Date of Award
Fall 10-2025
Document Type
Dissertation
Degree Name
Doctor of Philosophy in Cyber Defense (PhDCD)
First Advisor
Ahmad Al-Hammouri
Second Advisor
Kyle Cronin
Third Advisor
Scott Morstad
Abstract
The growing frequency and complexity of cyberattacks pose a serious and escalating risk to both individuals and organizations. Current cybersecurity assurance approaches often fall short in effectively measuring the adequacy of cybersecurity controls in terms of mitigating risks and providing measurable value to organizations. The current approaches are often focused on measuring compliance with predetermined requirements as defined in government regulation or an industry standard, thereby overlooking the need for a holistic approach that incorporates all aspects of security. This dissertation is an attempt to address this gap by developing a novel outcome-based cybersecurity assurance approach.
The research problem focused on the lack of a comprehensive, outcome-based cybersecurity assurance approach that effectively assesses whether cybersecurity controls are achieving their intended outcomes instead of simply verifying compliance. Existing cybersecurity assurance approaches fail to consider the human and process aspects of security controls, and the importance of ensuring that cybersecurity controls provide the intended value to the organizations. This limitation creates a scenario where organizations make significant investments in terms of their security controls but lack a way to determine whether those controls are actually providing the protection and value to the organization that they are meant to provide, or more importantly, if the controls are even truly warranted in the context of the organization.
This dissertation followed the design science research methodology, which includes iterative design and an evaluation process. Consistent with that methodology, the iterative process included multiple cycles of design and validation. Additionally, the Delphi Method was followed in collecting feedback from a panel of industry experts, and that feedback was incorporated into the artifact design. The outcome of this dissertation is an artifact in the form of a cybersecurity assurance approach, termed an outcome-based cybersecurity assurance approach.
The outcome-based approach provides a structured process for conducting comprehensive cybersecurity assurance analyses, including guidance on input considerations for each step, such as selecting a relevant framework, determining the objectives of the assessment, identifying and articulating the intended outcome for a control, and control evaluation criteria and success metrics. The approach was enhanced over multiple iterations to ensure that the final version is easy to follow and implement, and easy for any organization to adapt, irrespective of its type, size, or the industry it operates in. The outcome-based assurance approach is expected to empower and enable organizations to make informed decisions about security, enhance their operational resilience, and improve their overall security posture.
Recommended Citation
Muhammad, Yousuf M., "Advancing Cybersecurity Assurance: A Novel Outcome-Based Approach for Evaluating Cybersecurity Controls" (2025). Masters Theses & Doctoral Dissertations. 504.
https://scholar.dsu.edu/theses/504