifically address availability, integrity, and confidentiality requirements, but also take into consideration the requirements for non-repudiation and authentication. A practitioner should note that DoDI 8500.2 was cancelled in March 2014 by DoDI 8500.01, so an SCC built on its 157 IA controls is a legacy control set relative to the NIST SP 800-53 controls the RMF uses; the two have to be mapped when both are in force. The RMF, as applied under DoDI 8510.01, specifies the security controls and system categorization methodology that apply to DoD IT. The case study of subject organization B included face-to-face interviews, direct observation, and review of historical audit documentation.

Face-to-Face Interviews

The researcher conducted face-to-face interviews using the structured questions defined in the Data Collection section of Chapter 3. The demographic questions defined in the same section preceded the interviews. Interviews were conducted with a senior executive, an IA professional, and an IS practitioner.

Senior Executive

The senior executive selected for the face-to-face interview was the organization's Chief Data Officer (CDO). When asked what the key factors are in the organization's IA posture using the existing IA control framework that are effective in the big-data environment (B-SE-Q1a), the CDO cited four key factors of effectiveness for an IA controls framework that seemed to be effective in the current big-data environment: establishing a data tagging strategy, creating a data governance structure, consistent guidance, and support from authoritative governing bodies (B-SE-A1a). When asked what she felt should be changed (B-SE-Q1b), the CDO cited a weakness in provenance verification (B-SE-A1b). As for what should be added to the control frameworks to increase effectiveness (B-SE-Q1c), she felt that, in addition to the aforementioned provenance verification weakness, the IA control framework needed some level of data tagging enforcement control (B-SE-A1c). To the second question, of the key factors in the organization's decision-making cycle using the existing IA control framework that are effective in the big-data environment (B-SE-Q2a), the CDO cited the controls that establish data ownership and data steward entities and supporting structures (B-SE-A2a). The CDO did not have any response to the questions of what to add, change, or drop. When asked about the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption (B-SE-Q3a), the CDO referenced the risk mitigation structure of the SCC. The CDO felt that the SCC risk mitigation structure, while needing to be tuned, essentially remained effective in the big-data environment (B-SE-A3a). The CDO cited the internal IT audit and data access controls (B-SE-A4a) as those IA controls that have remained effective with the adoption of a big-data environment (B-SE-Q4a). When asked if there were any other aspects of the organization's information assurance framework that she would like to discuss with the interviewer (B-SE-Q5a), the CDO cited the need for more training, at all levels, specific to operating in a big-data environment (B-SE-A5a). When asked to elaborate, the CDO cited the need to train staff and executives in how to ask questions of a big-data store.

IA Professionals

The researcher chose a Senior IA Auditor who held the CISA certification for the IA professional face-to-face interview. When asked to discuss the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment (B-IAP-Q1a), the auditor cited the tagging of structured and unstructured data at the portion level (paragraph, record, etc.) to reflect the level of criticality and classification as a key factor in the effectiveness of the IA control framework (B-IAP-A1a). To the question of what should be changed (B-IAP-Q1b), the auditor felt that the organization could do more training to encourage the organization to trust the accuracy of the applied tags across the human and machine components of the IA posture (B-IAP-A1b). The auditor felt that the addition (B-IAP-Q1c) of a metric of accountability for the data owners with regard to the accuracy of data tagging would be a key factor in the effectiveness of an IA framework for a big-data environment. He felt that to improve effectiveness the framework should empower data owners through not only training but trust, and enable them to work through greater automation (B-IAP-A1c). To the question of what to drop from the existing frameworks (B-IAP-Q1d), the auditor cited the layering-in of multiple levels of desk-audit types of review, ostensibly aimed at verifying the accuracy of applied tags (B-IAP-A1d). He felt that the post-production inspection steps add little value and, in fact, hinder the effectiveness of the IA processes. The IA auditor identified the guidance structures and related policy documents (B-IAP-A2a) as key factors of an effective IA control framework in a big-data environment that influence the decision-making cycle of the organization (B-IAP-Q2a). As for changes that would increase the influence on the decision-making cycle (B-IAP-Q2b), the auditor recommended that guidance and associated policies should tie to data objects as opposed to systems. The auditor stated that tying the guidance to systems introduces ambiguity into the guidance. For the question of what should be added (B-IAP-Q2c), the auditor recommended the addition of a structure that enforces a level of data owner accountability and responsibility for the validity of the data object provenance and tagging (B-IAP-A2c). When asked what should be dropped from the IA framework (B-IAP-Q2d), the auditor echoed the feelings of previous interview subjects that multiple levels of desk audits and simple checklists are not effective (B-IAP-A2d). When asked if there was anything else the auditor wanted to talk about (B-IAP-Q2e), the auditor continued the theme of increased training for auditors and users (B-IAP-A2e). The third question asked the auditor to discuss the key framework factors that were effective prior to the adoption of the big-data environment and have remained effective post adoption (B-IAP-Q3a). The auditor responded with the elements of the framework that compel analysts to be deliberate in identifying sources and methods and equally deliberate in using the source and method data to make decisions (B-IAP-Q3a). The questions of needed changes (B-IAP-Q3b), additions (B-IAP-Q3c), and deletions (B-IAP-Q3d) in the framework elicited responses from the auditor that continued the common themes: change the way audits are performed (B-IAP-A3b), develop training for how to gain maximum value from the big-data environment (B-IAP-A3c), and drop ineffective manual desk audits and checklist compliance (B-IAP-A3d). The fourth interview question discussed the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment (B-IAP-Q4a). The auditor cited the framework factors that support classification of data, those factors that govern the transport of data, and the constructs that ensure regulatory compliance as the factors that remain effective (B-IAP-A4a). The auditor indicated that the automated tools need change (B-IAP-Q4b) (B-IAP-A4b), while training in how to use and audit the controls in a big-data environment was a necessary addition to the framework (B-IAP-Q4c) (B-IAP-A4c). The auditor cited manual processes for identifying, assessing, and addressing potential IA incidents as those controls that should be dropped from IA frameworks (B-IAP-A4d) when the framework is implemented in a big-data environment (B-IAP-Q4d). When asked if there was anything else the auditor would like to discuss with regard to the effectiveness of the current framework in a big-data environment (B-IAP-Q5a), he expressed concern that IA practitioners were losing sight of keeping with the basics of IA audit. In addition, he expressed a concern about the effectiveness of traditional IA frameworks in reducing the risk of data aggregation in a big-data environment (B-IAP-A5a).

IS Practitioner

The IS practitioner chosen for this interview is the Senior IS Engineer for the organization. The engineer expressed his desire to conduct and document the interview in a highly structured manner as opposed to the narrative approach used in the previous interview sessions of this case study. The engineer insisted that his responses to the structured questions be documented in a quoted format as opposed to best interpretation by the interviewer. In accordance with the engineer's wishes, this section is structured in strict question/answer format with all answers presented as direct quotes. Given the restrictions placed on the researcher by the case study B IS practitioner, the responses to the one-on-one interview are presented in table format as opposed to the narrative format used in the prior interviews.

Table 7

Case Study B -- IS Practitioner Interview Question 1 and Responses

B-ISP-Q1a: What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment?
B-ISP-A1a: "The [required] use of scheduled technical system scans with tools such as NESSUS remains an effective control in a big-data environment."

B-ISP-Q1b: What should be changed?
B-ISP-A1b: "The scanning would be more effective if done as part of a continuous monitoring as opposed to scheduled."

B-ISP-Q1c: What should be added?
B-ISP-A1c: "The framework should require a set of technically accurate drawings documenting the organization's environment. These drawings should include inter-connects to trusted networks."

B-ISP-Q1d: What should be dropped?
B-ISP-A1d: "The framework should drop the desk audit checklist approach to verification of controls."

Table 8

Case Study B -- IS Practitioner Interview Question 2 and Responses

B-ISP-Q2a: What are the key factors in the organization's decision-making cycle using the existing IA control framework that are effective in the big-data environment?
B-ISP-A2a: "The control that calls for the verification of the required IA controls at the provisioning end of a new data provider prior to adoption of a new data feed."

B-ISP-Q2b: What should be changed?
B-ISP-A2b: "Increase the requirements for continuous audit of trusted network inter-connects."

B-ISP-Q2c: What should be added?
B-ISP-A2c: "The framework needs to require additional training with regard to the IS responsibilities of the user community."

B-ISP-Q2d: What should be dropped?
B-ISP-A2d: "The multiple manual audits."

Table 9

Case Study B -- IS Practitioner Interview Question 3 and Responses

B-ISP-Q3a: What are the key factors in the organization's decision-making cycle using the existing IA control framework that are effective in the big-data environment?
B-ISP-A3a: "The use of attribute based access control (ABAC) to control access to the data and systems of the organization."

B-ISP-Q3b: What should be changed?
B-ISP-A3b: "The upkeep of the ABAC structure should be audited on a continuous basis."

B-ISP-Q3c: What should be added?
B-ISP-A3c: "Training, training, training (sic)."

B-ISP-Q3d: What should be dropped?
B-ISP-A3d: "Human-only based auditing."
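The portion-level marking that the case study A CIO (A-SE-A1a) and the case study B auditor (B-IAP-A1a) describe, the data-owner accountability and automated provenance verification they ask for (A-SE-A1c, A-SE-A3c, B-IAP-A2c), the aggregation rule the CIO wants automated (A-SE-A3b), and the ABAC enforcement the Senior IS Engineer cites (B-ISP-A3a) can be shown working together in a single model. The following is an added example written for this edit; it is not code from the dissertation or from any of the studied organizations. The tag schema, the owner names, the compartment "CPT1", the per-owner HMAC keys and the sample portions are constructed assumptions, and the access decision is a deliberately small ABAC policy (clearance dominance, compartment possession, a NOFORN caveat), not any organization's actual ruleset.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Classification dominance order and per-owner tagging keys (both constructed;
# a real deployment keeps keys in an HSM/KMS, not in source).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
OWNER_KEYS = {"owner-alpha": b"constructed-key-alpha", "owner-bravo": b"constructed-key-bravo"}


@dataclass(frozen=True)
class Tag:
    """Portion marking: level, compartments, dissemination caveats, owning data owner."""
    level: str
    compartments: frozenset
    caveats: frozenset
    owner: str


@dataclass
class Portion:
    text: str
    tag: Tag
    attestation: str = ""  # HMAC by the owner over the tag and a hash of the text


def _canonical(tag, text):
    """Deterministic encoding of exactly what the owner attests to."""
    body = {"level": tag.level, "compartments": sorted(tag.compartments),
            "caveats": sorted(tag.caveats), "owner": tag.owner,
            "sha256": hashlib.sha256(text.encode()).hexdigest()}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(portion):
    """The data owner binds the tag to the content; this is the accountability hook."""
    key = OWNER_KEYS[portion.tag.owner]
    portion.attestation = hmac.new(key, _canonical(portion.tag, portion.text), "sha256").hexdigest()
    return portion


def verify_provenance(portion):
    """Automated provenance check: unknown owner, edited text or edited tag all fail."""
    key = OWNER_KEYS.get(portion.tag.owner)
    if key is None:
        return False
    expected = hmac.new(key, _canonical(portion.tag, portion.text), "sha256").hexdigest()
    return hmac.compare_digest(expected, portion.attestation)


@dataclass(frozen=True)
class Subject:
    clearance: str
    compartments: frozenset
    nationality: str


def permit(subject, portion):
    """ABAC decision: provenance must verify, clearance must dominate the level,
    the subject must hold every compartment, and NOFORN blocks non-US subjects."""
    if not verify_provenance(portion):
        return False
    tag = portion.tag
    if LEVELS[subject.clearance] < LEVELS[tag.level]:
        return False
    if not tag.compartments <= subject.compartments:
        return False
    return not ("NOFORN" in tag.caveats and subject.nationality != "US")


def release(subject, portions):
    """Portion-level filtering: the text of each portion the subject may see."""
    return [p.text for p in portions if permit(subject, p)]


def banner(portions):
    """Document-level marking by aggregation: highest level, union of compartments
    and caveats. Automating this is the aggregation control the interviewees ask for."""
    if not portions:
        return "UNCLASSIFIED", frozenset(), frozenset()
    top = max(portions, key=lambda p: LEVELS[p.tag.level]).tag.level
    compartments = frozenset().union(*(p.tag.compartments for p in portions))
    caveats = frozenset().union(*(p.tag.caveats for p in portions))
    return top, compartments, caveats


# Constructed sample document: three portions, each attested by its owner.
SAMPLE_DOC = [
    attest(Portion("(U) Weather at 0600 was clear.",
                   Tag("UNCLASSIFIED", frozenset(), frozenset(), "owner-alpha"))),
    attest(Portion("(S//NF) Source reporting on harbor activity.",
                   Tag("SECRET", frozenset(), frozenset({"NOFORN"}), "owner-bravo"))),
    attest(Portion("(S//CPT1) Compartmented sensor detail.",
                   Tag("SECRET", frozenset({"CPT1"}), frozenset(), "owner-bravo"))),
]

# A tag downgraded after attestation without re-attesting: the stale HMAC no
# longer matches, so the portion is withheld from every subject.
TAMPERED = attest(Portion("(S) Text whose tag was edited after attestation.",
                          Tag("SECRET", frozenset(), frozenset(), "owner-alpha")))
TAMPERED.tag = Tag("UNCLASSIFIED", frozenset(), frozenset(), "owner-alpha")

ANALYST_US = Subject("SECRET", frozenset({"CPT1"}), "US")     # may see all three portions
ANALYST_UK = Subject("TOP SECRET", frozenset(), "UK")          # only the (U) portion
ANALYST_FULL = Subject("TOP SECRET", frozenset({"CPT1"}), "US")
```

Two design points matter here. Provenance is checked before any attribute is compared, so a tag that was altered without the owner's key is not merely "wrong", it is unusable, which is what makes the owner accountable for it; and because the attestation is keyed per owner, an audit can attribute every released portion to the owner who signed its tag rather than to a reviewer who rubber-stamped it. A tamper that keeps the tag but edits the text fails for the same reason, since the text hash is inside the attested body.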

Table 10

Case Study B -- IS Practitioner Interview Question 4 and Responses

B-ISP-Q4a: What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment?
B-ISP-A4a: "The requirement to keep patches and security updates compliant."

B-ISP-Q4b: What should be changed?
B-ISP-A4b: "Verification of patching and security updates should be a systematic process as opposed to a manual process."

B-ISP-Q4c: What should be added?
B-ISP-A4c: "System patch status should be made a continuous process as opposed to a snapshot in time."

B-ISP-Q4d: What should be dropped?
B-ISP-A4d: "The excessive number of manual audits should be dropped from the framework as they are not indicative of a healthy system."

81

Table 11

Case Study B -- IS Practitioner Interview Question 5 and Response

Question Index Interview Question Response Index Interview Response

B-ISP-Q5a Are there any other

aspects of your

information assurance

framework that you would

like to discuss with the

interviewer?

B-ISP-A5a “The IA and IS disciplines

need to get back to the

basics of confidentiality,

integrity, and availability of

data and the supporting

systems. The big-data

approach seems to

encourage things like over

classification of the data,

mishandling operationally

critical systems, and

ignoring the importance of

realistic control structures

and practices.”

Direct Observation

The researcher conducted the direct observation portion of this case study at the study subject's regular operating location over an eight-hour period of normal operations. During that period the researcher observed the staff of study subject B perform assigned analysis, generate management reports, perform data maintenance tasks, and perform data verification audits. It is significant to note that at the time of this case study the organization was running and using both a big-data environment and the legacy traditional database environment for the daily operations of the organization. The researcher observed a definite separation between those staff members that relied on the big-data environment to perform their daily tasks and those that remained in the legacy environment. The researcher noted that there were three demographics that differentiated those staff members that made use of the big-data environment from those that relied on the legacy environment. Those staff members that remained working in the legacy environment tended to be long-term employees (10 or more years with the organization) that had been in the same position prior to the organization's adoption of a big-data paradigm. There appeared to be no differentiation across age or education level. When the staff using legacy systems were asked why they did not use the big-data solution, these staff gave responses that implied a lack of trust in the data associated with the big-data environment. They perceived a lack of adequate governance controls and stated that they did not trust where the data came from. When asked why they did not trust the big-data systems, responses ranged from not knowing where the data originated to not understanding how access to the data was controlled. One analyst stated that he “did not have confidence in the history [provenance] of the data.” Another analyst felt that she “had no idea who had tampered with the data.” A third analyst remarked that “no one could prove to them that the data was taken from the authoritative source.” All these reasons are indicators of a lack of confidence in the IA control framework as applied to big-data. Further querying of the analyst community uncovered the belief that the deep understanding of the data used by the individual was part of the value that person gave to the organization and that sharing that data threatened their feeling of importance to the organization.

By contrast, those staff members that embraced the big-data paradigm were those that had joined the organization in the last ten (10) years or had recently been placed in their current position. The big-data adopters tended to have postgraduate degrees and be below the age of forty (40). When the researcher engaged this group it became apparent that they had confidence in the IA control framework. The analysts that embraced the big-data paradigm made statements that “having this much data only makes our response better,” and “this is great all data should be discoverable and made available to whoever wants to analyze it[sic].” Further, the same group expressed a belief that data should be exposed across a domain.

Historical Document Review

The organization has been through three (3) audit cycles while operating in a big-data environment. As a member of the defense industrial complex the organization has chosen to comply with DoD 8510.01 Risk Management Framework (RMF) for DoD IT and the Information Assurance Minimum Security Control Checklist (SCC). The historical document review section of the case study entailed reviewing the documentation produced during the three (3) IA controls audit cycles. The researcher found no difference in audit notes across all three (3) audit cycles. All audit reports were scored as meets control standards.

Case study C: The subject organization of case study C is a staffing and services provider to the Department of Defense (DoD). The target organization began adoption of a big-data environment five years prior to this study, in May of 2010. The organization has been through four (4) audit cycles while operating in a big-data environment. As a member of the defense industrial complex the organization has chosen to comply with DoD 8510.01 RMF for DoD IT and the Information Assurance Minimum Security Control Checklist (SCC).

The SCC defines a set of minimum security requirements agencies must meet, defined through the use of security controls described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” DoD Instruction (DoDI) 8500.2, “Information Assurance Implementation,” FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” and associated documents.

The SCC encompasses 157 information assurance (IA) controls from which each agency must establish a baseline set. Each IA control describes an objective IA condition achieved through the application of specific safeguards, or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the objective condition for every IA control are assignable, and thus accountable. The IA controls specifically address availability, integrity, and confidentiality requirements, but also take into consideration the requirements for non-repudiation and authentication.

The RMF includes a complete specification of information assurance and security controls and a system categorization methodology. The case study of subject organization B included face-to-face interviews, direct observation, and review of historical audit documentation.

Face-to-Face Interviews

The researcher conducted face-to-face interviews with a selected senior executive, an IA professional, and an IS practitioner using the structured questions defined in the Data Collection section of Chapter 3. The demographic question defined in the same section preceded the interviews. Interviews were conducted with a senior executive, an IA professional, and an IS practitioner.

The legal department of study subject C insisted that the final interview content for all interviews be approved by their office prior to inclusion in this multiple case study. They further requested that all content from the case C interviews be collected and presented in a question and quoted answers format as opposed to common narrative format. To ensure compliance with the conditions required by the legal department the researcher presented the interview questions in written form. In order to answer any questions, the interview subject could request that the researcher sit with the subject while the subject wrote out their responses to the questions. Given the restrictions placed on the researcher by the case study target organization, the responses to the one-on-one interviews are presented in table format as opposed to the narrative format used in prior case studies.

Senior Executive

The senior executive selected for the face-to-face interview was the organization's Deputy Chief Information Officer (DCIO). The DCIO has been with the organization for 15 years and was the driving force for the organization's adoption of a big-data paradigm.

Table 12

Case Study C – Senior Executive Interview Question 1 and Responses

Question Index Interview Question Response Index Interview Response

C-SE-Q1a What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment? C-SE-A1a “Marking/tagging of structured and unstructured intelligence products at the portion level (paragraph, record, etc.) to reflect classification, compartmentation, special access controls, and associated caveats.”

C-SE-Q1b What should be changed? C-SE-A1b “We need to do more to trust the accuracy of the applied tags across the human and machine components of the IA posture. A trust-based presumption of accuracy will do much to enable discovery, access, analysis, and cross-domain dissemination.”

C-SE-Q1c What should be added? C-SE-A1c “We should hold individual intelligence producers more accountable for the tags that they apply or cause to be applied, empower them through not only training but trust, and enable their work through greater automation.”

C-SE-Q1d What should be dropped? C-SE-A1d “The layering-in of first reviews, second reviews, and other quality control inspectors; ostensibly aimed at verifying the accuracy of applied tags, the post-production inspection steps add little value and, in fact, hinder analysis and dissemination.”

Table 13

Case Study C – Senior Executive Interview Question 2 and Responses

Question Index Interview Question Response Index Interview Response

C-SE-Q2a What are the key factors in the organization's decision making cycle using the existing IA control framework that are effective in the big-data environment? C-SE-A2a “Generating and staffing data owner’s guides and related policy documents aimed at shaping individual human and machine actions relative to the marking/tagging and subsequent handling of classified, compartmented, and special access data.”

C-SE-Q2b What should be changed? C-SE-A2b “Data owner’s guide and related policy documents should be tied to specific data sets vice systems. Tying them to systems introduces fog, friction, and the potential for the enterprise’s net IA behavior to deviate from the commander’s intent.”

C-SE-Q2c What should be added? C-SE-A2c “We should assign and hold accountable data stewards with scopes of responsibility aligned to specific data sets vice systems. Those stewards should take the lead in the crafting of classification guides, marking policies, and release rulesets.”

C-SE-Q2d What should be dropped? C-SE-A2d “We should drop data owner’s guide and related policy documents tied to individual systems, noteworthy examples of which include the databases operated by the relatively large and diverse community of Mission Business Owners.”

Table 14

Case Study C – Senior Executive Interview Question 3 and Responses

Question Index Interview Question Response Index Interview Response

C-SE-Q3a What are the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? C-SE-A3a “The elements of the intelligence process that compel analysts to be deliberate in identifying sources and methods and equally deliberate in using the source and method data to make decisions about classification, compartmentation, and the like.”

C-SE-Q3b What should be changed? C-SE-A3b “More emphasis on the use of automation to apply rulesets from data owners’ guides, security classification guides, and related policy documents; more automation-ready guidance relative to the aggregation of sources and methods.”

C-SE-Q3c What should be added? C-SE-A3c “Clear, automation-ready guidance about the aforementioned aggregation problem set. Aggregation, particularly in an all-source analytical setting, is one of the thorniest IA issues we face as an organization.”

C-SE-Q3d What should be dropped? C-SE-A3d “We should drop manual, off-line processes, particularly those that involve multiple, largely subjective human reviews, often by personnel without sufficient expertise related to the specific sources and/or methods in question.”

Table 15

Case Study C – Senior Executive Interview Question 4 and Responses

Question Index Interview Question Response Index Interview Response

C-SE-Q4a What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? C-SE-A4a “The concept that there are classification levels, compartmented, special access handling constraints, and other caveats balanced against Intelligence Oversight, Civil Liberties, Records Management, and Freedom of Information Act imperatives.”

C-SE-Q4b What should be changed? C-SE-A4b “With the thought that the fundamentals still apply, we should rely more heavily on existing concepts and terminologies while training, educating, and empowering an analytical workforce venturing into the world of big-data.”

C-SE-Q4c What should be added? C-SE-A4c “Automated tools that help leadership identify, assess, and promptly address cases where humans or machines are acting in a manner that deviates from our balanced rulesets about the handling of classified, compartmented, and special access data.”

C-SE-Q4d What should be dropped? C-SE-A4d “Manual processes for identifying, assessing, and addressing potential security incidents stemming from human and/or machine deviations from our rulesets about the handling of classified, compartmented, and special access data.”

Table 16

Case Study C – Senior Executive Interview Question 5 and Response

Question Index Interview Question Response Index Interview Response

C-SE-Q5a Are there any other aspects of your information assurance framework that you would like to discuss with the interviewer? C-SE-A5a “We need to be brilliant with the basics. If we continue to do things like mismark classified data, mishandle compartmented data, and mismanage special access data, we’ll be putting national intelligence and, more broadly, national security at grave risk. That was true fifty years ago. It’s true today. It will be true fifty years from now. Our application of big-data needs to honor this truism.”

IA Professionals

In order to assure a base of foundational subject knowledge, the researcher chose a senior member of the organization's audit staff who held the CISA certification for the IA professional face-to-face interview.

Table 17

Case Study C – Information Assurance Professional Interview Question 1 and Responses

Question Index Interview Question Response Index Interview Response

C-IAP-Q1a What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment? C-IAP-A1a “The use of a well understood ontology for the tagging of structured and unstructured data. The support of a recognized governing body for the control framework.”

C-IAP-Q1b What should be changed? C-IAP-A1b “The control framework should increase the level of ongoing auditor and user training required. Further, the framework should make the use of system-based auditing tools and continuous audit mandatory.”

C-IAP-Q1c What should be added? C-IAP-A1c “Some sort of tagging accuracy metric that can be used to hold data owners accountable for the application of accurate data tagging.”

C-IAP-Q1d What should be dropped? C-IAP-A1d “The framework needs to limit the use of human-based auditing.”

Table 18

Case Study C – Information Assurance Professional Interview Question 2 and Responses

Question Index Interview Question Response Index Interview Response

C-IAP-Q2a What are the key factors in the organization's decision making cycle using the existing IA control framework that are effective in the big-data environment? C-IAP-A2a “The enforcement of a base set of controls and the requirement for continuous updating of those controls. The structured framework of attribute checks that can be applied to the environment to verify that the required controls are in place.”

C-IAP-Q2b What should be changed? C-IAP-A2b “Big-data audit requires the use of automated auditing tools; the control framework should require the use of these tools.”

C-IAP-Q2c What should be added? C-IAP-A2c “Due to the complexity of a big-data environment the controls should encourage or require more user and auditor big data use training.”

C-IAP-Q2d What should be dropped? C-IAP-A2d “The use of human-based audit as the authoritative audit is not effective in a big-data environment and should be dropped from the controls framework.”

Table 19

Case Study C – Information Assurance Professional Interview Question 3 and Responses

Question Index Interview Question Response Index Interview Response

C-IAP-Q3a What are the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? C-IAP-A3a “The framework forces data consumers to identify the sources and transfer methods of the data that is used in critical mission reporting.”

C-IAP-Q3b What should be changed? C-IAP-A3b “Less reliance on human-based auditing.”

C-IAP-Q3c What should be added? C-IAP-A3c “More user and auditor training and require the use of automated and active continuous auditing tools.”

C-IAP-Q3d What should be dropped? C-IAP-A3d “The use of desk-audit types of checklists should be dropped from the controls framework.”

Table 20

Case Study C – Information Assurance Professional Interview Question 4 and Responses

Question Index Interview Question Response Index Interview Response

C-IAP-Q4a What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? C-IAP-A4a “The framework controls that support classification of data, that govern the transport of data, and that measure regulatory compliance remain effective in a big-data environment.”

C-IAP-Q4b What should be changed? C-IAP-A4b “How auditors perform control audits, less desk audit, more automated and active auditing.”

C-IAP-Q4c What should be added? C-IAP-A4c “User and auditor training and automated auditing procedures.”

C-IAP-Q4d What should be dropped? C-IAP-A4d “Desk-audit manual paper checklists. The excessive use of human-based auditing.”

Table 21

Case Study C – Information Assurance Professional Interview Question 5 and Response

Question Index Interview Question Response Index Interview Response

C-IAP-Q5a Are there any other aspects of your information assurance framework that you would like to discuss with the interviewer? C-IAP-A5a “Without training in the subtle differences of auditing in a big-data environment as opposed to traditional environments, auditors will lose sight of the basics of sound audit practices.”

IS Practitioner

The Senior IS Engineer (IS practitioner) chosen for this interview holds the CISSP, CISA, and CISM certifications. These certifications assure that the interview subject has a foundation in IS and IA practices.

Table 22

Case Study C – Information Assurance Professional Interview Question 6 and Response

Question Index Interview Question Response Index Interview Response

C-ISP-Q1a What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment? C-ISP-A1a “The enforcement of regularly scheduled and unannounced IS control audits remains an effective strategy to ensure continual readiness.”

C-ISP-Q1b What should be changed? C-ISP-A1b “Automated, continual, and active environment scanning with a deep scanning tool as opposed to the scan during audit strategy.”

C-ISP-Q1c What should be added? C-ISP-A1c “The controls should require an up-to-date and accurate set of enterprise architectural drawings and accurate data flows. These artifacts should be systematically updated whenever a change is made to the environment.”

C-ISP-Q1d What should be dropped? C-ISP-A1d “Drop the use of desk-audit checklists and the reliance on human-in-the-loop auditing.”

Table 23

Case Study C – IS Practitioner Interview Question 2 and Responses

Question Index Interview Question Response Index Interview Response

C-ISP-Q2a What are the key factors in the organization's decision making cycle using the existing IA control framework that are effective in the big-data environment? C-ISP-A2a “Those controls that enforce verification of end to end control implementation. Those controls that govern how new network trust relationships are stood-up and how existing trust relationships are torn down.”

C-ISP-Q2b What should be changed? C-ISP-A2b “Continuous audit of trusted network relationships and data flows.”

C-ISP-Q2c What should be added? C-ISP-A2c “Additional training with regard to the IS audit practices and the IS responsibilities of the user community.”

C-ISP-Q2d What should be dropped? C-ISP-A2d “The high occurrence of human-based desk audits.”

Table 24

Case Study C – IS Practitioner Interview Question 3 and Responses

Question Index Interview Question Response Index Interview Response

C-ISP-Q3a What are the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? C-ISP-A3a “The framework recommendation for the use of attribute based access control (ABAC) as the access control strategy for the organization.”

C-ISP-Q3b What should be changed? C-ISP-A3b “Automated and continuous audit of the ABAC structure and appropriateness of the attribute assignment.”

C-ISP-Q3c What should be added? C-ISP-A3c “There is a need for increased IS practitioner, IAS auditor, and user training of the IS responsibilities and practices in a big-data environment.”

C-ISP-Q3d What should be dropped? C-ISP-A3d “Move away from human-based point in time audits in favor of automated continuous auditing.”

Table 25

Case Study C – IS Practitioner Interview Question 4 and Responses

Question Index Interview Question Response Index Interview Response

C-ISP-Q4a What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? C-ISP-A4a “The controls that verify the organization's compliance with security patches and software licenses.”

C-ISP-Q4b What should be changed? C-ISP-A4b “Validation of security patch and software licenses should be systematic and continuous through some sort of configuration management framework.”

C-ISP-Q4c What should be added? C-ISP-A4c “Network and data flow health verification should be continuous, systematic and active.”

C-ISP-Q4d What should be dropped? C-ISP-A4d “The excessive number of manual audits should be dropped from the framework.”

Table 26

Case Study C – IS Practitioner Interview Question 4 and Responses

Question Index Interview Question Response Index Interview Response

C-ISP-Q5a Are there any other aspects of your information assurance framework that you would like to discuss with the interviewer? C-ISP-A5a “IS practitioners need to get back to the basics of protecting the IT resources of the organization in alignment with the mission as opposed to simply getting a good mark on the next audit. The organization needs to control the big-data tendency to encourage over classification of the data, mishandling operationally critical systems, and ignoring the importance of practical and value add control structures and practices.”

Direct Observation

The researcher conducted the direct observation portion of this case study at the study subject's regular operating location over an eight-hour period of normal operations. During that period the researcher observed the staff of study subject C perform assigned analysis, generate request management reports, perform data maintenance tasks, and perform data verification audits. It is significant to note that at the time of this case study the organization had transitioned all data operations to a big-data environment, and while the legacy traditional database environment was still near-line it was not directly accessible by staff. The legacy environment was kept near-line in the event that some data did not get transitioned from the legacy databases to the big-data environment.

The organization's data strategy stated that all data operations would be performed within the big-data environment. During the direct observation the researcher did not witness any behaviors that implied there was a lack of user acceptance of the big-data environment. When queried as to their perceptions of the big-data environment the analysts had responses such as “the decrease in response time allows me to produce more. Having access to new data sets allows me to get creative in my responses.” One of the long-time analysts stated that “she does not know why they did not make the move to big-data much sooner as she is producing better intel[sic].” The user response to casual inquiry gave the researcher the impression that this user community felt that the big-data environment made them more efficient at their assigned tasks.

Historical Document Review

At the time of this study organization C had completed five (5) audit cycles while operating in a big-data environment. As a member of the defense industrial complex the organization has chosen to comply with DoD 8510.01 RMF for DoD IT and the Information Assurance Minimum Security Control Checklist (SCC). The historical document review section of the case study entailed reviewing the documentation produced during the five (5) IA controls audit cycles. The researcher found that the IA audit performed directly after the implementation of a big-data environment indicated that the organization “was in a state of noncompliance with regard to information assurance controls due to weak provenance verification and weak access control to critical data.” A noncompliant audit finding required the organization to put a remediation plan in place to correct the observed deficiencies. As part of the remediation plan the organization implemented the DoD 8510.01 RMF for DoD IT and the Information Assurance Minimum Security Control Checklist (SCC). The four (4) subsequent audit findings were listed as “compliant with RMF.”

Results

This study identifies those factors that influence the perceived effectiveness of traditional IA control frameworks and how the effectiveness of the identified IA control framework factors is impacted when applied to a big-data environment. The study identifies changes that are needed to increase the effectiveness of the IA control framework within a big-data environment. During the face-to-face interviews, ten (10) factors that influenced the perceived effectiveness of traditional IA control frameworks were evident. Senior executives cited consistency of application, thorough documentation, and acknowledged risk reduction as those attributes that made traditional IA control frameworks effective. The Information Assurance (IA) professionals keyed into the framework attributes that supported the identification (or inventory), classification, and tagging of the data. The IA professionals also noted the existence of an unambiguous set of control checkpoints as an attribute of an effective IA control framework. Information Security (IS) practitioners cited edge security requirements, trusted network structures, and strong password requirements as the attributes of an effective IA framework. All three interview segments cited domain acceptance of an IA control framework as an attribute of effectiveness.

Table 27

Perceptions of effectiveness

Sr. decision makers: Traditional IA frameworks in a big-data environment:
- Relatively effective but some reengineering is needed.
- May not adequately reduce risk.
- Need to increase enterprise training requirements.
- Need to reduce reliance on human-in-loop procedures.
- Need increased use of standardized audit tools.

IA professionals: Traditional IA frameworks in a big-data environment:
- Moderately effective with special attention needed.
- Reduced ability to adequately verify the provenance and data health.
- Are weak in identification of critical data.
- Put personal identification information (PII) at risk of exposure.
- Rely too heavily on human audits such as desk audit.
- Expose a training gap.

IS practitioners: Traditional IA frameworks in a big-data environment:
- Are inadequate as they do not provide continuous coverage. Do not support the highly dispersed nature of big-data.
- Do not contain the controls necessary to safeguard a trusted network environment.
- Rely too heavily on human intervention to reduce risk.
- Do not allow for systematic audit of security controls.
- Lack the needed training for all levels of an organization.

When the interview questions asked for perceptions on how big-data impacted the

effectiveness of traditional IA control frameworks each of the three segments: senior executive,

IA professional, and IS practitioner had very different perceptions, as shown in Table 26. Senior

executives felt that the traditional IA frameworks were relatively effective but some

reengineering was needed with regard to the audit and attestation of data sources. Senior

executives were concerned that the traditional IA frameworks applied to a big-data environment

did not adequately reduce risk. IA professional were concerned with the ability of traditional IA

frameworks to control the provenance, data tagging, and identification of critical data as well as

101

protect personal identification information (PII). IS practitioners were concerned that the

traditional IA frameworks do not present controls that are tuned to the architecture that is needed

to support a big-data environment. They also expressed concern that the traditional IA

frameworks were not developed with the highly dispersed nature of big-data in mind and

therefore while the frameworks had the requisite structures, they did not contain the controls

necessary to safe guard a trusted network environment.

Both the IA professionals and the IS practitioners felt that users and auditors operating in

a big-data environment required training with regard to IA and IS practices and responsibilities

when operating in a big-data environment. This group felt that such training should be seen as

an IA control to be measured and tested by the IA controls framework.

Senior executive, IA professionals, and IS practitioners cited a need to drop the practices

of desktop audits consisting of a checklist that is performed at a single point in time. They

unanimously felt that this audit practice needs to be replaced with systematic, active, and

continuous audits supported by automated audit tools.

During the direct observation phase of case studies A and B, a stratification along the lines of time in the organization became apparent. There was an observable difference in operational behavior between those who had joined the organization during or after the adoption of big-data and those who had been in the organization before it. The behaviors of the latter group were indicative of a low level of confidence in the information compiled from big-data, which is a direct reflection of the perceived effectiveness of the IA controls in place.

Those in the organization prior to the adoption of the big-data paradigm demonstrated a lack of confidence in the effectiveness of the IA controls in assuring data provenance by contacting informal data subject matter experts (SMEs) to verify the provenance of the data objects that comprise a data product. These same people would revert to using any data source that did not fall into the big-data environment. Of particular interest were the occasions on which a big-data product and a traditional data-source product disagreed: members of the organization who predated the adoption of the big-data paradigm would recognize the traditional data product as authoritative, even when presented with evidence to the contrary. The observed behaviors and comments of this segment of staff indicated that the lack of confidence in the ability of traditional IA controls to manage the provenance of data objects in a big-data environment has an impact on the adoption of big-data as a new technology.

During the review of historic documentation, the researcher reviewed the historic IA audit documentation of each of the three case study subject organizations. For case studies A and B there was no significant difference in the IA audit findings between audits performed before and after big-data paradigm adoption. This finding would imply that the adoption of a big-data paradigm has no impact on the effectiveness of the IA control framework, which is inconsistent with the findings obtained during the face-to-face interview and direct observation phases of the case studies. Case study B showed a non-compliant audit result in the first year of big-data adoption. This finding was remediated with the adoption of DoD Instruction (DoDI) 8510.01, "Risk Management Framework (RMF) for DoD IT," and the "Information Assurance Minimum Security Control Checklist" (SCC); all subsequent audits resulted in compliant findings.

Summary

This study identifies ten (10) factors that influence the perceived effectiveness of traditional IA control frameworks:

• Consistent application
• Unambiguous set of control checkpoints
• Recognized by governing bodies
• Risk reduction controls
• Training requirements
• Continuous systematic audit requirements
• Technical network controls
• Identification (or inventory) of critical data
• Classification and tagging of the data
• Specific PII controls

The study goes on to determine the effectiveness of the identified IA framework factors when applied to a big-data environment. The researcher made use of multiple case studies. Each of the three case studies included face-to-face interviews, direct observation, and review of historical documentation. The face-to-face interviews were conducted with a senior executive, an IA professional, and an IS practitioner from each case study. The researcher found that the existence of historical documentation was not consistent across the three case study subject organizations. The subject organization of case study A was an on-shore naval command; the subject organizations of case studies B and C were part of the defense industrial complex. The remainder of this section summarizes the three case studies, stratified by face-to-face interview, direct observation, and historic document review.

During the face-to-face interviews, ten (10) factors that influenced the perceived effectiveness of traditional IA control frameworks were evident. Senior executives cited consistency of application, thorough documentation, and acknowledged risk reduction as the attributes that made traditional IA control frameworks effective. The Information Assurance (IA) professionals focused on the framework attributes that supported the identification (or inventory), classification, and tagging of the data. The IA professionals also noted the existence of an unambiguous set of control checkpoints as an attribute of an effective IA control framework. Information Security (IS) practitioners cited edge security requirements, trusted network structures, and strong password requirements as the attributes of an effective IA framework. All three interview segments cited domain acceptance of an IA control framework as an attribute of effectiveness.

When the interview questions asked for perceptions of how big-data impacted the effectiveness of traditional IA control frameworks, each of the three segments (senior executives, IA professionals, and IS practitioners) had very different perceptions. Senior executives felt that the traditional IA frameworks were relatively effective but that some reengineering was needed with regard to the audit and attestation of data sources. Senior executives were also concerned that traditional IA frameworks applied to a big-data environment did not adequately reduce risk. IA professionals were concerned with the ability of traditional IA frameworks to control the provenance, data tagging, and identification of critical data, as well as to protect personally identifiable information (PII). IS practitioners were concerned that the traditional IA frameworks do not present controls tuned to the architecture needed to support a big-data environment. They also expressed concern that the traditional IA frameworks were not developed with the highly dispersed nature of big-data in mind, and therefore, while the frameworks had the requisite structures, they did not contain the controls necessary to safeguard a trusted network environment.

During the direct observation phase of the multiple-case study, behavior was observed that does not support the UTAUT. The UTAUT recognizes age, gender, experience, and voluntariness of use as moderators of the relationship between perceived usefulness, ease of use, and adoption of new technology (Marchewka, Liu, & Kostiwa, 2007; Venkatesh et al., 2003). There was an evident stratification in the adoption of the big-data environment along the lines of time in the organization. There was an observable difference in user behavior between those who had joined the organization during or after the adoption of big-data and those who had been in the organization before it. The observed behaviors of those in the organization prior to the adoption of the big-data paradigm were indicative of a low level of confidence in the information compiled from big-data, which is a direct reflection of the perceived effectiveness of the IA controls in place, while those who joined the organization during or after the migration to the big-data solution were more comfortable adopting the new environment.

Those in the organization prior to the adoption of the big-data paradigm demonstrated a lack of confidence in the effectiveness of the IA controls in assuring data provenance by contacting informal data subject matter experts (SMEs) to verify the provenance of the data objects that comprise a data product. These same people would revert to using any data source that did not fall into the big-data environment. Of particular interest were the occasions on which a big-data product and a traditional data-source product disagreed: subjects who were members of the organization prior to the adoption of the big-data paradigm would recognize the traditional data product as authoritative, even when presented with evidence to the contrary. The observed behaviors and comments of this segment of staff indicated that the lack of confidence in the ability of traditional IA controls to manage the provenance of data objects in a big-data environment has an impact on the adoption of big-data as a new technology.

During the review of historic documentation, the researcher reviewed the IA audit documentation of each of the three case study subject organizations. Across all three case study subject organizations there was no significant difference in the IA audit findings between audits performed before and after big-data paradigm adoption. This finding would imply that the adoption of a big-data paradigm has no impact on the effectiveness of the IA control framework, which is inconsistent with the findings obtained during the face-to-face interview and direct observation phases of the case studies. This anomaly requires further research.

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

Introduction

The purpose of Chapter 5 is to present an overview and discussion of the findings and limitations associated with how the adoption of the big-data paradigm affects the key factors that influence the effectiveness of an information assurance (IA) framework. This section of the study discusses the findings, identifies the key factors of effectiveness, and recommends changes that would increase the effectiveness of IA control frameworks when applied to a big-data environment. This chapter includes the discussion of the results, the research conclusions, implications, and limitations, along with recommendations for further research.

Summary of the Results

Decision makers are being inundated with more data than they have ever had access to. There are estimates that the industrialized countries generate 2.5 quintillion bytes of data per day (Geer, 2011). To keep this enormous number in perspective, a quintillion is one followed by 18 zeros. Douglas (2013) and Gobble (2013) characterized this unprecedented growth in data as the catalyst for a new decision-making paradigm. The velocity, volume, variety, and veracity of this data flood, known as big-data, has presented information security (IS) practitioners and information assurance (IA) professionals with new challenges. When called upon to attest to the reliability of the IA/IS control frameworks of their respective organizations, these IA and IS professionals find that they must rely on control frameworks that were engineered for traditional network-centric environments and relational databases (Munné, 2013; Shute, 2012).

The literature reviewed for this study fell loosely into four groupings. The first group discussed the purpose of information security (IS) and the applicability of traditional IS controls in a cloud computing (data-centric) and big-data (index-name data store) environment. The second group covered the structure of information assurance control frameworks in the context of traditional operational environments, ignoring any impact on effectiveness that may result from applying the IA control framework in a big-data environment. The third and most interesting grouping enumerated the increased IS and IA operational risks that come with adoption of a big-data paradigm. The fourth and final grouping delivered definitions and guidance for the various IA and IS control frameworks; the majority of works in this grouping were developed by scholars and scientists associated with the IA framework governing bodies. The methodology employed in a majority of the literature reviewed fell into two categories, survey or direct observation. While both are acceptable research methodologies, neither encourages the open-ended dialog of the face-to-face interviews included in the multiple-case study approach applied to this study (Yin, 2009).

There were contrary views in the literature. In his 2012 work, "Secure and Cost Effective Framework for Cloud Computing Based on Optimization and Virtualization," Patel proposes that the use of optimization and virtualization enhances traditional IA and IS frameworks for effective protection of a big-data environment. In their 2012 work, "A Best Practice Approach for Integration of ITIL and ISO/IEC 27001 Services for Information Security Management," Sheikhpour and Modiri present ITIL as an effective IA/IS control framework for all information processing, including a big-data environment. In 2013, Srinivasan questioned whether security and assurance were even possible in a big-data environment. All of these are sound studies; however, none of their methods addressed the perceptions of stakeholders or IA/IS professionals as the multiple-case study approach used in this study does.

In contrast to the literature reviewed, this qualitative study used the multiple-case study methodology described by Robert K. Yin (2014). A multiple-case study supported by multiple sources of evidence yields findings that are more compelling and robust than those of a study based on a single case (Yin, 2009). The case study approach is appropriate when the research answers a descriptive question, such as what makes an IA control effective (Yin, 2012).

With the application of the multiple-case study approach the researcher realized improved validation, as the evidence from a multiple-case design is considered more compelling and the overall study is therefore regarded as more robust (Yin, 2014). To improve the reliability of the final findings, the study evidence was drawn from the six common sources of evidence (Yin, 2012). The study included direct observation of the behaviors of selected participants in each case study and one-on-one interviews with IA managers, certified IA auditors, and senior decision makers in each of the selected case-study environments. The review of archival documents, such as audit reports and compliance filings, added historic context to the multiple-case studies (Yin, 2012). The review of operational documents, such as operating procedures and standards, gave the researcher a view into the desired control state of each case study subject. To ensure the relevance and cross-study applicability of all the case studies, the same case study protocol was applied across all case study subjects (Yin, 2012).

The study data revealed ten (10) key factors that influence the perceived effectiveness of traditional IA control frameworks:

• Consistent application
  o Policy
  o Procedures
• Unambiguous set of control checkpoints
  o Clearly defined situational applicability
• Recognized by governing bodies
  o Civil and governmental
• Risk reduction controls
  o Strong password validation
  o Proper access levels
• Training requirements
  o Specific requirements for each level of the organization
• Continuous systematic audit requirements
  o Health and compliance scanning
  o Patch and fix application testing
• Technical network controls
  o Edge security validation
  o Validation of trusted network structures
• Identification (or inventory) of critical data
• Classification and tagging of the data
• Specific PII controls

Each of the three interview strata: senior decision makers, IA professionals, and IS

practitioners, had a different perception of the key factors of effectiveness and the effectiveness

of traditional IA control frameworks in a big-data environment.

Table 28

Key Factors of Perceived Effectiveness

Interview stratum: Sr. decision makers
Key factors of effectiveness:
• Consistency of application
• Recognition by governing bodies
• Acknowledged risk reduction
• Required training at the enterprise level
• Enforced continuous audit
Perceived effectiveness in a big-data environment:
• Relatively effective, but some reengineering is needed with regard to the audit and attestation of data sources. Traditional IA frameworks applied to a big-data environment do not adequately reduce risk.
• Need to increase enterprise training requirements.
• Need to reduce reliance on human-in-the-loop procedures.

Interview stratum: IA professionals
Key factors of effectiveness:
• Identification (or inventory) of critical data
• Classification and tagging of the data
• Unambiguous set of control checkpoints
• Enforced systematic continuous audit
• Relevant training required for IA and IS staff
• Specific PII controls
Perceived effectiveness in a big-data environment:
• Moderately effective; there is a reduced ability to adequately verify the provenance, data tagging accuracy, and identification of critical data, as well as to protect personally identifiable information (PII).
• Rely heavily on human audits such as desk audits.
• Expose a training gap.

Interview stratum: IS practitioners
Key factors of effectiveness:
• Edge security validation
• Validation of trusted network structures
• Health and compliance scanning
• Strong password validation
• Enforced systematic continuous audit of security policies
• Training required at all levels of the organization
• Technical network controls
Perceived effectiveness in a big-data environment:
• Traditional IA frameworks are inadequate, as they were not developed with the highly dispersed nature of big-data in mind.
• Do not contain the controls necessary to safeguard a big-data trusted network environment.
• Do not allow for systematic audit of security controls.
• Lack the training needed for all levels of an organization.

Note: All three strata expressed common concerns with the traditional IA frameworks: (1) the dependency on human-based, point-in-time audits; (2) the need for specialized training; and (3) that effectively auditing a big-data environment requires the implementation of systematic, continuous audit processes.

Behaviors witnessed during the direct observation sessions of each of the case studies indicated a lack of trust in the IA control frameworks. When given the choice of depending on the legacy data environment to meet their tasks, individuals who had been with an organization prior to the adoption of the big-data paradigm would revert to the legacy system, while those who had joined the organization during or after the migration to the big-data solution were more comfortable with the new environment. This separation in adoption was defined strictly by time with the organization, as opposed to age or education level as one might expect.

The review of historic audit documentation showed no significant difference in the IA audit findings between audits performed before and after big-data paradigm adoption. This finding would imply that the adoption of a big-data paradigm has no impact on the effectiveness of the IA control framework, which is inconsistent with the evidence gathered during the face-to-face interview and direct observation phases of the case studies. This anomaly requires further research.

Discussion of the Results

The evidence gathered during the multiple-case studies uncovered ten key attributes of information assurance (IA) control framework effectiveness. It is interesting that each of the three face-to-face interview strata had its own perception of the keys to effectiveness for traditional IA control frameworks, along with some overlapping keys that cross all strata. Senior decision makers were concerned with those factors that mitigate risk and indicate good governance of the IA process. IA professionals cared about the controls that enable the verification, validation, and protection of the critical information assets of the organization. The IS practitioners were concerned with the controls that assure the stability and integrity of the extended organization's network. The common factors across all strata were the need for systematic, continuous control auditing (i.e., removing the human-in-the-loop periodic audit) and the need for ongoing IA education at all levels of the organization as an IA control.

Direct observation of daily operations exposed what may be a lack of confidence in the reliability of the big-data paradigm. When given the choice of depending on the legacy data environment or using the big-data environment, individuals who had been with an organization prior to the adoption of the big-data paradigm would use the legacy system, while those who had joined the organization during or after the migration to the big-data solution were more comfortable with the new environment. This behavior could be due to a lack of confidence, or it could be based on resistance to change.

During the review of historic audit documentation, no significant difference was seen in the IA audit findings between audits performed before and after big-data adoption. This lack of difference in audit findings would imply that the adoption of a big-data paradigm had no impact on the effectiveness of an organization's IA control framework, which is inconsistent with the evidence gathered during the face-to-face interview and direct observation phases of the case studies.

Conclusions Based on the Results

The results show a differentiation between the three strata of case study participants that is consistent across all three case studies. Senior decision makers feel that the traditional IA frameworks are relatively effective but that some reengineering is needed with regard to the audit and attestation of data sources. These senior leaders are concerned that traditional IA frameworks applied to a big-data environment do not adequately reduce risk. IA professionals expressed concern with the reduced ability to adequately verify the provenance, data tagging accuracy, and identification of critical data, as well as to protect personally identifiable information (PII). The IS practitioners were more tactical in their perception that traditional IA frameworks were not developed with the highly dispersed nature of big-data in mind and that the frameworks do not contain the controls necessary to safeguard a big-data trusted network environment. There was some commonality in that all three strata expressed concern with the traditional IA frameworks' dependency on human-based, point-in-time audits, and all three strata felt that effectively auditing a big-data environment requires systematic, continuous audit processes. The data gathered during the multiple-case studies leads one to infer that traditional IA control frameworks are engineered to take advantage of the foundational controls of a traditional network-centric IT environment. In a traditional database environment, the database management software supplies foundational controls such as read/write access control, content typing, and audit logging. In a big-data environment those foundational controls must be implemented by intention. Thus, while the key factors of traditional controls are perceived as structurally sound and effective, to remain effective in a big-data environment traditional controls and their associated key factors require some level of reengineering, or, as in the case of training, greater application is required to gain the perception of trust in a big-data environment.
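As an added example, not from the dissertation or any case-study organization, the Python below implements by intention, over a flat key-value object store, three of the foundational controls that a relational database would otherwise supply: classification tagging with inheritance (a data product derived from a PII-tagged object is itself PII), clearance-checked read and write with an audit log, and provenance by digest so that a data product can be verified back to its originating sources. The classification lattice, principals, object keys, and contents are all constructed for illustration.

```python
"""Foundational controls added by intention over a flat object store.

Added example; not code from the dissertation or any case-study organization.
A relational DBMS supplies access control, content typing and audit logging;
a schemaless object store does not, so this wrapper adds them. Tags,
principals, keys and contents below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed classification lattice, least to most restrictive.
TAGS = ["PUBLIC", "INTERNAL", "PII"]


def rank(tag: str) -> int:
    return TAGS.index(tag)


@dataclass
class DataObject:
    key: str
    content: bytes
    tag: str
    source: str                                      # originating system for source objects
    inputs: list[str] = field(default_factory=list)  # keys this product was derived from

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class ControlledStore:
    """Object store enforcing tag inheritance, clearance checks, logging and provenance."""

    def __init__(self) -> None:
        self._objects: dict[str, DataObject] = {}
        self._recorded: dict[str, str] = {}   # key -> digest recorded at write time
        self.audit_log: list[dict] = []

    def _log(self, principal: str, action: str, key: str, allowed: bool, why: str = "") -> None:
        self.audit_log.append({"principal": principal, "action": action,
                               "key": key, "allowed": allowed, "why": why})

    def put(self, principal: str, clearance: str, obj: DataObject) -> DataObject:
        missing = [k for k in obj.inputs if k not in self._objects]
        if missing:
            self._log(principal, "put", obj.key, False, f"unknown inputs {missing}")
            raise KeyError(missing)
        # A derived product inherits the most restrictive tag among itself and its inputs.
        obj.tag = max([obj.tag] + [self._objects[k].tag for k in obj.inputs], key=rank)
        if rank(obj.tag) > rank(clearance):
            self._log(principal, "put", obj.key, False, "insufficient clearance")
            raise PermissionError(obj.key)
        self._objects[obj.key] = obj
        self._recorded[obj.key] = obj.digest()
        self._log(principal, "put", obj.key, True)
        return obj

    def get(self, principal: str, clearance: str, key: str) -> DataObject:
        obj = self._objects[key]
        if rank(obj.tag) > rank(clearance):
            self._log(principal, "get", key, False, "insufficient clearance")
            raise PermissionError(key)
        self._log(principal, "get", key, True)
        return obj

    def provenance(self, key: str) -> list[str]:
        """Flatten a product's lineage to the set of originating systems."""
        obj = self._objects[key]
        if not obj.inputs:
            return [obj.source]
        sources: set[str] = set()
        for k in obj.inputs:
            sources.update(self.provenance(k))
        return sorted(sources)

    def verify(self, key: str) -> bool:
        """True if the object and every ancestor still match their recorded digests."""
        obj = self._objects[key]
        return obj.digest() == self._recorded[key] and all(self.verify(k) for k in obj.inputs)


def read_allowed(store: ControlledStore, principal: str, clearance: str, key: str) -> bool:
    try:
        store.get(principal, clearance, key)
        return True
    except PermissionError:
        return False


def run_demo() -> dict:
    """Build a small store, derive a product, test clearance, then simulate tampering."""
    store = ControlledStore()
    # Two constructed source objects: a public sensor feed and a PII personnel roster.
    store.put("ingest-svc", "PII", DataObject("sensor", b"temp=21.5;hull=ok", "PUBLIC", "sensor-feed-7"))
    store.put("ingest-svc", "PII", DataObject("roster", b"id=1234;name=J. Doe", "PII", "hr-roster-export"))
    # The analytics pipeline labels its report INTERNAL; the store raises it to PII.
    report = store.put("analytics", "PII",
                       DataObject("report", b"readiness=92%", "INTERNAL", "analytics", ["sensor", "roster"]))
    results = {
        "report_tag": report.tag,
        "provenance": store.provenance("report"),
        "analyst_reads_sensor": read_allowed(store, "analyst", "INTERNAL", "sensor"),
        "analyst_reads_report": read_allowed(store, "analyst", "INTERNAL", "report"),
        "verify_before": store.verify("report"),
    }
    # Out-of-band edit of a source object, bypassing put(): the lineage check catches it.
    store._objects["roster"].content = b"id=1234;name=J. Doe;rank=O6"
    results["verify_after_tamper"] = store.verify("report")
    results["denied_events"] = sum(1 for e in store.audit_log if not e["allowed"])
    return results


if __name__ == "__main__":
    print(run_demo())
```

The provenance check answers mechanically the question the pre-adoption staff were putting to informal SMEs: which sources did this product come from, and have they changed since it was built? Because enforcement lives in the wrapper rather than in the store itself, an out-of-band write that bypasses put() is not prevented, only detected on the next verify(); preventing it requires access controls on the underlying store, which is exactly the foundational control a DBMS would have supplied.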

Comparison of Findings with Theoretical Framework and Previous Literature

The UTAUT recognizes age, gender, experience, and voluntariness of use as moderators of the relationship between perceived usefulness, ease of use, and adoption of new technology (Marchewka, Liu, & Kostiwa, 2007; Venkatesh et al., 2003). During the direct observation phase of the multiple-case study, behavior was observed that does not support the UTAUT. The behaviors observed imply that in two of the three case studies age, gender, experience, and voluntariness had little if any effect on the adoption of the big-data environment. The adoption behavior was determined by when the user joined the organization. Those who were in the organization prior to implementation of the big-data environment displayed confidence in the validity of the data contained in the legacy systems, while those who joined the organization during or after the implementation of the big-data environment tended to rely on the big-data environment for their mission data needs. The third case study did not allow for non-adoption, as the organization made a complete transition to the big-data environment, leaving users no choice but to adopt it.

If the IA and IS professionals responsible for safeguarding the IA environment of the organization are to attest to the confidentiality, integrity, availability, and reliability of the information assets of their organizations, they must have confidence in the control frameworks on which they rely (Douglas, 2013). The data gathered during this qualitative study supports the majority of the previous research reviewed for this study. The previous research infers that a clearly defined set of effective, adequate, and proportionate information assurance controls is required to protect information assets and to enable IA and IS professionals to provide confidence to interested parties (Bisong and Rahman, 2011; Faris et al., 2014).

As the IA professional community is called upon to assess the effectiveness of proposed big-data environment control frameworks, the attributes of effectiveness defined in this study can be used to establish a much-needed common baseline of minimal acceptable attributes ("Holistic approach needed for big-data security," 2013). By contributing to an understanding of the factors that influence the effectiveness and acceptability of an IA control framework, this study will enable the development and adoption of IA control frameworks that are effective in a big-data environment (Frankel, 2012), thereby enabling the development of IA control frameworks that support the big-data paradigm and subsequently the advancement of the data science domain.

Interpretation of the Findings

This multiple-case study identified those factors that influence the perceived effectiveness of traditional IA control frameworks and determined how the perception of effectiveness is impacted when the IA control frameworks are applied to a big-data environment. The methodologies used by previous qualitative studies on this topic tend to make use of survey, direct observation, or a single case study. While both survey and direct observation are acceptable research methodologies, neither encourages the open-ended dialog of the face-to-face interviews included in the multiple-case study approach applied to this study (Yin, 2012). A multiple-case study supported by multiple sources of evidence yields findings that are more compelling and robust than those of a study based on a single case (Yin, 2009).

Previous survey and direct observation studies approached IA controls either from an enterprise-wide perspective or from a single level of the community, and previous case studies used a single-case approach. This study made use of a multiple-case study and approached the issue from the perspective of three groups: those who use big-data to make decisions that impact the organization (senior decision makers); those responsible for attesting to the reliability and accuracy of the data used by senior decision makers (IA auditors); and those tasked with assuring the confidentiality, availability, and integrity of the data used by the organization (information security professionals).

Previous studies examined the foundational challenges of adopting big-data, while other authors discussed the operational risks of adopting a big-data paradigm (Burkon, 2013; Denning & Denning, 2010; Parakkattu & Kunnathur, 2010; Nanavati et al., 2014; Srinivasan, 2013). Johnston and Hale (2009) evaluated the need for an effective IA control framework; however, they did not elaborate on the possible attributes of an effective IA control framework. The previous works covered many aspects of traditional IA framework controls in a big-data environment, yet a gap remained in the identification of the key factors of effectiveness for an IA control framework and how those key factors may be reengineered to mitigate the impact of deployment into a big-data environment (Ledig and Vartanian, 2012; Schumann et al., 2014; Suduc et al., 2010). This study closes that gap by identifying the key factors of IA control effectiveness and the possible changes required to increase the effectiveness of IA control frameworks in a big-data environment.

Limitations

The limitations of this study have been briefly discussed in previous sections of the dissertation; at this stage an in-depth assessment is appropriate. As with many research projects, this project faced limitations of time and money: the dissertation project is time-bounded by the university, and one must pay for each quarter spent working on the dissertation. This prevented adding more case study subject organizations to the research project. Extending the case study targets to candidates outside the Department of the Navy (DoN) and the industrial defense complex would increase the applicability of the study findings. It would be productive to compare the outcome of a multiple-case study in the commercial domain, using the protocols of this study, with the data gathered during this study.

The study was hampered by the sensitive nature of the study topic, the effectiveness of IA control frameworks. Early in the case study candidate selection process it became evident that many organizations were hesitant to allow a study to expose any weaknesses that may exist in the organization's IA posture. This hesitation precipitated a fairly lengthy and arduous non-disclosure process, as every organization took special efforts to have its respective legal department (in the case of the US Navy, the DoN Judge Advocate General's office) review and edit the non-disclosure statement. The need for an in-depth legal review and edit resulted in many organizations dropping off the candidate list and extended the search time by nearly a year. The selection of the DoN and the associated industrial defense complex further complicated the multiple-case study due to the classification of the data gathered. All data collected on-site had to go through a classification and redaction process before any working papers, notes, or data collection instruments could be removed from any facility. During the classification and redaction process about 10% of the evidence was lost to redaction, and the process took about five months, creating a further delay in the dissertation development process.

Despite these limitations, this study identified ten key attributes of effectiveness for

traditional IA control frameworks as well as stakeholders’ perception of how those attributes are

impacted by the adoption of a big-data paradigm. The study further identified reengineering

efforts that would increase the effectiveness of traditional IA frameworks when applied to a big-

data environment.

Implications for Practice

The IA professional community is regularly called upon to assess the effectiveness of proposed IA control frameworks. The attributes of effectiveness defined in this study can be used to establish a much-needed common baseline of minimal acceptable attributes ("Holistic approach needed for big-data security," 2013). Further, as organizations using traditional IA control frameworks adopt the big-data paradigm, IA professionals can apply the attributes of effectiveness and the required changes defined in this study to establish a baseline of minimal acceptable attributes for the transition of the IA control framework to a big-data environment, avoiding the risk of exposing IA weaknesses (Ferguson, 2015). By contributing to the understanding of those factors that influence the effectiveness and acceptability of an IA control framework, this study will enable the adoption of IA control frameworks that are effective in a big-data environment (Frankel, 2012), thereby enabling the development of IA control frameworks that support the big-data paradigm and subsequently the advancement of the data science domain. Table 29 is a suggested model for a big-data IA framework.

Table 29

Big-data IA controls framework model

BIG-DATA IA CONTROLS FRAMEWORK MODEL

Columns: Org. Level | Key Factors | Control Attributes | Control Processes

Org. Level: Executives

Key Factors:
- Consistency of application
- Recognition by governing bodies
- Acknowledged risk reduction

Control Attributes:
- Required training at the enterprise level
- Enforced continuous audit

Control Processes:
- Risk reduction controls
- Increase PII data aggregation risk reduction controls
- Rely more heavily on existing concepts and terminologies while training, educating, and empowering the IA workforce
- Automated tools to identify, assess, and promptly address cases of deviation from the balanced rulesets
- Training program
- Increase trust relationship provenance
- Expand trust relationship governance
- Provide effective risk reduction in the big-data environment
- Add training on the value of big data
- Expand verification of data provenance
- Rely on framework consistency and backing by the governing body
- Balance security levels against operational need, regulatory guidance, records management, and reporting imperatives

Org. Level: IA Professionals

Key Factors:
- Identification (or inventory) of critical data
- Classification and tagging of the data
- Unambiguous set of control checkpoints

Control Attributes:
- Enforce systematic continuous audit
- Require relevant training for IA and IS staff

Control Processes:
- Specific PII controls
- Effective documentation and guidance
- Scenario-based controls
- Guidance from standards bodies for consistency
- Continuous auditing
- Scenario-based training
- Defined classification levels
- Automated audit tools
- User training to communicate the operational value of big data
- Use support provided by recognized bodies
- Request a better set of controls to protect PII
- Specific training requirements for each level of the organization
- Unambiguous set of control checkpoints
- Clear guidance for situational application of controls

Org. Level: IS Practitioners

Key Factors:
- Edge security validation
- Validation of trusted network structures
- Health and compliance scanning
- Strong password validation

Control Attributes:
- Enforces systematic continuous audit of security policies
- Requires training at all levels of the organization

Control Processes:
- Increased operational user training regarding the big-data model
- Reengineered controls that consider the geographically diverse nature of the big-data environment
- Continuous systematic audit requirements
- Health and compliance scanning
- Patch and fix application testing
- Technical network controls
- Automated controls that keep patches and security updates compliant
- Systematic process to verify patches and security updates
- Systematic continuous patch management
- Edge security validation
- Validation of trusted network structures
- Specific training requirements for each level of the organization

Recommendations for Further Research

Recommendations developed directly from the data

The data gathered during the direct observation phase of the multiple-case study indicates that there is resistance to the adoption of the big-data paradigm among some staff members of an organization. What was observed appeared to be a lack of confidence in the reliability of the big-data paradigm. When given a choice between depending on the legacy data environment and using the big-data environment, those individuals who had been with an organization prior to the adoption of the big-data paradigm would use the legacy system, while those who had joined the organization post-migration or during the migration to the big-data solution were more comfortable with the new environment. Interestingly, this behavior was not segmented along age or education but simply by time in service with the organization. This behavior could be due to a lack of confidence, or it could be based on resistance to change, or both. The observed behavior warrants further research to determine if perceived risk should be added to the UTAUT as an influencing attribute.

From one case study the researcher learned that staff were not given an alternative when the organization migrated to the new big-data environment. The organization made a clean cut from the legacy systems to the new big-data environment, with no path that allowed staff to access the legacy system. During the direct observation of this organization the entire staff was encouraging of and extremely confident in the new big-data environment. This behavior is counter to the behavior observed in the other cases in this study. This clean cut-over approach to adopting new technology requires further research.

Recommendations derived from methodological, research design, or other limitations of the study

The limiting nature of performing research within the constraints of the Department of Defense (DoD) indicates that there would be value in extending this research to the commercial sector. It would be productive to merge the data resulting from a multiple-case study in the commercial domain, using the protocols of this study, with the data gathered during this study.

Conclusion

This study utilized the multiple-case study approach to determine the key factors of effectiveness for an Information Assurance (IA) control framework and what modifications would make an IA control framework more effective when applied to a big-data paradigm. To answer this question, three case studies were performed using consistent protocols across all three studies. Each case study was performed in three sections: direct observation, historic document review, and semi-structured one-on-one interviews. The interview questions were designed to guide the interview into discussion areas that provided the researcher with the information necessary for categorizing the responses appropriately for data analysis. The three case study subjects were selected with one from the Department of the Navy and two from the defense industrial complex.

This multiple-case study uncovered ten key attributes of information assurance (IA) control framework effectiveness. It is interesting that each of the three strata of face-to-face interview had its own perception as to the keys to effectiveness for traditional IA control frameworks. Senior decision makers were concerned with those factors that mitigate risk and infer good governance of the IA process. IA professionals seemed to care about those attributes that enable the verification, validation, and protection of the critical information assets of the organization. The IS practitioners were concerned with the attributes that assure the stability and integrity of the extended organization's network. There were some common factors across all strata, such as the need for systematic continuous controls auditing (i.e., removing the human-in-the-loop periodic audit) and the need for ongoing IA education for all levels of the organization as an IA control.

The direct observation sessions exposed what may be a lack of confidence in the reliability of the big-data paradigm. This calls for further research to determine the genesis of the anomalous behaviors. During the review of historic audit documentation there was no significant difference seen in the IA audit findings between those audits performed prior to and those performed post big-data adoption. This lack of difference in audit findings would imply that the adoption of a big-data paradigm had no impact on the effectiveness of an organization's IA control framework. This is inconsistent with the evidence gathered during the face-to-face interview and direct observation phases of the case studies.

It is the intent of this study to contribute to the understanding of those factors that influence the effectiveness and acceptability of an IA controls framework, and that the results of this study will enable the adoption and/or evolution of IA control frameworks that support the big-data paradigm, subsequently enabling the advancement of the data science domain.

References

Abdulhamid, S., Abd Latiff, M., & Bashir, M. (2014). Scheduling techniques in on demand grid as a service cloud: a review. Journal of Theoretical & Applied Information Technology, 63(1), 10-19.

Adu, P. G., & Ward, K. W. (2011). Applying traditional risk assessment models to information assurance: a new domain not a new paradigm. Review of Management Innovation & Creativity, 4(11), 1-9.

Alberts, C., & Dorofee, A. (2003). Managing information security risks: the OCTAVE approach. Saddle River, NJ: Pearson Education.

Albrechtsen, E. (2007). A qualitative study of users’ view on information security. Computers & Security, 26, 276-289. doi:10.1016/j.cose.2006.11.004

Altheide, D. L. (1996). Qualitative media analysis. Qualitative research methods, Vol. 38. Thousand Oaks: Sage.

Al-Zain, M. A., Soh, B., & Pardede, E. (2013). A survey on data security issues in cloud computing: from single to multi-clouds. Journal of Software, 8(5), 1068-1078. doi:10.4304/jsw.8.5.1068-1078

Angela S. M. Irwin, Slay, J., Kim-Kwang, R., & Liu, L. (2013). Are the financial transactions conducted inside virtual environments truly anonymous? Journal of Money Laundering Control, 16(1), 6-40. doi:10.1108/13685201311286832

Arias-Cabarcos, P., Almenárez-Mendoza, F., Marín-López, A., Díaz-Sánchez, D., & Sánchez-Guerrero, R. (2012). A metric-based approach to assess risk for "on cloud" federated identity management. Journal of Network and Systems Management, 20(4), 513-533. doi:10.1007/s10922-012-9244-2

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., ... Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.

Babbie, E. (2001). The practice of social research (9th ed.). Belmont: Wadsworth.

Babu, M., Babu, A., & Sekhar, M. (2013). Enterprise risk management integrated framework for cloud computing. International Journal of Advanced Networking & Applications, 5(3), 1939-1950.

Bagozzi, R. P. (2007). The legacy of the technology acceptance model and a proposal for a paradigm shift. Journal of the Association for Information Systems, 8(4), 244-254.

Baird, A., Furukawa, M. F., & Raghu, T. S. (2012). Understanding contingencies associated with the early adoption of customer-facing web portals. Journal of Management Information Systems, 29(2), 293-324.

Barnard, L., & von Solms, R. (2000). A formalized approach to the effective selection and evaluation of information security controls. Computers & Security, 19(2), 185-194. doi:10.1016/S0167-4048(00)87829-3

Baškarada, S. (2014). Qualitative case study guidelines. The Qualitative Report, 19(40), 1-25.

Baxter, P., & Jack, S. (2008). Qualitative case study methodology: study design and implementation for novice researchers. The Qualitative Report, 13(4), 544-559.

Big-data working group tackles privacy and information security. (2013). Information Management Journal, 47(1), 18.

Birman, K. P. (2000). The next-generation internet: unsafe at any speed. IEEE Computer, 33(8), 54-60. doi:10.1109/2.863968

Bisong, A., & Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & Its Applications, 3(1), 30-45. doi:10.5121/ijnsa.2011.3103

Bloomberg, L., & Volpe, M. (2012). Completing your qualitative dissertation: a road map from beginning to end (2nd ed.). Thousand Oaks: Sage Publications.

Brotby, K. (2008). Information security governance: guidance for information security managers. Rolling Meadows, IL: ISACA.

Bryman, A. (2004). Social research methods (2nd ed.). New York: Oxford University Press.

Burr, W., Ferraiolo, H., & Waltermire, D. (2014). NIST and computer security. IT Professional, 16(2), 31-37. doi:10.1109/mitp.2013.88

Cannoy, S. D., & Salam, A. F. (2010). A framework for health care information assurance policy and compliance. Communications of the ACM, 53(3), 126-131. doi:10.1145/1666420.1666453

Carcary, M., Doherty, E., & Conway, G. (2014). The adoption of cloud computing by Irish SMEs - an exploratory study. Electronic Journal of Information Systems Evaluation, 17(1), 3-14.

Cassell, C., & Symon, G. (1994). Qualitative research in work contexts. In C. Cassell & G. Symon (Eds.), Qualitative methods in organizational research, a practical guide (pp. 1-13). London: Sage.

Castelluccio, M. (2013). Big-data: managing the unmanageable. Strategic Finance, 95(5), 59-60.

Cate, F. H., & Cate, B. E. (2012). The supreme court and information privacy. International Data Privacy Law, 2(4), 255-267. doi:10.1093/idpl/ips024

Chang, S., & Lin, C. S. (2007). Exploring organizational culture for information security management. Industrial Management and Data Systems, 107, 438-458. doi:10.1108/02635570710734316

Chau, P. Y. K. (1996). An empirical assessment of a modified technology acceptance model. Journal of Management Information Systems, 13(2), 185-204.

Cherdantseva, Y., & Hilton, J. (2013). A reference model of information assurance & security. In 2013 Eighth International Conference on Availability, Reliability and Security (ARES) (pp. 546-555). doi:10.1109/ares.2013.72

Cooper, C., & Schindler, P. (2008). Business research methods (10th ed.). Boston: McGraw-Hill Irwin.

Costello, T., & Prohaska, B. (2013). 2013 trends and strategies. IT Professional, 15(1), 64. doi:10.1109/mitp.2013.5

Courtney, M. (2012). The larging-up of big-data. Engineering & Technology (17509637), 7(8), 72-75.

Crawford, K., & Schultz, J. (2014). Big data and due process: toward a framework to redress predictive privacy harms. Boston College Law Review, 55(1), 93-128. Retrieved from http://search.proquest.com.library.capella.edu/docview/1664533162?accountid=27965

Creswell, J. (2007). Qualitative inquiry & research design (2nd ed.). Thousand Oaks, CA: Sage Publications.

Creswell, J. (2009). Research design: qualitative, quantitative, and mixed methods approaches (3rd ed.). Thousand Oaks, CA: Sage Publications.

Cummings, R. (2002). The evolution of information assurance. Computer, 35(12), 65-72. doi:10.1109/MC.2002.1106181

Da Veiga, A., & Eloff, J. (2007). An information security governance framework. Information Systems Management, 24(4), 361-372. doi:10.1080/10580530701586136

Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319-340.

Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1989). User acceptance of computer technology: a comparison of two theoretical models. Management Science, 35, 982-1003. doi:10.1287/mnsc.35.8.982

Demirkan, H., & Goul, M. (2013). Taking value-networks to the cloud services: security services, semantics and service level agreements. Information Systems & EBusiness Management, 11(1), 51-91. doi:10.1007/s10257-011-0186-0

Denning, P. J., & Denning, D. E. (2010). The profession of IT discussing cyber attack. Communications of the ACM, 53(9), 29-31. doi:10.1145/1810891.1810904

Denzin, N. K., & Lincoln, Y. S. (2000). Introduction: the discipline and practice of qualitative research. In N. K. Denzin & Y. S. Lincoln (Eds.), Handbook of qualitative research (2nd ed., pp. 1-28). Thousand Oaks: Sage.

Denzin, N. K., & Lincoln, Y. S. (Eds.). (2003). The landscape of qualitative research: theories and issues (2nd ed.). London, England: Sage Publications.

Dial, A. A., & Moye, J. M. (2014). Trade secrets in the cloud: assessing and mitigating the risks. Journal of Internet Law, 17(11), 1-23.

Dinh, A. (2009). Key components of the FTC and HHS data breach notifications. [Cover story]. Managed Care Outlook, 22(24), 1-7.

Dlodlo, N. (2011). Legal, privacy, security, access and regulatory issues in cloud computing. Proceedings of the European Conference on Information Management & Evaluation, 161-168.

Douglas, M. (2013). Big-data raises big questions. [Cover story]. Government Technology, 26(4), 12-16.

Dubie, D. (2008). Biggest security threats are from inside: survey. NetworkWorld. Retrieved from http://www.networkworld.com/news/2008/071708-insiderthreats.html

Dubois, A., & Gadde, L. (2000). Supply strategy and network effects—purchasing behaviour in the construction industry. European Journal of Purchasing & Supply Management, 6(3), 207-215. doi:10.1016/s0969-7012(00)00016-2

Dul, J., & Hak, T. (2008). Case study methodology in business research. Oxford: Butterworth-Heinemann. ISBN 978-0-7506-8196-4

Eisenhardt, K. M. (1989). Building theories from case study research. The Academy of Management Review, 14(4), 532-550. doi:10.2307/258557

Faris, S., Hasnaoui, S. E., Medromi, H., Iguer, H., & Sayouti, A. (2014). Toward an effective information security risk management of universities’ information systems using multi agent systems, ITIL, ISO 27002, ISO 27005. International Journal of Advanced Computer Science and Applications, 5(6), 114-118. doi:10.14569/IJACSA.2014.050617

Feglar, T. (2005). ITIL based service level management if SLAs cover security. Journal of Systemics, 3(4), 61-71.

Forchuk, C., & Roberts, J. (1993). How to critique qualitative research articles. Canadian Journal of Nursing Research, 25, 47-55.

Frankel, D. A. (2012). Big-data and risk management. Risk Management (00355593), 59(8), 13.

Fuchs, L., Pernul, G., & Sandhu, R. (2011). Roles in information security - a survey and classification of the research area. Computers & Security, 30(8), 748. doi:10.1016/j.cose.2011.08.002

Furnell, S. (2007). IFIP workshop - information security culture. Computers & Security, 26, 35-37. doi:10.1016/j.cose.2006.10.012

Geer, D. E. (2011). Small is beautiful, big is inevitable. IEEE Security & Privacy Magazine, 9(6), 86-87. doi:10.1109/msp.2011.174

George, A. L., & Bennett, A. (2005). Case studies and theory development in the social sciences. London: MIT Press. ISBN 0-262-57222-2

Gerring, J. (2005). Case study research. New York: Cambridge University Press. ISBN 978-0-521-67656-4

Gillham, B. (2000). Case study research methods. London: Continuum.

Gobble, M. M. (2013). Big-data: the next big thing in innovation. Arlington: Industrial Research Institute.

Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information & Management, 46(7), 404-410. doi:10.1016/j.im.2009.06.005

Goldsborough, R. (2013). How sound is the cloud? Tech Directions, 72(8), 12.

Gomm, R., Hammersley, M., & Foster, P. (Eds.). (2000). Case study method, key issues, key texts. London: Sage.

Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5, 438-457. doi:10.1145/581271.581274

Griffiths, P. (2010). Where next for information audit? Business Information Review, 27(4), 216-224. doi:10.1177/0266382110388221

Griffiths, P. (2012). Information audit: towards common standards and methodology. Business Information Review, 29(1), 39-51.

Grim, B. J., Harmon, A. H., & Gromis, J. C. (2006). Focused group interviews as an innovative quanti-qualitative methodology (QQM): integrating quantitative elements into a qualitative methodology. The Qualitative Report, 11(3), 516+.

Guba, R. (2008). Engineering human security. Risk Management, 55(12), 58-60.

Guthrie Ferguson, A. (2015). Big data and predictive reasonable suspicion. University of Pennsylvania Law Review, 163(2), 327-410.

Halaweh, M. (2012). Integration of grounded theory and case study: an exemplary application from e-commerce security perception research. Journal of Information Technology Theory and Application, 13(1), 31-51.

Hamill, J. T., Deckro, R. F., & Kloeber, J. M. (2005). Evaluating information assurance strategies. Decision Support Systems, 39(3), 463-484. doi:10.1016/j.dss.2003.11.004

Hancké, B. (2009). Intelligent research design: a guide for beginning researchers in the social sciences. Oxford University Press.

Harris, S. (2006). Information security governance guide. Search Security.

Hartley, J. (2004). Case study research. In C. Cassell & G. Symon (Eds.), Essential guide to qualitative methods in organizational research (pp. 323-333). London: Sage.

Heaton, B. (2012). Big-data: it's really happening. Government Technology, 25(12), 18-19.

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165.

Hill, L., & Pemberton, J. (1995). Information security: an overview and resource guide for information managers. Records Management Quarterly, 29(1), 14.

Hinson, G. (2007). The state of IT auditing in 2007. EDPACS, 36(1), 13-31. Retrieved from http://search.proquest.com.library.capella.edu/docview/234908173?accountid=27965

Hobson, D. (2008, July). The real cost of a security breach. SC Magazine. Retrieved from http://www.scmagazineus.com/thereal-cost-of-a-security-breach/article/113717/

Hoffman, S., & Podgurski, A. (2007). Securing the HIPAA security rule. [Cover story]. Journal of Internet Law, 10(8), 1-16.

Holistic approach needed for big-data security. (2013). Internal Auditor, 70(1), 17.

Huang, J., & Nicol, D. M. (2013). Trust mechanisms for cloud computing. Journal of Cloud Computing, 2(1), 1-14. doi:10.1186/2192-113x-2-9

Iasiello, E. (2014). Is cyber deterrence an illusory course of action? Journal of Strategic Security, 7(1), 54-67. doi:10.5038/1944-0472.7.1.5

Idrissi, A., & Abourezq, M. (2014). Skyline in cloud computing. Journal of Theoretical & Applied Information Technology, 60(3), 637-648.

Idziorek, J., Tannian, M. F., & Jacobson, D. (2013). The insecurity of cloud utility models. IT Professional, 15(2), 22-27. doi:10.1109/mitp.2012.43

Inukollu, V. N., Arsi, S., & Ravuri, S. R. (2014). Security issues associated with big data in cloud computing. International Journal of Network Security & Its Applications, 6(3), 45-56. doi:10.5121/ijnsa.2014.6304

IT Governance Institute. (2003). Board briefing on IT governance (2nd ed.). Retrieved from http://www.isaca.org/content/contentgroups/itgi3/resources1/board_bribrief_on_IT_governance/26904_board_briefing_final.pdf

Janssen, M., Charalabidis, Y., & Zuiderwijk, A. (2012). Benefits, adoption barriers and myths of open data and open government. Information Systems Management, 29(4), 258-268. doi:10.1080/10580530.2012.716740

Johnston, A., & Hale, R. (2009). Improved security through information security governance. Communications of the ACM, 52(1), 126-129. doi:10.1145/1435417.1435446

Jones, V. A. (2014). Protecting information privacy per U.S. federal law. Information Management, 48(2), 18-20, 22-23, 47. Retrieved from http://search.proquest.com.library.capella.edu/docview/1547943040?accountid=27965

Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. (2013). Cloud computing: a practical framework for managing cloud computing risk - part I. Intellectual Property & Technology Law Journal, 25(3), 7-18.

Kay, L., Youtie, J., & Shapira, P. (2014). Signs of things to come? What patent submissions by small and medium-sized enterprises say about corporate strategies in emerging technologies. Technological Forecasting & Social Change, 17. doi:10.1016/j.techfore.2013.09.006

Khan, K. M., & Malluhi, Q. (2010). Establishing trust in cloud computing. IT Professional Magazine, 12(5), 20-27. doi:10.1109/mitp.2010.128

Kiely, L., & Benzel, T. V. (2006). Systemic security management. Security & Privacy, 4(6), 74-77. Retrieved from http://ieeexplore.ieee.org.library.capella.edu/stamp/stamp.jsp?tp=&arnumber=4020240&tag=1

Kimbrough, R. L. (2006). The relationship between perceptions of organizational culture and implementation of enterprise risk management (Unpublished doctoral dissertation). University of Alabama, Huntsville.

Knafl, K., & Breitmayer, B. J. (1989). Triangulation in qualitative research: issues of conceptual clarity and purpose. In J. Morse (Ed.), Qualitative nursing research: a contemporary dialogue (pp. 193-203). Rockville, MD: Aspen.

Knapp, K. J., Ford, F. N., Marshall, T. E., & Rainer, R. K. (2007). The common body of knowledge: a framework to promote relevant information security research. The Journal of Digital Forensics, Security and Law: JDFSL, 2(1), 9-34.

Kohlbacher, F. (2006). The use of qualitative content analysis in case study research. Forum Qualitative Sozialforschung / Forum: Qualitative Social Research, 7(1).

Krefting, L. (1991). Rigor in qualitative research: the assessment of trustworthiness. American Journal of Occupational Therapy, 45, 214-222.

Kreimer, S. (2009). Raising red flags: new rules require protection against identity theft. H&HN: Hospitals & Health Networks, 83(8), 10.

Krippendorff, K. (2004). Content analysis: an introduction to its methodology (2nd ed.). Thousand Oaks: Sage.

Krueger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers & Security, 25, 289-296. doi:10.1016/j.cose.2006.02.008

Kyburz-Graber, R. (2004). Does case-study methodology lack rigor? The need for quality criteria for sound case-study research, as illustrated by a recent case in secondary and higher education. Environmental Education Research, 10(1), 53-65. doi:10.1080/1350462032000173706

Lacey, D. (2009). Managing the human factor in information security: how to win over staff and influence business managers. West Sussex, UK: Wiley & Sons.

Lam, D. D., & Carayannis, E. G. (2011). Standard insecurity: how, why and when standards can be a part of the problem. Journal of the Knowledge Economy, 2(2), 234-248. doi:10.1007/s13132-010-0029-0

Leavitt, N. (2013). Bringing big analytics to the masses. Computer Technology News, 46(1), 20-23. doi:10.1109/mc.2013.9

Lee, J., Bagchi-Sen, S., Rao, H., & Upadhyaya, S. (2010). Anatomy of the information security workforce. IT Professional Magazine, 12(1), 14-23. doi:10.1109/mitp.2010.23

Leedy, P. D., & Ormrod, J. E. (2012). Practical research: planning and design (10th ed.). Essex, England: Pearson Education Limited. ISBN 10:1-292-02117-9

Levitin, G., Hausken, K., Taboada, H. A., & Coit, D. W. (2012). Data survivability vs. security in information systems. Reliability Engineering and System Safety, 100, 19-27. doi:10.1016/j.ress.2011.12.015

Lincoln, Y. S., & Guba, E. A. (1985). Naturalistic inquiry. Beverly Hills, CA: Sage.

Lineberry, S. (2007). The human element: the weakest link in information security. Journal of Accountancy, 204, 44-46, 49. Retrieved from http://www.journalofaccountancy.com/issues/2007/nov/thehumanelementtheweakestlinkininformationsecurity.htm

Lomas, E. (2010). Information governance: information security and access within a UK context. Records Management Journal, 20(2), 182-198. doi:10.1108/09565691011064322

Machanavajjhala, A., & Reiter, J. P. (2012). Big privacy: protecting confidentiality in big data. XRDS, 19(1), 20-23.

Mader, A., & Srinivasan, S. (2005). Curriculum related to information security policies and procedures. Paper presented at the Proceedings of the Second Annual Conference on Information Security Curriculum Development, Kennesaw, GA.

Mahrt, M., & Scharkow, M. (2013). The value of big-data in digital media research. Journal of Broadcasting & Electronic Media, 57(1), 20-33. doi:10.1080/08838151.2012.761700

Marchewka, J. T., Liu, C., & Kostiwa, K. (2007). An application of the UTAUT model for understanding student perceptions using course management software. Communications of the IIMA, 7(2).

Marshall, C. (2012). Big-data, the crowd and me. Information Services & Use, 32(3), 213-224.

Masli, A., Peters, G. F., Richardson, V. J., & Sanchez, J. M. (2010). Examining the potential benefits of internal control monitoring technology. Accounting Review, 85(3), 1001-1034.

Matwyshyn, A. (2010). CSR and the corporate cyborg: ethical corporate information security practices. Journal of Business Ethics, 88(4), 579-594. doi:10.1007/s10551-009-0312-9

Mays, N., & Pope, C. (2000). Qualitative research in health care: assessing quality in qualitative research. BMJ, 320, 50-52.

McFadzean, E., Ezingeard, J., & Birchall, D. (2011). Information assurance and corporate strategy: a Delphi study of choices, challenges, and developments for the future. Information Systems Management, 28(2), 102-129.

Mills, A. J., Durepos, G., & Wiebe, E. (Eds.). (2010). Encyclopedia of case study research (2 vols.). Thousand Oaks, CA: Sage. ISBN 978-1-4129-5670-3

Mitchell, R. B., & Meggison, P. F. (2014). Strategies for integrating cloud computing concepts. Journal of Applied Research for Business Instruction, 12(2), 1-6.

Moran, M., Hawkes, M., & El-Gayar, O. (2010). Tablet personal computer integration in higher education: applying the unified theory of acceptance and use technology model to understand supporting factors. Journal of Educational Computing Research, 42(1), 79-101. doi:10.2190/EC.42.1.d

Morgan, D. L. (1997). Focus groups as qualitative research (2nd ed.). Newbury Park, CA: Sage Publications.

Munné, R. (2013). Future security trends and their impact from an industry point of view. Information & Security, 29(2), 147-160.

Nadjaran Toosi, A., Calheiros, R. N., & Buyya, R. (2014). Interconnected cloud computing environments: challenges, taxonomy, and survey. ACM Computing Surveys, 47(1), 7:1-7:47. doi:10.1145/2593512

Nanavati, M., Colp, P., Aiello, B., & Warfield, A. (2014). Cloud security: a gathering storm. Communications of the ACM, 57(5), 70-79. doi:10.1145/2593686

Noble, A. (2012). COBIT 5 for assurance progress report. COBIT Focus, 410.

Noble, A. (2013). COBIT 5 for assurance progress report, part 2. COBIT Focus, 13.

Nosworthy, J. D. (2000). Implementing information security in the 21st century - do you have the balancing factors? Computers & Security, 19, 337-347. doi:10.1016/S0167-4048(00)04021-9

O'Donnell, E., Arnold, V., & Sutton, S. G. (2000). An analysis of the group dynamics surrounding internal control assessment in information systems audit and assurance domains. Journal of Information Systems, 14(1), 97.

O'Reilly, K., & Paper, D. (2012). Want value from big-data? Close the gap between the C-suite and the server room. Marietta, GA: Ivy League Publishing.

Papagianni, C., Leivadeas, A., & Papavassiliou, S. (2013). A cloud-oriented content delivery network paradigm: modeling and assessment. IEEE Transactions on Dependable & Secure Computing, 10(5), 287-300. doi:10.1109/TDSC.2013.12

Parakkattu, S., & Kunnathur, A. S. (2010). A framework for research in information security management. Proceedings for the Northeast Region Decision Sciences Institute (NEDSI), 318-323.

Patel, R. (2012). Secure and cost effective framework for cloud computing based on optimization and virtualization. International Journal of Advanced Computer Research, 2(6), 249-253.

Patton, M. (2001). Qualitative research and evaluation methods (3rd ed.). Thousand Oaks, CA: Sage Publications.

Pavolotsky, J. (2013). Privacy in the age of big data. The Business Lawyer, 69(1), 217-225. Retrieved from http://search.proquest.com.library.capella.edu/docview/1490901635?accountid=27965

Plumlee, R. D., & Plumlee, M. A. (2008). Assurance on XBRL for financial reporting. Accounting Horizons, 22(3), 353-368. Retrieved from http://search.proquest.com.library.capella.edu/docview/208892871?accountid=27965

Ponemon Institute. (2009, January). 2008 annual study: cost of a data breach. Retrieved from http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20us%20cost%20of%20data%20breach%20report%20final.pdf

Posthumus, S., & von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638-646. doi:10.1016/j.cose.2004.10.006

Privacy Rights Clearinghouse. (2010). Chronology of data breaches. Retrieved from https://www.privacyrights.org/data-breach

Qin, H. F., & Li, Z. H. (2013). Research on the method of big-data analysis. Information Technology Journal, 12(10), 1974-1980. doi:10.3923/itj.2013.1974.1980

Ragin, C. C., & Becker, H. S. (Eds.). (1992). What is a case? Exploring the foundations of social inquiry. Cambridge: Cambridge University Press. ISBN 0-521-42188-8

Rossi, J. R. (2008). Integrity versus accuracy. Information Security Journal: A Global Perspective, 17(4), 203-205. doi:10.1080/19393550802178573

Rubin, H. J., & Rubin, I. S. (1995). Qualitative interviewing: the art of hearing data. Thousand Oaks: Sage.

Russell, C., Gregory, D., Ploeg, J., DiCenso, A., & Guyatt, G. (2005). Qualitative research. In A. DiCenso, G. Guyatt, & D. Ciliska (Eds.), Evidence-based nursing: a guide to clinical practice (pp. 120-135). St. Louis, MO: Elsevier Mosby.

Salierno, D. (2012). Supersized data. Internal Auditor, 69(4), 7.

Sandelowski, M. (1986). The problem of rigor in qualitative research. Advances in Nursing Science, 8(3), 27-37.

Scholz, R. W., & Tietje, O. (2002). Embedded case study methods: integrating quantitative and qualitative knowledge. Thousand Oaks, CA: Sage. ISBN 0-7619-1946-5

Schumann, M. A., Drusinsky, D., Michael, J. B., & Wijesekera, D. (2014). Modeling human-in-

the-loop security analysis and decision-making processes. IEEE Transactions on

Software Engineering, 40(2), 154-166. doi:10.1109/tse.2014.2302433

Securosis & Sans Institute. (2009). Understanding and selecting a data loss prevention solution.

Securosis. Retrieved from http://securosis.com/reports/dlpwhitepaper.pdf

Sheikhpour, R., & Modiri, N. (2012). A best practice approach for integration of itil and iso/iec

27001 services for information security management. Indian Journal of Science and

Technology, 5(2), 2170.

Sherstobitoff, R. (2008). Anatomy of a data breach. Information Security Journal: A Global

Perspective, 17(5/6), 247-252. doi:10.1080/19393550802529734

Shute, W. (2012). Information governance takes center stage in 2013: spotlight shines on IT

pros: the need for organizations to control and extract value out of exponentially

increasing electronic data will drive five data management trends and thrust information

governance professionals into the spotlight in 2013. Information Management Journal,

46(6), 22.

Silic, M., & Back, A. (2014). Information security. Information Management & Computer

Security, 22(3), 279. Retrieved from

http://search.proquest.com.library.capella.edu/docview/1660153051?accountid=27965

136

Simnett, R. (2007). A critique of the international auditing and assurance standards

board. Australian Accounting Review, 17(2), 28-36. Retrieved from

http://search.proquest.com.library.capella.edu/docview/217552221?accountid=27965

Son, J., & Alves-Foss, J. (2009). A formal framework for real-time information flow

analysis. Computers & Security, 28(6), 421-432. doi:10.1016/j.cose.2009.01.005

Stahl, S. (2007). Beyond information security awareness training: it is time to change the culture.

In H. F. Tipton & M. Krause (Eds.), Information security management handbook (6th ed.,

pp. 555–565). New York, NY: Taylor & Francis Group.

Srinivasan, S. S. (2013). Is security realistic in cloud computing? Journal of International

Technology & Information Management, 22(4), 47-66.

Suduc, A., Bizoi, M., & Filip, F. (2010). Audit for information systems security. Informatica

Economica, 14(1), 43-48.

Thomas, Gary. (2011) How to do your case study: a guide for students and researchers.

Thousand Oaks, CA: Sage.

Thomson, K. L., & von Solms, R. (2005). Information security obedience: a definition.

Computers & Security, 24, 69–75. doi:10.1016/j.cose.2004.10.005

Thomson, K. L., von Solms, R., & Louw, L. (2006). Cultivating an organizational information

security culture. Computer Fraud & Security, 10, 7–11. doi:10.1016/S1361-

3723(06)70430-4

Tripathi, S., & Jigeesh, N. (2013). A review of factors that affect cloud computing adoption. IUP

Journal of Computer Sciences, 7(4), 48-59.

Trombetta, A., Jiang, W., Bertino, E., & Bossi, L. (2011). Privacy-preserving updates to

anonymous and confidential databases. IEEE Transactions on Dependable and Secure

Computing, 8(4), 578-587. doi:http://dx.doi.org/10.1109/TDSC.2010.72

U.S. Department of Commerce, National Institute of Standards and Technology, Joint Task

Force Transformation Initiative. (April 2013). Security and privacy controls for federal

information systems and organizations (SP 800-53r4). Retrieved from

http://dx.doi.org/10.6028/NIST.SP.800-53r4

U.S. Department of Commerce, National Institute of Standards and Technology, NIST Big Data

Public Working Group (NBD-PWG) Definitions and Taxonomies Subgroup (April

2013). NIST big data interoperability framework: Volume 1, Definitions (SP1500-1).

Retrieved from http://dx.doi.org/10.6028/NIST.SP.1500-1

137

Valeri, L. (2000). Securing internet society: toward an international regime for information

assurance. Studies in Conflict & Terrorism, 23(2), 129-146.

doi:10.1080/105761000265566

Venkatesh, V. and Davis, F.D. (2000). A theoretical extension of the technology acceptance

model: four longitudinal field studies. Management Science 46(2), pp. 186-204.

Venkatesh, V., Morris, M.G., Davis, G.B., and Davis, F.D. (2003). User acceptance of

information technology: toward a unified view. MIS Quarterly 27(3), pp.425-478.

Verhezen, P. (2010). Giving voice in a culture of silence: from a culture of compliance to a

culture of integrity. Journal of Business Ethics, 96(2), 187–206. doi:10.1007/s10551-010-

0458-5

Verton, D. (2001). Firm tracks threats, not vulnerabilities. Computerworld, 35(28), 10.

Vilaplana, J., Solsona, F., Abella, F., Filgueira, R., & Rius, J. (2013). The cloud paradigm

applied to e-health. BMC Medical Informatics & Decision Making, 13(1), 1-10.

doi:10.1186/1472-6947-13-35

Vivekanand, M., & Vidyavathi, B. M. (2015). Security challenges in big data:

review. International Journal of Advanced Research in Computer Science, 6(6).

Vizard, M. (2014). The cloud computing game is still wide open. Channel Insider, 1(1), 1-2.

von Roessing, R. (2010). The business model for information security. Rolling Meadows, IL:

ISACA.

Wibowo, K., & Batra, M. M. (2010). Information insecurity in the globalization era: threats,

governance, and survivability. Competition Forum, 8(1), 111-120. Retrieved from

http://search.proquest.com.library.capella.edu/docview/760989964?accountid=27965

Wilson, T. (2009). Many enterprises still don’t recognize insider threat, studies say, dark

reading. Retrieved from http://www.darkreading.com/insiderthreat/

security/management/showarticle.jhtml?articleid=216500173

Yin, R. K. (2009). Case study research: design and methods (3rd ed.). Thousand Oaks, CA: Sage

Publications.

Yin, R. K. (2012). Applications of case study research (3rd ed.). Thousand Oaks, CA: Sage

Publications.

Yin, R. K. (2014). Case study research: design and methods (5th ed.). Thousand Oaks, CA: Sage

Publications.

138

Zafar, H. (2011). Security risk management at a fortune 500 firm: a case study. Journal of

Information Privacy & Security, 7(4), 23-53.

139

STATEMENT OF ORIGINAL WORK

Academic Honesty Policy

Capella University's Academic Honesty Policy (3.01.01) holds learners accountable for the integrity of work they submit, which includes but is not limited to discussion postings, assignments, comprehensive exams, and the dissertation or capstone project.

Established in the Policy are the expectations for original work, rationale for the policy, definition of terms that pertain to academic honesty and original work, and disciplinary consequences of academic dishonesty. Also stated in the Policy is the expectation that learners will follow APA rules for citing another person's ideas or works.

The following standards for original work and definition of plagiarism are discussed in the Policy:

Learners are expected to be the sole authors of their work and to acknowledge the authorship of others' work through proper citation and reference. Use of another person's ideas, including another learner's, without proper reference or citation constitutes plagiarism and academic dishonesty and is prohibited conduct. (p. 1)

Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone else's ideas or work as your own. Plagiarism also includes copying verbatim or rephrasing ideas without properly acknowledging the source by author, date, and publication medium. (p. 2)

Capella University's Research Misconduct Policy (3.03.06) holds learners accountable for research integrity. What constitutes research misconduct is discussed in the Policy:

Research misconduct includes but is not limited to falsification, fabrication, plagiarism, misappropriation, or other practices that seriously deviate from those that are commonly accepted within the academic community for proposing, conducting, or reviewing research, or in reporting research results. (p. 1)

Learners failing to abide by these policies are subject to consequences, including but not limited to dismissal or revocation of the degree.


Statement of Original Work and Signature

I have read, understood, and abided by Capella University's Academic Honesty Policy (3.01.01) and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and Definitions.

I attest that this dissertation or capstone project is my own work. Where I have used the ideas or words of others, I have paraphrased, summarized, or used direct quotes following the guidelines set forth in the APA Publication Manual.

Learner name and date: Benjamin G. Apple, 22 Nov 2016


APPENDIX A. INTERVIEW QUESTIONS

Pre-interview Demographic Questions:

• What is your age?
• What is your gender?
• What is your role in the organization?
• Please provide information about your educational background, starting with your latest degree or the degree you are currently pursuing.

Interview questions:

Q1. What are the key factors in the organization's IA posture using the existing IA control framework that are effective in the big-data environment? 1b. What should be changed? 1c. What should be added? 1d. What should be dropped?

Q2. What are the key factors in the organization's decision-making cycle using the existing IA control framework that are effective in the big-data environment? 2b. What should be changed? 2c. What should be added? 2d. What should be dropped?

Q3. What are the key factors in the organization's IA processes using the existing framework that were effective prior to the adoption of the big-data environment and have remained effective post adoption? 3b. What should be changed? 3c. What should be added? 3d. What should be dropped?

Q4. What are the key factors in the organization's IA regulatory compliance using the existing framework that have remained effective with the adoption of a big-data environment? 4b. What should be changed? 4c. What should be added? 4d. What should be dropped?

Q5. Are there any other aspects of your information assurance framework that you would like to discuss with the interviewer?


APPENDIX B. DATA INDEX KEY