Date of Award

Spring 3-2019

Document Type


Degree Name

Doctor of Philosophy in Cyber Operations (PhDCO)


Computer Science

First Advisor

Kyle Cronin

Second Advisor

Aaron Heath

Third Advisor

Stephen Krebsbach

Fourth Advisor

Judy VondruskaRobert Warren


Healthcare providers have a responsibility to protect patient’s privacy and a business motivation to properly secure their assets. These providers encounter barriers to achieving these objectives and limited academic research has been conducted to examine the causes and strategies to overcome them. A subset of this demographic, businesses with less than 10 providers, compose a majority 57% of provider organizations in the United States. This grounded theory study provides exploratory findings, discovering these small healthcare provider organizations (SHPO) have limited knowledge on information technology (IT) and information security that results in assumptions and misappropriations of information security implementation, who is responsible for security, and what the scope of security is to address organizational cyber risk. A theory conveying the interrelationship among concepts, illustrating these barriers, is visually communicated. This research can be leveraged by researchers to further understand the dimensions of the identified barriers and by practitioners to develop strategies to improve organizational information security for this demographic. The study’s findings may apply to SHPOs in other states as the criteria of South Carolina based SHPOs did not seem to influence the findings.

Intensive interviewing was conducted on nine SHPOs in the state of South Carolina to elicit their thoughts and perspectives on information security at their business, how decisions are made regarding information security, how threats and risks to their business are perceived, and to understand financial activities associated with providing information security at their organization.

The concepts and categories, and how they interrelate to each other compose the “flashlight in a dark room” theory. This theory claims the current IT and information security knowledge of staff responsible for information security at these SHPOs produces a narrow scope of what is required for proper information security and informs their perceived cyber risk exposure. These personnel are only “seeing” what the flashlight illuminates in a dark room full of cyber risk. They are committed to secure their organization appropriately and are confident in their current cyber security posture. This causes an organizational cyber risk reality versus perception misalignment, resulting in unknown, accepted risk exposure.

SHPOs support information security and are motivated to be ‘as secure as possible’ with a strong emphasis on protecting their patient’s protected health information. This suggests if ‘the “overhead light in the dark room” could be turned on, and illuminate the scope of cyber risk, these organizations would begin to work toward implementing security controls that align to their actual cyber risk.