Examination of Organizational Information Security Strategy: A Pilot Study

The prevailing approach to cyber security continues to be the implementation of controls—technical, formal, and informal. We have seen little departure from a fundamentally preventive strategy. The criminal justice field has called for an increased emphasis on deterrence strategies, specifically Situational Crime Prevention (SCP). This paper presents the results of an exploratory (pilot) study based on interviews of CISOs (or approximate equivalents). We found that while the balance of controls does appear to be improving, technical controls are still the priority— particularly in small organizations. We found that IS security strategies are still predominantly preventive; organizations do not view offender deterrence as a strategy. The respondents definitely see room for strategic improvement. By and large, the information security professionals interviewed believe that cyber offenders are rational decision makers, that reducing anticipated benefit would be the most lucrative influence, followed by perceived effort required and perceived risk of being caught, in that order.