Securing the IT acquisition security chain: Security concerns and human factors in IT acquisition

This thesis research evaluates the extent to which IT decision makers consider security concerns and requirements while performing technology acquisition in small-to-medium sized organizations. The research sought to understand what factors influence decision maker attitudes on the role of security during acquisition and how these attitudes and decision strategies affect security throughout the system lifecycle. Through an interview based study with fifteen IT decision makers from small-to-medium sized organizations, decision maker attitudes and organizational practices were evaluated. The findings suggest that security is not often considered during the acquisition process and is not a crucial element of acquisition decision and selections strategies for a majority of the sample. There is, however, a significant relationship between acquisition and security throughout the system lifecycle and the findings further suggest that end-user consideration and involvement are crucial elements for both acquisition and security. The relative importance of security consideration by decision makers is discussed herein and suggestions are provided for steps organizations may undertake to improve their acquisition decision strategies and to better align and address security concerns and requirements.