| A theoretical gap was identified in explaining the motivational factors behind private sector cybersecurity policy compliance in critical infrastructure industries. A constructivist grounded theory approach was used to collect and analyze qualified participant experiences, resulting in a theoretical model that frames these motivational constructs as event-driven actions. The full population for this study encompassed the private sector infrastructure owners and operators of the 16 recognized critical infrastructure industries within the United States. The sample frame for this study was the InfraGard Members Alliance, a national volunteer network of more than 55,000 public-private sector and academic associates. The recruited sample included 13 purposively selected participants from nine different critical infrastructure industries across five California counties with a variety of cybersecurity occupations and years of experience. An open-ended interview protocol was used to collect participant experiences, which were inductively analyzed using grounded theory's constant comparative processes for theory construction. The core variable emerging from the data represented reactive impulses towards compliance closely related to the design-time, run-time, and post-processing characteristics of event-driven processes. The results of this study support a new theory of event-driven cybersecurity compliance motivation (ECCM) that is grounded in the theoretical constructs of regulatory density, organizational maturity, and compliance return-on-investment. Attributes of these ECCM theoretical constructs included pre-existing regulatory conditions, capability enabling interactions, and compliance consequences as described by the private sector owners and operators of critical U.S. infrastructure industries. |
