Electronic Theses and Dissertations

Date of Award


Document Type


Degree Name

Ph.D. in Business Administration


Management Information Systems

First Advisor

Brian J. Reithel

Second Advisor

Tony Ammeter

Third Advisor

John P. Bentley

Relational Format



The last decade has seen a dramatic increase in the number, frequency, and scope of cyberattacks, both in the United States and abroad. This upward trend necessitates that a significant aspect of any organization’s information systems strategy involves having a strong cybersecurity profile. Inherent in such a posture is the need to have IT managers who are experts in their field and who are willing and able to employ best practices and educate their users. Furthermore, IT managers need to have awareness of the technology landscape in and around their organizations. After many years of cybersecurity research, large corporations have come to implicitly understand these factors and, as such, have invested heavily in both technology and specialized personnel with the express aim of increasing their cybersecurity capabilities. However, large institutions are comprised of smaller organizational units, which are not always adequately considered when examining the cybersecurity profile of the organization. This oversight is particularly true of colleges and universities where IT managers who are not affiliated with the institution’s central IT department employ their own information security strategies. Such strategies may or may not represent a threat to the institution’s overall level of cybersecurity readiness. Therefore, this research examines the responses of workgroup IT managers who are employed at the school or department level at institutions of higher learning within the United States to determine their perceptions of their cybersecurity readiness. The conceptual model that is developed in this study is referred to as the Practice and Awareness Cybersecurity Readiness Model (PACRM). It examines the relationships between an IT manager’s perceived readiness to detect, prevent, and recover from a cyberattack, and four base factors. Among the factors studied are the manager’s previous level of experience in cybersecurity, the extent of the manager’s use of best practices, the manager’s awareness of the network infrastructure in and around the organizational unit, and the degree to which the manager’s supported user community is educated on topics related to information security. First, a survey instrument is proposed and validated. Then, a Confirmatory Factor Analysis (CFA) is conducted to examine the relationships between the observed variables and the underlying theoretical constructs. Finally, the model is tested using path analysis. The validated instrument will have obvious implications for both cybersecurity researchers and managers. Not only will it be available to other researchers, it will also provide a metric by which practitioners can gauge their perceptions of their cybersecurity readiness. In addition, if the underlying model is found to have been correctly specified, it will provide a theoretical foundation on which to base future research that is not dependent on threats and deterrents but rather on raising the self-efficacy of the human resource.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.