Date of Conferral



Doctor of Information Technology (D.I.T.)


Information Systems and Technology


Gary Griffith


Some university data custodians lack information security strategies to prevent data security breaches. Reducing duplicitous use of personally identifiable information (PII) obtained maliciously from colleges and universities should be important to university data custodians, IT leadership at all levels, state legislators, and individuals who have an interest in moving into the cybersecurity space in higher education. Grounded in general systems theory, the purpose of this qualitative multiple case study was to examine information security strategies that university data custodians use to protect PII collected from staff, students, and other stakeholders. The participants consisted of 15 college and university data custodians in North Carolina and South Carolina who implemented security strategies. Semistructured virtual interviews were used to collect data. The verbatim transcripts were analyzed using thematic analysis in conjunction with Tesch’s data coding process, then compared to current literature as a control. There were 5 key emergent themes: (a) adaptive security measures, (b) necessity for buy-in, resources, or both, (c) proper management and personnel, (d) requirements based on state/industry regulations, and (e) security education training and awareness. University data custodians should implement, promote, and monitor comprehensive information security strategies to protect university PII. The implications for positive social change include potential leadership awareness to protect university PII and minimize the adverse effects of a data breach.