Examining the relationship between formal RMF training and perceptions of RMF effectiveness, sustainability and commitment in RMF practitioners
Abstract
The US Federal Information Systems Modernization Act (FISMA) included a mandate for the National Institute of Standards and Technology (NIST) to modernise and create new methods of strengthening the US Government’s cyber security posture. NIST answered this call with the creation of the risk management framework (RMF). RMF has received criticism and has been viewed as ineffective and a potential failure. This quantitative research investigated the relationship between receiving formal RMF training and perceptions of RMF effectiveness, RMF commitment and RMF sustainability. The research proposed that the receipt of formalised RMF training would increase the perceptions of RMF effectiveness, RMF commitment and RMF sustainability in RMF practitioners. A convenience sample of 81 RMF practitioners responded to an online survey assessing perceived competence in RMF effectiveness, RMF commitment and RMF sustainability, as well as the number of formal RMF training hours they had received. The data was analysed using descriptive statistics, analysis of variance (ANOVA) and Pearson’s correlations. Based on the results of this study, a significant, positive relationship exists between the receipt of formalised RMF training and perceptions of RMF effectiveness. Statistical significance can be seen in the ANOVA tests, where there was a significant difference in the mean effectiveness perceived competency scale (PCS) scores among those with varied levels of formal RMF training (MS = 5.388, F(2, 78) = 3.645, p < .05). Pearson’s correlation also indicated a significant positive association between the effectiveness PCS score and the amount-of-training-received category (r = .253, n = 81, p = .023).
Understanding the relationship between perceptions of RMF effectiveness and the receipt of formalised RMF training may be helpful in driving effective RMF implementation throughout the US Government and contractor community, minimising the likelihood that US Government systems are compromised via cyber security breaches.
The full article is available to subscribers to the journal.
Authors' Biographies
Philip D. Schall PhD, CISSP, RDRP is an Associate Professor of Information Systems at Liberty University as well as Executive Director of Training for BAI information security and is a recognised authority in the area of information security risk management. Among his specific areas of expertise are certification and accreditation of federal government systems (RMF, FISMA, CSF), government security policies and guidelines, security assessment methodology and information security training. In addition to CISSP and RDRP certifications, Philip holds a PhD in information technology as well as an MS in information systems security from University of the Cumberlands and an MAEd in instructional design and technology from Virginia Polytechnic Institute and State University. Philip has served on a variety of academic boards and is active as a university professor, teaching in the fields of information systems and cyber security. Philip’s current research is focused on exploring the relationship between the receipt of formalised RMF training and the reduction in RMF project costs. Philip is dedicated to improving the real-world application of RMF with the goal of mitigating the idea that RMF is not a successful policy. Additional research interests include NIST’s cyber security framework (CSF) and the changing landscape of technology training in higher education.
Oludotun Oni PhD, CISSP is a Professor of Information Systems and Security at the University of the Cumberlands, where he also serves as PhD IT dissertation director. He obtained his PhD in information systems from Northcentral University. He also completed a Cybersecurity Risk Management programme at Harvard University. Oludotun has over 35 years’ technical and management experience, spanning four countries in three continents. He has held several leadership roles for over 16 years, including serving as Chair of the College of Information System and Technology. He has served as Mentor and Chair on several doctoral dissertation committees, including a ‘Dissertation of the Year’ award winner. Oludotun has also received many recognitions, such as ‘Distinguished Leadership in Experiential Education’ award (2012) and multiple ‘Distinguished Faculty of the Year’ awards (2010, 2015, 2016). Oludotun sits on the editorial board of several peer-reviewed journals and is a member of various international professional bodies. After working with a leading global telecommunications company for almost 17 years, he now engages in cyber security education consulting with several universities.