Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards

Abstract

Digital security compliance programs and policies serve as powerful tools for protecting organizations’ intellectual property, sensitive resources, customers, and employees through mandated security controls. Organizations place a significant emphasis on compliance and often conflate high compliance audit scores with strong security; however, no compliance standard has been systemically evaluated for security concerns that may exist even within fully-compliant organizations. In the LASER workshop, I will discuss my approach for recruiting industry experts in compliance standards, penetration testing, and digital security to conduct a multi-part study to evaluate the security concerns associated with mandatory compliance programs. Research methods include shameless cold-calling, codebook development, determining inter-rater reliability, external validation of data, and working with industry partners to responsibly disclose our findings.

Speaker’s Biography

Rock Stevens is a lifelong student of information technology, earning his first certification as a network administrator at the age of 15. He served as a Madison Policy Forum Military-Business Cybersecurity Fellow and is pursuing a Ph.D. in Computer Science from the University of Maryland. Contact him at [email protected].