The document provides background on a research project investigating the data breach at the U.S. Office of Personnel Management in 2015. The project aims to interview OPM executives to understand the breach and analyze the relationship between cyber attacks and upgrades to the agency's technology. The researcher plans to enter the OPM for 3 weeks to conduct interviews and examine how often software/hardware patches are implemented each year.
Joseph White
Dr. Leland
PPOL 8622
June 16, 2015
Data Breach Causality Research Project
Research Project Introduction
In the spring of 2015, the United States Office of Personnel Management made a horrible
discovery. The Office of Personnel Management’s private and secured database had suffered a
cyber attack and a data breach. The OPM announced to the media that it had lost the
private and personal data of over 4,200,000 people. The people affected were all
current or former employees of the federal government. Every federal agency was affected,
including the Federal Bureau of Investigation and the Central Intelligence Agency.
The vast majority of the data that was stolen pertained to background information for the
recruiting and hiring of new employees. It was announced that social security numbers, home
addresses, alias names, phone numbers, and medical information were all taken by an
unknown source.
Even people attempting to apply for the federal government as applicants had their social
security numbers stolen. 21,500,000 individuals had their social security numbers extracted
from OPM databases.
Because of this damaging incident, the reputation of the federal government’s cyber security
network was destroyed for the time being. The OPM began an interagency
investigation into the circumstances of the incident, and future actions to prevent the same
incident from happening twice.
The largest impact of this incident, and the point that most shattered the government’s image,
was that this data breach opened Americans’ eyes to the fact that the federal government was
not as all knowing and in control as it projects itself to be. Citizens now began to question cyber security in
general, and what measures are being taken to secure their accounts and private personal
information.
This project, titled “Data Breach Causality Research Project”, is important, interesting, and
necessary for several reasons. First, in order to defend against an enemy or threat, a person or
group must first understand the threat. By interviewing the key stakeholders and executives of
the Office of Personnel Management, key facts, opinions, trends, and research data can be
extracted and analyzed for increased clarity on the topic of cyber security. This project is
interesting, because technology is constantly changing every year, and it is becoming a larger
part of the American citizen’s everyday life. People are becoming incredibly dependent on
technology, to the point that they cannot communicate, eat, or work without technical
assistance. This project is necessary, because the American citizen deserves answers from their
government officials as to why and how the data breach incident occurred. Also, the American
citizen deserves to be as protected as possible from cyber security threats and future attacks.
By utilizing qualitative research techniques such as deep dive interviews and focus groups, the
UNCC MPA research team hopes to gather significant evidence and data to assist the cyber
security and public administration community in their advancement of government data
protection and public policy. The topic area of cyber security is very large, vague, and complex.
By stepping up to the task at hand, and reaching out to assist the federal Office of Personnel
Management, the UNCC MPA research team hopes to lead and guide other local, state, and
federal government organizations, with their obtained and processed research findings.
Literature Review
Research Topic:
I would like to perform a research design on the executive branch of the United States federal
government’s knowledge base surrounding cyber threats and possible attacks, and whether
they have appropriate plans and resources in place to reduce, deny, mitigate, and investigate
potential future threats.
Research Question:
Is the “likelihood of a cyber-breach” to the “executive branch of the United States federal
government”, related to the “current status of upgrades” to its computer technology?
Research Question Variables:
Model study subject-Federal Office of Personnel
DV-Likelihood of a cyber-breach
-Likelihood defined as (Daily, Weekly, Monthly, Yearly, rarely, never)
-Cyber-breach defined as (the intentional or unintentional release of secure information
to an untrusted environment.)
EV-Current status of upgrades to technology
-Current status defined as last privacy software/hardware upgrade to infrastructure
(upgrade 2015, upgrade 2014, upgrade 2013, etc)
CV-Training
CV-Awareness
CV-Inside job
CV-Unknown technology
Unit of Analysis-Amount of software/hardware/malware patches per year
Current Articles Analyzed on Topic:
Lynne Rudasill, Jessica Moyer, (2004) "Cyber‐security, cyber‐attack, and the development of
governmental response: the librarian's view", New Library World, Vol. 105 Iss: 7/8,
pp.248 - 255
Harris, Shane, (2008) “China’s Cyber-Militia: CHINESE HACKERS POSE A CLEAR AND PRESENT
DANGER TO U.S. GOVERNMENT AND PRIVATE-SECTOR COMPUTER NETWORKS AND
MAY BE RESPONSIBLE FOR TWO MAJOR U.S. POWER BLACKOUTS.” Read on
http://www.triprosec.net/pdf/china_cyber_militia.pdf, June 16, 2015
Groves, Shanna. Information Management Journal 37.3 (May/Jun 2003): 34-40. Read on
http://search.proquest.com/docview/227745315/abstract/EC2AE941DAE4238PQ/1?accountid=14605,
June 16, 2015
Choo, Kim-Kwang Raymond. Computers & Security, Volume 30, Issue 8, November 2011, Pages
719–731. Read on
http://ac.els-cdn.com/S0167404811001040/1-s2.0-S0167404811001040-main.pdf?_tid=c108f522-1441-11e5-9356-00000aab0f6b&acdnat=1434471014_3509d52eee7dceceb08ef7226b4e18f4,
June 16, 2015
https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf
Studies show:
After reviewing several scholarly articles, I have noticed a trend that cyber-attacks are
increasing by the year. These attacks have been linked to several possible reasons including:
advanced software tools, lack of upgrades to infrastructure, lack of budget priority, lack of
training, lack of awareness, advancement in criminal intelligence.
Strengths:
These articles all discuss the various reasons why cyber-attacks are becoming a bigger threat
on a global scale. Researchers have linked society’s dependence on technology for its positive
lifestyle as a main reason that criminals attack technical infrastructure. The researchers also
give several great examples of when cyber-attacks have caused serious problems to the
American government and private sector. Researchers discussed two electrical power outages
that were traced to cyber-attacks from foreign countries. Researchers also discuss the threat to
information privacy for businesses and government personal records, while also giving direct
examples.
Weaknesses:
These articles tend to speak in generalities, which cover a lot of ground, but fail to touch on
grass root causes. I would like to see more researchers give specific cases, from start to finish,
that detail the who, what, where, when, why, and how of the incident. I would then like to see
the researchers show a before and after of the incident, after the cyber security concepts were
operationalized and applied to the problem. Overall, I would like to see the topic discussed in
greater detail. It is difficult for me to create a correlation and test a hypothesis without specific
data pertaining to data breaches. If I was able to find the amount of data breaches to an
agency, and the amount of computer software/hardware upgrades they patched in a given
year, or how often a software/hardware patch upgrade is generated, I could determine if there
is relevance to data breach.
Why this is important to study:
This topic is important to study and obtain more information about because our global society
is becoming more technically dependent by the day. The more important an issue becomes to a
person’s daily lifestyle, the more knowledge needs to be gained about the issue.
Technology presents numerous opportunities for people to advance themselves in this world
through several means including: health, wealth, business, education, work, pleasure, and
travel. With these amazing opportunities comes the potential for risk and threats to our
way of existence. Proper security measures and governmental policy should be put in place to
safeguard our technological advancements. Scholarly studies need to be performed to test the
strength of our operations, and determine connections between critical events and potential
causes that lead to their development. It is smarter to stay ahead of the game, and learn about
potential threats and reasons for negative actions, before any of these possibilities become
disturbing realities.
Research Measurement
As stated earlier in this report, this research project’s unit of analysis will be the numeric amount
of software/hardware/malware patches per year, implemented by the United States federal
government. A patch can be defined as an upgrade or version increase to a computer, software
program, or anti-malware service. By adding up all the upgrades to the federal government
technical network, researchers may be able to quantify the results into a trend analysis.
Trend analysis reports may be able to show correlations to the rise of cyber-attacks on the
federal government, if patches have been occurring at a lowering trend. Also, time frames of
vulnerability may be able to be created, which may show times of the year that data breaches
are more likely to occur.
In addition to trend analysis, basic parameters can be created about technical patches. The
minimum and maximum ranges of patches per year can be established. An average of patches
over a half decade can be determined, as well as a standard deviation and mode.
By quantitatively ranking and qualitatively stratifying the amount of patches and the many
different areas of the patches, evidence may be created to show that certain agencies receive
more cyber defense attention and increased technical budgets over other areas of the federal
government.
Fieldwork Plan
Plan of entry into environment:
During the time period beginning on September 7, 2015 and concluding on September 26, 2015, I
would like to enter the United States of America’s Federal Office of Personnel Management
located at 1900 E. Street NW, Washington DC, 20415, as a research consultant with the purpose
of interviewing procurement managers, risk managers, and cyber security managers on the
topic of cyber security. I would like to discuss the recent events surrounding the data breach
of government employees’ personal information, which started in July of 2014, and was
disclosed to the public in June of 2015.
I want to examine the correlation between data breach incidents at the OPM and their status of
software and hardware upgrades. Is there a connection between an increase in cyber-attacks
and a lowered level of technical security? Or is there another causal variable that is affecting
the rise in attacks on the OPM and other various government agencies? My unit of analysis for
this research study will be “the amount of software/hardware/anti-malware patches per year.”
By developing relationships with managers within the OPM departments listed above, I believe
that I can initiate interview sessions that will allow me to gain a better understanding of what
the OPM is doing to protect their employees’ assets and personal information. I can also see
the exact steps and procedures that the OPM is following and creating to combat this critical
threat.
This fieldwork study should last no shorter than the three weeks currently planned, but may
need to be spread out longer, in order to accommodate schedules and vacations. In addition to
schedule accommodation, several of the fieldwork interview questions may be difficult to
answer without reaching out to other lines of business and organizational personnel. This may
account for longer response times, and a longer stay by the research team.
The research team shall stay off campus and organizational grounds, by lodging at the State
Plaza Hotel, located at 2117 E. St NW, Washington DC, 20037. The team shall attend the
agency during normal business hours, and be given access to a standard office. The research
team shall bring their own laptops, cellphones, and office supplies. Access to a bathroom, copy
machine, and drinking fountain shall be requested by the team, once entry has been granted.
Interviews shall be conducted with management resources as scheduled, and walkthroughs
shall be determined based on research need and on a need to know basis. All members of the
research team shall have a thorough criminal and travel history check performed on them, 2
weeks prior to the September 7, 2015 initiation date, by an independent company of the OPM’s
choosing.
Cover letter:
Dear Office of Personnel Management Staff,
My name is Joseph White, and I am a current graduate student at the University of
North Carolina at Charlotte. I have taken a strong interest in cyber security and the impacts
that cyber-attacks have played on the United States government sector over the past several
years.
Given the recent events at your agency over the past months, I would like to travel to
Washington DC, and work with your management team to discuss, analyze, and conceptualize
the policies, procedures, and actions that are necessary to investigate and reduce cyber-attacks
on your agency. I have a professional background in law enforcement, information technology,
and project management. I have worked internally for Charlotte-Mecklenburg Police
Department, Wells Fargo Bank, and Bank of America. I currently hold a bachelor’s degree in
Criminal Justice from Kent State University and will graduate with a Master of Public
Administration Degree from UNCC in August of 2015.
I would like to conduct my research during the month of September 2015. Over the
course of three weeks, I believe that I can achieve a potent understanding of your methods,
implementations, and risk reduction practices that are deployed to keep our nation safe and
secure. By utilizing a triangular research approach, implementing both qualitative and
quantitative methods, I want to analyze whether a connection exists between the amount of
data breaches on your agency, and your current status of software/hardware upgrades. This
research may help identify reasoning behind potential improvements to nationwide emergency
management plans and prevent future cyber-attacks.
The time commitment of your internal staff will be minimal, with face to face interviews
being conducted during times convenient to you, over the course of a typical workday. My
research team will bring our own equipment, and will stay at a local hotel. All of our research
obtained can be subject for review by your interviewees and staff. I believe that reciprocity can
be achieved during this study, by showing stakeholders the final research conclusion, which
may clarify their understanding of the due diligence that is being completed in order to protect
the nation’s employees from cyber-attacks.
Obviously, this is a very complicated request to explain in an introductory letter, so I
would love to speak with you further over the telephone. My university telephone number is
980-288-2890 and my email is jwhit223@uncc.edu. I am available throughout the week. Please
feel free to contact me at your convenience, and we can continue on the path to a potential
research breakthrough!
Thank you for your time,
Joseph White
Informed Consent for
Data Breach Causality Research Project
Project Purpose
You are invited to participate in a research study during the time period of September 2015,
conducted by the University of North Carolina at Charlotte-Master of Public Administration
Program. This amazing research study will attempt to draw correlations and connections
between the rising amount of cyber-attack data breaches, and how often computer
hardware/software upgrades are completed each year.
By successfully drawing conclusions of cause and effect, the United States government sector
may be able to decrease the amount of cyber-attacks, by implementing various new measures.
In the worst possible scenario, additional information, opinions, and beliefs from high level
government officials can be gathered and submitted to the general body of knowledge
surrounding cyber security defense and emergency management.
Researcher(s)
The researcher is Joseph White, W/M, 9/27/1985, 436 Beaumont Avenue, Charlotte, NC, 28202.
The researcher has 8 years of combined experience in law enforcement, computer science, and
public administration. Joseph is a former award winning law enforcement agent, a certified
project manager, and a current corporate financial cyber security project manager. Joseph has
high intellect in regards to communications and research. Research methods that he has crafted,
utilized, and applied are interviewing, interrogations, case study creation, data analysis, and
project management. Joseph will pass any background check, reference check, travel check, and
lie detector test available.
Joseph White may elect to bring a research team with him to conduct the study. The reasoning
behind this decision is to reduce interview bias, gain a better perspective, increase research
productivity and accountability. Joseph also understands that involving more minds in a
research study increases the potential for more creativity and enhanced results.
The additional researchers shall be identified, labeled, and referenced at a later date. A research
plan with an increased granular description may create a business need for more researchers to
create value to the overall project. These researchers will be subject to the same stringent process
that Joseph White will be, in order to gain acceptance to this research project.
Overall Description of Participation
If you volunteer to participate in this study, you will be asked to meet with research consultants
from the University of North Carolina at Charlotte, to discuss topics and issues pertaining to
cyber security and data breaches. Discussions will occur in a one on one, face to face, office
interview. The interviews will last longer than two hours, but not longer than three hours.
Participants will have the opportunity to eat, drink, and use the restroom.
Interviews will be completed in a formal setting, with formal attire. Participants may be asked
to elaborate on their statements, opinions, and beliefs. Anonymity and privacy may be granted
at the participant’s request. All data will be gathered on paper, then transferred to computer
hardware, and finally transferred to a data storage stick.
Participation shall occur during normal business hours, during pre-scheduled times, of the
participant’s choosing. Meetings may be canceled without notice, however, a rescheduled
meeting will have to be completed by Friday of the same work week.
Length of Participation
Your participation will take approximately 6 total hours of face to face interviews with voluntary
attendance of introductory and final conclusions presentations by the research team.
Risks and Benefits of Participation
The project may involve risks that are not currently known.
Compensation/Payment/Incentives
You will be included in a drawing for three, $5 Food Lion gift cards at the completion of
participation.
Possible Injury Statement
If you are hurt during this study, we will make sure you get the medical treatment you need for
your injuries. However, the university will not pay for the medical treatment or repay you for
those expenses.
Volunteer Statement
You are a volunteer. The decision to participate in this study is completely up to you. If you
decide to be in the study, you may stop at any time. You will not be treated any differently if
you decide not to participate in the study or if you stop once you have started.
Confidentiality Statement
Any identifiable information collected as part of this study will remain confidential to the extent
possible and will only be disclosed with your permission or as required by law.
Statement of Fair Treatment and Respect
UNC Charlotte wants to make sure that you are treated in a fair and respectful manner. Contact
the university’s Research Compliance Office (704-687-1871) if you have questions about how
you are treated as a study participant. If you have any questions about the actual project or
study, please contact Joseph White (704-288-2890, jwhit223@uncc.edu).
Approval Date
This form was approved on June 17, 2015 for use for one year.
I have read the information in this consent form. I have had the chance to ask questions about
this study, and those questions have been answered to my satisfaction. I am at least 18 years of
age, and I agree to participate in this research project. I understand that I will receive a copy of
this form after it has been signed by me and the principal investigator of this research study.
______________________________________ _______________________
Participant Name (PRINT) DATE
___________________________________________________
Participant Signature
______________________________________ _______________________
Researcher Signature DATE
Initial Meetings with Gatekeepers
I believe that the introductory discussions with the gatekeeper and acceptance of this research
project will be a multi-step process. As listed in the chart below, the introduction, explanation,
feedback, rework, and acceptance of the project will take several weeks, prior to the start of
the project.
The best first step to any project is to develop a social or business need for the work to be
completed and funded. For my project, the social and business need is the safety and security
of personal and business data. By studying and developing measures and actions around cyber
security and data breaches, a larger and stronger knowledge base can be formed to better protect
our governmental agencies from attacks from criminals. Communication is a key foundational
block to any academic subject expansion or business partnership. Through performance of
qualitative interviews and quantitative analysis, a clearer understanding of governmental cyber
security may lead to smarter executive decisions and reduce the potential of risks in the future.
The second step to the start of a project is to discuss the research model and directional intent
with the client gatekeeper and the management staff. They will undoubtedly request
a rework and write up of the initial plan to better suit their privacy, abilities, interests, and
schedules.
Strategically, I would send one person to meet with the gatekeeper. I would perform a
background and demographic check on the gatekeeper in order to get the best possible synergy
between the two attendees. Whether it be a similarity such as: gender, race, ex-military,
ethnicity, regional inhabitant, age range, or political views, by having a common connection,
there is potential to reduce anxiety and distrust.
I would create a clearly defined scope statement surrounding the project, with the direction,
intent, costs, time allocation, personnel usage, and end result clearly discussed. It would be
proper to send this document to the gatekeepers, along with a shortened PowerPoint deck to
help explain the small print.
I would send the best possible representative with the work, in a professional attire, with a
small gift from the University of North Carolina at Charlotte campus. First impressions are
absolutely vital during this relationship construction.
With the completion of a successful initial meeting, I would ask for any client changes to the
initial research model. This will allow the client and research team to improve their relationship
and promote the client’s investment in the project. It is very important to have quick
turnaround time on the changes to the model, in order to lock down a confirmation from the
gatekeeper’s team. Any delay in time could potentially cause the gatekeeper to lose interest or
focus on other matters.
A final meeting with the gatekeepers should be completed a few days after the initial meeting in
order to close the deal, and begin the research project. This can be a risky and stressful time
for the client and gatekeeper, so it is important for the research representative to remain calm,
understanding, positive, and supportive to the needs and questions that the gatekeeper may
present.
With the idealistic assumption of an acceptance into the organization by the gatekeeper, it will
take at least a week to process background checks, secure equipment, secure human resources,
and travel to the client site. Extra time should be allotted for in regards to mistakes, accidents,
preparation, and environmental conformity.
After gatekeeper acceptance, create a high level timeline and schedule for both sides to
reference. By staying on the same page, people can properly prepare for meetings, interviews,
and work up sessions. It also allows the gatekeepers to see that the research team has put
time, thought, and effort into the project and the client’s needs. As listed below, a high level
project schedule can be created in Microsoft Excel or Microsoft Project, with times, dates,
places, and personnel documented for review.
DATA BREACH CAUSALITY RESEARCH PROJECT
TIMETABLE
UNCC Research Project Schedule
Week columns: 17-Aug, 24-Aug, 31-Aug, 7-Sep, 14-Sep, 21-Sep

Task Number   Task                                 Day
2             Initial Meeting with GK              Thursday
4             Final Meeting with GK                Monday
5             Acceptance/Decline by GK             Wednesday
6             UNCC prep for project/trip           Thursday/Friday
7             Travel to Washington DC              Monday
11            1st round of Meetings begin          Tuesday
12            Interview with CSO                   By Friday
13            Interview with RMO                   By Friday
15            Compile/Analysis Research Data       Saturday/Sunday
16            2nd round of Meetings begin          Monday
17            Followup Interview with CSO          By Friday
18            Followup Interview with RMO          By Friday
20            Compile/Analysis Research Data       Saturday/Sunday
25            Travel back to UNCC                  Saturday

Tasks listed for task numbers 1, 3, 8, 9, 10, 14, 19, 21, 22, 23 and 24:
Rework Model based on GK feedback
Site Seeing/Hotel/Equipment testing
Final Presentation to OPM management
Develop Research Model and Purpose Points
Introductions/Presentation to OPM management
Set up qualitative meetings with Managers
Interview with Procurement Officer
Followup Interview with Procurement Officer
Request Access for a tour of premises
Meeting with GK over potential findings
Create Documentation surrounding Research Discoveries

Days listed for these tasks: Monday; By Thursday; Friday; Thursday/Sunday; Tuesday/Thursday;
Monday/Thursday; Friday; Monday; By Friday; By Friday; Monday
Detailed Plan of Data Collection
1. Qualitative Analysis Tactic (In depth Interview Session)
My plan of action for data collection will consist of detailed qualitative interviews of several
management resources surrounding the cyber security efforts of the United States Federal
Office of Personnel Management. As listed above in the project schedule, my research team
will conduct separate interview sessions with the Chief Security Officer, the Chief Risk Officer,
the Chief Procurement Officer, Senior Network Administrator, Senior Database Administrator,
and the Compound Property Manager. These positions possess an extensive amount of
information regarding the knowledge base, efforts, preparations, investigations, upgrades,
purchases, recruitment, and management of cyber security methods within the Office of
Personnel Management.
The main purpose of these qualitative interviews is to obtain an internal first person account
and opinion of the topic of cyber security, as well as, any quantifiable data that can be
developed from these descriptive conversations with executives. Questions shall be developed
to gain knowledge around the amount of data breaches and cyber-attacks that happen to a
federal agency like the Federal Office of Personnel Management. Information pertaining to the
amount of attacks, the severity of attacks, the location of attacks, the timeframe of attacks, and
any quantitative factor to study shall be extracted from the qualitative interview techniques of
this project. Interviews shall discuss upgrades to technology, changes in procedures and
management, and possible issues that may increase the potential of a cyber-attack.
Each executive will be interviewed twice, over the course of two weeks. This will allow the
researchers to analyze the interviewee’s remarks and thought processes, outside of the
interview process. The separation period will allow researchers to form new and better
questioning that can clarify areas of vagueness, doubt, confusion, and interest.
Each interview session should be conducted in the management resource’s office, in order to
make them feel comfortable. Food and beverages should be made readily available, with
access to restrooms and smoke breaks granted. Sessions should last longer than one hour, but
no more than three hours, due to potential interview fatigue.
Interview questions shall be open ended, and should allow the interviewee the opportunity to
take the conversation in the direction that they best feel can elaborate and illustrate their
point. Interviewee responses should be noted and documented word for word, in order to
properly analyze comments, questions, conclusions, and recommendations.
Interview times should be scheduled to fit the hectic schedules of the executives being
interviewed. Whether interview times occur first thing in the morning, or one hour before
close of business, the researcher should be punctual to the needs of the client.
During the course of the interview, no use of technology by the interviewee or distractions
should be permitted by the researcher. No telephone calls, emails, music, or other actions
should break the concentration of the researcher and executive. The purpose of this measure
is to prevent anything from breaking an interviewee’s frame of thought and direction of conversation.
Special thought and study should be given by the researcher to the psychological aspects of an
interview. People lie and deceive intentionally and unintentionally. Deceptive cues and human
mannerisms should be studied and mastered by interviewers in order to combat naïve and coy
answers. Difficult questions can be hard to answer for a variety of reasons, so the interviewer
should be aware of potential issues prior to the interview. Avoidance of difficult topics and
questions should not be tolerated, and questions should maintain a focus on the cyber security issues
at hand.
Researchers should remain unbiased and follow the wishes of the interviewee. This is not a law
enforcement investigation, so researchers should not push issues or escalate questioning to
attempt to make a case or story. Interviewees should be allowed to drive the interview at
times, and a level of equality should constantly be maintained during the questioning.
Requested Executives to interview (7 total)
1. Chief Security Officer
-This executive is necessary to interview due to their experience in the
developing field of cyber security, and their hands on responsibilities
surrounding policy and procedures.
-Questions should be asked in regards to the worst scenario that they have
experienced, and the worst case scenario that the agency has planned for.
-The executive’s opinion on what actions should be taken to reduce cyber-attacks
should be examined in detail, and countered to solidify their argument.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
2. Chief Risk Officer
-This executive is necessary to interview due to their industry experience with
potential threats and risks in general. This executive can give a perspective to
the severity of cyber threat in comparison to other threats.
-This executive may be able to give quantifiable data to help secure an
understanding around the costs of risk, the ROI, and the balance of risk versus
reward.
-The executive opinion of the Chief Risk Officer may be crucial in regards to
present techniques and methods that are being utilized to prevent cyber threats.
The executive may be able to expand the researcher’s knowledge base of risk
management and introduce additional organizational positions and resources
into the scenario to study in the future.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
3. Chief Procurement Officer
-This executive will be necessary to interview due to their responsibilities
surrounding the purchases and upgrades to new versions and models of
technology. This person will be able to discuss in depth the factors that go into
upgrades, changes, and timing involving cyber security.
-This executive may also be able to garner quantitative data surrounding the
increases and decreases in pricing and overhead costs. The initial investment
into a service may not be worth the assurance of the protection.
-This executive may be able to discuss the various collaborations and
partnerships that the agency has with other industries and groups in order to get
the best return on investment.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
4. Senior Systems Architect
-This executive may be able to provide valuable data in regards to how the Office
of Personnel Management developed their hardware and software
infrastructure. This executive would be the point person for all technical
questions about how the internal server nodes connect to the external internet.
This executive should be able to explain the network blueprints to researchers
and may be able to detect loose ends within the technical processes.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
5. Senior Database Developer
-This specialist may be able to elaborate on the construction and day to day
operations of the databases that store the government employees’ personal
information. The developer may be able to provide hard numeric amounts in
regards to bytes of data, storage locations, age of equipment, protective
measures, and upload/download procedures.
-Generally, whenever maintenance is completed on servers, web pages, hard
drives, and other technical services, the development team is the core group of
employees that executes the deliverables. By speaking with the senior lead on
the team, researchers may be able to uncover clues to potential risks and
patterns that lead to data breaches.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
6. Senior Network Administrator
-This crucial member of the organization is responsible for the monitoring of
network activities and who has access to certain folders and databases. This
executive could provide a list of possible threats and trends, or provide clarity
into the location of various users. By performing qualitative analysis on this
executive’s interview, a link to stratifying the data into quantitative categories
may be easier to perform in the final review.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
7. Compound Property Manager
-This final member of the interview group is responsible for monitoring the
physical security mechanisms that provide protection to the organization’s
compound. This includes: door locks, key cards, security guards, finger print
scanners, blue prints, server room locations, and property control locations.
This executive might provide intelligence surrounding the physical target
hardening procedures involved in securing hardware and end user activities.
This executive may have knowledge in regards to visitor statistics, delivery
processes, and equipment disposition procedures.
TIME LIMIT: 2-3 hour interview session, twice over the course of two weeks
2. Qualitative Analysis Tactic (Focus Group)
On Friday, September 18, 2015, researchers will request the seven listed executives from the
previous section to take time out of their day to conduct a one hour focus group meeting with
all executives attending.
The purpose of this focus group will be to determine if any of the executives differ in their
opinions and beliefs about general cyber security tactics and the possible causes and actions
taken during the incident that occurred in the Spring of 2015.
Researchers feel that the potential of collaboration and brainstorming during this focus group
could really help the overall outcome of the project. Researchers would like to determine if
there are any mutual or differing opinions and advice from the executive group. Often times,
executives do not know all of the facts and information during single interviews. By performing
this focus group, researchers can determine if executives’ overall perspective of the Spring 2015
data breach is matching or divided.
Joseph White will moderate the focus group conversation, while other researchers sit in the
background and document the executives’ answers and thoughts. The overall approach to this
meeting will be to let the group members speak for as long as they each want to, in response to
individual questions asked by Joseph White. Executives can agree or disagree with other
meeting members’ opinions, however, they must follow their stance with a logical and
reasoned narrative.
The narrator will strive to discourage dominant speakers from swaying the other group
members, and will encourage meek and short winded executives to speak up and elaborate on
their thoughts. A positive and ideal outcome of this focus group will be to see what advice the
executives can provide to the research team, and to see what the wisest and most agreed upon
opinion is of the seven executives invited.
Focus Group Attendance:
Chief Risk Officer
Chief Security Officer
Chief Procurement Officer
Senior Systems Architect
Senior Database Developer
Senior Network Administrator
Compound Property Manager
Exit dissemination
During the final interview week of September 21, 2015, conclusions shall be drawn by the
research team and discussed with the gatekeeper and management staff prior to a formal write
up. Conclusions may be positive, negative, or both. Anonymity and privacy shall be granted to
the Office of Personnel Management, should they request the treatment. A proper document
shall be drafted by researchers that specifically details the planning, execution, determinations,
and overall experience of the research study. An electronic and paper copy shall be delivered,
presented, and discussed with the OPM management team during the final week of the study.
Thank you cards and small mementos from UNCC shall be given to the interview participants,
for their successful participation in the stringent interview process. Researchers shall secure
all of the obtained research data onto an electronic data stick, which shall be secured by an
unnamed person, on a need to know basis. All paper notes shall be electronically scanned on
computers, and saved to the data stick. Following this step, the paperwork shall be shredded
on the premises of the OPM, and all computer files shall be recycled from the desktop
computer.
Researchers may be subjected to an exit interview by the client organization, to obtain
knowledge on better ways to conduct future interview and training sessions. Researchers shall
present all applicable opinions and advice to improve the process for future researchers and
organizational employees. This procedure shall be left in the responsibility of the client agency
to carry out, document, and save.
The final contact information to be provided to the Federal Office of Personnel Management
shall be as follows:
Joseph White/Dr. Suzanne Leland
Master of Public Administration Program Office
9201 University City Blvd,
Charlotte, NC, 28233
704-687-5937
http://mpa.uncc.edu/
Research Project Findings
The ideal findings for this research project would be to show a negative correlation between
technical upgrades/patches, and the amount of data breaches successfully conducted on the
federal government’s network. It is obvious that there are numerous control variables and
possibilities that may affect the correlation, however, it will show the United States
government officials and citizens that more time, funding, personnel, and effort needs to be
leveraged to technical upgrades across the national government’s aging infrastructure.
In addition to hypothesis information, it would be a fascinating experience to investigate and
research the criminal event and crime scene that disclosed over four million personal bios of
government employees. By interviewing the Office of Personnel Management’s top executives,
researchers can really understand what happened, and not what is published by the clueless
media and writers. It could be possible that the facts reported are not completely accurate. It
could be possible that the situation was not as bad as displayed, or the situation could be way
worse and still going through damage control. Any research study that establishes additional
clarity to a unique and innovative government issue is viewed as a successful study.
Furthermore, by conducting this research, it will give the research team from UNCC additional
training and exposure to data breach policy, procedure, action planning, and disaster recovery.
With the relative originality of cyber security and data breaches, there are not enough educated
professionals in the United States to properly investigate and defend against further attacks.
By traveling to Washington D.C. and working shoulder to shoulder with technical executives, an
enormous amount of knowledge can be transferred to a younger generation. Unfortunately,
business continuity processes and disaster recovery plans can only be tested properly when a
malicious event occurs. Since malicious events do not occur every day, extra research and a
thorough break down must be conducted when something actually happens. Due to the
unfortunate events that occurred in the Spring of 2015, it only makes sense to have an
enthusiastic research team from UNCC tackle this hot topic and growing issue.
Finally, by conducting qualitative analysis such as focus groups, it may be possible to uncover
executive opinions and disagreements that the Office of Personnel Management may not know
they have. It is entirely possible that the right questions may not have been asked, or that
certain executives may not have thought of every detail until months later. These types of
issues and events occur all the time. By conducting the focus group, researchers can gauge
responses and see where the vast strength of opinion is, and what may be viewed as an outlier
or questionable.
The most desired result to gather in this research study is clarity and openness of
communications. Sometimes, by discussing and venting about negative events and issues, it
sheds light on the roadway. With this added knowledge, future organizations may not fall into
the same pitfalls as the OPM, and that is the underlying hope and appeal of this project as a
whole.
Research Project Funding Sources
The ideal funding source for this project would be through financial assistance from the United
States of America federal government. By performing initial research, the UNCC research team
has discovered a funding grant from grants.gov. Grants.gov is a federally backed organization
that funds further research in a variety of topics and interests including: healthcare, science,
technology, sociology, and governmental studies. The federal organization’s webpage
attachment is listed below:
http://www.grants.gov/web/grants/search-grants.html
The grant title of interest is labeled “Secure and Trustworthy Cyberspace” and the grant is
funded by the National Science Foundation. The grant funding opportunity code is 15-575. The
grant was created on June 2, 2015 and allocates over 68,300,000.00 dollars for researchers to
advance cyber security initiatives within the federal government. The highest amount of
funding that can be awarded to a research team is 3,000,000.00 dollars, which will be more
than enough to cover a research team of four for five or more weeks of work, travel, and
research.
Joseph White will apply for the research grant on August 1, 2015 and make several calls to the
grant.gov support center at 1-800-518-4726. Joseph White will also generate emails to send to
support@grant.gov. By showing strong interest and following up with phone calls and emails,
the research team may have a strong chance of obtaining 100% funding for this project. Due
to the lack of experience managing grant funding, Joseph White will consult various senior
professors within the UNCC Master of Public Administration Program Office.
A running budget will be determined, and every expense will be documented and deducted
from the overall budget. Receipts will be gathered and stored for tax reporting and audit
purposes.