Date of Award

Spring 4-2022

Document Type


Degree Name

Doctor of Philosophy in Information Systems (PhDIS)


Business and Information Systems

First Advisor

Yong Wang

Second Advisor

Jun Liu

Third Advisor

Cherie Noteboom


Organizations Advanced persistent threats (APTs) are the most complex cyberattacks and are generally executed by cyber attackers linked to nation-states. The motivation behind APT attacks is political intelligence and cyber espionage. Despite all the awareness, technological advancements, and massive investment, the fight against APTs is a losing battle for organizations. An organization may implement a security strategy to prevent APTs. However, the benefits to the security posture might be negligible if the measurement of the strategy’s effectiveness is not part of the plan. A false sense of security exists when the focus is on implementing a security strategy but not its effectiveness. This research verifies whether organizations are in a false sense of security while preventing APT attacks, what factors influence the false sense of security, and whether organizational culture influences factors contributing to the false sense of security. The research method utilized was survey-based quantitative research. Confirmatory Factor Analysis (CFA) and Structural Equation Modeling (SEM) were employed in the research model evaluation and hypotheses testing. The data analysis found that the sense of security value among the employees is low, which proves that employees are not confident about their organization’s cybersecurity posture and organizations are in a false sense of security. Since Security Awareness and Training, Security Controls, Redundant IDS/IPS, and Cybersecurity Insurance positively influence the sense of security, recommendations were provided to enhance their effectiveness. The research study highlighted that sense of security of the employees is low when the security controls are ineffective. The contribution of this research is to highlight the paradigm shift required for organizations while setting up defenses against APTs. While organizations focus on setting up security controls to satisfy the compliance requirements, the research study outcome emphasizes the importance of the effectiveness of security controls. The dissertation includes limitations of the research and suggestions for further study.