The effect of acquisition decision making on security posture

The purpose of this paper is to examine the effectiveness of decision making in IT acquisition and security, and the disparity between the two domains. The paper postulates that improving decision processes during acquisition increases decision makers' security consciousness and security posture.

Semi‐structured interviews were conducted with 15 IT decision makers of small‐to‐medium sized organizations using questions derived from previous research in psychology, HCI, and MIS. Questions from the security and acquisition areas were coded based upon a predefined rubric and correlation testing was performed. The author chose to focus on small‐to‐medium sized organizations since they often lack sufficient background and resources to address IT security concerns.

Analysis suggests a significant positive correlation between the effectiveness of acquisition decision making and organizational security posture and attitudes, further suggesting that small improvements in acquisition decision making may result in substantial improvements in an organization's security posture.

The sample size of 15 organizations is not sufficient for population generalization. This research instead focused on analyzing the effect of certain decisions, attitudes, and behaviours on acquisition and security.

Increased security concerns, such as cyber‐attacks and regulation, require organizations to proactively plan for and address security requirements. Tools/software are insufficient to properly address organizational security and do not address failure or flaws in human decision making. These findings can help organizations to better understand and improve their internal decision making processes and security consciousness, and avoid common pitfalls which allow for unaddressed risk.