Abstract: This talk describes findings based on six interviews performed by researchers at the RAND Corporation. In investigating how companies make decisions about whether and how to invest in cyber security, the RAND researchers asked chief information security officers from six Internet-related companies about their attitudes and actions. There was surprising consistency with a business school model of attitudes toward customers and the marketplace. Shari Lawrence Pfleeger will describe the hypotheses generated by this study.

Short Bio: Shari Lawrence Pfleeger is a senior researcher at the RAND Corporation, a not-for-profit company doing high-quality, high-impact research in the public interest. At RAND, she works on policy and decision-making issues that help organizations and government agencies understand whether and how information technology supports their mission and goals. From 1982 to 2003, Dr. Pfleeger was president of Systems/Software, Inc., a consultancy specializing in software engineering and technology. From 1997 to 2000, she was also a visiting professor at the University of Maryland's computer science department. Prior to that, she was founder and director of Howard University's Center for Research in Evaluating Software Technology (CREST), and was a visiting scientist at the City University (London) Centre for Software Reliability, principal scientist at MITRE Corporation's Software Engineering Center, and manager of the measurement program at the Contel Technology Center.

Her publications include 'Software Engineering: Theory and Practice' (3rd edition, with Joanne Atlee, 2005, Prentice Hall), 'Security in Computing' (4th edition, with Charles P. Pfleeger, 2007, Prentice Hall), 'Solid Software' (2001, with Les Hatton and Charles Howell, Prentice Hall), and 'Software Metrics: A Rigorous and Practical Approach' (2nd edition, with Norman Fention, 1996, Boyd and Fraser Publishers). Dr. Pfleeger is book review editor for IEEE Security and Privacy magazine. She was for several years the associate editor-in-chief of IEEE Software, where she edited the Quality Time column, and then associate editor of IEEE Transactions on Software Engineering. From 1998 to 2002, she was a member of the editorial board of Prentice Hall's Software Quality Institute series. She is a senior member of IEEE, the IEEE Computer Society, and the Association for Computing Machinery. She has been on the executive council of the IEEE Technical Council on Software Engineering, and is currently the vice chair of the executive committee for the Institute for Information Infrastructure Protection.