Close
About
FAQ
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Utilizing data analytics in the field of physical security: an exploratory study
(USC Thesis Other)
Utilizing data analytics in the field of physical security: an exploratory study
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
Utilizing Data Analytics in the Field of Physical Security: An Exploratory Study
by
Farhad Tajali
Rossier School of Education
University of Southern California
A dissertation submitted to the faculty
in partial fulfillment of the requirements for the degree of
Doctor of Education
May 2021
© Copyright by Farhad Tajali 2021
All Rights Reserved
The Committee for Farhad Tajali certifies the approval of this Dissertation
Allison Keller Muraszewski
Jennifer Phillips
Helena Seli, Committee Chair
Rossier School of Education
University of Southern California
2021
iv
Abstract
Security professionals face mounting challenges by the various threats targeting their respective
organizations. The digital revolution has introduced many benefits, and inadvertently created
multitude of additional threats and challenges (Foynes & Fuller, 2018). To combat new and
existing emerging threats, security professionals can utilize data generated by the same digital
revolution to proactively identify security gaps, mitigate risks and take a proactive approach to
protecting their organizations. The purpose of this study was to assess the knowledge,
motivation, and organizational influences (KMO) impacting security professionals’ ability to
utilize data analytics in the field of physical security. To explore potential assets and needs, this
study utilized Clark and Estes’s (2008) Gap Analysis Framework to assess the KMO influences
that contribute to the use of data analytics to inform data driven decision making. An explanatory
sequential mixed methods research design was conducted to obtain quantitative and qualitative
data for analysis. Survey data was obtained from 258 security professionals from the United
Stated and 43 other countries globally. Additionally, data from seven security professionals were
obtained through interviews. This study found security professionals have a common
understanding of data analytics and value its use, however, fail to effectively utilize data
analytics in the field of physical security. Data analysis process (procedural knowledge) self-
efficacy (motivation), and provision of resources (organizational influence) were identified as
needs during this study. Clark and Estes’s (2008) Gap Analysis Framework was used to generate
solutions and recommendations. The implementation of the recommendations outlined in
Chapter five will enable security professionals to effectively utilize data analytics and
proactively protect their organizations.
v
Dedication
To Lily and Rose, knowledge is endless; pursue it with the aim to change the world. The journey
is not easy, but grit and passion will lead you there.
“There are two who are never satisfied, the lover of the world and the lover of knowledge.”
― Rumi Jalalud-Din, ﻣﺜ ﻨ ﻮ ی ﻣ ﻌﻨ ﻮ ی
vi
Acknowledgements
The journey of pursuing my doctoral degree and the completion of this dissertation,
especially during a global pandemic, has been a challenging endeavor. This journey would not
have been completed without the support the guidance of my dissertation chair, Dr. Helena Seli.
Thank you for your endless support during all hours and giving me the confidence and guidance
to complete this journey. I also want to thank my committee members, Dr. Jennifer Phillips, and
Dr. Alison Keller Muraszewski who challenged me to refine and execute my research.
I also want to thank my classmates, OCL Cohort 12. It has been a pleasure being on this
journey with you. To Jamie Bone, Chinako Belanger, Jordan Chroman, and Astin Godwin, I will
always treasure your friendship. Without your constant support, this journey would have been far
more difficult. Thank you and fight on!
Last, and most important, to my wife Hamila. Thank you for your endless support and
encouragement during this long journey and patience while I spent many hours on the computer
each night. And to the rest of my family and friends, thank you for believing in me and
understanding when I missed many gatherings. Your support made this goal possible.
vii
Table of Contents
Abstract ........................................................................................................................................... iv
Dedication ........................................................................................................................................ v
Acknowledgements ........................................................................................................................ vi
List of Tables ................................................................................................................................... x
List of Figures ................................................................................................................................. xi
Chapter One: Overview of the Study .............................................................................................. 1
Background of the Problem ................................................................................................. 1
Importance of Addressing the Problem ............................................................................... 3
Field Context and Mission ................................................................................................... 4
Field Global Goal ................................................................................................................ 5
Description of Stakeholder Groups ..................................................................................... 5
Stakeholder Group for the Study ......................................................................................... 6
Field and Stakeholder Group’s Performance Goals ............................................................ 7
Purpose of the Study and Research Questions .................................................................... 8
Overview of the Conceptual and Methodological Framework ........................................... 8
Definitions ........................................................................................................................... 8
Organization of the Project .................................................................................................. 9
Chapter Two: Review of the Literature ......................................................................................... 10
Security Metrics ................................................................................................................. 10
Utilization of Data Analytics ............................................................................................. 13
Clark and Estes’s (2008) Knowledge, Motivation and Organizational Influences’
Framework ............................................................................................................. 17
Security Professionals’ Knowledge, Motivation and Organizational Influences .............. 18
viii
Conceptual Framework ..................................................................................................... 31
Summary ............................................................................................................................ 33
Chapter Three: Methodology ........................................................................................................ 34
Research Questions ........................................................................................................... 34
Overview of Methodology ................................................................................................ 34
Data Collection, Instrumentation and Analysis Plan ......................................................... 36
Ethics and Role of Researcher ........................................................................................... 44
Chapter Four: Results and Findings .............................................................................................. 47
Participating Stakeholders ................................................................................................. 48
Research Question 1: What is the Security Professionals’ Knowledge in the Context of
Using Data Analytics to Inform Data-Driven Decision Making? ......................... 51
Research Question 2: What is the Security Professionals’ Motivation in the Context of
Using Data Analytics to Inform Data-Driven Decision Making? ......................... 61
Research Question 3: How Do the Organizational Context and Culture Either Facilitate or
Hinder Their Efforts in Implementation and Use of Data Analytics? ................... 70
Summary of Knowledge, Motivation and Organizational Influences’ Data ..................... 77
Chapter Five: Recommendations and Discussion ......................................................................... 82
Discussion of Findings and Results ................................................................................... 82
Recommendations for Practice .......................................................................................... 85
Limitations and Delimitations ........................................................................................... 96
Recommendations for Future Research ............................................................................. 97
Conclusion ......................................................................................................................... 97
References ..................................................................................................................................... 99
ix
Appendix A ................................................................................................................................. 106
Appendix B .................................................................................................................................. 112
Appendix C .................................................................................................................................. 116
Appendix D ................................................................................................................................. 118
Appendix E .................................................................................................................................. 119
x
List of Tables
Table 1: Field Mission, Field Goal and Stakeholder Group’s Performance Goal 7
Table 2: Knowledge Influences 24
Table 3: Motivation Influences 27
Table 4: Organizational Influences 30
Table 5: Data Sources 35
Table 6: Demographic Characteristics of Participants (Survey) 49
Table 7: Demographic Characteristics of Participants (Interviews) 50
Table 8: Security Professionals’ Responses to Definition of Security Metrics 53
Table 9: Distribution of Participant Responses to Knowledge Items 56
Table 10: Distribution of Participant Responses to Organizational Influence Items 57
Table 11: Distribution of Participant Responses to Self-Efficacy Items 63
Table 12: Distribution of Participant Responses to Self-Efficacy Items 65
Table 13: Distribution of Participant Responses to Motivation Items 67
Table 14: Security Professionals’ Responses to Utility Value Items 69
Table 15: Distribution of Participant Responses to Organizational Influence Items 72
Table 16: Distribution of Participant Responses (Importance of Metrics) 72
Table 17: Distribution of Participant Responses (Leadership Support) 74
Table 18: Knowledge, Motivation and Organizational Assets or Needs 80
Table 19: Summary of Influences and Recommendations 89
Table 20: Distribution of Participant Responses to Security Programs Measured 94
Table 21: Online Courses Focused on Data Analytics and Data Driven Decision Making 95
xi
List of Figures
Figure 1: Conceptual Framework 31
1
Chapter One: Overview of the Study
Security professionals are entrusted with protecting organizations, including its
employees, assets and brand from all threats, including mitigation of risks and ensuring life
safety. From the physical security standpoint, security professionals are the “gatekeepers” who
are entrusted with organizations’ safety and security. Lack of effective physical security
measures can expose organizations and its employees to life safety risks, liability and significant
monitory loss. In 2009, workplace violence, among other crimes impacting organizations,
accounted for approximately 572,000 nonfatal violent crimes (Harrell, 2011). Such crimes
include rape, sexual assault, robbery, aggravated and simple assault, which occurred against
persons age 16 or older while they were at work, reported by National Crime Victimization
Survey (Harrell, 2011). Additionally, a study by Hiscox (2017) found that businesses in the
United States effected by employee theft lost an average $1.13 million in 2016. An effective
physical security program utilizing data analytics can identify security gaps and trends of
incidents allowing proactive risk mitigation. In the field of physical security, data analytics can
be used to gauge security programs’ effectiveness by measuring key performance indicators,
incident trends (Campbell, 2014) and ultimately, inform security professionals’ decision-making
process and enhance the security posture of the organization. The problem addressed in this
study is the limited use of data analytics within the field of physical security to proactively
identify security gaps and mitigate risks.
Background of the Problem
Security professionals are facing mounting challenges by a multitude of inadvertently
created threats as a result of the digital revolution such as social media which has resulted in
numerous mass-casualty incidents (Foynes & Fuller, 2018). Therefore, to combat new and
2
existing emerging threats, security professionals must be proactive in identifying security gaps
and risks using data analytics. The limited utilization of data analytics in the field of physical
security is a problem because nearly 70% of security professionals in a Security Executive
Council survey reported that they do not collect security program metrics (Campbell, 2015).
Security metrics, a context specific term used in the security field to measure
performance, can be used to tell a compelling story of security program’s effectiveness. Without
security metrics, security professionals often rely on the intuition of organization’s leadership
(Ohlhausen et al., 2014). In a survey conducted by Foynes and Fuller (2018), 80% of physical
security leaders identified big data and analytics as a critical component of the field of physical
security and a top investment category. In the field of physical security, there are also risks that
are often mitigated due to security layers in place that are challenging to measure. Such mitigated
risks save the organization not only monetarily, but also in form of reputation (Campbell, 2009).
However, physical security is often regarded as a cost center, rather than a profit center
(Campbell, 2009). With the use of data analytics, security professionals can translate their daily
security program’s effectiveness into business terms to inform their organizations’ leaders and
show their security program’s value.
In the field of physical security, incident response is traditionally reactive such as acting
in response to an incident rather than proactively mitigating risks (Campbell, 2014). More often
than not, proactive threat management becomes a challenge due to complexity of addressing
current threats (Foynes & Fuller, 2018), and therefore leaving less time for proactive data
analysis. Additionally, lack of knowledge in effective use of data analytics in the physical
security field is apparent as a survey of ASIS International members revealed 78% of security
professional who are currently not utilizing data analytics stated they would use security metrics
3
if they knew more about the topic and how to use security metrics effectively (Ohlhausen et al.,
2014). Therefore, advancing security professionals’ knowledge and training in data analytics and
access to appropriate tools and application is paramount.
Importance of Addressing the Problem
It is important to explore the field performance with regard to the goal of utilizing data
analytics in the field of physical security for several reasons. The threat landscape is ever
changing, specifically given the digital revolution which has inadvertently enabled new threats
(Foynes & Fuller, 2018). Use of data analytics and intelligent applications can help security
professionals sift through large amounts of data that cannot be processed at the human level,
while failure to transform, may expose organizations, people, brand and their reputation to risk
(Foynes & Fuller, 2018). Additionally, failure to measure key performance indicators in the field
of physical security hinders the discovery of performance gaps among security personnel to
enhance operational workflows, as key performance indicators are used by organizations to
evaluate their success in reaching their organizational goals (Campbell, 2009). Finally, failure to
use data analytics further grounds the current nature of physical security in reactive response to
security threats, rather than proactive mitigation of emerging threats (Ohlhausen et al., 2014).
Security metrics are critical in identifying security gaps and protecting organizations from
threats, yet there are only a few tested metrics in this field and minimal guidance in effective use
of security metrics (Ohlhausen et al., 2014). Therefore, security metrics play a critical role in
creating an effective physical security program to ensure life safety and shield organizations and
people from threats.
4
Field Context and Mission
The field of focus in this research study was that of physical security. The US
Department of Defense (2005) defines physical security as measures to safeguard personnel,
including prevention of unauthorized access to equipment, installations, material and documents
and further safeguarding against espionage, sabotage, damage and theft. The physical security
field mission is to safeguard organizations, its personnel and assets from unauthorized access and
further safeguarding against espionage, sabotage, damage and theft.
The most prominent professional association in the field of physical security is ASIS
International. This organization defines its mission to advance the practice of security utilizing
the knowledge and expertise of ASIS International membership and the security industry through
the development of risk mitigation guidelines (Chief Security Officer Guideline, 2004). ASIS
International was founded in 1955 as a global community of security practitioners with roles in
protecting organizations, employees, assets and information (ASIS International, n.d.a). ASIS
International members include 34,000 global security professionals from 240 regional chapters
worldwide who network and collaborate to enhance physical security operations globally (ASIS
International, n.d.b). Furthermore, ASIS International members have access to vast array of
educational content and resources with a focus on the field of physical security, including
security innovations to mitigate risk, global developments and latest trends in this field (ASIS
International, n.d.b). ASIS International also offers four distinct ASIS certification programs that
are recognized worldwide as a mark of excellence in managing security operations (ASIS
International, n.d.b).
5
Field Global Goal
The focus of this research study was the field of physical security. ASIS International’s
strategic goal was used to operationalize the field goal and where the field is heading, although
this research study did not directly focus on ASIS International as an organization. The physical
security field goal is to proactively identify security gaps and mitigate security risks by utilizing
data analytics. This field goal is consistent with the strategic plan of ASIS International, the most
prominent association in the field of physical security. The field goal is that by January 2024, the
field will accelerate digital transformation, and utilization of data analytics as part of this
transformation to elevate the security function to influence organizational success, and service
global needs. The field’s strategic goal to accelerate digital transformation is directly related to
this study’s problem of practice focused on utilization of data analytics to guide data-driven
decision making in the field of physical security.
Description of Stakeholder Groups
The success of utilizing data analytics to guide data-driven decision making in the field of
physical security is highly dependent on the stakeholders’ commitment towards this goal.
Performance goals cannot be reached, without the support of the stakeholders (Hill et al., 2009).
There are three stakeholder groups who directly contribute to and benefit from the digital
transformation of physical security using data analytics. The first stakeholder group is the field
uniformed security officers who are entrusted with carrying out the daily security tasks.
Uniformed security officers are involved in responding to security calls for service, incidents and
monitoring security technology systems such as surveillance, access control, incident
management system and many others. Uniformed security officers are also the primary group
who is responsible for collecting data from multitude of security technology systems which can
6
be used as input data for future analysis. The second stakeholder group is physical security
professionals who manage the uniform security staff and the daily security operation of the
organization. This group is also responsible for security technology tool selection and data
analysis to identify any trends and clusters of security gaps, performance issues and potentials
risks. The third stakeholder group is the organizations’ executive team who rely on the
interpretation and analysis of the security metrics program as a guide for data-driven decision-
making process. The executive team determines the allocation of resources and funds towards
addressing required security technology needs and identified security gaps for implementation
and mitigation of risks to the organization.
Stakeholder Group for the Study
While the joint efforts of all stakeholders will contribute to the achievement of the overall
field goal of utilizing data analytics to guide data-driven decision making in the field of physical
security, only one stakeholder group was the focus of this research study. It was critical to
explore the physical security professionals’ capacity with regard to implementation of a security
metrics program, and their knowledge of data analytics and ability to identify security gaps using
a data-driven mindset. Therefore, the stakeholders of focus in this study were physical security
professionals in a management role such as managers, directors, vice presidents and chief
security officers. Their specific capacity that was explored in this study is the utilization of data
analytics to guide data-driven decision making in order to measure security program’s
effectiveness. Failure to accomplish this goal is likely to lead to unidentified security gaps,
leaving organizations exposed to multitude of risks to life safety, assets, reputation and brand.
7
Field and Stakeholder Group’s Performance Goals
The table below describes the mission of physical security field holistically, as well as
field performance goal and stakeholder group’s performance goal. The stakeholder group’s goal
of utilizing data analytics to guide data-driven decision making has a direct impact on field
performance goal of digital transformation of physical security, as well as field mission of
safeguarding organizations from harm.
Table 1
Field Mission, Field Goal and Stakeholder Group’s Performance Goal
Field Mission
The physical security field mission is to safeguard organizations, its personnel and assets from
unauthorized access and further safeguarding against espionage, sabotage, damage and theft.
Field Performance Goal
By January 2024, the field will accelerate digital transformation, and utilization of data
analytics as part of this transformation to elevate the security function to influence
organizational success, and service global needs.
Security Professionals’ Goal
By January 2024, security professionals will utilize data analytics to inform data-driven
decisions making in order to measure security program’s effectiveness.
8
Purpose of the Study and Research Questions
The purpose of this research study was to explore the utilization of data analytics by
security professionals and their decision-making process. The analysis focused on security
professionals’ knowledge, motivation and organizational influences related to utilization of data
analytics in their organization. The research questions that guided this research study are the
following:
1. What is the security professionals’ knowledge in the context of using data analytics to
inform data-driven decision making?
2. What is the security professionals’ motivation in the context of using data analytics to
inform data-driven decision making?
3. How do the organizational context and culture either facilitate or hinder their efforts in
implementation and use of data analytics?
Overview of the Conceptual and Methodological Framework
Clark and Estes’s (2008) gap analysis, a systematic, analytical method that helps to
clarify organizational goals and identify the knowledge, motivation and organizational
influences, was adapted to an exploratory model and implemented as the conceptual framework.
Assumed knowledge, motivation and organizational influences that impact security
professionals’ capacity in utilizing security metrics was generated based on both context-specific
and general learning and motivation theory. These influences were explored via a mixed
methodological framework consisting of survey and individual interviews.
Definitions
• Data Analytics refers to a set of procedures utilized to gather and process digital data.
9
• Data-Oriented Company refers to companies that utilize data analytics as a central
component of their strategic decision-making process.
• Key Performance Indicators is the evaluation of the success of an organization or of a
particular activity (such as projects, programs, products and other initiatives) in which it
engages.
• Metrics is the measures of quantitative assessment commonly used for assessing,
comparing, and tracking performance or production.
• Physical Security refers to security measures that are designed to deny unauthorized
access to facilities, equipment and resources and to protect personnel and property from
damage or harm (such as espionage, theft, or terrorist attacks).
• Security Professional is a person responsible for security and protection of organization’s
employees, assets and brand.
Organization of the Project
Five chapters are used to organize this study. This chapter provided the reader with the
key concepts and terminology commonly found in a discussion about data analytics and security
metrics. The field of physical security’s mission, goals and stakeholders and the framework for
the project were also introduced. Chapter Two provides a review of current literature
surrounding the scope of the research study. Chapter Two also presents security professionals’
knowledge, motivation and organizational influences that were explored via the study. Chapter
Three details the methodology when it comes to choice of participants, data collection and
analysis. In Chapter Four, the data are assessed and analyzed. Chapter Five provides a discussion
and recommendations for implementation of a security metrics program and for future research.
10
Chapter Two: Review of the Literature
Chapter Two of this dissertation outlines the review of the literature which defines
security metrics and evaluates the history and current utilization of data analytics in the field of
physical security. Additionally, critical elements in utilization of data analytics, as well as
security metrics best practices are included in the literature review. The first section of this
chapter discusses the knowledge influences in utilization of data analytics by security
professionals. The second section discusses the motivational factors, such as utility value and
self-efficacy that affect the utilization of data analytics by security professionals. Finally, the
third section of this chapter reviews organizational influences that impacts the implementation of
a security metrics program and a data-oriented organizational culture.
Security Metrics
The term metrics is often used interchangeably with measures and analytics. Metrics are
standards of measurement which provide evidence of performance, effectiveness, and efficiency
of an organization and a critical aspect of today’s management (Campbell, 2014; Enoma &
Allen, 2006; Knoke & Peterson, 2015; Wailgum, 2005). The term metrics is a measurement
based on a reference involving two points, the measure and the reference (Brotby, 2009). Metrics
can be referred to as a gauge on an organization’s dashboard and therefore utilized by security
professionals to identify warning signs, measuring, and preventing various inventory of risks
(Campbell, 2014). Similarly, the National Institute for Standards and Technology (NIST), a non-
regulatory agency which promotes and maintains measurement standards, defines metrics and
measures as the result of data collection, analysis and reporting (Chew et al., 2008). Metrics can
be used to measure the performance and effectiveness and of a physical security program, similar
to various other industries who utilize data analytics to drive decisions.
11
Definition of Security Metrics
Security metrics is defined by Carnegie Mellon University (1995) as metrics focused on
reduction of risks to loss of reputation, theft of information or money, and impact on business
continuity when security defenses are breached. Additionally, Ohlhausen et al. (2014) expanded
on this definition to include the protection of people, property and information. Security metrics
as a system of measurement also focus on the effectiveness of security programs through the
measurement of key performance indicators (Campbell, 2014). Even though the term metrics is
used interchangeably with measures and analytics, this dissertation standardizes on the term
“security metrics” to refer to the process of data collection, analysis and reporting in the field of
physical security.
The measurement of key performance indicators is another component and a critical
factor in a security metrics program. Metrics can facilitate insight into performance and
operations (Knoke & Peterson, 2015). Similarly, Campbell (2009) posited that key performance
indicators are used by organizations to measure their success towards reaching long term
organizational goals. Additionally, performance measurement is used by management teams as a
benchmark to measure effectiveness, identify gaps and plan for improvements (Enoma & Allen,
2006). In the field of physical security, performance measurement relates to performance of
uniformed security staff and identification of gaps which could potentially pose a risk to the
organization. Measurable key performance indicators can help demonstrate the value of the
security program and the significant contribution to providing safety and security to the
organization (Moulton, 2004).
Incorporating a discipline of performance measure among management staff to identify
gaps are important to the overall success of the organization and crucial to the successful
12
delivery of the operations concerned (Varcore, 1996). Therefore, management staff can utilize
the results of performance indicators to analyze past performance to inform the decision making
and resource allocation (Enoma & Allen, 2006). Similarly, measurement of key performance
indicators by security professionals would allow for data-driven decision making and
identification of security program gaps.
History of Security Metrics
Research indicates that the digital transformation of physical security, which includes the
use of data analytics, is at various levels of maturity and at worst a decade behind (Foynes &
Fuller, 2018). Furthermore, the historic disconnection between security programs and core
business functions they serve has created a gap in development of established metrics and
measures in the physical security industry (Campbell, 2014; Ohlhausen et al., 2014).
Additionally, historic use of data analytics by security professionals and established security
metrics programs in the field of physical security is very limited (Campbell, 2014). Therefore,
physical security as an industry is long overdue for a digital transformation (Foynes & Fuller,
2018).
Campbell (2014) provided the most thorough documented security metrics review, as
well as limited research efforts by ASIS International, a prominent organizational in the field of
physical security. However, the lack of available research on security metrics for the field of
physical security, coupled with research indicating nearly 70% of security professionals do not
collect security data (Campbell, 2015) highlights a significant gap in this field and therefore, an
opportunity for the field to embrace utilization of data analytics.
13
Utilization of Data Analytics
Measurement is a key driver in performance (Chupa, 2014, as cited in Knoke &
Peterson, 2015) highlights the importance of measurement to gain results. Utilization of data
analytics enables such measurement to show the effectiveness of a program, identify
performance trends, including gaps, and demonstrate return on investment (Knoke & Peterson,
2015). Similarly, security metrics are vital to measure the effectiveness of a security program,
yet the field of physical security offers few tested metrics or benchmarks (Guidelines and
Metrics Working Group, ASIS Defense and Intelligence Council, 2012, as cited in Ohlhausen et
al., 2014). The limitation in digital transformation of physical security, including the use of data
analytics is a setback for the field (Foynes & Fuller, 2018).
Limited Use of Metrics in the Field of Physical Security
Though there is dearth of literature about metrics in general focused on various
industries, there are existing studies about security metrics in the field of information technology
security (IT security) and limited research in the field of physical security. These studies are
relevant for the field of physical security because both fields have a focus on providing security
to organizations and assets. While the field of physical security has a focus on protection of
organizations, including its employees, assets and brand, the field of IT security is focused on
protection of networks and computer systems from theft and damage (Schatz et al., 2017).
However, physical security and IT security both mitigate risks and respond to incidents (Beck et
al., 2019) and proactive utilization of data analytics to identify and mitigate risks would be
beneficial to both industries.
Even though the available research places an emphasis on criticality of security metrics,
utilization of metrics in the field of physical security is a new phenomenon and appears as an
14
unfamiliar tool to the average security professional (Knoke & Peterson, 2015). Furthermore, the
field of physical security offers limited tested metrics or benchmarks (Guidelines and Metrics
Working Group, ASIS Defense and Intelligence Council, 2012, as cited in Ohlhausen et al.,
2014). In fact, a research conducted by Microsoft and Accenture titled Future of Physical
Security which included a survey of 200 senior physical security leaders found that although
security leaders see the opportunity in digital transformation of physical security, the industry is
at various levels of maturity and a decade behind (Foynes & Fuller, 2018). This confirms the
findings by Payne (2006) which indicated that security metrics are in their early stages of
development, and therefore difficult to design. The lack of availability of research and
knowledge of metrics in the field of physical security has been detrimental to this field and has
contributed to the lack of data-driven decision making.
Data-Driven Decision Making
The notion of utilizing Data-Driven Decision Making (DDDM) in the field of physical
security is originally derived from successful practices in the manufacturing industry such as
Total Quality Management, Organizational Learning and Continuous Improvement (Marsh et al.,
2006). Such processes emphasize that responsiveness to various types of data results in
organizational improvements (Marsh et al., 2006). Similarly, utilization of data analytics and
measurement of security metrics can guide security professionals’ decision- making process. In
fact, metrics are a driving force behind business decisions and behavior (Ohlhausen et al., 2014).
A survey conducted by Luftman et al. (2012) found more than half of executives who
participated in the survey indicated their decision-making process would improve if their
organization incorporated the use of analytics into their practice. Similarly, Enoma and Allen
(2006) argued that analyzing the results of past performance indicators can inform the decision
15
making and resource allocation. Therefore, security professionals can utilize data analytics to
gauge their security programs’ effectiveness by measuring security metrics, key performance
indicators, incident trends (Campbell, 2014) and ultimately guide their decision-making process.
Kiron and Shockley (2011) argued organizations reside in three stages of analytics
utilization cycle: aspirational, experienced, and transformed. Organizations in the aspirational
stage use data analytics sparingly or at times, not at all. Organizations in the experienced stage
utilize data analytics as a tactical tool. However, strategic impact of data analytics to the
organization and change is limited. Transformed organizations utilize data analytics to its full
potential and are able to change their business as needed (Kiron & Shockley, 2011).
In the field of physical security, lack of data-driven decisions can lead to a reactive
decision-making process. Respondents in a survey conducted by Microsoft and Accenture on the
future of physical security reported reactive threat management and intuition-led decision-
making based on subjectivity as two leading challenges facing physical security professionals
(Foynes & Fuller, 2018). The reactive decision making prevents security professionals to be
proactive and therefore places organizations, its employees, brand and reputation at risk (Foynes
& Fuller, 2018). Campbell (2014) argued metrics can directly aid the consideration of options
which leads to making effective and defensible decisions. To reach this stage, organizations must
utilize benchmarking to establish best practices and learning across the organization (Ohlhausen
et al., 2014).
Security Metrics Best Practices
Security metrics best practices can be beneficial to security professionals measuring their
security program’s effectiveness. If defining and collecting metrics is not properly planned, it
can be a challenging (Knoke & Peterson, 2015). As security data is inherently disparate and
16
fundamentally disorderly, such as various types of data relating to tasks, calls for service,
incidents and risks, organizing such disparate data can be challenging (McIlravey, 2009).
Additionally, if the information does not pass the “who cares?” test and there is no need for
consumption of the information, then the data is not relevant (Rathburn, 2009).
Utilization of data analytics allows the security function to ground itself on measurable
results and communicate with leaders of the organization in common business language
(Ohlhausen et al., 2014). However, according to Campbell (2011), the field of physical security
has a challenge communicating the value of security to the organization. Therefore, security
metrics must be meaningful, easily understood and communicate security’s value contribution to
senior management and the organization (Campbell, 2011). The value of the data does not matter
if it cannot be understood by the stakeholders. Without security metrics, security professionals
often rely on their intuition and fail to tell their organization’s story (Ohlhausen et al., 2014).
The use of SMART criteria is another best practice to assess metric value. SMART
metrics are defined as Specific, Measurable, Attainable, Relevant, and Timely (Campbell, 2014;
Knoke & Peterson, 2015; Martin et al., 2011; Ohlhausen et al., 2014; Payne, 2006). If the
specific measures are not properly defined, collected, analyzed and applied, the metrics program
can be a waste of resources to the organization (Knoke & Peterson, 2015). Therefore, security
professionals must prepare to collect and analyze actionable metrics to avoid adding to the noise
such as quantitative data that does not mean anything alone and cannot be used for informed
decision making. Actionable metrics lead to informed decisions, in contrast to vanity metrics
which are metrics that fail to accurately reflect the key drivers of the business (Ries, 2014).
Implementing a centralized reporting system is also critical in building a robust security
metrics program. Campbell (2014) stated that the lack of an effective incident reporting system is
17
a “show-stopper” and must be a priority (p. 12). The use of an incident reporting system has
many benefits such as delivering timely, orderly and accurate security data (McIIravey &
Ohlhausen, 2012, as cited in Ohlhausen et al., 2014). Use of an incident reporting system also
enables data automation which is a factor in determining metric effectiveness (Azuwa et al.,
2012). Most importantly, the use of such systems generates compelling results to identify
potential security vulnerabilities, drive efficiencies, increase cost savings as well as preserving
privacy and security (Foynes & Fuller, 2018).
Clark and Estes’s (2008) Knowledge, Motivation and Organizational Influences’
Framework
This study utilized the Clark and Estes’s (2008) gap analysis model as its conceptual
framework. The Clark and Estes’s (2008) Gap Analysis Framework is a systematic, analytical
method that helps clarify organizational goals and identify the gap between the actual
performance level and the preferred performance level within an organization. The focus of
Clark and Estes’s (2008) framework is on organizational goals, performance gaps, and strategies
for improvement and addresses three primary sources of performance gaps such as knowledge,
motivation and organizational barriers (Clark & Estes, 2008).
Clark and Estes’s (2008) gap analysis process incudes several critical steps. The first step
is defining measurable goals, second, determining gaps in performance, third, hypothesizing
possible causes for those gaps, fourth, validating and prioritizing causes, fifth, developing
solutions, and finally, evaluating outcomes (Clark & Estes, 2008). In gap analysis, potential
causes for performance gaps are studied in the areas of knowledge, motivation and
organizational influences.
18
According to Clark and Estes (2008), the primary cause of problems is often based on
assumptions and may lack careful analysis. As a result, individuals may omit or misdiagnose
critical causes for performance gaps and implement inappropriate solutions. Gap analysis is
designed to avoid creating inappropriate solutions via a thorough study of the potential causes for
performance issues. The implementation and evaluation plan creation is the final step in the gap
analysis process.
This study is designed as an exploratory study following the general steps of gap
analysis. The study’s goal was to identify both assets and needs that impact performance,
specifically, in the field of physical security related to the utilization of data analytics to guide
data-driven decision making. Once the stakeholder goal and competency were determined,
knowledge, motivation and organizational influences that impact stakeholder capacity were
generated based on context-specific as well as general learning and motivation literature. These
influences are presented next.
Security Professionals’ Knowledge, Motivation and Organizational Influences
Clark and Estes’s (2008) Gap Analysis Framework addressed three sources of
performance gap: knowledge, motivation and organizational barriers. The purpose of this section
of the study is to review the literature relevant to knowledge, motivation and organizational
influences pertinent to the stakeholder’s goal of utilizing data analytics to guide data-driven
decision making in the field of physical security by January 2024. The successful completion of
the stakeholders’ goal which is performed by security professionals is impacted by the
knowledge of those security professionals. An evaluation of security professionals’ knowledge
influences is followed by an evaluation of the motivation influences impacting stakeholders’
19
goal. Finally, organizational influences impacting stakeholders’ goal was evaluated to gain a
holistic view of the data analytics performance gap in the field of physical security.
Knowledge Influences
This section reviewed the literature with focus on knowledge-related influences that are
pertinent to exploring stakeholders’ competency of focus, utilizing data analytics to guide data-
driven decisions making in order to measure security program’s effectiveness. There are several
types of knowledge influences that are responsible for affecting a stakeholder’s goal. In order to
explore security professionals’ knowledge about utilizing data analytics in a comprehensive
manner, Krathwohl’s (2002) framework was utilized. Krathwohl (2002) categorized knowledge
into factual, conceptual, procedural, and metacognitive types. Factual and conceptual knowledge
is also referred to as declarative knowledge and represent first and second knowledge dimensions
respectively. Factual knowledge includes knowing the details such as information and facts
relating to a particular area (Anderson & Krathwohl, 2001). The understanding of definitions and
terminology would be considered factual knowledge (Aguinis & Kraiger, 2009). Conceptual
knowledge can be described as more complex, organized knowledge which includes
classifications and categories, principles, theories, models and structures (Krathwohl, 2002).
Procedural knowledge describes how to perform a specific task, criteria for using skills, methods
and techniques (Krathwohl, 2002). Procedural knowledge is also referred to as the third
knowledge dimension (Krathwohl, 2002). Metacognitive knowledge is the fourth and last
dimension of knowledge and is the knowledge of one’s own cognition (Krathwohl, 2002).
Metacognition focuses on self-reflection, self-regulation and self-knowledge of the individual’s
learning (Krathwohl, 2002). Using metacognition, individuals can self-asses their personal
learning process and identify gaps and areas of improvement. Metacognition enhances the
20
transfer of knowledge, coupled with application of new knowledge in the individual’s
environment (Krathwohl, 2002). It is important to explore knowledge in a comprehensive
manner in order to gain a complete understanding of security professionals’ capacity to utilize
data analytics.
Security Professionals’ Foundational Knowledge of Data Analytics
In order to effectively utilize data analytics and make informed decisions, it is important
for security professionals to have the foundational knowledge of data analytics. The lack of
foundational knowledge may translate into ineffective use of data and lead to reactive practices
in identifying security gaps and potential risks. To maximize effective use of data, security
professionals need to have a working understanding of theory of action for data use to
successfully use data to inform their data-driven decision-making process. The theory of action
for data use indicates data alone do not ensure effective use (Marsh & Farrell, 2015). Instead,
this theory states data must be collected, organized and analyzed at which time it will become
information (Marsh & Farrell, 2015). This information combined with stakeholder understanding
and expertise will become actionable knowledge (Marsh & Farrell, 2015).
The definitions, terms and foundational knowledge data analytics can be categorized as
declarative knowledge. The digital revolution has transformed the world and this transformation,
has paved the way to an overwhelming amount of available data to organizations that cannot be
processed at the human level (Foynes & Fuller, 2018). Additionally, data analytics includes the
process of storing data, manipulation of data using various software, and the transfer of data (Wu
et al., 2015). Therefore, in order to be effective in utilizing data analytics, security professionals
will benefit from understanding key terms and principles of data analytics. There is a clear
benefit in understanding and utilizing data analytics. Chen et al. (2014) found 60% of
21
organizations that had a clear understanding of data analytics and utilized it effectively also
improved their efficiency and therefore, financial performance. Therefore, security professionals
who possess a foundational knowledge of data analytics are positioned to effectively collect and
analyze data to inform their data-driven decision-making process.
There are also complex conceptual fundamentals of data analytics which can be
categorized as conceptual knowledge. Such conceptual fundamentals can be divided into four
phases of data processing cycle: data generation, data acquisition, data storage and data analysis
(Chen et al., 2014). In a physical security environment, the data processing cycle would translate
to capturing security calls for service and incidents, collection of such data, storing this data and
analyzing the data to inform security professionals’ decision-making process. Campbell (2015)
found lack of security staff’s understanding of data analytics to be one of the roadblocks to
development of security metrics within security organizations. Additionally, data analytics
environment is complex and presents numerous challenges (Chen et al., 2014). Therefore,
security professionals’ understanding of the declarative knowledge influences such as data
analytics fundamentals enhances the successful adoption and utilization of data analytics to
identify security gaps, potential risks and guides their decision-making process.
Security Professionals’ Knowledge of Data Analysis Process
The process of data collection and analysis requires the knowledge of necessary steps and
best practices to successfully analyze data. The ability to successfully collect and analyze data
would be considered procedural knowledge. It is important for security professionals to
understand the data collection and analysis process in order to effectively collect security data
and carry out analysis to identify performance gaps and risks.
22
In order to be effective in collection and analysis of data, security professionals can
utilize training and development programs related to utilization of data analytics. In a research
conducted by Ohlhausen et al. (2014), of the respondents who reported they were not using
security metrics, 78% stated they would use security metrics if they knew more about the topic
and how to use security metrics effectively, highlighting the lack of procedural knowledge in
effective use of data analytics in this field. Research found that on the job training leads to
greater innovation and tacit skills (Barber, 2004). In fact, training affects both declarative
knowledge and procedural knowledge and may also enhance strategic knowledge such as the
understanding when to apply specific knowledge or skill (Kozlowski et al., 2001; Kraiger et al.,
1993). Similarly, Hopkins et al. (2011) found data is not the biggest obstacle that organizations
experience when faced with adopting analytics. The leading obstacle to adopting analytics was
lack of understanding of data analytics and its use to improve the business (Hopkins et al., 2011).
Therefore, establishment of professional development programs by organizations’ human
resources leaders is critical and will be discussed in the organizational influences section of this
dissertation.
Security professionals’ understanding of the benefits and the value data analytics provide
to identify security gaps and risks is also critical in reaching the goal of utilizing data analytics to
inform data-driven decision making. The use, perceived value and communicability of security
metrics benefits has increased interest in the use of security metrics by security professionals
(Ohlhausen et al., 2014). Therefore, basic knowledge of data analytics is a required component
for effective use and recognizing the value of data analytics. Expertise requires experience which
is developed over time. Hopkins et al. (2011) found that an efficient approach to utilizing data
analytics is the gradual use and analysis of data over time. Additionally, use of visualization
23
tools and dashboards is a best practice to convey the value of data analytics, communicate the
key information and findings to an audience (Campbell, 2014; Campbell, 2015; Hopkins et al.,
2011; Ohlhausen et al., 2014). In a study conducted by Ohlhausen et al. (2014), only 44% of
respondents using security metrics reported using a dashboard tool to communicate the value of
metrics. Therefore, security professionals can benefit from an ability to use such best practices to
communicate the value of security metrics to their colleagues and senior management within
their organizations to enhance the security posture of their environment. Both declarative
knowledge in understanding basic principles of data analytics and procedural knowledge of how
to implement and use data analytics are critical to effective use of data analytics to inform data-
driven decision making.
Security Professionals’ Ability to Reflect on Their Use of Data Analytics to Inform Data-
Driven Decision Making
In order to be effective in utilizing data analytics, security professionals’ self-assessment
of their knowledge is critical. Metacognition refers to an individual’s ability to regulate their
learning which includes self-assessment of their skills, monitoring and evaluating (Medina et al.,
2017). Metacognitive knowledge is the knowledge of individual’s own cognition and includes
strategic knowledge, knowledge regarding cognitive tasks and self-knowledge (Krathwohl,
2002). Security professionals’ self-evaluation of their knowledge can identify potential gaps in
learning and therefore increase security professional’s awareness to seek additional learning.
Metacognition guides individuals’ learning strategies during the learning process and therefore,
individuals are aware of gaps in their knowledge (Krathwohl, 2002). Ultimately, metacognition
can enable security professionals to focus on gaining the knowledge they are lacking.
Additionally, in order to be effective in utilizing data analytics, security professionals need to
24
know to seek help and acquire the knowledge they are lacking. Examples of areas in which
security professionals may need support includes additional training in understanding
foundational knowledge of data analytics as well as critical data analysis processes.
Metacognitive knowledge plays a key role the adoption of declarative knowledge, procedural
knowledge and transfer of learning in data analytics by security professionals. Table 2 represents
a summary of knowledge influences impacting security professionals’ knowledge of utilizing
data analytics.
Table 2
Knowledge Influences
Assumed Knowledge Influence
Knowledge Type
Security professionals’ foundational knowledge of data
analytics.
Declarative
Security professionals’ knowledge of data collection
and analysis
Procedural
Security professionals’ ability to reflect on their use of
data analytics to inform data-driven decision making.
Metacognitive
25
Motivational Influences
In addition to knowledge, motivation is a key influence on performance (Clark & Estes,
2008). Individuals’ motivation is manifested in their active choice, persistence, and mental effort
(Schunk & Pajares, 2006). In order to explore motivational influences, this section reviews
literature with a focus on motivational influences related to stakeholders’ goal of utilizing data
analytics to inform data-driven decision making in the field of physical security. Engagement in
reaching a particular goal as well as cognitive biases in reaching such goal is addressed and
fueled by motivation (Mayer, 2011). Task value, expectancy outcome, self-efficacy, attribution,
and goal orientation are all underlying motivational factors (Clark & Estes, 2008; Pintrich,
2003). The two motivational factor that were examined and correlate with the stakeholders’ goal
are self-efficacy theory and utility value. Learning and motivation is enhanced when a learner
values the task through intrinsic value, extrinsic value, entertainment value or cost value (Clark
& Estes, 2008). Value alone is not sufficient to motivate behavior. Self-efficacy is an
individual’s confidence in achieving a particular goal (Bandura, 2005) and critically contributes
to choice, persistence and mental effort invested in a task.
Security Professionals’ Self-Efficacy
According to Bandura (2005), in order for individuals to engage in tasks, they need to
feel confident in their ability to succeed. This study explored the level of self-efficacy of security
professionals in utilizing data analytics. Self-efficacy theory defines an individual’s level of
expectation in their ability to perform a task (Pajaras, 2006). Therefore, high levels of self-
efficacy results in enhanced learning and motivation (Pajaras, 2006). In contrast, low self-
efficacy can negatively impact learning and motivation. In the context of this study, the degree to
which security professionals feel confident in their ability to succeed in utilizing data analytics
26
has an impact on their likelihood of effectively utilizing data analytics to inform data-driven
decision making. Specifically, self-efficacy predicts security professionals’ likelihood to engage
in utilizing data analytics as well persisting at such task and their investment of efforts.
Security Professionals’ Utility Value
Based on expectancy-value theory, an individual’s level of active choice, persistence, and
mental effort is dependent upon the individual’s perceived value of the outcome (Eccles, 2006;
Rueda, 2011). The two dimensions of the expectancy-value theory are expectancy and value.
Expectancy as the first dimension refers to an individual’s belief in successful completion of a
specific task or goal. Task value is the second dimension of the expectancy-value theory. Based
on the value construct, when an individual attaches value to a task or goal, the individual will be
more likely to engage in the task or goal and eventually completing it (Eccles, 2006; Rueda,
2011). There are four value constructs: intrinsic, attainment, utility and cost value. This study
will focus on the utility value construct. Utility value refers to individuals finding a task relevant
and useful (Eccles, 2006; Pintrich, 2003; Rueda, 2011). In order for security professionals to
effectively utilize data analytics, they need to see value in use of data analytics related to security
metrics. This value could be manifested in enhancing organizations’ security posture, measuring
security operational performance to identify and address security gaps and mitigating risks.
Table 3 represents a summary of motivation influences impacting security professionals’
motivation in utilizing data analytics.
27
Table 3
Motivation Influences
Motivation Construct
Motivation Influence
Self-efficacy
Security professionals’ confidence in their ability to
utilize data analytics
Utility value
Security professionals’ value for utilization of data
analytics
Organizational Influences
In addition to knowledge and motivation influences, Clark and Estes’s (2008) gap
analysis includes organizational influences as one of the three determinants of performance.
Security professionals’ ability to achieve the goal of utilizing data analytics will be impacted by
organizational influences. Performance gaps that are caused by organizational influences include
the lack of efficient organizational work process, and material resources (Clark & Estes, 2008).
Process and material resources are influenced by organization’s culture and climate (Clark &
Estes, 2008). While climate refers to visible procedures and processes of organizations, culture
refers to beliefs, values and rituals within those organizations (Schein, 2004). Organizational
culture is the most important work process in organizations as it dictates how people work
together towards a common goal (Clark & Estes, 2008). Work process barriers include
inadequate, missing policies and processes as well as unavailability of needed tools or materials
(Clark & Estes, 2008). Performance problems occur when organizational goals and policies do
not align with organizational culture (Clark & Estes, 2008).
28
Organizational Climate
In order for security professionals to utilize data analytics to inform data-driven decision
making, their organizations of employment must believe data analytics provides valuable insight
to their business and therefore set the appropriate climate. Ohlhausen et al. (2014) found there is
a lack of understanding by security organizations in optimization of metric value. Similarly,
Davenport and Harris (2010) found organizations that simply report the past performance do not
understand the value of analytics. Organizations need to clearly communicate the value of data
analytics and that use of data analytics is a priority. Organizational cultures that resist the use of
data analytics also fail to improve business strategies and operational efficiencies (Kiron &
Shokley, 2011). Traditionally, security organizations rely on intuition and experience in decision
making. Foynes and Fuller (2018) found reactive threat management and intuition-led decision-
making based on subjectivity as two leading challenges facing physical security professionals
today. This study explored the degree to which security professionals feel that their organizations
embrace data analytics and its benefits.
Leadership Support
There are two cultural setting influences that the study explored in impacting the security
professionals’ capacity to utilize data analytics. The first cultural setting influence is leadership
support of security professionals in utilization of data analytics. Leaders who communicate
organizational goals and vision to stakeholders can produce powerful results (Lipton, 1996).
Therefore, clear communication of benefits and use of data analytics by organizational leaders
can produce a positive impact on the use of data analytics by security professionals. Lipton
(1996) argued managing with a clear vision can enhance performance measures, promote
change, provide a basis for a strategic plan, motivate individuals, and help with the decision-
29
making process in organizations. Therefore, leadership support to utilize data analytics in the
field of physical security can be a key driver to promote change in this field and motivate
security professionals to implement and embrace security metrics to inform their data-driven
decision-making process. Additionally, leaders’ support in ensuring employees have the
adequate resources need to achieve the organization’s goal increased organizational effectiveness
(Waters et al., 2003). Leaders are responsible for providing resources such as training, funding
and structure to prepare security professionals for success. Establishment of professional
development programs by organizations’ human resources leaders is critical to support the digital
acumen of organizations and provide the knowledge and the necessary skills required (Halaweh
& Massry, 2015). Research found there is a correlation between meeting employees’ resource
needs and increased learning outcomes (Waters et al., 2003). Leaders’ support in use of data
analytics enables security professionals to successfully achieve their performance goal.
Provision of Resources
The second cultural setting influence is organizations’ need to provide adequate resources
to support the collection and analysis of data. Resources include systems, application, head count
as well as related training to support security professionals’ technology acumen development.
The success of organizational development is dependent upon preparing people to handle its
unique challenges (Clark & Estes, 2008). Additionally, the use of technology such as incident
reporting systems have several benefits to accurately capture security data (McIIravey &
Ohlhausen, 2012, as cited in Ohlhausen et al., 2014). Therefore, availability of such resource is a
pre-requisite to effective utilization of analytics. Using information derived from data analytics,
organizations reported improvement within their business processes (Kiron & Shockley, 2011).
Therefore, availability of resources is critical to successfully achieve stakeholder’s goal.
30
Additionally, organizations need to support security professionals’ development of technology
acumen and facilitate adequate training in effective use of data analytics. Table 4 contains a
summary of the organizational influencers impacting security professionals’ motivation in
utilizing data analytics.
Table 4
Organizational Influences
Organizational Influence Category
Organizational Influences
Cultural model influence 1
Organizations must believe data analytics
provides valuable information to the business.
Cultural setting influence 1
Leaders must support the utilization of data
analytics in the workplace.
Cultural setting influence 2
Organizations need to provide adequate
resources to support the collection and analysis
of data.
31
Conceptual Framework
A conceptual framework is a presentation of key ideas in a study and the relationship
among them (Maxwell, 2013). A framework is also the underlying structure of the study
consisting of concepts and theories which inform the study (Maxwell, 2013). This study’s
conceptual framework is derived by from Clark and Estes’s (2008) Gap Analysis Framework.
Clark and Estes’s (2008) Gap Analysis Framework indicates performance problems can be
identified and addressed by assessing stakeholder gaps in knowledge, motivation and
organizational influences. The conceptual framework for this study describes security
professionals’ knowledge, motivation and organizational influences impacting their utilization of
data analytics. Figure 1 depicts the conceptual framework used in this research study.
Figure 1
Conceptual Framework
Note. Conceptual framework adapted from Marsh, Pane and Hamilton (2006)
32
The conceptual framework in Figure 1 depicts the interaction between knowledge,
motivation and organizational influences impacting security professionals in utilizing data
analytics to inform their decision-making process. This conceptual framework was adapted from
Marsh et al. (2006) to organize the relationship between security professionals’ KMO influences
and data-driven decision making while utilizing data analytics.
The utilization of data analytics in the field of physical security is impacted by security
professionals’ knowledge, motivation and organizational influences. Those influences directly
impact security professionals’ decision-making process. The conception of data-driven decision
making may be informed by several types of data in the field of physical security such as
security calls for service, incidents, investigations, guard tour inspections, risk assessment and
security satisfaction data. Furthermore, this conception indicates the existence of data alone is
not useful. Once data is collected, the next step is to organize and combine data with
understanding of the situation through analysis to yield information (Marsh et al., 2006). When
data users synthesize the information, apply their judgement and weigh merits of possible
solutions, information becomes actionable knowledge (Marsh et al., 2006). Finally, actionable
knowledge can inform security professionals’ decisions. Such decisions include security
deployment changes based on incident data, allocation of resources based on security calls for
service, and remediation of security gaps found through risk assessment. Marsh et al. (2006)
found decision can fall into two categories, such as decisions that use data to inform, identify or
clarify and those that use data to act. The decision to act triggers new data collection to assess the
effectiveness of those actions and therefore leads to the continuous cycle of data collection,
organization and synthesis to support decision making (Marsh et al., 2006). This conceptual
framework also recognizes that data-driven decision making is impacted by both security
33
professionals and the field of physical security. Therefore, the adoption of this process within
both the field and security professionals is critical for successful achievement of the field and
stakeholder goals.
Summary
The literature review found the field of physical security is trending behind many
industries in utilization of data analytics, despite the many benefits the use of data analytics
presents. Additionally, existence of a security metrics program demonstrates the value of the
security program and the many contributions to the organization (Moulton, 2004). The limitation
in utilization of data analytics creates a reactive approach to physical security and risk
mitigation. Reactive threat management and intuition-led decision-making based on subjectivity
as two leading challenges facing physical security professionals today (Foynes & Fuller, 2018).
Clark and Estes’s (2008) Gap Analysis Framework was used to assess knowledge, motivation
and organizational influences impacting security professionals use of data analytics.
Furthermore, the conceptual framework provided a visual understanding of the relationship
between KMO influences and data-driven decision making, recognizing the impact by both the
field of physical security and security professionals.
34
Chapter Three: Methodology
Chapter three of this dissertation outlines the methodology used during the data collection
process. This research study focused on security professionals’ knowledge, motivation and
organizational influences related to utilization of data analytics to inform data-driven decision
making. The first section of this chapter discusses the overview of methodology and design,
followed by data collection instruments and analysis plan. Next, the ethics and role of researcher
impacting the study will be discussed. Finally, the possible limitations and delimitations of the
study is reviewed.
Research Questions
The following research questions guided this study:
1. What is the security professionals’ knowledge in the context of using data analytics to
inform data-driven decision making?
2. What is the security professionals’ motivation in the context of using data analytics to
inform data-driven decision making?
3. How do the organizational context and culture either facilitate or hinder their efforts in
implementation and use of data analytics?
Overview of Methodology
This study used a mixed methodological design method using interviews and surveys to
answer research questions. Mixed methods combine the use of qualitative research (open-ended
data without predetermined responses) and quantitative research (close-ended responses found
on questionnaires) in a research study (Creswell, 2018). The mixed methods’ approach is
advantageous compared to either qualitative and quantitative research alone in that mixed
methods research draws on both qualitative and quantitative data, and therefore neutralizes the
35
weaknesses in both methods by triangulating the data and checking for validity among findings.
(Creswell, 2018). Thus, mixed methods research provides a significant enhancement compared
to both qualitative and quantitative research studies (Creswell, 2014). Specifically, in this study,
an explanatory sequential mixed method design was used to collect survey and interview data. In
an explanatory sequential mixed method design, the quantitative data are collected first, followed
by qualitative data (Creswell, 2018).
The size of the “X” in Table 5 (survey and interview columns) indicates the amount of
emphasis on survey questions with the respective data collection instrument. In regard to survey
questions, increased emphasis was placed on self-efficacy and utility value, while the interview
questions were designed to place increased emphasis on declarative, procedural and
metacognitive knowledge, as well as organizational influences such as cultural models and
cultural settings.
Table 5
Data Sources
Study Questions
Survey
Interviews
What is the security professionals’
knowledge in the context of using data
analytics to mitigate risks?
x X
What is the security professionals’
motivation in the context of using data
analytics to mitigate risks?
X x
How do the organizational context and
culture either facilitate or hinder their efforts
in implementation and use of data analytics?
X X
36
Data Collection, Instrumentation and Analysis Plan
The data collection process in this study includes the use of interviews and survey
related to utilization of data analytics. Data collection is necessary to obtain information that
provides answers to important research questions (Johnson & Christensen, 2015). Interviews and
survey were selected as instruments for this research study as the best mechanism to understand
knowledge, motivation and organizational factors influencing the utilization of data analytics in
the field of physical security. Utilization of both methods provides triangulation of data which
allows for substantiation of the findings by comparing results (Merriam & Tisdell, 2016).
Additionally, use of data collection instruments keeps focus on research questions as well as sets
boundaries for the study (Creswell, 2018). The purpose of data collections instruments is to
gather information on knowledge, motivation and organizational influences of security
professionals on utilization of data analytics based on Clark and Estes’s (2008) gap analysis.
Survey
The first data collection instrument in this study was the use of survey which was
administered prior to the interview stage of this study. A list of survey questions is included in
Appendix A of this study. Creswell (2018) indicates a survey is the study of a population sample
which provides quantitative description of trends attitudes and opinions of that population.
Furthermore, there are three questions that are answered using survey designs: descriptive
questions, questions on relationships between variable, and questions on predictive relationships
between variables over time (Creswell, 2018). The goal of survey as a data collection instrument
in this study was to conduct a survey of security professionals to understand their knowledge,
motivation and organizational influences in utilizing data analytics to inform data-driven
decision making.
37
Participating Stakeholders
The target population for the survey was physical security professionals in a management
role such as managers, directors, vice presidents and chief security officers. The target sample
size was 50-75 participants, and the participants were recruited by purposeful sampling via
several prominent security organization blogs online such ASIS International, International
Security Management Association (ISMA) and the use of researcher’s network in the physical
security community on LinkedIn. Security professionals who were willing to participate in the
survey were provided a Qualtrics link to complete the survey. Qualtrics is an online application
that collects survey responses anonymously and protests the confidentiality of participants
(Pazzaglia et al., 2016). Additionally, all participants who took the survey were invited to
participate in an interview by submitting their contact information through the Qualtrics link not
connected to their survey responses.
Instrumentation
Survey protocol is used to collect quantitative data, are relatively easy to administer and
provide data quickly (Creswell, 2018). This mixed method study utilized both survey and
interviews to answer the research questions. Using both methods provide triangulation of data
and allows to substantiate the results by comparing both data sets (Marriam & Tisdell, 2016).
The survey questions are related to the three research questions in this study as well as Clark and
Estes’s (2008) Gap Analysis Framework to understand KMO factors. The key constructs that
were examined using the survey questions include declarative and procedural knowledge,
metacognitive strategies, self-efficacy and utility value, and organizational influences. To
address the first research question, survey questions were designed to preliminary understand
security professionals’ knowledge in use of data analytics to inform data-driven decision making.
38
Additionally, an emphasis was placed on research questions two and three using survey
questions to understand security professionals’ motivational influences and organizational
culture and context in utilizing data analytics to inform data-driven decision making. The survey
questions for motivational influences were adapted from existing valid and reliable motivation
scales.
Data Collection Procedures
The survey was created in Qualtrics and the survey link was distributed online via
physical security blogs and LinkedIn post to recruit participants, as well as emails with a 14-day
response window. Online surveys are helpful to accelerate and improve the research process
(Creswell, 2018). Additionally, online surveys help facilitate data collection and analysis,
therefore reducing errors and accelerate hypothesis testing (Creswell, 2018). The survey
designed for this study included an introductory message indicating the goal of the study and
approximate time of completion. The self-administered survey was easily accessible via a
desktop or a mobile device online and took approximately five minutes to complete. There were
22 survey questions directly related to the research questions, including two questions regarding
demographic data. Demographic data such as tenure in the field of physical security and position
were collected as part of the survey in order to determine whether any differences exist in
security professionals’ knowledge, motivation or perception of organizational influences based
on those factors. There were 19 multiple choice questions including Likert-type items based on a
four-point scale as well as two open ended questions. Multiple choice surveys are easy to use and
analyzed due to the consistency in responses (Fink, 2013). Additionally, reminders were sent to
the participants who were recruited via email to complete the survey on the seventh day of the
14-day response window as well as reposting of the survey link on physical security blogs and
39
LinkedIn. The participants were assured the survey responses would remain anonymous and
information provided for this study would not be identifiable. Finally, survey data was collected
via Qualtrics application by generating various available survey reports on the application.
Data Analysis
Quantitative data analysis was utilized in this study to interpret and provide context to the
collected data via survey. An interpretation of quantitative data includes drawing conclusions
from the results for the research questions as well as hypotheses and meaning of the results
(Creswell, 2018). The quantitative data analysis process commenced upon collection of
quantitative data via closed-ended items from the survey. Data analysis includes the use of
descriptive statistics such as mean, median and mode to analyze data collected via surveys
(Salkind, 2017). Additionally, percentage, mode and frequency of collected data was calculated
as majority of the survey questions in this study included closed-ended ordinal items. The
findings were reported both in the narrative format as well as displayed via tables and figures.
The open-ended survey items were coded and tallied suing ATLAS.ti software. The open-ended
survey items were coded and categorized via the same coding process as the qualitative
interviews. The survey was administered through Qualtrics and the data was analyzed via
reporting functions provided by in this application. The data was analyzed via a data set based on
security professionals’ responses to analyze the means and standard deviations and use of
existing valid and reliable motivation scales. Survey results were analyzed using descriptive
statistics to find patterns to identify the semi-structured interviews that followed. The analysis of the
survey data provided additional insight regarding security professionals knowledge, motivation and
organizational influences in using data analytics to inform data-driven decision making.
40
Validity and Reliability
Validity and reliability are crucial to ensure the integrity of the study. Reliability is the
consistency in results of measurement (Salkind, 2014). Validity and reliability also include the
process in which the data is collected, analyzed, and interpreted, and the presentation of findings
(Merriam & Tisdell, 2016). In order to ensure reliability, the survey questions were reviewed by
several security professionals from the target population who will not participate in the survey to
ensure wording of survey questions are unambiguous and can be interpreted consistently.
Validity is defined by Salkind (2014) as the property of an assessment tool indicating the results
of the tool are valid. There are several threats to validity such as internal validity threats and
external validity threats that questions the outcome of the study and therefore the study must be
designed to minimize those threats (Creswell, 2018). To address internal validity, this study used
triangulation during the data analysis process by collecting two different sets of data. Merriam
and Tisdell (2016) posited triangulation as a strong tool to address internal validity. Content
validity is established by reviewing survey with subject matter experts (Salkind, 2014). To
ensure content validity, survey questions were reviewed by dissertation chair and committee
members of this study.
Interviews
Interviews are one of two data collection instruments for this study. Interviews in
qualitative research can be described as a conversation between a researcher and participant,
focused on research study questions (Merriam & Tisdell, 2016). Interviews are commonly
carried out person-to-person where one person elicits information from another (Merriam &
Tisdell, 2016). The goal of interviews as a data collection instrument in this study was to
interview eight security professionals currently employed in the field of physical security to
41
understand their knowledge, motivation and organizational influences in using data analytics to
inform data-driven decision making. The interviews were semi-structured with open-ended
questions to evoke meaningful conversations about use of data analytics. In a semi-structured
interview, questions are flexible, or the interview includes less structured questions (Merriam &
Tisdell, 2016). During the interview, additional measures were carried out to ensure data
integrity such as audio recording, taking notes, and asking follow up questions. Use of follow up
questions allows the researcher to clarify the information received (Merriam & Tisdell, 2016).
Appendix B provides a list of questions asked during the interview.
Participating Stakeholders
The stakeholders of focus in this study were physical security professionals in a
management role such as managers, directors, vice presidents and chief security officers. Their
specific capacity to utilize data analytics to inform their decision-making process was the focus
of the interview. Stakeholders’ vision and strategies impacts the physical security field goal to
proactively identify security gaps and mitigate security risks by utilizing data analytics.
Performance goals cannot be reached if stakeholders’ support is absent (Kogler et. al, 2009). The
target population was recruited by purposeful sampling via an initial survey sent to security
professionals. Purposeful sampling is based on the assumption that the researcher has a goal to
gain insight in a particular subject and therefore must select a sample that such insight can be
learned (Merriam & Tisdell, 2016). All participants who take the survey were then invited to
participate in an interview by submitting their contact information via Qualtrics link not
connected to their survey response.
Selected participants were security professionals (in a security management role) in the
field of physical security. Additionally, a network sampling strategy was utilized to locate
42
participants who meet the criteria of a security professional. Network sampling involves locating
key participants who meet the defined criteria, by asking early interview participants for a
referral (Merriam & Tisdell, 2016). The goal of interviews was to locate, and interview eight
security professionals currently employed in the field of physical security in-person or in a
virtual setting, if in-person format is not suitable. Security professionals were located using
networking sites such as LinkedIn and professional security organization blogs such as ASIS
International, and International Security Management Association (ISMA).
Instrumentation
Interview protocol was used to collect qualitative data. Qualitative interviews consist of
open-ended questions to obtain in-depth information regarding participants’ beliefs, knowledge,
reasoning, motivation and feelings regarding a topic (Johnson & Christensen, 2015). Krueger
and Casey (2009) indicate the effective interview items are those that are clear, short, open
ended, easy to say and evoke a conversation. The interview questions were focused on
understanding the knowledge, motivation and organizational influences around using data
analytics to inform data-driven decision making in the field of physical security. These questions
were aligned with Clark and Estes’s (2008) gap analysis which was used as the conceptual
framework for this research study. The interview questions were designed to understand the
security professionals’ knowledge of data collection, analysis and reporting in the field of
physical security. Additionally, questions regarding motivation of security professional in using
data analytics and the value of security metrics was administered. Finally, a set of questions
regarding organizational influences in implementing a security metrics program was
administered to understand organizational related barriers and support.
43
Data Collection Procedures
Each participant was interviewed once, in a 30-minute interview session. A detailed
interview guide was utilized to ensure participants have a clear understanding of the interview
process and what to expect. Participants were asked for their permission to record the interview
via an audio recording device for transcription. Weiss (1994) indicates recording interviews
allows the interviewer to stay focused on the interview, knowing that if they miss any content, it
can be retrieved via the recording. Participants were also advised that the recording is transcribed
and anonymized. The interviews were conducted in a private setting and virtually via Zoom (an
online application to facilitate meetings) and was recorded with participants’ permission.
Recording via Zoom also allows for transcription which was useful during the data analysis
phase.
Data Analysis
In addition to quantitative data analysis, qualitative data analysis was also utilized in this
study to interpret and provide context to the collected data via interviews. Qualitative data
analysis provided meaning to the previously collected data and is a dynamic process which includes
coding, categorization of data and identifying themes (Merriam & Tisdell, 2016). The coding and
categorization for this study was linked to KMO influences indicated in the research questions and
the conceptual framework. The knowledge influences included declarative, procedural and
metacognitive; motivational influences included self-efficacy and utility value and organizational
influences included cultural model and cultural setting. Each interview was transcribed and prepared
for analysis once collected. Upon generating the audit trail and reflection memos, interviews were
coded for further analysis. The focus of the coding in support of the conceptual framework was
placed on knowledge and motivation of the security professionals and organizational influences to
44
discover emerging themes identified by data analysis. Finally, the qualitative theme and the
quantitative responses were compared and contrasted in an effort to triangulate the data.
Credibility and Trustworthiness
When conducting a study, trustworthiness of the research is paramount as the results of
the study may impact people’s lives (Merriam and Tisdell, 2016). The credibility and
trustworthiness of a study indicated the study was conducted in a rigorous and ethical manner
(Merriam and Tisdell, 2016). Additionally, the trustworthiness of the data is also tied to the
trustworthiness of the researcher who collects and analyzes data (Merriam & Tisdell, 2016). The
credibility and trustworthiness of this study was addressed by outlining the procedures and
guidelines clearly. This included keeping a journal to provide further reflection based on the
interview responses. Additionally, triangulation was utilized to increase the credibility of the
study. Collection of rich, thick descriptive data during the interviews and full transcriptions was
another strategy to ensure the data credible and trustworthy (Creswell, 2018), which was carried
out in this study.
Ethics and Role of Researcher
Researchers are responsible for conducting studies in a professional and ethical manner
and to protect participants from harm as well as protection of involved institutions (Creswell,
2014; Merriam & Tisdell, 2016). To ensure researchers conduct studies in an ethical manner,
entities such as governments, universities and professional societies have created a set of formal
code of ethics (Ruben & Ruben, 2012). Additionally, research institutions have established
institutional review boards (IRBs) and formal committees to approve or disapprove research
proposal (Ruben & Ruben, 2012). As the principal investigator of this study, the researcher
seeked approval from University of Southern California’s IRB to ensure the study is conducted
45
in an ethical manner and without harm to the participants. Furthermore, no data was collected
prior to University of Southern California’s IRB approval. In order to conduct this study in a
responsible and ethical manner, four principles defined by Ruben and Ruben (2012) were
followed: treat participants with respect, honor promises, do not pressure, and do not harm the
participants. All participants in this study were treated with respect, were not pressured to take
part in the study, promised of anonymity are honored and participants were not harmed.
Additionally, an information sheet for exempt studies (Appendix C) set forth by University of
Southern California’s IRB was completed for this study and provided to interview participant in
advance of the interview session. Participants were advised that the study is voluntary,
participants could withdraw at any time during the survey or interview protocols, and all
information collected were kept confidential and secured (Glesne, 2011; Ruben & Ruben, 2012).
During the interviews, participants were asked for permission to record the interview session in
advance.
Remaining neutral in the data collection efforts is an important factor (Creswell, 2014;
Marriam & Tisdell, 2016). All data files in paper-based documentation and digital format were
archived and all personal identifiable information of the participants were removed. Data files in
paper and digital format were stored in locked storage, both physically and electronically. Digital
files were stored in cloud-based storage with two-factor authentication for retrieval. Principal
researcher’s interest in the results of this study was to identify knowledge, motivation and
organizational influences of security professionals in utilization of data analytics to inform data-
driven decision making. Therefore, the evaluation of these influences helped to identify
performance gaps and potential opportunities for improvement. The researcher must be mindful
of any power imbalances in the study (Creswell, 2014). The principal researcher was a security
46
professional in the field of physical security and received no direct personal benefit from this
study. The study served as a professional interest to the principal researcher to further contribute
to the success of security professionals and field of physical security. Any potential bias arising
from the principal researcher’s role as a security professional was addressed by using a mixed-
method study and use of anonymous survey design. Additionally, peer reviews of the study were
conducted to identify any biases or assumptions overlooked by the principal researcher.
47
Chapter Four: Results and Findings
Chapter Four presents the results and findings of this study. The purpose of this study
was to evaluate the assets and needs impacting security professionals’ utilization of data
analytics in the field of physical security. The findings for this study are comprised of
quantitative data (surveys) and qualitative data (interviews) regarding the assumed knowledge,
motivation and organizational influences impacting security professionals’ utilization of data
analytics. The research questions that guided the study were as follows:
1. What is the security professionals’ knowledge in the context of using data analytics to
inform data-driven decision making?
2. What is the security professionals’ motivation in the context of using data analytics to
inform data-driven decision making?
3. How do the organizational context and culture either facilitate or hinder their efforts in
implementation and use of data analytics?
The explanatory sequential mixed method research design was utilized: first, the survey was
distributed amongst security professionals and data collected, followed by the qualitative phase
of the study. During the quantitative phase of this study, the survey was shared within the
physical security community via online blogs of several prominent security organizations as well
as researcher’s own network in the physical security community via LinkedIn. In total, 258
survey results were received, and upon completion of the quantitative phase, seven security
professionals who expressed interest to take part in the qualitative phase of this study were
interviewed.
48
Participating Stakeholders
The participants for this study were security professionals in the field of physical security
and recruited online via several prominent security organizations’ blogs and online communities.
The participants represented various positions and a wide range of tenure within the field of
physical security. Participation in both the quantitative and qualitative phases of this study was
voluntary.
Survey Participants
During the quantitative phase of this study, on September 5, 2020, the survey recruitment
flyer including the survey link with an explanation of the study’s purpose and eligibility was
posted on several online blogs such as community.asisonline.org and communities of prominent
security organizations. Additionally, the survey recruitment flyer was posted on LinkedIn.com
where it was shared amongst a network of physical security professionals. Survey participation
included security professionals from the United States and 43 other countries globally (Appendix
E).
The survey officially closed on October 25, 2020, prior to the first qualitative interview.
The survey was completed by 258 participants with various tenure in the physical security field.
The majority of respondents held a tenure of more than 10 years (77.2%), followed by seven to
10 years (9.6%), one to three years (7.2%) and four to six years (6.0%). The majority of
respondents held a position as a Manager (33.6%) in the physical security field, followed by
Director (22.0%), and Chief Security Officer (10.4%). To maintain the confidentiality of the
survey participants, no further demographics are provided. A more comprehensive demographics
table can be found in Table 6 below.
49
Table 6
Demographic Characteristics of Participants (Survey)
Characteristics
n %
Security tenure (N = 250)
1-3 years
4-6 years
7-10 years
10+ years
18
15
24
193
7.2
6.0
9.6
77.2
Position (N = 250) Manager
Director
Chief Security Officer
Other
Consultant
Vice President
CEO
Supervisor
Advisor
Analyst
84
55
26
26
16
15
13
7
4
4
33.6
22.0
10.4
10.4
6.4
6.0
5.2
2.8
1.6
1.6
Interview Participants
During the qualitative phase of this study, seven participants were randomly selected for
the qualitative interviews from a list of participants who had volunteered upon completing the
survey. All interviews were completed individually during November 2020. All participants
were provided an information sheet for exempt research (Appendix C), outlining the purpose,
participant involvement, and confidentiality.
All seven participants held a tenure of more than 10 years in the field of physical
security. All participants held security management positions as security professionals ranging
from manager to chief security officer and majority of the participants had 10 years or more of
50
experience utilizing data analytics in their field. Table 7 presents the demographic characteristics
of the qualitative interview participants.
Table 7
Demographic Characteristics of Participants (Interviews)
Tenure
Position Data Analytics Experience
Participant # 1
Participant # 2
Participant # 3
Participant # 4
Participant # 5
Participant # 6
Participant # 7
10+ years
10+ years
10+ years
10+ years
10+ years
10+ years
10+ years
Director
Director
Vice President
Chief Operating Officer
Vice President
Manager
Chief Security Officer
10+ years
10+ years
7-9 years
10+ years
7-9 years
10+ years
10+ years
51
Research Question 1: What is the Security Professionals’ Knowledge in the Context of
Using Data Analytics to Inform Data-Driven Decision Making?
For this study, three knowledge influences were assessed for security professionals
regarding their utilization of data analytics: declarative, procedural and metacognitive. For
declarative knowledge, this study assessed whether security professionals had the foundational
knowledge of data analytics via qualitative interviews. In order to effectively utilize data
analytics, it is important for security professionals to have a foundational knowledge of
collection and analysis of data. Additionally, assessment of whether procedural knowledge was
present for security professionals to know how to engage in collection and analysis of data was
conducted. Lastly, this study assessed security professionals’ metacognitive knowledge in
whether they had the ability to self-evaluate their knowledge of data analytics to identify
potential gaps in learning and therefore, increase their awareness to seek additional learning.
The standard of asset and gap for the knowledge influences was determined by analyzing
the results (quantitative) and thematic findings (qualitative), indicating the level of knowledge
for utilization of data analytics. For qualitative findings regarding knowledge influences, if five
out of seven participants reported a high level of knowledge, this influence was coded as an
asset. Participant responses less than five would constitute a gap. For quantitative results, this
study used a mean of 3.3 on a four-point scale or better as the standard of categorizing the
knowledge influences as an asset. Therefore, a mean of 3.2 or lower would constitute a need in
this study.
Security Professionals Possess a Shared Understanding of Security Metrics
Security professionals’ understanding of security metrics and the foundational knowledge
of what they are intended to do are critical in utilization of data analytics. As part of the
52
qualitative interviews, participants were specifically asked if they could describe security metrics
in their own words. As illustrated in Table 8, all seven participants were able to offer a definition
of security metrics. After analyzing the findings, a theme emerged that all seven participants had
a shared meaning to describe security metrics as security-related data used to measure and
improve security programs. Additionally, another theme emerged as several participants offered
more specific definitions of security metrics to include the type of security data that is more
frequently collected. Participant #1 stated,
We could be looking at, I think any kind of data, right, that we can capture, whether it be
through video analytics, right, where you're looking at things like that, that could be
trends and things that come out of case management system, you know, something as
simple as volumes, trends, it could be intelligence that we get in terms of alerting whether
it be from third party sources or through our own.
Similarly, other participants described the types of data as “the number of responses to
disturbances,” “Means to quantify risk and quantify the ability to respond to those risks,” and
“Key performance indicators.” All participants offered a description of security metrics as
security data that is utilized to mitigate risk, to drive security program improvements, measure
performance and to reach security program goals. The participants’ definition of security metrics
is in line with the findings during the literature review of this dissertation defining security
metrics as metrics focused on reduction of risk, protection of organization, and a system of
measurement focused on the effectiveness of security programs (Campbell, 2014; Carnegie
Mellon University, 1995; Ohlhausen et al., 2014).
53
Table 8
Security Professionals’ Responses to Definition of Security Metrics
Role
Security Metrics Definition
Participant #1
Director
“So, any data associated with the security program that could
be leveraged in an aggregate, I think, to either be used for
data for transformation of the security program or to leverage
in the security program in terms of aggregating that data.”
Participant #2
Director
“The number of responses to disturbances, it may be made it
could be a whole host of different things from those metrics
what I'll do is I'll grab that information, try to analyze it, and
then make decisions of how can I intervene, or change or
improve the processes in place to reduce the number of
injuries to healthcare workers.”
Participant #3
Vice President
“For me, security metrics are a means to quantify risks and
quantify the ability to respond to those risks in a meaningful
way where you can set certain targets based on your strategies
and assess as to whether you are making progress or whether
the metrics lead you to a different conclusion and you have to
adjust downstream.”
Participant #4
Chief Operation
Officer
“[It’s] any type of security data to really gauge the
effectiveness of security measures. When it comes to
mitigating threats prevention of known or unknown threats
and really ways and again there are many different security
metrics, but just ways where we can really gauge how
effective the security program is.”
Participant #5 Vice Present “I guess the measurement of, goals against, or the
measurement achievement against goals, like, like how stuffs
handled. Like for us in metrics, we set goals, and we look at
how, I guess measuring against the goal, seeing how we're
doing on a time-by-time basis.”
54
Table 8 (Continuation)
Security Professionals’ Responses to Definition of Security Metrics
Role
Security Metrics Definition
Participant #6
Manager “So, I would say metric is one that is, of course related to
security. But yet is brings about something that is actionable,
right? So sometimes we see a lot of metrics being designed
and followed that are not actionable. So, a metric should be
something that is not only related to security, but also one that
can drive a solution or let you know what's going on or help
identify potential gaps in the security of a program or site.”
Participant #7
Chief Security
Officer
“For us it's a measurement of two things, one what are we
doing so that we know the quantity. And then it's also a
measurement of how we're actually performing so the quality
of the work that we're doing.”
Security Professionals Lack a High Level of Mastery in Data Analytics’ Utilization
The knowledge influence survey items measured participants’ responses on a four-point
Likert-scale ranging from “not at all familiar,” “slightly familiar,” “moderately familiar,” and
“extremely familiar.” Descriptive analysis was conducted and includes frequencies which
measured the knowledge influences. Additionally, this study used a mean of 3.3 or better as the
standard of categorizing the knowledge influences as an asset. Therefore, a mean of 3.2 or lower
would constitute a need in this study. Participants reported a low level of procedural knowledge
in utilization of data analytics (M = 3.1; SD = 0.6; n = 239). The knowledge influence survey
results are presented in Table 9.
Collection of security data emerged as the area in which the levels of familiarity reported
are the highest (M = 3.3; SD = 0.7; n = 246). The data suggested that almost half of participants
55
(46.9%) indicated their familiarity as “extremely familiar” in collection of security data (e.g.,
performance, turnover, budget, calls for service, incidents and risk assessment). Although
statistical significance tests were not run, it appeared that collection of security data could
emerge as the area in which the participants had the highest level of knowledge.
Knowledge of data analysis process and effective use of tools and applications emerged
as the area in which the lowest levels of familiarity were reported. The data suggested that
participants possessed the lowest level of familiarity with knowledge of data analysis process (M
= 2.9; SD = 0.8; n = 250) with only 20.6% of participants indicating their familiarity as
“extremely familiar” in this area. Additionally, only 27.7% of participants reported their
familiarity as “extremely familiar” with the use of tools and applications that are often utilized to
collect and analyze data, indicating a low level of familiarity in this area (M = 2.9; SD = 0.9; n =
248). Although inferential analytics were not implemented, it appears that there may be
statistically significant differences between the familiarity in collection of security data (M = 3.3,
SD = 0.7) versus analysis and utilization of data (M = 2.9, SD = 0.8). The knowledge influence
survey results related to knowledge of data analysis and utilization of analytical tools and
applications are presented in Table 9.
The data also suggested participants lack a high level of mastery in utilization of security
metrics and the use of analytical graphs. As illustrated in Table 9, 63.1% of participants indicated
they are either “not at all familiar,” “slightly familiar,” or “moderately familiar” in utilizing
security metrics, while 36.7% of participants reported they were “extremely familiar” in this
area. Similarly, 61% of participants reported they are either “not at all familiar,” “Slightly
familiar,” or “Moderately familiar” in use of analytical graphs, while 38.7% of participants
reported their familiarity as “Extremely familiar” in this area.
56
Table 9
Distribution of Participant Responses to Knowledge Items (1 - 4 scale)
Survey Item
Mean
SD Response
n %
How familiar are you with the
following?
• Data analysis process
(N = 247)
2.9
0.8
Not at all familiar
Slightly familiar
Moderately familiar
Extremely familiar
10
54
132
51
4.0
21.8
53.4
20.6
• Utilization of security
metrics (N = 245)
3.1 0.8 Not at all familiar
Slightly familiar
Moderately familiar
Extremely familiar
6
48
101
90
2.4
19.5
41.2
36.7
• Collection of security
data (N = 243)
3.3
0.7
Not at all familiar
Slightly familiar
Moderately familiar
Extremely familiar
4
28
97
114
1.6
11.5
39.9
46.9
• Tools and applications
that are often used to
collect and analyze data
(N = 245)
2.9
0.9
Not at all familiar
Slightly familiar
Moderately familiar
Extremely familiar
13
59
105
68
5.3
24.0
42.8
27.7
• The use of analytical
graphs (N = 245)
3.2 0.8 Not at all familiar
Slightly familiar
Moderately familiar
Extremely familiar
7
36
107
95
2.8
14.6
43.6
38.7
During the quantitative phase of this study, an additional survey item associated with
organizational influences emerged as being related to knowledge influences. Participants who
responded they currently do not perform data analysis were asked to identify barriers in using
57
security metrics in their organization. This question was posed in a multiple-choice format. As
illustrated in Table 10, participants reported lack of knowledge as the primary barrier in utilizing
security metrics by security professionals. Response answer “Lack of knowledge” was selected
43 times (25.2%) by respondents, indicating a gap in knowledge as a barrier for security
professionals who currently do not collect or analyze security data. Similarly, survey results
indicated security professionals who currently utilize data analytics, lack a high level of mastery
in certain areas (data analysis process and use of tools/application).
Table 10
Distribution of Participant Responses to Organizational Influence Items
Survey Item
Response
n %
What are the barriers in using
security metrics in your
organization? (N = 170)
Lack of knowledge
Lack of resources
Organizational resistance to change
Individual resistance to change
Lack of leadership support
Other
43
42
27
23
22
13
25.2
24.7
15.8
13.5
12.9
7.6
58
During the qualitative interviews, in order to gauge their procedural knowledge of
utilizing data analytics, participants were asked to describe how they use security metrics within
their organization and how security metrics are used in their decision-making process. The
findings revealed the following themes: all seven participants used security metrics to measure
their respective security programs, identify gaps and implement solutions. However, not all
participants use a single standard of measure or a defined set of security metrics.
Although there were similarities between the types of metrics being measured (i.e.,
incidents, risk, and response time), each participant reported using security metrics tailored to
their own security program. Participant #3 described using security metrics as “a function
coming out of assessing what our key risks are, adapting the strategy to focus on the highest
risks, and then setting initiatives that have specific metrics associated with them so that we can
measure progress over time.” In contrast, participant #4 discussed their use of security metrics as
“a number of KPIs that we use are very customizable…one of the key metrics that we use is post
coverage is an authorized licensed fully trained fully qualified security officer present on that
post.” Using security metrics to drive solutions was a common theme that emerged in the
interviews.
Participant #6 provided details on how security metrics are used to mitigate risks, and
then implemented solutions, indicating possession of procedural knowledge in utilization of data
analytics to improve their security program:
So, in my current organization, we're looking at crisis response, threat management,
incident response, especially events, and so forth. And for the incident response piece is
where the metrics kind of help drive a lot of what we're doing and helping our security
partners… And then we can usually dive into those metrics and say, hey, is this an actual
59
key problem? Or is this a process problem? and that allows us then to go ahead and work
with those teams as far as trying to dive into the metrics and really get the true story of
what their issues are, and then delivering those to them.
Similarly, Participant #2 provided details on how security metrics are used in their
organization to drive solutions, indicating possession of procedural knowledge in utilization of
data analytics. One specific example of how security metrics were used provided a solution to a
problem created by the COVID-19 pandemic:
And so, I'll use different metrics across, I use it for staffing…My most recent one I'm
doing is, I was asked to implement a visitor management program for COVID [COVID-
19] … For instance, one of my entrances, I have 6000 people a week, Monday through
Friday coming through this entrance and it's overwhelmed. How do I reduce the volume?
When I started using the metrics, I could see how many staff members came in that door,
compared to patients and visitors, but what that told me is I needed to open a staff
entrance. By doing that, I reduced 3000 people off that entrance. Now I reduced the
number of staff I needed at the entrance and I had a better flow.
All participants who took part in the qualitative interviews reported data analytics
experience of seven years or more and therefore, findings revealed a moderate level of
competency and experience in collection and analysis of data. Quantitative data analysis
suggested participants possess a higher level of familiarity in collection of data and use of
analytical graphs but a lower level of familiarity in use of analytical tools and applications, and
data analysis process. Analysis of both quantitative and qualitative data suggested security
professionals lack a high level of mastery in utilization of data analytics.
60
Security Professionals Who Utilize Data Analytics Frequently Reflect on Use of Security
Metrics
Metacognitive knowledge plays a key role the adoption of declarative knowledge,
procedural knowledge and transfer of learning in data analytics by security professionals.
Participants’ metacognitive knowledge was assessed using qualitative interviews in this study.
During the qualitative interviews, participants were asked to reflect on a time when they were
challenged or had issues using security metrics, and how they addressed the issue. All
participants who took part in the qualitative interviews indicated they actively utilized data
analytics. Furthermore, participants often reflected on how best to use security metrics with a
goal to improve their security program. All participants expressed the importance of evaluating
existing security metrics to ensure those metrics add value to the security program and
identifying new security metrics that improves the overall program.
Participant #4 possessed metacognitive knowledge and reflected on use of security
metrics that are valuable to the security program by asking “are they actually valuable to compile
and analyze? So, the way that I've approached that…is getting them to sort of dig a little bit
deeper into the data and how that may allow them to drive future decisions.” Participant #2
reflected on a similar challenge regarding identification and measurement of valuable metrics to
improve their security program and noted, “we recognize that we may fail, or not have the right
metrics… but when we started talking to others, we found that we were missing some things, and
we needed to go back and reestablish what the metrics needed to be.”
An additional theme emerged during the qualitative interviews regarding benefits of
security metrics and gaining others’ acceptance and willingness to actively engage in utilization
of data analytics and use security metrics as a measurement to improve their security program.
61
During the interviews, four of seven participants shared the problem of stakeholder buy-in for
use of security metrics, as well as buy-in from other security professionals within their team and
reflected on how they solved this problem. During the interview, Participant #4 reflected on this
challenge as “one of the biggest challenges, even though the customer sees a benefit in it, is
really getting someone internally and externally really to buy into security metrics.” Participant
#4 reflected on the same challenge and added how they resolved this challenge by “getting them
to sort of dig a little bit deeper into the data and how that may allow them to drive future
decisions and really see that they're actually getting something for their investment so there is
sometimes some resistance.” Participant #7 reflected on the same challenge in gaining the
security team’s acceptance and willingness to engage with the data “was the one challenge I had,
and resolving it was just getting them to understand the importance of the requirement… and
explaining how I was using that information to better the security department and the company
kind of helped.”
Qualitative interview findings indicated those security professionals who engage in
utilization of data analytics frequently reflect on their use of security metrics and how the
measurement of those metrics add value to their program. All participants indicated
measurement of security metrics is a tool to improve their programs. In doing so, there are
challenges to gain stakeholder acceptance and willingness, both internally and externally, to
engage in utilization of data analytics.
Research Question 2: What is the Security Professionals’ Motivation in the Context of
Using Data Analytics to Inform Data-Driven Decision Making?
For this study, two motivation influences impacting security professionals’ utilization of
data analytics were assessed: self-efficacy and utility value. For self-efficacy, this study assessed
62
whether security professionals had the belief that they are confident in their ability to utilize data
analytics. Self-efficacy predicts security professionals’ likelihood to engage in utilizing data
analytics as well persisting at such task and their investment of efforts. For utility value, this
study assessed whether security professionals value the use of data analytics related to security
metrics. This value could be manifested in enhancing organizations’ security posture, measuring
security operational performance to identify and address security gaps and mitigating risks.
The standard of asset and gap for the motivation influences was determined by analyzing
the results (quantitative) and thematic findings (qualitative), indicating the level of motivation
for utilization of data analytics. For quantitative results, this study used a mean of 3.3 or higher
on a four-point scale as the standard of categorizing the motivation influences as an asset.
Therefore, a mean of 3.2 or lower constituted a need in this area. For qualitative findings
regarding motivation influences, if five out of seven participants reported a high level of self-
efficacy or utility value, this influence was coded as an asset. Participant responses less than five
would constitute a gap.
Security Professionals Lack Self-Efficacy in Utilizing Data Analytics
The self-efficacy-related survey items measured participants’ responses. Descriptive
analysis was conducted and includes both measures of central tendency (mean and standard
deviation) and frequencies, which measured the motivation influences. On a four-point Likert-
type scale, the data suggested that participants lack self-efficacy (M = 3.0; SD = 0.7; n = 249) in
utilization of data analytics.
As illustrated in Table 11, 28.9% of participants reported their confidence in performing
data analysis as “extremely confident” as a security professional while 71.1% of participants
reported their confidence as “not at all confident,” “slightly confident,” or “moderately
63
confidence” in their ability to perform data analysis. Similarly, only 23.7% of participants
reported their ability to perform data analysis to measure their security program’s effectiveness
as “extremely adequate” while 76.3% of participants rated their ability to perform data analysis
as “not at all adequate,” “slightly adequate” or “moderately adequate.” Quantitative data
suggested a mean of less than 3.3 in both self-efficacy survey items illustrated in Table 11,
indicating lack self-efficacy in their ability to perform data analysis and measure their security
program’s effectiveness.
Table 11
Distribution of Participant Responses to Self-Efficacy Items (1 - 4 scale)
Survey Item
Mean
SD Response
n %
How confident are you with
your ability to perform data
analysis as a security
professional? (N = 246)
3.0
0.8
Not at all confident
Slightly confident
Moderately confident
Extremely confident
11
38
128
72
4.4
15.3
51.4
28.9
How would you rate your
ability to perform data
analysis to measure your
security program's
effectiveness? (N = 250)
2.9 0.8 Not at all adequate
Slightly adequate
Moderately adequate
Extremely adequate
14
51
128
60
5.5
20.2
50.6
23.7
64
Additionally, to gauge security professionals’ engagement in utilization of data analytics,
survey participants were asked if they currently perform data analysis by collecting and
analyzing security metrics within their organization, followed by a question to gauge their self-
efficacy. The data suggested that most participants perform data analysis by collecting and
analyzing security metrics within their organization. As illustrated in Table 12, 66.5% of
participants reported performing data analysis, while 33.5% of participants reported not engaging
in any form of data analysis. Those participants who identified as not performing data analysis
(33.5%) were asked if they would use security metrics if they knew more about how to use them
effectively, to solely gauge the self-efficacy of participants who currently do not engage in data
analysis. The data suggested an overwhelming majority of those participants would use security
metrics if they knew how to use them effectively. As illustrated in Table 12, 94% of participants
reported they would use security metrics if they knew how to use them effectively, while only
6% of participants reported they would not engage in use of security metrics. Data suggested an
overwhelming gap in knowledge exists for those security professionals who do not currently
perform data analysis, therefore, hindering the self-efficacy of those security professionals.
65
Table 12
Distribution of Participant Responses to Self-Efficacy Items
During the qualitative interviews, participants were asked to describe confidence in their
ability to use security metrics to reach their goals. After analyzing the findings, the following
theme emerged: most participants described their confidence in the use of security metrics as
moderate, or work in progress, while only two out of seven participants described their
confidence in use of security metrics as very confident. Most participants described their
confidence in using security metrics as “generally pretty good,” “pretty good, I would say I’m
work in progress,” and “reasonably confident.” Participant #2 described a mixed level of
confidence in interpretation of data analytics versus development of data, citing “for interpreting
them, I'm great, for developing them, and actually utilizing it, you know, like really looking at
them, I need somebody that has the expertise.”
These qualitative interview findings are similar to quantitative survey data results. The
quantitative data results found only 28.9% of participants reported extreme confidence in their
ability to perform data analysis and 23.7% of participants rated their ability to measure their
Survey Item
Response
n %
Are you currently performing data analysis
by collecting and analyzing security
metrics within your organization?
(N = 250)
Yes
No
169
85
66.5
33.5
Would you use security metrics if you
knew more about how to use them
effectively? (N = 83)
Yes
No
78
5
94
6
66
security programs effectiveness as extremely adequate. Both quantitative and qualitative data
suggest security professionals lack self-efficacy in utilization of data analytics. The level of self-
efficacy appears to be driven by lack of knowledge in this area.
Security Professionals Possess High Utility Value in Utilization of Data Analytics
The utility value-related survey items measured participants’ responses on a four-point
Likert scale and descriptive analysis was conducted and includes both measures of central
tendency and frequencies which measured the motivation influences. On a four-point Likert-type
scale, the data suggested that participants possess high level of utility value (M = 3.6; SD = 0.5;
n = 164) in utilization of data analytics. As illustrated in Table 13, most participants (63.6%)
indicated the use of security metrics as “extremely important” as a security professional.
Similarly, most participants (57%) reported security metrics are “extremely helpful” in
measuring the effectiveness of their physical security program.
Data also suggested security professionals perceive high utility value in using security
metrics to inform their decision-making process. Most participants (53.9%) reported security
metrics would “extremely likely” inform their decision-making process, followed by 42.4% of
participants who reported security metrics would “likely” inform their decision-making process.
Similarly, most participants (56.3%) reported they would “extremely likely” attend a training
program on security metrics, if one was offered by their organization, followed by 37.2%
reporting they would likely attend a training program on security metrics, stressing security
professionals’ high utility value in utilizing data analytics. Table 13 illustrates the results.
67
Table 13
Distribution of Participant Responses to Motivation Items (1 - 4 scale)
During the qualitative interviews, participants were asked to describe the value of
collecting and analyzing security metrics, if any. The findings revealed all seven participants
who currently utilize data analytics within their organization communicated a high level of utility
value in use of security metrics, similar to the quantitative analysis results. The findings revealed
the following theme: the most significant value of collecting and analyzing security metrics by
Survey Item
Mean
SD Response
n %
How important is it for you
as a security professional to
use security metrics?
(N = 250)
3.5
0.7
Not at all important
Slightly important
Moderately important
Extremely important
4
23
65
161
1.6
9.1
25.7
63.6
How helpful is the use of
security metrics in
measuring the effectiveness
of your physical security
program? (N = 162)
3.5 0.7 Not at all helpful
Slightly helpful
Moderately helpful
Extremely helpful
0
15
56
94
0
9.1
33.9
57.0
How likely would the
security metrics results
inform your decision-
making process?
(N = 162)
3.5 0.6 Extremely unlikely
Unlikely
Likely
Extremely likely
0
6
70
89
0
3.6
42.4
53.9
How likely would you
attend a training program
on security metrics, if one
was offered by your
organization? (N = 244)
3.5
0.7
Extremely unlikely
Unlikely
Likely
Extremely likely
8
8
92
139
3.2
3.2
37.2
56.3
68
security professionals is the ability to make informed decisions. In regard to decision making,
Participant #3 added, “metrics takes away some of the emotion and some of the conjecture away
and becomes a little bit more scientific in terms of how you are applying the organization's
investment against its risks.” Similarly, Participant #4 noted, “the biggest inherent value in
analyzing and collecting data as part of security metrics is really guiding and driving future
decisions.” Participant #2 described the value of security metrics in two folds, “one is to analyze
and to look at the data to try to make improvements” and “it is an integral part in our decision
making.”
An additional theme emerged regarding the value of security metrics in terms of
identification and mitigation of risk. Several participants described the measurement of security
metrics as a way to mitigate risk to the organization. Participant #1 noted the value of security
metrics can be seen when deciding “what are the things that are posing the greatest risk to our
operation in reality, so that we can target.” Participant #3 also described using security metrics to
understand organization’s investment against risk.
During the qualitative interviews, in order to gauge their utility value, participants were
also asked to describe the importance in utilization of security metrics as a security professional
as well as to rank the use of security metrics in comparison to other priorities. As illustrated in
Table 14, five participants described security metrics as very important to them as a security
professional, while two participants described security metrics as a medium priority. Similarly,
most participants ranked utilization of security metrics as a high priority in comparison to other
priorities as a security professional. Qualitative interview responses to both importance and
priority ranking of security metrics indicates a high level of utility value, similar to quantitative
69
survey results. Overall, the data demonstrated that security professionals value the collection and
analysis of data to improve security programs.
Table 14
Security Professionals’ Responses to Utility Value Items
Role
Importance
Level
Importance of
Security Metrics
Rank of Security
Metrics Versus Other
Priorities
Participant #1
Director
High
Data is very import to
me
I rank it pretty high
Participant #2
Director
High Its way up there… it’s
very important to me
Very important, high
Participant #3
Vice
President
High The holy grail…it’s a
really critical part of
our program
Metrics are probably
concurrent to the
strategy
Participant #4
COO
High
I think its vitally
important
I’d rank it high
Participant #5
Vice
Present
Medium It’s pretty important
Right in the middle
Participant #6
Manager High It’s key to what we’re
doing
That’s our primary
thing
Participant #7
Chief
Security
Officer
Medium It is important…to
keep your operation
running efficiently
Medium importance
level for us
70
Research Question 3: How Do the Organizational Context and Culture Either Facilitate or
Hinder Their Efforts in Implementation and Use of Data Analytics?
For this study, organizational influences such as cultural model and cultural setting and
how they impact security professionals’ utilization of data analytics were assessed.
Organizational influences are one of the three determinants of performance which impacts
security professionals’ ability to achieve the goal of utilizing data analytics. There are two
cultural setting influences and one cultural model influence assessed in this study. The standard
of asset and need for the organizational influences was determined by analyzing the results
(quantitative) and thematic findings (qualitative) indicating the level of organizational support
for utilization of data analytics. For qualitative findings regarding organizational influences, if
five out of seven participants reported a high perceived level of support in terms of
organizational climate, leadership or resources, this influence was coded as an asset. Participant
responses less than five would constitute a gap. For quantitative results, this study used a mean
of 3.3 or higher on a four-point scale as the standard of categorizing the organizational influences
as an asset. Therefore, a mean of 3.2 or lower would constitute a need in this study. For questions
using a dichotomous scale, this study used a response rate of 50% or better as the standard of
categorizing the organizational influence as an asset. Therefore, a response rate of 50% or lower
would constitute a need in this area.
Organizational Climate Supports Utilization of Data Analytics
Three survey questions measured the organizational climate relating to utilization of data
analytics. Two survey items measured participants’ responses on a dichotomous scale, while one
survey item measured participants’ responses on a four-point Likert scale. Descriptive analysis
71
was conducted and includes both measures of central tendency (Mean and Standard Deviation)
and frequencies which measured the organizational influences.
The quantitative data suggested that security professionals perceived their organizational
climate as being supportive of data analytics utilization. This perception was self-reported by
security professionals as part of this study. As illustrated in Table 15, 66.5% of participants
indicated they are currently performing data analysis by collecting and analyzing security metrics
within their organization, while 33.5% of participants reported they do not perform any form of
data collection or analysis. The high percentage of participants indicating actively utilizing data
analytics indicates a perception of a supportive data-driven culture within their organizations.
The data also suggested similar results relating to reoccurring review of security metrics
results with participants’ executive team. As illustrated in Table 15, 64.2% of participants
reported a reoccurring security metrics review with their organization’s executive team to present
findings while 35.8% reported not engaging in any form of metrics review with their
organization’s executive team. The analysis of survey items relating to organizational climate
presents two similar results: 66.5% of participants reported collecting and analyzing data,
similarly, 64.2% of participants reported engaging in security metrics reviews with their
respective executive team. This suggested there is a relationship between data collection and
analysis by security professionals, and engagement in security metrics review with their
respective executive team. The results indicate it is possible that security professionals’
engagement in security metrics review with the executive team is a driver in utilization of data
analytics in their organization to report program improvements and the effectiveness of their
respective security programs.
72
Table 15
Distribution of Participant Responses to Organizational Influence Items
On a four-point Likert-type scale, the data suggested that participants have a moderate
perception of how important security metrics are in their organization (M = 3.2; SD = 0.8; n =
241). As illustrated in Table 16, most participants (41.1%) reported the use of security metrics as
being “extremely important” in their organizations. Data suggests most organizations support the
utilization of data analytics in the field of physical security.
Table 16
Distribution of Participant Responses to Organizational Influence Items (Importance of Metrics,
1 - 4 scale)
Survey Item
Response
n %
Are you currently performing data analysis
by collecting and analyzing security metrics
within your organization? (N = 250)
Yes
No
169
85
66.5
33.5
Is there a reoccurring security metrics review
meeting with your organization's executive
team to present findings? (N = 162)
Yes
No
106
59
64.2
35.8
Survey Item
Mean
SD Response
n %
How important is the use of
security metrics in your
organization? (N = 238)
3.2
0.8
Not at all important
Slightly important
Moderately important
Extremely important
4
47
91
99
1.7
19.5
37.8
41.1
73
During the qualitative interviews, participants were asked to describe their organization’s
climate and support for utilization of data analytics. The findings revealed the following theme:
among those security professionals who currently engage in collection and analysis of security
data, all participants reported they received adequate support from their organization to engage in
utilization of data analytics, highlighting a supportive organizational climate for collection and
analysis of security data.
Participants were asked to describe any form of organizational resistance or barriers in
utilizing security metrics within their organizations. The findings revealed the following theme:
four of seven participants reported some type of resistance from other security professionals
regarding organizational change to adopt utilization of data analytics. The organizational change
referred to the adoption of collection and analysis of data to inform decision making. Participant
#3 explained,
So, you know I've had members of my team that have been with me for quite some quite
some time so a real tenured organization and some who have been practitioners for a long
time. And so, convincing them to go along on this journey I needed to get the team rallied
around the mesh can be just me getting tougher. And there were some resistances like
why do we need to do that? we do a great job for the organization already… so, I think
the first level was our own team had overcome the resistance there.
Similarly, other participants described the resistance to adopt the use of security metrics
mostly from fellow “long-term security professionals [who say] I’d rather just handle it, why do I
have to go somewhere else and put a checkmark.”
Analysis of both quantitative and qualitative data suggested organizational climate
provided support for utilization of data analytics. While quantitative data results suggested
74
organizational climate provides a moderate level of support for utilization of data analytics,
qualitative findings found the seven participants experienced a high level of support from their
respective organizations. It is worth noting all seven qualitative interview participants reported
they are currently engaged in utilization of data analytics, which could explain the organizational
climate and support within their environment.
Organizational Leaders Support Utilization of Data Analytics
Participating security professionals reported that their organizational leaders support the
utilization of data analytics (M = 3.3; SD = 0.7; n = 248). As illustrated in Table 17, most
participants (88.4%) either “agree” or “strongly agree” that their organizations’ leaders are
supportive of utilization of data analytics, compared to 11.7% who either “strongly disagree” or
“disagree” that their organization’s leaders are supportive in this area. This result highlights a
strong leadership support for utilization of data analytics and that leadership support is not one of
the barriers to utilization of data analytics by security professionals.
Table 17
Distribution of Participant Responses to Organizational Influence Items (Leadership Support, 1-
4 scale)
Survey Item
Mean
SD Response
n %
My organization's leadership is
supportive of using security
metrics (N = 245)
3.3
0.7
Strongly disagree
Disagree
Agree
Strongly agree
6
23
110
109
2.4
9.3
44.4
44.0
75
During the qualitative interviews, participants were asked if their respective
organizations’ leadership is supportive of using security metrics. The findings revealed a theme
similar to quantitative survey results. Five of seven participants credited their direct leader for
supporting them in utilizing data and identifying valuable security metrics. Participant #5
credited their direct leader and noted,
I think when Bob came in and kind of did that metrics mandate, and we took a look, and
we really studied it, and made adjustments… So, he really pushed us to kind of take those
metrics and really think outside the box on how you can measure stuff.
Similarly, participant #3 credited their push to utilize data analytics to their “new CFO
who came in… [and said] I'm empowering you… what resources do I have to put behind you in
order for us to go out and find every dollar we spend on security around the world?” Other
participants noted their leaders’ support as “it has become more important [security metrics] and
a lot of that I have to credit to leadership”, and “I mean, my boss is a big fan of them [security
metrics].”
Both quantitative data results and qualitative interview findings revealed most
organizational leaders support the utilization of data analytics. This finding indicates leadership
support is not a gap in reaching the goal of utilizing data analytics by security professionals.
Therefore, leadership support is an asset in reaching this goal in the field of physical security.
Organizations Offer Inadequate Resources to Support Utilization of Data Analytics
The organizational influences survey item focused on barriers in utilization of data
analytics provided participants a multiple choice, multiple answer scale format. Those
participants who responded they were currently not performing data analysis were asked to
identify barriers in using security metrics. Quantitative data suggested lack of resources as the
76
second most identified barrier in using security metrics by security professionals. As illustrated
in Appendix D, lack of resources was selected 42 times (24.7%) by respondents, indicating
organizations offer inadequate level of resources to support the utilization of data analytics by
security professionals.
During the qualitative interviews, participants were asked to describe the resources
offered by their organization to facilitate the use of security metrics. The findings revealed a
mixed level of support in terms of resources to facilitate and drive the utilization of security
metrics in the field of physical security. While four of seven participants identified resources that
helped them engage in utilization of data analytics, three participants noted they did not receive
any form of support. Participant #2 described the intention of support by his leadership, however
the lack of tangible support which forced him to become creative in soliciting help from other
entities within the organization:
No [in response to receiving resources], I hijack all my help, if I reach out and say, I need
somebody for a specific project and say this is what I really need, they [leadership]
evaluate and say does somebody have the bandwidth to help Doug do this, but I don't do
that, I just go around and say, hey Jeff can you help me do this, or Derek can you help me
do this; I'm trying to do this, and they'll just make time and help me out.
Participant #7 also noted lack of resources has forced his team to operate in a manual
environment, citing their organization “didn’t provide any type of tools or databases or anything
to help them, again we’re still a manual process, they send me emails with information.”
Similarly, Participant #5 described the same lack of support in terms of resources but noted the
use of internal programs such as Microsoft Excel and other software program to support the
utilization of data analytics to “track data internally…We use Veoci [incident management
77
software program] for a lot of data tracking, but besides that, there's no specific thing that they
gave us to help…most of the stuff is tracked in an Excel spreadsheet or PowerPoint to present.”
Participant #4 and #6 both described receiving resources such as electronic incident
reporting systems which helped better track and analyze data. Participant #4 described this
resource as “advancements in the security industry…Electronic incident reports that can really
start to compile these KPIs. So, one of the biggest resources we've taken advantage of… we've
invested in those incident analytic systems, electronic touring, and it's really paid off.”
Similarly, Participant #6 described the best resource they have received is funding for a
similar system and noted,
Yeah, the resources have been the support and funding for a case management system
was the primary one, and then being able to utilize other open source or I guess, I would
say, available platforms within the organization such as Tableau to be able to tap into
those and utilize them as needed to take that data and manipulate and play around with it
as needed.
The quantitative results and qualitative findings revealed resources offered by
organizations appear inadequate and fail to fully support the adoption of utilizing data analytics.
While several participants described the benefits of technical resources in their journey to
successfully collect and analyze security metrics, others were forced to use assistance from
various resources or existing tools that may not be well suited for this task.
Summary of Knowledge, Motivation and Organizational Influences’ Data
The findings stemming from this explanatory sequential mixed methods study centered
on determining the knowledge, motivation and organizational influences impacting security
professionals in utilization of data analytics. The quantitative and qualitative data collected from
78
security professionals in the field of physical security captured and described in rich detail the
KMO influences impacting security professionals’ utilization of data analytics in their field. The
Clark and Estes’s (2008) Gap Analysis Framework served as the conceptual framework for the
study. Using this framework, the study examined security professionals’ declarative, procedural
and metacognitive knowledge associated with utilization of data analytics, specifically the
collection and analysis of security metrics; security professionals’ motivation associated with
their self-efficacy and utility value; and organizational influences associated with organizational
climate, leadership and resources supporting the utilization of data analytics.
Qualitative interviews found security professionals have a common understanding of
security metrics and the foundational knowledge of what security metrics are intended to do.
Security professionals also shared a common meaning of security metrics as a security program
improvement tool. Although security professionals shared the same meaning of security metrics,
they all used difference variations of security metrics to measure their programs and lacked a
common standard of measurement.
Procedural knowledge of utilizing data analytics emerged as a gap among security
professionals. Quantitative data results and qualitative data findings presented a mixed level of
knowledge in this area. While collection of security data emerged as the highest area of
familiarity among security professionals, data suggested knowledge of data analysis process and
utilization of tools and applications as the lowest level of familiarity. Additionally, participants
identified lack of knowledge as the primary barrier in utilizing security metrics within their
organization. Qualitative data findings revealed participants had a higher level of procedural
knowledge as all interview participants reported seven or more years of experience utilizing data
79
analytics. This finding could be due to self-selection bias as participants who volunteered to take
part in the interviews all reported utilizing data analytics, therefore causing a bias sample.
Metacognition appeared as an asset among security professionals as they often reflected
on their use of security metrics and how the measurement of those metrics add value to their
program. Qualitative data revealed security professionals frequently reflect on the type of
security metrics they use and how this metric adds value to their security program. Security
professionals also reflect on how best to use security metrics to solve various problems.
Self-efficacy appeared low among participants in utilization of data. Most participants
reported lack of confidence in their ability to perform data analysis as well as the ability to
measure their programs’ effectiveness. During the qualitative interviews, security professionals
described their confidence in the use of security metrics as moderate to work in progress.
Data also suggested high utility value in using security metrics to inform decision making
process. The quantitative data suggested most participants find the use of security metrics
extremely important as a security professional. Additionally, most security professionals reported
security metrics are extremely helpful in measuring the effectiveness of their security program.
Similarly, participants’ qualitative interview responses to both importance and priority ranking of
security metrics indicates a high level of utility value.
The study found organizational climate provided mixed level of support for utilization of
data analytics. While quantitative data results suggested organizational climate did not provide a
high level of support for utilization of data analytics, qualitative data revealed high level of
support from participants’ respective organizations. The high level of support found during the
qualitative interview appears to exist as all seven interview participants reported active
engagement with utilization of data analytics during this study.
80
Both quantitative and qualitative data suggested leaders provide adequate support for the
utilization of data analytics. Most participants either “agreed” or “strongly agreed” that their
leadership staff is supportive of using security metrics. Similarly, interview participants credited
their leaders with use of security metrics within their organization. Data suggested leadership
support is not a gap in utilization of data analytics among security professionals.
Finally, despite a general sense of support from leadership, findings revealed resources
offered by organizations appear inadequate and failed to fully support the adoption and
engagement in utilizing data analytics within both the field and security professionals. While
several participants identified access to technical resources to collect and analyze data, other
participants revealed the lack of any resource to adequately engage in utilization of data
analytics. Table 18 present the knowledge, motivation and organization influences explored in
this study and their determination as an asset or a need.
Table 18
Knowledge, Motivation and Organizational Assets or Needs as Determined by the Data
Assumed Influence
Asset or Need
Security professionals’ foundational knowledge of data
analytics
Asset
Security professionals’ knowledge of data analysis
process
Need
Security professionals’ ability to reflect on their use of
data analytics
Asset
81
Table 18 (Continuation)
Knowledge, Motivation and Organizational Assets or Needs as Determined by the Data
Assumed Influence
Asset or Need
Security professionals’ confidence in their ability to
utilize data analytics
Need
Security professionals’ value for utilization of security
metrics
Asset
Organizations must believe data analytics provides
valuable information to the business
Asset
Leaders must support the utilization of data analytics in
the workplace
Asset
Organizations need to provide adequate resources to
support the collection and analysis of data
Need
Chapter five of this dissertation will address the needs of the assumed influences and
present recommendations for solutions for these influences based on empirical evidence. The
objective of the recommendations is to support the field performance goal and security
professionals’ goal of effective utilization of data analytics to inform data-driven decision
making to identify gaps and mitigate risks.
82
Chapter Five: Recommendations and Discussion
The purpose of this study was to evaluate the assets and needs impacting security
professionals’ utilization of data analytics in the field of physical security. The previous chapter
identified assets and needs using quantitative data (surveys) and qualitative data (interviews).
Chapter Five integrates the results and findings derived from the explanatory sequential mixed
method research and presents recommendations for practice to address knowledge, motivation
and organizational influences. The next section will discuss findings and results, followed by
recommendations for practice for knowledge, motivation and organizational influences. The
chapter then concludes with a discussion of the limitations and delimitations and a discussion of
recommendations for future research.
Discussion of Findings and Results
The results and findings of this study will be discussed in the context of key findings
from the literature review. Chapter Two of this dissertation outlined the review of the literature
regarding definition of security metrics and discussed the history and current utilization of data
analytics in the field of physical security. Chapter Three of this dissertation outlined the
methodology used during the data collection process. The results and findings of this study were
discussed in Chapter Four and alignment between the literature review and results and findings
are reviewed in this chapter.
The results and findings of this study are aligned with findings from the literature
review. As the literature review indicated, the field of physical security is trending behind many
industries in utilization of data analytics, despite the many benefits the use of data analytics
presents. Digital transformation of physical security, which includes the use of data analytics, is
at various levels of maturity and at worst a decade behind (Foynes & Fuller, 2018). Those fields
83
include information security, cyber security and many others. Additionally, historic use of data
analytics by security professionals and established security metrics programs in the field of
physical security is very limited (Campbell, 2014). Similarly, this study found that security
professionals’ procedural knowledge, self-efficacy and perception of organizational support in
procuring resources to drive the utilization of data analytics emerged as gaps. While there are
several validated assets in knowledge, motivation and organizational influences, there are also
validated gaps in these assumed influences, hindering security professionals’ effective utilization
of data analytics.
This study found that security professionals possess a shared understanding of security
metrics as security data that is utilized to mitigate risk, drive security program improvements,
measure performance and to reach security program goals. Similarly, sources from the review of
literature defined security metrics as metrics focused on reduction of risks, the protection of
people, property and information and a system of measurement to focus on the effectiveness of
security programs through the measurement of key performance indicators (Campbell, 2014;
Carnegie Mellon University, 1995; Ohlhausen et al., 2014). Findings from this study regarding
security professionals’ foundational knowledge and understanding of the purpose of data
analytics is consistent with information presented via scholarly sources.
Despite the foundational understanding of purpose and importance of data analytics, this
study also found security professionals lack high level of mastery in data analytics utilization.
Data suggested participants possessed the lowest level of familiarity in knowledge of data
analysis process with only 20.6% of participants indicating their familiarity as “extremely
familiar” in this area. While the study found collection of security data emerge as the area in
which the levels of familiarity were the highest, knowledge of data analysis process and effective
84
use of tools and applications emerged as the area with the lowest levels of reported familiarity.
These findings are aligned with the literature review that indicated the field of physical security
offers limited tested metrics or benchmarks, therefore utilization of metrics in the field of
physical security is a new phenomenon and an unfamiliar tool to the average security
professional (Guidelines and Metrics Working Group, ASIS Defense and Intelligence Council,
2012, as cited in Ohlhausen et al., 2014; Knoke & Peterson, 2015)
The lack of high level of mastery in data analytics found by this study indicates a possible
relationship to lack of data-driven decision making. The literature review found security
professionals rarely engage in data-driven decision making, even though they understand the
criticality and value of utilizing data analytics (Knoke & Peterson, 2015; Ohlhausen et al., 2014).
Similarly, research conducted by Microsoft and Accenture found that although security leaders
see the opportunity in digital transformation of physical security, the industry is at various levels
of maturity (Foynes & Fuller, 2018). Additionally, scholarly sources found security professionals
often focus on counting events rather than creating meaningful and risk-based security metrics
(Ohlhausen et al., 2014).
This study found security professionals value the collection and analysis of data to
improve security programs and possess a high utility value in utilization of data analytics. The
quantitative results of this study found 66.5% of security professionals actively engage in
collection and analysis of security data. However, security professionals lack a high level of self-
efficacy in utilization of data analytics and seldom make decisions based on the information
derived from the collected data.
85
Recommendations for Practice
There are three recommendations identified to address the key gaps related to knowledge,
motivation and organizational influences in this study. The recommendations include the
development of data analytical skills for security professionals (knowledge influence), increase
security professionals’ self-efficacy in utilization of data analytics (motivation influence), and
provision of adequate resources to support the utilization of data analytics (organizational
influence). This section is followed by integrated recommendations which detail a
comprehensive program to integrated knowledge, motivation and organizational influence
recommendations.
Develop Security Professionals’ Data Analytical Skills
This study found security professionals lack a high level of mastery in data analytics
utilization. Therefore, increasing security professionals’ procedural knowledge is critical in
effective utilization of data analytics. This gap is also aligned with the findings in the literature
review as utilization of security metrics in the field of physical security is a new phenomenon
and appears as an unfamiliar tool to the average security professional (Knoke & Peterson, 2015).
One key recommendation to increase security professionals’ procedural knowledge in
utilization of data analytics is training in collection and analysis of security data. Hopkins et al.
(2011) found the leading obstacle to adopting analytics was lack of understanding of data
analytics to improve the business, and not data itself. Training affects both declarative
knowledge and procedural knowledge and may also enhance strategic knowledge such as the
understanding when to apply specific knowledge or skill (Kozlowski et al., 2001; Kraiger et al.,
1993).
86
There are numerous data analysis training programs offered online, as well as most
organizations have an in-house data analytics team that can provide insight into collection and
analysis of data. The training can develop data analytical skills required to collect data, how to
build a database of desired data, how to analyze the data, and best practices in effective
presentation of selected security metrics. Clark and Estes (2008) posited that training is often
required when employees need demonstration, guided practice, and feedback to perfect the new
procedure. Therefore, training is necessary when individuals are faced with a goal that is new
and they would not benefit from a checklist job aid or a procedural job aid (Clark & Estes, 2008).
The training should involve guided practice when applying new knowledge as well as corrective
feedback during practice (Clark & Estes, 2008).
Training on collection and analysis of security data can include guided identification and
collection of specific security metrics to improve a process within the security program. The
training call be followed by guided analysis of the collected data to make sense of the
information and ability to tell a story based on the collected and analyzed data. Addressing the
procedural knowledge gaps will facilitate the data analytics’ adoption by security professionals.
Increase Security Professionals’ Self-Efficacy in Utilization of Data Analytics
This study found security professionals possess a moderate level of self-efficacy in
utilization of data analytics and therefore, this is an area that can be reinforced and sustained.
This is evident as 94% of survey participants of this study reported they would use security
metrics if they knew more about how to use them effectively. In order for individuals to engage
in tasks, they need to feel confident in their ability to succeed (Bandura, 2005). Self-efficacy
theory defines an individual’s level of expectation in their ability to perform a task and therefore,
high levels of self-efficacy result in enhanced learning and motivation (Pajaras, 2006).
87
Individuals who believe they cannot succeed at a specific goal, will not choose to start (Clark &
Estes, 2008). Individuals’ belief about whether they have the skills to succeed at a goal is the
most important factor in their commitment (Clark & Estes, 2008).
There are several recommendations outlined by Clark and Estes (2008) as individual
confidence builders and can enhance security professionals’ self-efficacy in utilization of data
analytics. Those recommendations include assignment of specific, short term and challenging but
achievable goals as an individual confidence builder. Another recommendation is to provide a
way for individuals to access information, training or job aids that are directly related to the goal.
Additionally, focus on corrective feedback should be on faulty strategy, not on the individual
using the faulty strategy. One specific recommendation is to increase security professionals’ self-
efficacy by engaging in frequent practice as well as modeling the task of utilizing security data.
Provision of Adequate Resources to Support the Utilization of Data Analytics
This study found security professionals’ perception is that organizations did not provide
adequate resources to support the collection and analysis of data. The two other organizational
influences (organizational belief in utilization of data analytics and leadership support) were
found to be an asset. However, this study recommends the reinforcement of both of these
influences as well to provide the required organizational support for security professionals to
engage in effective utilization of data analytics.
Provision of adequate resources to support the utilization of data analytics is a critical
component of the stakeholder goal. Both survey results and interview findings identified
resources as a barrier in utilization of data analytics. Resources include utilization of incident
reporting systems to collect and analyze incident data, calls for service, risk assessment and other
aspects of the security program identified for measurement and program improvement. Incident
88
reporting systems are applications and methods of reporting incidents, near misses or adverse
events to enable improvements (Muller, 2014). During the quantitative phase of this study,
security professionals identified security incidents as the most important security metric to
measure. A few examples of applications available for tracking and analyzing security incidents
in the field of physical security include D3 Security, Intelex, Omnigo, Resolver, and Trackforce.
Many of these programs can also be used to measure other aspects of a security program such as
risk assessment and security budget.
Another advantage of utilizing incident reporting systems is the ability to present data
findings via dashboards for better understanding and decision making. During the quantitative
phase of this study, only 58% of respondents who reported utilizing data analytics indicated the
results are reviewed or shared via dashboards while 42% of respondents reported they do not
utilize any form of dashboard to review findings. Other types of resources include staffing
support such as trained data analysts dedicated to the security organization to support the data
analysis needs of the security program, as well as related training to support security
professionals’ technology acumen development. The success of organizational development is
dependent upon preparing people to handle its unique challenges (Clark & Estes, 2008).
Integrated Recommendations
This section details the integrated recommendations to address the knowledge,
motivation and organizational gaps that emerged from this study into a comprehensive program.
This comprehensive program will begin by addressing motivational gap followed by
organizational gap and finally, knowledge gap. Clark and Estes (2008) recommended addressing
motivational and organizational processes before implementing knowledge and skills solutions.
89
Therefore, Clark and Estes’s (2008) framework will be used to detail integrated
recommendations for achieving effective utilization of data among security professionals.
As previously stated, learning and motivation are enhanced when learners have positive
expectancies for success (Clark & Estes, 2008). In order to achieve effective engagement and
utilization of data analytics, security professionals must be confident in their ability to engage in
data collection and analysis of security data as well as using analytics to implement program
improvements. To enhance security professionals’ self-efficacy, it is beneficial for security
professionals to engage in short term, achievable data analytics goals. These tasks should be
challenging but allow opportunities for success. Security professionals can be assigned a specific
security metrics, such as response time to calls, or incidents to be measured over a short period
of time. This includes collection of such data and analysis to identify trends and tell a compelling
story. Security professionals should also be provided with goal-directed practice coupled with
frequent, and targeted feedback. Finally, rewards should be linked with goal achievement. A list
of context specific recommendations for all three influences can be found in Table 19.
Table 19
Summary of Influences and Recommendations
KMO
Influence
Assumed
Influence
Principle and Citation
Context Specific
Recommendation
Motivation
Increase security
professionals’
self-efficacy in
utilization of data
(Self-Efficacy).
Learning and motivation
are enhanced when
learners have positive
expectancies for success
(Schunk & Pajares, 2006)
Assign specific, short-term, and
challenging tasks (e.g.,
collection and analysis of
security incidents over period of
time).
90
Table 19 (Continuation)
Summary of Influences and Recommendations
KMO
Influence
Assumed
Influence
Principle and Citation
Context Specific
Recommendation
Provide access to information and
training directly relevant to the
goal (e.g., access to data analytics
training, library of security metrics
to utilize, metrics templates to
input data and generate metrics
dashboards).
Provide positive feedback on
ability and effort (e.g., security
leaders can catch security
professionals making progress on
collection and analysis of specific
security metrics and
complementing them on their
efforts.
Focus corrective feedback on
faulty strategy, not the person who
used the faulty strategy (e.g., when
security professionals fail to
connect the dots using data
analytics, focus the feedback on
the strategy used to collect and
analyze the specific security
metric, not the security
professional).
Remember past success and refer
to them when individuals face
similar tasks (e.g., reflect on
security professionals’ past
success on data-driven decision
making tied to a specific security
metric).
91
Table 19 (Continuation)
Summary of Influences and Recommendations
KMO
Influence
Assumed
Influence
Principle and Citation
Context Specific
Recommendation
Organizational
Provision of
adequate
resources to
support the
utilization of
data analytics
(Cultural
Setting:
Resources).
Effective change
efforts
ensure that everyone
has the resources
(equipment,
personnel, time, etc.)
needed to do their
job, and that if there
are resource
shortages, then
resources are aligned
with organizational
priorities (Clark &
Estes, 2008).
Solicit feedback from security
professionals regarding required
support and resources to engage
in utilization of data analytics.
Provide adequate technology
resources to collect and analyze
security data and development of
key security metrics (e.g., use of
incident reporting systems to
collect, and analyze data).
Provide access to data analytics
training to further enhance
security professionals’ self-
efficacy and procedural
knowledge in collection and
analysis of security data (e.g.,
basic data analytics training, such
as short-term online courses, and
assigning data analytics training
as a performance goal).
Establish a library of identified
security metrics to measure
security program’s effectiveness,
gaps and risks to support and
guide security professionals (e.g.,
incident trends, calls for service
volume and trend, response time
to incidents, incident escalation
time to appropriate entities, guard
tour completion rate, overtime
rate, security budge versus billed,
etc.).
92
Table 19 (Continuation)
Summary of Influences and Recommendations
KMO
Influence
Assumed
Influence
Principle and Citation
Context Specific
Recommendation
Knowledge
Development of
security
professionals’
data analytical
skills
(Procedural
Knowledge).
Facilitating transfer
promotes learning
(Mayer, 2011).
Provide data analysis training,
including job aids on use of data
collection tools and analysis via
brief videos, articles, with
detailed steps on data collection
and analysis.
Encourage security professionals
to take advantage of online data
analytics courses (see Table 21
for a comprehensive list of online
courses).
Add data analytics training to
security professionals’ annual
performance goal to help further
develop their data analytical
skills.
Provide incentives to security
professionals when data analytics
certificates or degrees are
successfully acquired to promote
learning.
Provision of adequate resources to support the utilization of data analytics is a critical
factor in security professionals’ engagement in data collection and analysis of security data. The
success of organizational development is dependent upon preparing people to handle its unique
93
challenges (Clark & Estes, 2008). In order to achieve effective engagement and utilization of
data analytics, security professionals must be supported with adequate resources. This study
recommends organizational leaders to solicit feedback from security professionals regarding
required support and resources based on organization’s data analytics goals. One critical resource
is a tool for collection and analysis of security data. Lack of an effective incident reporting
system is a “show-stopper” and must be a priority (Campbell, 2014). Incident reporting systems
are applications and methods of reporting incidents, near misses or adverse events to enable
improvements (Muller, 2014). The use of incident reporting system has many benefits such as
delivering timely, orderly and accurate security data (McIIravey & Ohlhausen, 2012, as cited in
Ohlhausen et al., 2014).
Additionally, establishing a library of identified security metrics to measure security
program’s effectiveness, gaps and risks would support and guide security professionals. A
database of security metrics would be examples for security professionals to follow, further adapt
and eventually develop their own security metrics to measure their own programs effectiveness
(Ohlhausen et al., 2014). This library of security metrics can include metrics that measure a
variety of issues and can differ based on the organization and maturity of the security program. A
few examples include incident response time, incident notification time to a particular entity
(security operations center, stakeholder groups, etc.), and guard tour completing rate.
During the quantitative portion of this study, participants were asked to identify aspects
of their security program that are measured in their organizations to determine the security
program’s effectiveness. A comprehensive list provided by the participants can be seen in Table
20 to provide an example of areas which security professionals often measure.
94
Table 20
Distribution of Participant Responses to Security Programs Measured
Finally, this study recommends development of data analytical skills for security
professionals for effective collection and analysis of security data. This study found 94% of
participants who currently do not engage in collection and analysis of data reported they would
use security metrics if they knew more about how to use them effectively. Similarly, Ohlhausen
et al. (2014) found 78% of the respondents who reported they were not using security metrics
stated they would use security metrics if they knew more about the topic, highlighting a
procedural knowledge gap in this area.
As indicated in Table 19, procedural knowledge gap can be addressed by providing data
analysis training to security professionals. This training could include job aids on use of data
collection tools and analysis, webinar, interactive online training as well as instructor-led
Survey Item
Response
n %
What aspect of the security
program are measured in your
organization to determine the
security program’s
effectiveness?
Incidents
Risk assessment
Training
Security budget
Systems performance
Investigations
Security tasks
Projects
Calls for service
Performance (turnover and overtime)
Security awareness program
Guard Tour program
Other
144
118
110
104
97
95
95
95
91
87
75
67
20
12
9.8
9.1
8.6
8.1
7.9
7.9
7.9
7.6
7.2
6.2
5.5
1.6
95
workshops (Ohlhausen et al., 2014). Hopkins et al. (2011) found that an efficient approach to
utilizing data analytics is the gradual use and analysis of data over time. Additionally, there are
numerous online training programs on data analytics (Table 21), that could provide security
professionals with the required skills to begin collecting and analyzing security data.
Table 21
Online Courses Focused on Data Analytics and Data-driven Decision Making
Institution
Format
Topic Site URL
edX
Online
Library of Data
Analysis Courses
https://www.edx.org/learn/data-
analysis
John Hopkins
University
Online Data Science
Specialization
https://www.coursera.org/specializati
ons/jhu-data-science
PWC
Online
Data-driven Decision
Making
https://www.coursera.org/learn/decisi
on-making
IBM
Online
Data Analytics Basics
for Everyone
https://www.edx.org/course/data-
analytics-for-everyone
Bx
Online
Data Analysis
Essentials
https://www.edx.org/course/data-
analysis-essentials
IBM
Online
Data Visualization and
Building Dashboards
with Excel and
Congos
https://www.edx.org/course/data-
visualization-and-building-
dashboards-with-excel-and-cognos
BABSON
Online
Analytics for Decision
Making
https://www.edx.org/course/analytics-
for-decision-making
RIT
Online Data Analysis for
Decision Making
https://www.edx.org/professional-
certificate/ritx-data-analysis-for-
decision-making
96
Limitations and Delimitations
Limitations often relate to the methods of a study such as inadequate sample size,
difficulty in recruitment, and other factors that presents weaknesses in the study (Creswell,
2018). These limitations are factors that researchers cannot control. Such limitations create a risk
of producing inaccurate or unrepresentative data (Merriam & Tisdell, 2016). The purpose of this
study was to assess the knowledge, motivation and organizational influences impacting security
professionals in utilizing data analytics. There were several limitations in this study. The study
was limited to a short timeframe due to the timing of this dissertation and caused a limitation in
the number of surveys and interviews. A longer timeframe may have yielded a higher response
rate and therefore more detailed results. Additionally, survey and interview data were self-
reported data by security professionals; therefore, there was a limitation to the truthfulness of the
data such as participants true opinions, perceptions and experiences. The participants self-
selection to participate in interviews and surveys was another limitation, including the social
desirability factor impacting their responses. Social desirability refers to misrepresentation of
respondents and aligning responses based on socially positive qualities and limitation of negatives
qualities (Preti & Miotto, 2011).
Delimitations refers to the elements in the study that are controlled by the researcher
(Nenty & Nenty, 2009). Delimitations in this study occurred regarding the researcher’s selection
of stakeholder group. The stakeholder group selected for this study were security professionals in
a management role. This selection helped narrow the scope of this study to the stakeholder group
that would most benefit utilizing data analytics to inform data-driven decision making.
Additionally, the study was limited to Clark and Estes’s (2008) Gap Analysis Framework
impacting participants’ knowledge, motivation and organizational influences in utilizing data
97
analytics which introduced selected aspects of the participants’ experience. Other factors may be
involved that are not part of this study.
Recommendations for Future Research
This study prompts a need for future research into utilization of data analytics in the field
of physical security. In order to keep pace with the everchanging threat landscape inadvertently
created by the digital revolution, the future of physical security must include the adoption of
advanced technology. Therefore, additional studies will need to examine the journey of digital
transformation of physical security and identify gaps and needs to reach this goal. The digital
transformation of physical security includes the collection and analysis of data to identify risks,
predict threats and mitigation of threats proactively.
Future research on utilization of data analytics in the field of physical security can further
outline the many benefits of using data to measure security programs and provide a set of tested
security metrics. The awareness of the many benefits of using data may lead to an increased
interest and engagement of security professionals in this field. Finally, further research will need
to examine the development of metrics standards for the physical security field. This study found
a gap in security metrics standards and the field of physical security can benefit from a
comprehensive security metrics standard to measure security programs’ effectiveness.
Conclusion
The purpose of this study was to evaluate the utilization of data analytics by security
professionals in the field of physical security. The evaluation was completed using Clark and
Estes’s (2008) Gap Analysis Framework and explored knowledge, motivation and organizational
influences impacting the utilization of data analytics. Triangulation of both survey and interview
data allowed for substantiation of the results and findings by comparing both data types to
98
identify assets and needs within each of the three influences. This study found assets and needs
in all three influences impacting security professionals’ utilization of data analytics. Security
professionals’ foundational knowledge of data analytics (declarative knowledge), and ability to
reflect on use of data analytics (metacognition) were identified as assets while knowledge of data
analysis process (procedural knowledge) was identified as a need. Security professionals also
lacked confidence (self-efficacy) in their ability to utilize data analytics, while showed high
utility value in this area. Finally, organizational support for utilization of data analytics and
leadership support was perceived adequate by security professionals, while lack of adequate
resources to support the utilization of data analytics was present. The integrated
recommendations provided solutions to address the knowledge, motivation and organizational
gaps that emerged from this study into a comprehensive program. Finally, this study enables
security professionals to improve their utilization of data analytics to drive security program
improvements and shift their operation from reactive to proactive.
99
References
Aguinis, H., & Kraiger, K. (2009). Benefits of training and development for individuals and
teams, organizations, and society. Annual Review of Psychology, 60, 451–474.
Ambrose, S., Bridges, M., DiPietro, M., Lovett, M., & Norman, M. (2010). How learning works:
seven research-based principles for smart teaching (1st ed.). Jossey-Bass.
Anderson, L., & Krathwohl, D. (2001). A taxonomy for learning, teaching, and assessing: A
revision of Bloom’s taxonomy of educational objectives (Abridged ed.). Longman.
ASIS International (2004). Chief Security Officer Guideline
ASIS International (n.d.). Strategic Plan 2020-2024.
https://www.asisonline.org/globalassets/internal/asis-strategic-plan-2020-2024.pdf
Azuwa, M., Ahmad, R., Sahib, S., & Shamsuddin, S. (2012). Technical security metrics model in
compliance with ISO/IEC 27001 standard. International Journal of Cyber-Security and
Digital Forensics, 1(4), 280-288.
Bandura, A. (2005). The evolution of social cognitive theory. In K. G. Smith & M. A. Hitt
(Eds.), Great minds in management (pp. 9–35). Oxford University Press.
Barber, J. (2004). Skill upgrading within informal training: Lessons from the Indian auto
mechanic. International Journal of Training and Development, 8(2), 128–139.
https://doi.org/10.1111/j.1468-2419.2004.00202.x
Beck, D., Gips, M., Adams, D., & Florence, L. (2019). The state of security convergence in the
Unites States, Europe, and India. ASIS Foundation.
Brotby, W. K. (2009). Information security management metrics: A definitive guide to effective
security monitoring and measurement. Taylor & Francis Group, LLC.
100
Campbell, G. (2009). Don’t neglect key performance indicators. Security Technology
Executive,19(10), 19.
Campbell, G. (2011). Good metrics tell a story. Security Technology Executive, 21(5), 18-.
Campbell, G. (2012). Tracking protective services key performance indicators. Security
Technology Executive, 22(1), 17.
Campbell, G. (2014). Measures and metrics in corporate security (2nd ed.). Elsevier.
Campbell, G. (2015). Measuring and communicating security’s value: a compendium of
metrics for enterprise protection. Elsevier.
Carnegie Mellon University. (1995). Security metrics. In systems security engineering-capability
maturity model. http://web.archive.org/web/20120423172421/http:/www.sse-
cmm.org/metric/metric.asp.
Chen, M., Mao, S., & Liu, Y. (2014). Big data: A survey. Mobile Networks and Applications,
19(2), 171-209.
Chew E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008).
Performance measurement guide for information security. NIST Special Publication
800-55 Rev. 1. National Institute of Standards and Technology.
Clark, R. E., & Estes, F. (2008). Turning research into results: A guide to selecting the right
performance solutions. CEP Press.
Creswell, J. W. (2014). Research design: qualitative, quantitative, and mixed methods
approaches (4th ed.). Sage Publications.
Creswell, J. W, & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and mixed
methods approaches. (5th ed.). Sage Publications.
Davenport, T., & Harris, J. (2010). Analytics and the bottom line: How organizations build
101
success. Harvard Business Review.
United States Department of Defense. (2021). DOD Dictionary of military and associated terms.
The Joint Staff.
Eccles, J. (2006). Expectancy value motivational theory.
http://www.education.com/reference/article/expectancy-value-motivational-theory/
Enoma, A., & Allen, S. (2007). Developing key performance indicators for airport safety and
security. Facilities, 25(7/8), 296–315. https://doi.org/10.1108/02632770710753334
Fink, A. (2013). Chapter 2: The survey form. In how to conduct surveys: A step-by-step guide (5th
ed.) (pp. 29–56). SAGE Publications.
Foynes, M., & Fuller, M. (2018). Future of physical security, extending converged digital
capabilities across logical & physical environments. [White paper]. Microsoft
Corporation and Accenture LLP.
Glesne, C. (2011). But is it ethical? Considering what is “right.” In becoming qualitative
researchers: An introduction (4th
ed.). (pp.162-183).
Halaweh, M., & El Massry, A. (2015). Conceptual model for successful implementation of big
data in organizations. Journal of International Technology and Information Management,
24(2), 21-II.
Hopkins, M., LaValle, S., Lesser, E., Shockley, R., & Kruschwitz, N. (2011). Big data,
analytics and the path from insights to value. (The New Intelligent Enterprise). MIT
Sloan Management Review, 52(2), 21–32.
Johnson, B., & Christensen, L. (2014). Educational research: Quantitative, qualitative, and
mixed approaches (6th ed.). Sage Publications.
Kiron, D., & Shockley, R. (2011). Creating business value with analytics. MIT Sloan
102
Management Review, 53(1), 57-63.
Knoke, M., & Peterson, E. (2015). Physical security principles. ASIS International.
Kovacich, G., & Halibozek, E. (2006). Security metrics management how to measure the costs
and benefits of security. Butterworth-Heinemann.
Kogler Hill, S., Thomas, E., & Keller, L. (2009). A collaborative, ongoing, university strategic
planning framework, process, landmines, lessons. Society for College and University
Planning.
Kozlowski, S., Gully, S., Brown, K., Salas, E., Smith, E., & Nason, E. (2001). Effects of
training goals and goal orientation traits on multidimensional training outcomes and
performance adaptability. Organizational Behavior and Human Decision Processes,
85(1), 1–31.
Kraiger, K., Ford, J., & Salas, E. (1993). Application of cognitive, skill-based, and affective
theories of learning outcomes to new methods of training evaluation. Journal of Applied
Psychology, 78(2), 311–328.
Krathwohl, D. R. (2002). A revision of Bloom’s Taxonomy: An overview. Theory Into
Practice, 41(4), 212–218.
Krueger, R. A., & Casey, M. A. (2009). In focus groups: A practical guide for applied research
(4th ed.). Sage Publications.
Leadership Toolkit (n.d.). University of Southern California.
Lipton, M. (1996). Demystifying the development of an organizational vision. Sloan
Management Review, 37(4), 83-92.
Luftman, J., Zadeh, H. S., Derkesen, B., Santana, M., Rigoni, E. H., & Huang, Z. (2013). Key
103
information technology and management issues 2012-2013: An internal study. Journal of
Information Technology, 28, 354-366.
Marsh, J. A., & Farrell, C. C. (2015). How leaders can support teachers with data-driven decision
making: A framework for understanding capacity building. Educational Management
Administration & Leadership, 43(2), 269-289.
Marsh, J. A., Pane, J. F., & Hamilton, L. S. (2006). Making sense of data-driven decision
making in education. RAND Education occasional paper. RAND Corporation.
https://doi.org/10.7249/OP170
Martin, C., Bulkan, A., & Klempt, P. (2011). Security excellence from a total quality
management approach. Total Quality Management, 22(3), 345-371.
Mayer, R. E. (2011). Applying the science of learning. Pearson Education.
Maxwell, J. A. (2013). Qualitative research design: An interactive approach (3rd ed.). Sage.
McIlravey, B. (July 2009). Security information management: The foundation of enterprise
security. [White paper]. PPM 2000 Inc.
Medina, M., Castleberry, A., Persky, A., & Medina, M. (2017). Strategies for improving learner
metacognition in health professional education. American Journal of Pharmaceutical
Education, 81(4), 78–78.
Merriam, S. B., & Tisdell, E. J. (2016). Qualitative research: A guide to design and
implementation (4th ed.). Jossey-Bass, a Wiley Brand.
Moulton, R. E. (2004). Security Business Practices Reference. ASIS International.
Muller, M. (2014). Risiko- und fehlermanagement in der luftfahr, kann die medizin davon
profitieren [Risk and error management: can medicine benefit from lessons learned in
aviation?] https://rd.springer.com/article/10.1007%2Fs00103-014-2077-2
104
Nenty, H., & Nenty, H. (2009). Writing a quantitative research thesis. International Journal of
Educational Science, 1(1), 19-32.
Ohlhausen, P., Poore, M., McGarvey, D., & Anderson, L. (2014). Persuading senior
management with effective, evaluated security metrics. ASIS International.
Payne, S. (2006, June 19). A guide to security metrics. SANS Institute.
www.sans.org/reading_room/whitepapers/auditing/guide-security-metrics_55
Pazzaglia, A. M., Stafford, E. T., & Rodriguez, S. M. (2016). Survey methods for educators:
Analysis and reporting of survey data (Part 3 of 3) (REL 2016-160). U.S. Department of
Education. https://files.eric.ed.gov/fulltext/ED567753.pdf
Phippen, A., & Sheppard, S. F. (2004). A practical evaluation of web analytics. Internet
Research, 14(4), 284-293.
Preti, A., & Miotto, P. (2011). Self-deception, social desirability, and psychopathology.
Behavioral and Brain Sciences, 34(1), 37.
Ransbotham, S., Kiron, D., & Prentice, P. K. (2015). Minding the analytics gap. MIT Sloan
Management Review, 56(3), 63-68.
Rathburn, D. (2009, October 7). Gathering security metrics and reaping the rewards. SANS
Institute. www.sans.org/reading_room/whitepapers/leadership/gathering-security-
metrics-reaping-rewards_33234
Ries, E. (2011). The lean startup: How today’s entrepreneurs use continuous innovation to
create radically successful businesses (1st ed.). Crown Business.
Rubin, H., & Rubin, I. (2012). Qualitative interviewing the art of hearing data (3rd ed.). Sage
Publications.
Rueda, R. (2011). The 3 dimensions of improving student performance: Finding the right
105
solutions to the right problems. Teachers College Press.
Salkind, N. J. (2014). Statistics for people who (think they) hate statistics. SAGE.
Schatz, D., Bashroush, R., & Wall, J. (2017). Towards a more representative definition of
cyber security. Journal of Digital Forensics, Security and Law 12(2).
https://doi.org/10.15394/jdfsl.2017.1476
Schein, E. H. (2004). Organizational culture and leadership. Jossey-Bass.
Schunk, D., & Pajares, F. (2006). Self-efficacy theory. Routledge/Taylor & Francis Group.
Weiss, R. S. (1994). Learning from strangers: The art and method of qualitative interview
studies. The Free Press.
Wu, L., Yuan, L., & You, J. (2015). Survey of large-scale data management systems for big
data applications. Journal of Computer Science and Technology, 30(1), 163-183.
106
Appendix A
Survey Questions
Introduction
Dear participant:
My name is Farhad Tajali and I am a doctoral student at University of Southern California. For
my dissertation, I am examining the utilization of data analytics by security professionals in a
management role. The following questionnaire will require approximately 5 minutes to
complete. There is no compensation for responding nor is there any known risk. All information
will remain confidential and no personal identifiable information will be gathered. At the end of
the quantitative survey, you will be asked if you are willing to participate in a 30-45 minute
online interview. Participation is strictly voluntary, and you may refuse to participate at any time.
The data collected will provide useful information regarding utilization of data analytics in the
field of physical security and will benefit security professionals and the field of physical security.
107
Survey Questions
1. How many years have you been employed in the field of physical security?
(Demographics)
a. 1-3 years
b. 4-6 years
c. 7-10 years
d. 10+ years
2. What is your current position in your security organization? (Demographics)
a. Manager
b. Director
c. Vice President
d. Chief Security Officer
e. Other (please specify)
3. How familiar are you with the following? (1. Not at all familiar, 2. Slightly familiar, 3.
Moderately familiar, 4. Extremely familiar):
a. Data Analysis (RQ1-K)
b. Security Metrics (RQ1-K)
c. Collection of security data (performance, turnover, budget, calls for service,
incidents, risk assessment, etc.) (RQ1-K)
d. Tools and applications that are often used in Security Metrics programs to collect
security data (RQ1-K)
e. Use of analytical graphs (bar chart, pie chart, line graph, scatter plot, etc.) (RQ1-
K)
108
4. How confident are you with your ability to perform data analysis as a security
professional? (Data analysis is a process of analyzing raw data in order to make
conclusions about that information)? (RQ2-M)
a. 1. Not at all confident, 2. slightly confident, 3. moderately confident, 4. extremely
confident
5. How would you rate your ability to perform data analysis to measure your security
program's effectiveness? (RQ2-K)
a. 1. Not at all adequate, 2. slightly adequate, 3. moderately adequate, 4. extremely
adequate
6. How important is it for you as a security professional to use security metrics (Security
metrics are quantifiable measurements of a security program, including data collection
and analysis to help organizations protect their employees, assets and information)?
(RQ2-M)
a. 1. Not at all important, 2. Slightly important, 3. Moderately important, 4.
Extremely important
7. Are you currently performing data analysis by collecting and analyzing security metrics
within your organization? (RQ1-O)
a. Yes
b. No
8. (Display logic, if “No” to Q7) Would you use security metrics if you knew more about
how to use them effectively? (RQ2-M)
a. Yes
b. No
109
9. (Display logic, if “Yes” to Q7) How helpful is the use of security metrics in measuring
the effectiveness of your physical security program? (RQ2-M)
a. 1. Not at all helpful, 2. slightly helpful, 3. moderately helpful, 4. extremely
helpful
10. (Display logic, if “Yes” to Q7) How likely would the security metrics results inform your
decision-making process? (RQ2-M)
a. 1. Extremely unlikely, 2. Unlikely, 3. Likely, 4. Extremely likely
11. How likely would you attend a training program on security metrics, if one was offered
by your organization? (RQ2-M)
a. 1. Extremely unlikely, 2. Unlikely, 3. Likely, 4. Extremely likely
12. My organization's leadership is supportive of using security metrics. (RQ3-O)
a. 1. Strongly disagree, 2. Disagree, 3. Agree, 4. Strongly agree
13. (Display logic, if “Yes” to Q7) Is there a reoccurring security metrics review meeting
with your organization's executive team to present findings? (RQ3-O)
a. Yes
b. No
14. (Display logic, if “Yes” to Q13) How often are security metrics reviewed by the
executive team? (select all that apply) (RQ3-O)
a. Daily, weekly, monthly, quarterly, annually, other (please specify)
15. (Display logic, if “Yes” to Q7) How often are security metrics reviewed with internal
security teams? (select all that apply) (RQ3-O)
a. Daily, weekly, monthly, quarterly, annually, other (please specify)
16. How important is the use of security metrics in your organization? (RQ3-O)
110
a. 1. Not at all important, 2. Slightly important, 3. Moderately important, 4.
Extremely important
17. (Display logic, if “No” to Q7) What are the barriers, if any, in using security metrics in
your organization? (select all that apply) (RQ3-O)
a. Lack of knowledge, lack of leadership support, lack of resources, organizational
resistance to change, individual resistance to change, other (please specify)
18. (Display logic, if “Yes” to Q7) What aspects of the security program, if any, are
measured in your organization to determine the security program's effectiveness? (select
all that apply) (RQ3-O)
a. Security calls for service, incidents, investigations, guard tour program,
performance, security tasks, security projects, security budget, training, security
awareness program, systems performance, risk assessment, other (please specify)
19. (Display logic, if “Yes” to Q7) Are security metrics reviewed and shared via a data
analytics dashboard? (RQ3-O)
a. Yes
b. No
20. (Display logic, if “Yes” to Q19) How was this dashboard developed? (RQ3-O)
a. Developed in-house
b. Third party application/tool
21. (Display logic, if “Yes” to Q7) What elements or metrics does your organization view as
most important? (RQ3-O)
a. Open-ended
111
22. (Display logic, if “Yes” to Q7) Why are those elements viewed as most important? (RQ3-
O)
a. Open-ended
112
Appendix B
Interview Questions
Introduction to survey questions to recruit interview participants:
Thank you for volunteering to take part in a brief interview. My study is examining the
utilization of data analytics to inform data-driven decision making by security professionals in
the field of physical security. I will use pseudonyms to replace all references to the organization,
people, or any other personally or organizationally identifiable information produced in the
dissertation. All information provided in this interview will remain confidential. Participation in
this study is voluntarily, there is no penalty for refusing to take part or terminating the interview
at any time. The interview will take approximately 30-45 minutes.
Survey questions to recruit interview participants
1. How many years have you been employed in the field of physical security?
(Demographics)
a. 1-3 years
b. 4-6 years
c. 7-10 years
d. 10+ years
2. What is your current position in your security organization? (Demographics)
a. Manager
b. Director
c. Vice President
d. Chief Security Officer
e. Other (please specify)
113
3. Are you currently collecting and analyzing security metrics within your organization
(Security metrics are quantifiable measurements of a security program, including data
collection and analysis to help organizations protect their employees, assets and
information.)?
a. Yes
b. No
4. How many years have you been using security metrics as a security professional?
(Display logic, dependent on Q3)
a. 1-3 years
b. 4-6 years
c. 7-9 years
d. 10+ years
5. Please provide your contact information below to take part in a brief interview:
a. Name
b. Email address
Introduction
I am Farhad Tajali, a doctoral student at the University of Southern California.
This study is examining to use of data analytics by security professionals to inform data-
driven decision making.
All information provided in this interview will remain confidential. Participation in this
study is voluntarily, there is no penalty for refusing to take part or terminating the study
at any time.
114
Do you have any questions concerning the purpose of the study, the protection, and
anonymity of information, and your voluntary right to participate or terminate your
participation at any time?
With your permission, I will be recording and transcribing this interview to facilitate
analysis. A copy of which will be provided to you. Again, if you decide to end the
interview, you may do so at any time. Finally, I anticipate the interview to last about
30 minutes.
Do you have any questions at this time? Let me turn on the recorder.
Interview Questions
1. In your own words, could you describe what security metrics are (RQ1-K)
a. Probe for a few examples.
2. What do you see as the value of collecting and analyzing security metrics, if any? (RQ2-
M)
3. Could you describe how you use security metrics in your organization? (RQ1-K)
a. Probe for a few examples.
4. How important is it for you to use security metrics in your organization? (RQ2-M)
a. Probe with why?
5. Where would you rank the use of security metrics comparison to other priorities? (RQ2-
M)
6. How important do you feel it is for your organization to use security metrics? (RQ3-O)
7. What are the goals related to using security metrics within your organization? (RQ2-K)
8. How confident are you in ability to use security metrics and reach those goals? (RQ2-M)
115
9. How do you use information derived from security metrics to inform your decision-
making process? (RQ1-K)
10. Please provide an example of how security metrics were used in your decision-making
process. (RQ1-K)
11. In what ways, if at all, did your organization facilitate change to encourage security
professionals to use security metrics? (RQ3-O)
a. What changes were made?
12. Overall, how were the changes received by security professionals in your organization?
(RQ3-O)
13. Could you describe any form of organizational resistance or barriers to change in the
process of utilizing security metrics within your organization? (RQ3-O)
14. Tell me about a time when you felt challenged or had issues using security metrics. How
did you address the issue? (K).
a. What contributed to the challenge?
15. What resources did your organization offer to facilitate change in use of security metrics
by security professionals? (RQ3-O)
16. In your organization, what elements or security metrics does senior management view as
the most important? (RQ3-O)
116
Appendix C
USC Information Sheet
INFORMATION SHEET FOR EXEMPT RESEARCH
STUDY TITLE: Utilizing Data Analytics to Guide Data-Driven Decision Making in the Field
of Physical Security: An Exploratory Study
PRINCIPAL INVESTIGATOR: Farhad Tajali
FACULTY ADVISOR: Helena Seli, Ph.D.
You are invited to participate in a research study. Your participation is voluntary. This document
explains information about this study. You should ask questions about anything that is unclear to
you.
PURPOSE
The purpose of this study is to assess the needs and requirements associated with the knowledge,
motivation, and organizational resources needs to achieve the use of data analytics by security
professionals. We hope to learn the barriers in use of data analytics by security professionals.
You are invited as a possible participant because you are a security professional in the field of
physical security.
PARTICIPANT INVOLVEMENT
If you decide to take part, you will be asked to participate in a 30-minute recorded online
interview. You do not have to answer any questions you don’t want to; if you don’t want to be
recorded, you can decline and continue participating in the study. You do not have to answer any
questions you prefer not to answer. You can stop the interview at any time.
PAYMENT/COMPENSATION FOR PARTICIPATION
You will not be compensated for your participation.
CONFIDENTIALITY
Any identifiable information obtained in connection with this study will remain confidential.
Your responses will be coded with a false name (pseudonym) and maintained separately. The
online recording will be destroyed once they have been transcribed. The members of the research
team, and the University of Southern California Institutional Review Board (IRB) may access the
data. The IRB reviews and monitors research studies to protect the rights and welfare of research
subjects.
INVESTIGATOR CONTACT INFORMATION
If you have any questions about this study, please contact the principal researcher Farhad Tajali
at tajali@usc.edu and the dissertation chair Helena Seli, Ph.D. at Helena.seli@rossier.usc.edu
117
IRB CONTACT INFORMATION
If you have any questions about your rights as a research participant, please contact the
University of Southern California Institutional Review Board at (323) 442-0114 or email
irb@usc.edu.
118
Appendix D
Barriers in Using Security Metrics Question
Survey Item
Response
n %
What are the barriers in using
security metrics in your
organization? (N = 170)
Lack of knowledge
Lack of resources
Organizational resistance to change
Individual resistance to change
Lack of leadership support
Other
43
42
27
23
22
13
25.2
24.7
15.8
13.5
12.9
7.6
119
Appendix E
Country Demographic of Participants (Survey)
County n % N
US
Canada
Nigeria
United Kingdom
India
France
Mexico
Australia
Brazil
Colombia
Hong Kong
Peru
Poland
Spain
Honduras
Netherlands
Qatar
Romania
Singapore
South Korea
Thailand
United Arab Emirates
Venezuela
Afghanistan
Argentina
Austria
Bahrain
Belgium
Chile
Ghana
Greece
Iraq
Ireland
Israel
141
14
7
7
6
5
5
4
3
3
3
3
3
3
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
57.3%
5.7%
2.8%
2.8%
2.4%
2.0%
2.0%
1.6%
1.2%
1.2%
1.2%
1.2%
1.2%
1.2%
0.8%
0.8%
0.8%
0.8%
0.8%
0.8%
0.8%
0.8%
0.8%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
120
Italy
Jamaica
Kuwait
Panama
Saudi Arabia
South Africa
Switzerland
Trinidad and Tobago
Turkey
Ukraine
1
1
1
1
1
1
1
1
1
1
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
0.4%
Abstract (if available)
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
One to one tablet integration in the mathematics classroom: an evaluation study of an international school in China
PDF
Data-driven culture in the consumer goods industry
PDF
The utilization of data analytics in the entertainment sector
PDF
The implementation of data driven decision making to improve low-performing schools: an evaluation study of superintendents in the western United States
PDF
The moderating role of knowledge, motivation, and organizational influences on employee turnover: A gap analysis
PDF
A qualitative examination of the methods church leaders use to increase young adult attendance in Christian churches: an evaluation study
PDF
Violence experienced by registered nurses working in hospitals: an evaluation study
PDF
Nonprofit donor retention: a case study of Church of the West
PDF
Stop the revolving door: the influence of emotionally intelligent leadership practices on employee retention in non‐profit human service organizations
PDF
Supporting faculty in preparing entrepreneurship: an exploration in the context of active learning
PDF
Factors contributing to student attrition at a healthcare university: a gap analysis
PDF
Satisfactory academic progress for doctoral students: an improvement study
PDF
Job placement outcomes for graduates of a southwestern university school of business: an evaluation study
PDF
A school for implementing arts and technology: an innovation study
PDF
Full-time distance education faculty perspectives on web accessibility in online instructional content in a California community college context: an evaluation study
PDF
Learners’ perceptions of the microlearning format for the delivery of technical training: an evaluation study
PDF
Institutional advancement in higher education: managing gift officer performance and turnover
PDF
An improvement study of leading a sustainable electric utility future through organizational change effectiveness
PDF
The impact of advanced technologies on the workplace and the workforce: an evaluation study
PDF
The role of professional development and certification in technology worker turnover: An evaluation study
Asset Metadata
Creator
Tajali, Farhad
(author)
Core Title
Utilizing data analytics in the field of physical security: an exploratory study
School
Rossier School of Education
Degree
Doctor of Education
Degree Program
Organizational Change and Leadership (On Line)
Publication Date
04/16/2021
Defense Date
04/08/2021
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
data,data analytics,gap analysis framework,key performance indicators,KMO,KPI,metrics,OAI-PMH Harvest,physical security,Security,security metrics,security operations,security professional
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Seli, Helena (
committee chair
), Muraszewski, Allison Keller (
committee member
), Phillips, Jennifer (
committee member
)
Creator Email
ftajali@gmail.com,tajali@usc.edu
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-c89-446489
Unique identifier
UC11668622
Identifier
etd-TajaliFarh-9487.pdf (filename),usctheses-c89-446489 (legacy record id)
Legacy Identifier
etd-TajaliFarh-9487.pdf
Dmrecord
446489
Document Type
Dissertation
Rights
Tajali, Farhad
Type
texts
Source
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Tags
data
data analytics
gap analysis framework
key performance indicators
KMO
KPI
metrics
physical security
security metrics
security operations
security professional