Date of Award

Spring 2015

Degree Type


Degree Name

Master of Science (MS)


Computer and Information Technology

First Advisor

Eric Dietz

Committee Chair

Eric Dietz

Committee Member 1

Kevin Dittman

Committee Member 2

Raymond Hansen


This research analyzes the idea of managing information security risk on projects, as well as the effectiveness and costs associated with this kind of management. Organizations today face a myriad of security risks given their increased use of information technology. New solutions to improve information security within organizations large and small need to be researched and analyzed. Review of relevant literature has determined that although organizations are managing security from the top down, there is a lack of security management at the project level and that most project managers and their teams rely on the organizational security measures to keep information secure. The concept of managing security risks at the project level is not well defined and there exists no concrete and widely accepted framework for it. This research examines if managing security at the project level within a multi-tiered defensive strategy can be effective and at what cost. It also seeks to determine if budgeting for security in projects will lead to more secure project assets and products. This qualitative study uses three sources of data to deduce conclusions and recommendations. One, literary sources, two, subject interviews of security and project management professionals, and three, a computerized model built to simulate a defense in depth strategy. The primary finding of this research is that the concept of managing information security in projects is valid, and that doing so will lead to more secure project assets and products. This type of management will increase the security posture of the project itself and the organization as a whole. Recommendations are made by the researcher as to what steps a project manager and the organization above it must take to leverage the management of information security risks on projects.