InfoSec Compliance & Complex Systems: Part 2 – It’s Complexicated

As mentioned in Part 1, I was hooded and commenced on Saturday. I learned that you can earn a graduate degree at UT Austin without knowing all the words to “The Eyes of Texas.”

Meanwhile, I had to sort out two things before I could begin researching the ultimate question of Security/Compliance.  I considered a boring old literature review, but top-notch academic literature on this specific topic was scarce.  I also considered conducting a survey, but that seemed to present significant administrative headaches for what might provide little new insight, especially compared to the attractive alternative that presented itself.

I talked with some folks at Nameless Company who opened up about their experiences in compliance and security, and I used Nameless as a case study.  Nameless Company was a small/medium business dealing with a handful of interesting issues, one of which involved becoming FISMA compliant.  In talking to the IT, audit, and security folks at Nameless Company, I saw the opportunity to see how they approached security before and after the required compliance.  Nameless Company was also going through significant strategic changes and upheaval.  I was able to collect some qualitative and quantitative data for the years before and after the compliance event.

Once I had a case study selected, I had to build a theoretical methodology for my approach.  After some agonizing and panic (primarily due to my unfamiliarity with how academic papers work), I selected complexity theory.  Complexity theory has been used to explain murmurations of starlings, organizational behavior, and cool Mandelbrot sets.  I was going to approach the research from the perspective of information transmission and the rules/schema of the regulator, the organization, and the security team.

Now I was ready to dig into the data, the interviews, and the corporate financials and see what I could see as far as security & compliance in Nameless’ microcosm.


I’m the one in the middle with the big smile and ritual diploma substitute, pictured with the Dean of the Information School and the Director of the Center for Identity.

Here’s some biblio:

Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6), 849–855.  (This paper led me to complexity theory – good & provocative.)

Mitchell, M. (2009). Complexity: A Guided Tour. Oxford University Press.  (What it says on the tin.  Makes no distinction between Complex Systems and Complex Adaptive Systems.)

Julisch, K. (2008). Security Compliance: The Next Frontier in Security Research. In Proceedings of the 2008 New Security Paradigms Workshop (pp. 71–74). New York, NY, USA: ACM.  (Emblematic of the sort of research in Security and Compliance – focused largely on the how rather than the why.)
