Running head: STUDY OF RANSOMWARE
Study of Ransomware
by
Vinay Akula
Instructor: Dr Donnie Grimes
University of Cumberlands
Table of Contents
Title page
Introduction
Study of Ransomware
Impacts Caused by Ransomware Attacks
Management of Ransomware Attacks
References
Study of Ransomware
Introduction
Information technology has developed enormously over the last
few decades, driven by advances in computing and in worldwide
internet connectivity that have given rise to the Internet of
Things. Organizations that run their key activities over the
internet have gained substantial benefits from these advances.
The same advances, however, have brought new challenges, and
ransomware is one of the main threats organizations face when
they use the internet to deliver quality services to the market
(Moschovitis, 2018).
Study of Ransomware
The success of an organization depends on its ability to protect
its databases and the key activities that take place within its
premises. This matters even more today, when technology is an
everyday tool for carrying out work. Cybercrime has grown
rapidly alongside technological advances, which has made the
fight against cybercrime and internet warfare far more
challenging and difficult to deal with.
A ransomware attack is a malware attack on a smartphone or
computer in which the attacker blocks the user's access to their
data, typically by encrypting it, and holds the data for ransom
until the user pays for the key needed to regain access. Paying
does not guarantee that the attacker will supply a working key.
Criminals continually change their techniques, which makes the
problem difficult for internet users, and in many cases the
criminals stay ahead in the fight against ransomware. The
growth in ransomware attacks can partly be attributed to the
growing number of computer learners and computer security
professionals who, knowingly or unknowingly, share critical
information that enables these malicious attacks to be carried
out (Moschovitis, 2018).
Impacts Caused by Ransomware Attacks
Ransomware attacks cause devastating effects for both the
individuals and the organizations that fall victim to them. For
organizations the most direct impact is data loss. Losing data
is never business as usual, because of what the loss means for
the organization's development: an attack damages the host
system, files and data, making it difficult for the organization
to carry on with its business.
Because of that data loss, continuing to do business becomes a
difficult task. Loss of data also damages the company's
reputation, since the lost information may include confidential
customer data; this is especially serious when hospitals are
attacked. In the worst case, the loss of data and the resulting
damage to the organization's standing in society can lead to its
closure.
An attack also causes system downtime. Beyond the data loss
itself, a great deal of time is spent restoring the systems to a
trustworthy state before normal operation can resume. The
downtime therefore costs further resources that would otherwise
have been used to run the company and meet its goals (Campbell,
2016).
The attack also costs the company time and money, particularly
once an attack has been carried out and a ransom is demanded
before the blocked services can be accessed again. Time is spent
trying to reach a resolution, and money may be spent in the
attempt to resolve the situation. The attack therefore has a
heavy impact on the running of the organization, because effort
goes into seeking a solution rather than into realizing the
company's goals. Even after the company resumes operation, the
fear of being attacked again remains and leaves everyone working
in that environment feeling insecure in their daily duties.
The impacts described above undermine the effective running of
the organization: resources are wasted and, in the worst cases,
the organization closes. Organizations therefore need the best
available security measures to prevent such threats from causing
devastating impacts. Defending against cybercrime has become
more effective as the training and education available to
individuals have increased.
Management of Ransomware Attacks
There must therefore be robust security measures that protect
information infrastructure, including Android devices, against
continually modified ransomware variants. The measures should
detect faults in the processing systems and detect malicious
activity, so that attacks are eliminated as quickly as possible
and the organization can continue discharging its duties
unaffected by ransomware, which has become rampant today.
Managing these attacks requires incorporating the best modern
tools available for fighting ransomware in the organization. The
tools should detect suspicious behavior as the organization
carries out its work; each detection then triggers the
appropriate measures to eliminate the threats posed by the
ransomware attack.
Several methods are needed to manage ransomware attacks well and
prevent further damage to the organization. The first is
installing up-to-date antivirus software across the entire
business organization. Antivirus is only the first line of a
multi-layered defense; the other layers include firewalls,
heuristic scanning, and behavior-based detection of threats.
Because technology is ever-changing, this software must be kept
updated so that it does not become outdated and ineffective at
identifying and managing ransomware attacks (Haber & Hibbert,
2017).
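As an added example (not code from the paper or from any product it cites), the following script shows what the behavior-based detection layer described above looks like in practice: it watches a stream of file-write events and raises an alert when many distinct files are rewritten with ciphertext-like, high-entropy content inside a short window. The event stream, the list of ransom extensions and the thresholds are constructed assumptions for the demonstration.

```python
"""Behavior-based ransomware detection over a stream of file-write events.

Added example, not code from the original paper. Ransomware rewrites many
user files in a short window, the new content is ciphertext-like (high
entropy), and files are often renamed to a ransom extension. Everything
here is constructed: the event stream is synthetic, and the extension list
and thresholds are illustrative assumptions, not values from any product.
"""
import math
import os
import random
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WriteEvent:
    t: float      # seconds since the monitor started
    path: str     # file that was written
    data: bytes   # bytes written; a real agent would sample the first KiB


@dataclass
class Alert:
    t: float                 # time of the write that tripped the threshold
    high_entropy_files: int  # distinct files rewritten with ciphertext-like data
    renamed_files: int       # distinct files carrying a ransom-style extension


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed, illustrative set of extensions that crypto-lockers append.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


@dataclass
class RansomwareMonitor:
    window_s: float = 5.0           # sliding window over recent writes
    burst_threshold: int = 8        # distinct high-entropy files that trigger an alert
    entropy_threshold: float = 7.0  # bits per byte considered ciphertext-like
    _recent: deque = field(default_factory=deque, init=False)

    def observe(self, ev: WriteEvent) -> Optional[Alert]:
        """Feed one write event; return an Alert when the window looks like mass encryption."""
        ext = os.path.splitext(ev.path)[1].lower()
        self._recent.append((ev.t, ev.path, shannon_entropy(ev.data), ext))
        # Drop events that fell out of the sliding window.
        while self._recent and ev.t - self._recent[0][0] > self.window_s:
            self._recent.popleft()
        high = {p for _, p, h, _ in self._recent if h >= self.entropy_threshold}
        renamed = {p for _, p, _, e in self._recent if e in RANSOM_EXTENSIONS}
        if len(high) >= self.burst_threshold:
            return Alert(ev.t, len(high), len(renamed))
        return None


def build_events() -> List[WriteEvent]:
    """Constructed sample: 20 ordinary document saves spread over a minute,
    then 12 encrypted overwrites with a ransom extension within about a second."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    text = b"Quarterly report draft. Revenue rose 4% on stronger services demand. "
    events = [WriteEvent(t=i * 3.0, path=f"/home/alice/docs/report{i}.txt", data=text * 8)
              for i in range(20)]
    for i in range(12):
        events.append(WriteEvent(t=60.0 + i * 0.1,
                                 path=f"/home/alice/docs/report{i}.txt.locked",
                                 data=rng.randbytes(4096)))  # stands in for ciphertext
    return events


def run_monitor(events: List[WriteEvent]) -> List[Alert]:
    """Replay events through a fresh monitor and collect every alert raised."""
    monitor = RansomwareMonitor()
    return [a for a in map(monitor.observe, events) if a is not None]


if __name__ == "__main__":
    for alert in run_monitor(build_events()):
        print(f"t={alert.t:.1f}s  high-entropy files={alert.high_entropy_files}  "
              f"renamed={alert.renamed_files}")
```

A real agent receives these events from the filesystem (a minifilter driver on Windows, fanotify on Linux) rather than from a list; the scoring logic is the same. Entropy on its own misfires on compressed archives and images, which is why it is combined with the time window and the renamed-file count instead of being used alone.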
Internet usage awareness must also be created among users. Users
learn about security threats and the ways in which breaches can
be prevented through awareness campaigns that stress not opening
emails from senders they do not know. Before opening an email,
users should ask themselves a few questions: Do I know the
sender? Do I need to open this file? Did I order anything from
the purported sender? Answering such questions counters the
common phishing methods used against unsuspecting employees and
helps manage the security issues within the organization.
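The three questions above can be partly automated at the mail gateway. The following script, added here as an example and not part of the paper, parses a raw email and flags an unknown sender, a domain that merely resembles a known one, a Reply-To that points somewhere else, and a display name that carries a different address. The allowlist and the two sample messages are constructed for the example.

```python
"""Automating the "do I know the sender?" questions against email headers.

Added example, not code from the original paper. The allowlist, the
similarity threshold and both sample messages are constructed.
"""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List

# Assumed allowlist of correspondents the organization has actually dealt with.
KNOWN_SENDERS = {"accounts@acme-payroll.example"}
LOOKALIKE_RATIO = 0.8  # similarity above which a domain counts as a lookalike (assumed)


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_sender(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means no sender red flags."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. "Do I know the sender?" against the allowlist.
    if from_addr.lower() not in KNOWN_SENDERS:
        findings.append(f"sender {from_addr} is not a known correspondent")
        # 2. A near-miss domain is worse than an unknown one: it is built to be trusted.
        for known in KNOWN_SENDERS:
            known_domain = domain_of(known)
            ratio = SequenceMatcher(None, from_domain, known_domain).ratio()
            if LOOKALIKE_RATIO <= ratio < 1.0:
                findings.append(f"domain {from_domain} resembles known domain {known_domain}")

    # 3. Replies silently redirected to another domain.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 4. Display name that itself shows an address from a different domain.
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append(f"display name shows {display_name} but the address is {from_addr}")

    return findings


# Constructed sample messages (not real mail).
LEGITIMATE = """From: "Acme Payroll" <accounts@acme-payroll.example>
To: alice@corp.example
Subject: June payslip

Your payslip is available in the portal.
"""

SUSPICIOUS = """From: "accounts@acme-payroll.example" <accounts@acme-payro1l.example>
Reply-To: collect@mailbox-free.example
To: alice@corp.example
Subject: Invoice 4471 overdue - open attached

See attached invoice and pay today.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, assess_sender(raw) or ["no sender red flags"])
```

The lookalike check here uses plain string similarity; production gateways add DMARC/SPF results and homoglyph tables, but the point for awareness training is the same: the "from" line that a user sees is the easiest field for an attacker to forge.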
Backing up data is another important part of data management
that limits the damage a ransomware attack can do to the
organization's data. Systems can be backed up in various ways,
but the organization must settle on the method that best
supports recovery from ransomware. Storing copies on external
storage that is kept separate from the production systems is
crucial: an attacker who encrypts the live data cannot reach a
copy that is stored offline or at a separate site. A backup that
remains mounted on an infected machine is encrypted along with
everything else, so the copy must be disconnected or otherwise
write-protected, and restores should be tested regularly. When an
attack does take place, the organization can then restore from
the backup and continue its key activities largely unaffected
(Vallabhaneni, 2019).
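The following script is an added example, not the paper's own material, of what a separate external copy needs in order to be useful during recovery: a per-file digest manifest taken at backup time, a digest of that manifest recorded somewhere the backup host cannot write, and a verification step that reports copies ransomware has overwritten or deleted. The file names, the manifest name and the sample content are constructed.

```python
"""Backup copy with an integrity manifest, and a restore-time check that
detects a backup ransomware has reached.

Added example, not code from the original paper. It copies a directory
tree, records a SHA-256 digest per file in a manifest, and returns the
digest of the manifest itself so it can be written down out of band (on
paper, or in a system the backup host cannot write to). Verification then
reports files that were modified or removed on the backup medium. The
demo runs in a temporary directory with constructed files.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "manifest.json"  # assumed name for this example


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> str:
    """Copy src into dst, write a per-file digest manifest, return the manifest's own digest."""
    manifest: Dict[str, str] = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel] = sha256_file(target)  # hash the copy, not the source
    manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (dst / MANIFEST_NAME).write_bytes(manifest_bytes)
    return hashlib.sha256(manifest_bytes).hexdigest()


def verify_backup(dst: Path, expected_manifest_digest: str) -> Dict[str, List[str]]:
    """Check the backup against its manifest.

    The manifest digest recorded at backup time is compared first: an
    attacker with write access to the medium could otherwise rewrite the
    manifest to match the files they encrypted.
    """
    manifest_bytes = (dst / MANIFEST_NAME).read_bytes()
    result: Dict[str, List[str]] = {"manifest_tampered": [], "ok": [], "modified": [], "missing": []}
    if hashlib.sha256(manifest_bytes).hexdigest() != expected_manifest_digest:
        result["manifest_tampered"].append(MANIFEST_NAME)
        return result
    for rel, digest in json.loads(manifest_bytes).items():
        p = dst / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Back up two constructed files, verify, then simulate ransomware reaching the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "a.txt").write_bytes(b"board minutes, constructed sample\n")
        (live / "docs" / "b.txt").write_bytes(b"customer list, constructed sample\n")
        recorded = make_backup(live, backup)  # digest the operator records out of band
        clean = verify_backup(backup, recorded)
        # A backup share left mounted on an infected host gets encrypted too:
        # overwrite one copy with ciphertext-like bytes and delete another.
        (backup / "docs" / "a.txt").write_bytes(bytes(range(256)) * 4)
        (backup / "docs" / "b.txt").unlink()
        tampered = verify_backup(backup, recorded)
        # Rewriting the manifest to hide the change is caught by the recorded digest.
        (backup / MANIFEST_NAME).write_text(json.dumps({}))
        rewritten = verify_backup(backup, recorded)
    return {"clean": clean, "tampered": tampered, "manifest_rewritten": rewritten}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

The recorded manifest digest is the piece most backup scripts skip: without it, a verification that reads the manifest from the same medium tells you only that the medium is internally consistent, not that it is the copy you made.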
Managing ransomware attacks has indeed become difficult, largely
because organizations can be attacked in many different ways,
especially as the number of skilled computer users grows. Robust
security measures nevertheless exist that manage such incidents
effectively within organizations. Organizations should therefore
use the most up-to-date anti-malware software that detects and
prevents such attacks, and threats must be identified and dealt
with at an early stage to prevent the heavy impacts that follow
a successful attack.
References
Campbell, T. (2016). Practical Information Security
Management: A Complete Guide to Planning and
Implementation. New York, NY: Apress.
Haber, M. J., & Hibbert, B. (2017). Privileged Attack Vectors:
Building Effective Cyber-Defense Strategies to Protect
Organizations. New York, NY: Apress.
Moschovitis, C. (2018). Cybersecurity Program Development
for Business: The Essential Planning Guide. Hoboken, NJ: John
Wiley & Sons.
Vallabhaneni, S. R. (2019). Wiley CIA Exam Review 2019
Focus Notes, Part 3: Business Knowledge for Internal Auditing
(Wiley CIA Exam Review Series). Hoboken, NJ: Wiley.
Discussion Rubric: Graduate
Your active participation in the discussion forums is essential to
your overall success this term. Discussion questions are
designed to help you make meaningful
connections between the course content and the larger concepts
and goals of the course. These discussions offer you the
opportunity to express your own
thoughts, ask questions for clarification, and gain insight from
your classmates’ responses and instructor’s guidance.
Requirements for Discussion Board Assignments
Students are required to post one initial post and to follow up
with at least two response posts for each discussion board
assignment.
For your initial post (1), you must do the following:
11:59 p.m.
Eastern Time.
Thursday at
11:59 p.m. of your local time zone.
other
discussion boards from the current module and previous
modules, when
appropriate.
-reviewed sources to support your
discussion
points, as appropriate (using proper citation methods for your
discipline).
For your response posts (2), you must do the following:
two different classmates outside of your own
initial post
thread.
at 11:59
p.m. Eastern Time.
Sunday at
11:59 p.m. of your local time zone.
agree” or
“You are wrong.” Guidance is provided for you in each
discussion prompt.
Critical elements, scored at four levels (Exemplary, Proficient,
Needs Improvement, Not Evident) with the point value of each row:

Comprehension (value: 20)
  Exemplary (100%): Develops an initial post with an organized, clear
  point of view or idea using rich and significant detail.
  Proficient (90%): Develops an initial post with a point of view or
  idea using appropriate detail.
  Needs Improvement (70%): Develops an initial post with a point of
  view or idea but with some gaps in organization and detail.
  Not Evident (0%): Does not develop an initial post with an organized
  point of view or idea.

Timeliness (value: 10)
  Exemplary (100%): Submits initial post on time.
  Needs Improvement (70%): Submits initial post one day late.
  Not Evident (0%): Submits initial post two or more days late.

Engagement (value: 20)
  Exemplary (100%): Provides relevant and meaningful response posts
  with clarifying explanation and detail.
  Proficient (90%): Provides relevant response posts with some
  explanation and detail.
  Needs Improvement (70%): Provides somewhat relevant response posts
  with some explanation and detail.
  Not Evident (0%): Provides response posts that are generic with
  little explanation or detail.

Critical Thinking (value: 30)
  Exemplary (100%): Draws insightful conclusions that are thoroughly
  defended with evidence and examples.
  Proficient (90%): Draws informed conclusions that are justified with
  evidence.
  Needs Improvement (70%): Draws logical conclusions.
  Not Evident (0%): Does not draw logical conclusions.

Writing (Mechanics) (value: 20)
  Exemplary (100%): Initial post and responses are easily understood,
  clear, and concise using proper citation methods where applicable
  with no errors in citations.
  Proficient (90%): Initial post and responses are easily understood
  using proper citation methods where applicable with few errors in
  citations.
  Needs Improvement (70%): Initial post and responses are
  understandable using proper citation methods where applicable with
  a number of errors in citations.
  Not Evident (0%): Initial post and responses are not understandable
  and do not use proper citation methods where applicable.

Total: 100%
Running head: THE CISO IN HIGHER EDUCATION
The Chief Information Security Officer in Higher Education:
How Organizational Structure Affects Breach Rate
A paper submitted in partial fulfillment of the requirements for
the degree of Doctor of
Philosophy (Ph.D.) in Information Technology
BY
Justin O. Hensley, B.S, MBA, M.S.
University of the Cumberlands
Acknowledgments
Nothing will work unless you do.
John Wooden
As a senior in high school, I took a walk through the Kingsport
Press with my father who
would put 38 years of hard work into that company. My father
had opportunities to go to college
but stayed home to work and take care of his mom and siblings.
My mother came from a large
family and did not have the resources to go to college. As we
walked the concrete floor of that
old factory, my father simply asked whether I wanted to
continue my dream of working in
technology or if I wanted to come work with him in the factory.
He knew the answer, but he
used the question as an encouragement for me to continue to
college and get my degree. As a
first-generation college student, I do not take lightly the
responsibility to make my family proud
and encourage my children and generations to come in the
importance of education. I owe a debt
of gratitude to my parents for sacrificing to ensure I had
opportunities that they did not.
A heartfelt thank you goes out to Dr. Jennifer Simpson and all
the faculty of the Graduate
School and the School of Computer and Information Sciences at
University of the Cumberlands
for their wisdom and expertise as we have walked through this
journey together. I am especially
grateful to my dissertation committee chair Dr. Charles Lively.
As an undergraduate student at
the Cumberlands, I never dreamed that I would have the
opportunity to continue my education
through to a terminal degree. Each professor along the way has
provided a unique viewpoint
which has helped to shape this dissertation. I would also be
remiss in not thanking the students I
have had the opportunity to teach and mentor over the years as
they also provided valuable
insight from their research.
The only reason I can format a proper sentence or comprehend
the structure of the
English language is because of my high school English teacher,
Mrs. Strickland. Thank you for
always pushing me to learn more and showing me that I was
capable of more than I ever thought
or imagined. I still have my blue English Composition
Handbook and it still comes to mind
often. Thank you also to Mrs. Reed, who taught me to think
using the scientific method. Thank
you to all the other faculty and staff at Cedar View Christian
School who helped to shape my
mind to prepare for future education. To the many friends,
family, and colleagues that have
supported me throughout this journey, I say thank you as well.
Your texts, visits, and notes of
encouragement have not been in vain.
There is one person who has pushed me more than anyone else
to be the best I can be.
Dr. Donnie Grimes, thank you for being my mentor, my
confidant, my leader, and my friend.
You helped me get my first job, encouraged me to continue my
education and training, and
provided me with an atmosphere to grow in my career. Your
consistent friendship and guidance
are invaluable.
Most importantly, this dissertation is dedicated to my wife,
Lisa, and our four boys:
Micah, Kevin, Caleb, and Luke. They have sacrificed their time
to ensure I could complete this
journey. Lisa has been at my side the whole way through and
has pushed me to the end of this
trek. I thank God for you all and I love you.
Abstract
The topic of information security is on the rise in all sectors of
business. Higher
education is not immune to attacks against student and
employee data. While all sectors are at
risk for loss from a security event, higher education could
encounter irreversible reputational
consequences affecting donor giving and student applications
(Grama, 2014). A properly
positioned Chief Information Security Officer (CISO) in
colleges and universities may help to
create controls to mitigate data breaches. Therefore, this study
evaluated relationships between
the CISO and similar information security officer titles in
higher education related to reporting
structure, time on task, and membership on the president’s
cabinet. Additionally, this study
evaluated the differences in breach rates in higher education
related to CISO reporting structure.
The results of this study revealed that the CISO is more likely
to report to the Chief Information Officer (CIO) than to any
other high-level officer. The study also revealed that
there is not a significant difference in breach rate based on
CISO reporting structure in higher
education. However, limited data and research in this area
lends this topic to further study.
Table of Contents
Title Page
Approval for Recommendation
Acknowledgment
Abstract
Table of Contents
List of Figures and Tables
Chapter One: Introduction
  Overview
  Background and Problem Statement
  Purpose of the Study
  Research Questions
  Limitations
  Assumptions
  Definitions
  Summary
Chapter Two: Review of the Literature
  Introduction
  The History of Information Security
  The Evolution of the CISO
  The Position of the CISO in Organizational Structure
  Data Breaches and Effects
  Information Security in Higher Education
  Comparison of Data Breaches in Higher Education and Other Sectors
  Literary Gaps
  Summary
Chapter Three: Methods and Procedures
  Introduction
  Research Paradigm
  Research Design
  Data Collection
  Data Analysis Techniques
  Summary
Chapter Four: Research Findings
  Introduction
  Participant Demographics
  Analyses of Research Questions
    Question One
    Question Two
    Question Three
    Question Four
  Summary
Chapter Five: Summary, Discussion, and Implications
  Introduction
  Practical Assessments of Research Questions
  Limitations of the Study
  Implications for Future Study
  Summary
References
Appendix A: Educause CDS Survey Demographics Chart
Appendix B: Educause CDS Survey Questions
Appendix C: IRB Approval Letter
Appendix D: Educause CDS Survey Contract
Appendix E: Privacy Rights Clearinghouse Data Use Permission
Appendix F: Raw Data for t tests
List of Figures and Tables
Figure 1: Verizon 2018 DBIR: Summary of Findings
Figure 2: Industry Sectors in PRC Data
Figure 3: Steps for Data Protection
Figure 4: Educause CDS Survey Demographics
Table 1: Chi Square for Relationship of Reporting Structure
Table 2: Chi Square Relationship Between Title and Full Time Percentage
Table 3: Relationship Between CISO and CIO as Member of President's Cabinet
Table 4: Difference Between Number of Records Breached and Reporting Structure
Table 5: Difference Between Number of Records Breached and Reporting Structure
Chapter One
Introduction
Overview
Information security and its relationship with information
technology (IT) and business
has changed drastically in the last decade. With this change has
come the need for a high-level
officer to manage the threats and risks associated with today’s
connected world. In the health
care industry alone, over ninety percent of IT managers found
vulnerabilities that could be
exploited by insider threats (Alexander & Cummings, 2016).
Businesses have been and are
continuing to see the need for the creation of an office for
information security.
Information security in higher education is a mostly unexplored
realm. Colleges and
universities see the need to protect their student and employee
data but do not have a good
understanding of how to organize and manage an information
security office. Guidance for
higher education hiring managers and CEOs is necessary to
place a security officer within the
proper organizational structure to provide security across the
institution.
Background and Problem Statement
While all industries are subject to the exploitation of
vulnerabilities by cyber threat
agents, education (specifically higher education) industries have
seen an alarming increase in
cyber-attacks in attempts to gain personally identifiable data of
students and employees. From
2005 to 2014, educational institutions in the US suffered 727
breaches involving more than 14
million records (Grama, 2014). While the number of records
affected per breach is lower than in most industries, breach
rate and records affected increased 7% year-over-year in the
2005 to 2014 study (Brooks & Grama, 2017). Research shows
that the delegation of security
initiatives and responsibility to an individual in the institution
can provide for better
communication and security (Brooks & Grama, 2017). Research
also shows that the position of
this individual within the institution’s organization chart could
affect breach rate (Higgs et al.,
2016).
Studies for multiple industries show the need for the chief
information security officer
(CISO) or equivalent to act as this responsible individual for
security. Much research also shows
the responsibilities and characteristics of the typical CISO (e.g.
Ashenden & Sasse, 2013; Kouns,
2014; Karanja & Rosso, 2017; Whitten, 2008). However,
research relating to higher education
and the CISO or equivalent is uncommon. While research by
Wilson (2016) indicates the need
for better security training within higher education institutions,
the research does not review the
position of the CISO or equivalent and associated breach rate.
Brooks and Grama (2017)
review breach data and specifically relate it to the title of the
CISO or equivalent, but do not look
directly at the organizational chart position of that leader.
The scarcity of research surrounding the position of the CISO or
equivalent and the
relationship between that position and breach rate is an obvious
next step to research completed
by Brooks and Grama (2017). This new research provides
higher education institutions with
the information needed to make informed decisions on the
placement of information security
professionals within the organizational structure.
Purpose of the Study
This study analyzes the position of the CISO or equivalent within
the higher education
institution’s organizational structure and any relationships with
that position to the number of
known breaches. The multiple possibilities of positions will be
considered, including the CISO
or equivalent reporting to the board of directors, CEO, CIO,
CFO, CRO, or another officer.
Research Questions Answered in the Study
The study will answer the following research questions:
1. Is there a relationship between the titles of highest-ranking
person in charge of
information security and to whom they report?
2. Is there a relationship between the titles of the highest-
ranking person in charge of
information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in
having cabinet-level
membership?
4. Is there a difference in the number of records breached and
the reporting structure of the
CISO or equivalent title?
Limitations
Notwithstanding the efforts of this researcher, some results of
the study may be affected
by the following limitations:
1. The data provided to Educause via the CDS survey is self-
reported and may contain
errors introduced by respondents.
2. A database containing breach data directly associated with
college and university
information security statistics is not available, therefore data
was combined from two
separate sources for this purpose. The results may be skewed as
part of this process.
3. This research is limited to the higher education sector.
Assumptions
As part of this research, several assumptions are provided:
1. Participants answered the survey honestly.
2. Educause and the Privacy Rights Clearinghouse properly
reported the data as it was
provided.
3. Since research in this area for higher education is sparse,
industry norms have been
applied to higher education for certain perspectives.
4. The title of the individual in charge of information security
may vary (e.g., CISO,
Director of Information Security, Information Security Officer,
Information
Assurance Officer, etc.).
Definitions
The following definitions were used in the study:
Chief Information Security Officer: “An executive specifically
hired to be in charge of the IT
security function” (Karanja & Rosso, 2017, p.24).
Data breach: “A compromise of the confidentiality, integrity, or
availability of sensitive
information” (Waddell, 2013, p.16).
Information security: “Deals with the entire infrastructure,
organization, personnel, and
components that collect, process, store, transmit, display,
disseminate, and act on information”
(de Leeuw et al., 2007, p.2).
Summary
This chapter provides the background of the study, research
questions, problem
statement, limitations, assumptions, and definitions of key
terms. As data breaches continue to
increase across all sectors of business, it is important for the
higher education community to
understand the controls necessary to mitigate risks associated
with attacks by threat agents.
While there is no silver bullet that controls all data breaches,
higher education officers should
desire to hire information security professionals who understand
the current risk climate and can
protect the institution from harm (Brooks & Grama, 2017).
Very little research has been
completed on the position of the CISO within higher education
organizational structure and its
effect on breach rate. Therefore, the purpose of this study was
to analyze the position of the
CISO or equivalent within the higher education institution’s
organizational structure and any
relationships with that position to the number of known
breaches. The results of this study will
assist higher education officers and boards as they hire
information security personnel,
specifically the CISO. The following section provides a review
of the literature that supports the
need for this study. Specifically, it focuses on the history of
information security, the evolution
of the CISO, the position of the CISO within organizational
structure, data breaches and their
effects, information security in higher education, differentiation
of breaches in higher education
and other sectors, and literary gaps.
Chapter Two
Review of the Literature
Introduction
Information security is a rather new topic in the history of
computing and technology.
While the use of modern computing technology to modify raw
data into information has been a
staple of the business economy since the 1960s, the need to
secure data from would-be attackers
has only entered mainstream news in the last two decades.
Securing personal data and ensuring
the privacy of customers has become a top priority for
businesses across all sectors. With this
increase for a need to secure data has also come the need for
specific persons inside the
organization to be responsible for that task. Although these
officers may have different titles,
most often the office is directed by the chief information
security officer (CISO). The higher
education sector is not as forward thinking as other sectors in
this matter, but the need to secure
student and employee data at these institutions still exists.
Unfortunately, research focusing on
information security within higher education and other sectors
is sparse at best (Karanja &
Rosso, 2017).
Throughout this chapter, various facets of information security
are discussed to lead to
the understanding for the need for further research in
information security. The topics include
the history of information security, the position of the CISO
within organizational structure, data
breaches and their effects, information security within higher
education, differentiations in
breaches within higher education and other sectors, and current
literary gaps relating to these
topics. This review begins with an overview of the history of
information security.
The History of Information Security
Securing data began long before the information age. An early
example of information security
can be found in 17th century Dutch history before William III
became King of England. In this
piece of history, William III was able to intercept and decrypt
encoded messages between the
Dutch and the French in order to gain important intelligence
about the impending war.
Cryptography and other methods of securing information can be
traced back to civilizations of
the ancient world, including the Roman Empire and the Caesar
cipher (de Leeuw & Bergstra,
2007).
The era of modern cryptographic security began in 1918, when
the German engineer Arthur Scherbius designed the Enigma
machine. During World War II the Germans used Enigma to encrypt
communications; Polish cryptographers first broke it in the
early 1930s, and the work of mathematician Alan Turing and his
colleagues at Bletchley Park extended that break during the
war. As the information age began to grow in the 1960s, the
United States Department of Defense created ARPANET, the
beginning of our modern internet. Not long after, in the 1980s,
cyberattacks on internet entities began to develop. Famous
cyberattackers such as Ian Murphy (who stole information from
military machines), Robert Morris (the Morris worm), and Kevin
Mitnick (convicted of what was described at the time as the
largest computer-related crime in United States history) became
known in the 1980s and 1990s (Daya, 2013).
Although the sophistication of cyberattacks has changed over the years, the types of attacks have not greatly changed. The Privacy Rights Clearinghouse classifies attacks leading to data breaches using eight categories: payment card fraud, unintended disclosure, hacking or malware, insider, physical loss, portable device, stationary device, and unknown/other. Methods such as social engineering are prevalent across all of these categories. One author defines social engineering as “a hacker’s clever manipulation of the natural human tendency to trust” (Granger, 2001, p.2). Once an attacker obtains information from the unwitting user, they can begin to gain access to that user’s system and to other systems that may hold personally identifiable information (PII).
Cyber terrorism, cyber war, and other cyber threats are now mainstream events in technology and information security. Lewis (2002) defines cyber terrorism as “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.” While terrorism is not a new topic, the ability to use technological resources to disable infrastructure is a rather new paradigm. A full-scale attack on infrastructure may only be feasible for nation-states contemplating an act of war. Lewis (2002) also notes other “annoyances” that can be achieved by targeted cyber attacks:

A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. E-mail service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage. None of its 114 factories stopped, according to the automaker. Computerized engineering blueprints and other technical data were unaffected. Ford was still able to post information for dealers and auto parts suppliers on Web sites that it uses for that purpose.” Companies now report that the defensive measures they have taken meant that viruses that were exceptionally damaging when they first appeared are now only “nuisances.” (p.7)

Entire government agencies, such as the Central Intelligence Agency (CIA) and the National Security Agency (NSA) in the United States and the Joint Intelligence Organization (JIO) in the United Kingdom, are tasked with counter-terrorism in the cybersecurity realm.
As information security has matured over the years, many standards and guidelines have been created by private, public, and federal entities alike. The Office of Standard Weights and Measures, created in 1824, long before the modern information security age, eventually became the National Bureau of Standards (NBS) in 1901. In the 1950s the NBS began to take on more digital computing work, and in 1965 it became the primary computer security standards-setting body for the United States federal government. The NBS was renamed the National Institute of Standards and Technology (NIST) in 1988 and continues to be the primary provider of information security standards and guidelines today (de Leeuw & Bergstra, 2007). NIST specifically provides standards and guidelines for information security and privacy controls in Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”. While entities outside the federal space are not required to follow these standards, they provide a baseline from which information security professionals can begin to secure their environment.
For the information security professional, the history of information security shows how young the field still is and how much of its future remains to be written. De Leeuw and Bergstra (2007) make this final comment in their conclusion on the history of information security:

While security products abound and leading ones create some degree of standardization, the reality that no product or system is impenetrable becomes all the more clear. Increasing the dialog about the historically subverted topic of computer security, both publicly, and when necessary, in closed settings such as leading international corporations becomes all the more important. (p.619)
The Evolution of the CISO
Historically, the CISO has not held an executive-level position in organizations. The creation and promotion of security leadership positions within organizations has accelerated largely because of increased breach rates across all business sectors. Target, a major international retailer, suffered a major breach in 2013 that exposed the personally identifiable information (PII) of as many as 70 million customers, and hired its first CISO only after that breach. Neiman Marcus, another retailer, also suffered a breach in 2013 and likewise hired its first CISO afterward (Karanja & Russo, 2017).
Information security was originally the responsibility of all employees. Businesses expected the employees of each unit to understand their data and how and when to protect it. While it is important that every employee realizes they are responsible for the security of company data, this model did not give a single person primary responsibility for information security practices, nor did it give the organization a budget for securing data. Additionally, information security in this model was distributed rather than centralized, making organization-wide decisions challenging. Because of these difficulties, information security eventually migrated into the information technology (IT) office. Information security officers (ISOs) were hired to review the security of company data and to work with access controls. Mainly, these ISOs were IT professionals with network and/or systems administration skills. As the role of the ISO matured, technical skills alone became insufficient, and the CISO title became more prevalent. Instead of being concerned only with technical and operational controls such as firewalls and access control devices, the CISO gained responsibility for organization-wide strategic functions (Kouns, 2014).
The road to the CISO role is not without struggles. Karanja and Russo (2017) continued this research and “found that CISOs struggle to gain credibility in their organizations due to perceived lack of power, confusion about their role identity, and their inability to engage effectively with company employees” (p. 28). One reason for the lack of credibility was the new skillset required of an ISO moving into the CISO role: increased management and soft skills are new requirements for this transition. However, the CISO still needs to consume and digest relevant technological information. According to Whitten (2008), the CISO must have a combination of these skillsets and “should first think of themselves as business professionals and secondly as security specialists” (p.15). In his 2008 research, Whitten found that 58% of CISO job listings required management duties. Management duties were bookended by the ability to oversee IT security policy, required in 78% of listings, and IT security education, required in 42%.
Continuing education for security professionals is both necessary and required in most businesses. Professional certifications such as the Certified Information Systems Security Professional (CISSP), the Certified Information Systems Auditor (CISA), and the Certified Information Security Manager (CISM) are common requirements for CISO roles (Kouns, 2014). Additionally, more advanced management certifications, such as those offered by the SANS Institute and the EC-Council Certified Chief Information Security Officer certification, are a plus for those looking to obtain a CISO role. Higher education is also taking a more practical role in CISO and other security professional education. Degrees in information assurance, information security, and cybersecurity are offered online by several colleges and universities throughout the United States and give working professionals the opportunity to complete degrees at varying levels while continuing to protect their organization.
The newest CISO candidates must be seen as credible by their organization, its employees, and its stakeholders. Writing about critical success factors for the CISO in 2016, Klimoski narrowed this credibility factor into four areas: being seen as trustworthy, creating confidence, having a good track record, and building an extensive professional network. These credibility factors lead to a CISO who “exhibits skills listening to executives’ needs and matching them to information security objectives” (Klimoski, 2016, p.15). When these critical success factors are matched with soft skills, the CISO can communicate effectively at all levels of the organization. Looking back to Whitten’s (2008) research, 61% of CISO job listings required communication skills as background experience. Those skills were trumped only by IT security skills at 71%, and were followed by systems experience, leadership skills, and investigative experience.
Today’s CISO is a researcher, technician, visionary, and leader. Alexander and Cummings (2016) state that the “CISO has to keep up with the breakneck speed of technological change, and also have a Herculean aptitude for leading courageously, moving nimbly, and understanding the right level of risk needed to make an organization safe while still innovating” (p.12). Kouns (2014) sums up the role of today’s CISO:

Realistically, the odds are against the CISO; even if the CISO can control all technology-related risks, hackers can take advantage of the human factor—the employees, vendors, and customers who sometimes fail to heed the advice of the CISO and place the organization at unnecessary risk. (p.57)
The Position of the CISO within Organizational Structure
While literature on the CISO is scarce, several pieces focus on the position of the CISO within the corporate structure. As discussed in the previous section, the CISO comes from a historically technical background. Other common backgrounds for the CISO include previous business leaders and/or political leaders (Alexander & Cummings, 2016). Often, the technically adept CISO finds it difficult to migrate to an executive-level position, as they are required to “broaden their approach” to cybersecurity initiatives beyond the technological solution alone (Alexander & Cummings, 2016). The literature reveals several possible reporting lines for the CISO: the chief executive officer (CEO), chief information officer (CIO), chief financial officer (CFO), chief risk officer (CRO), board of directors, and others. Since information technology and information security have historically been the responsibility of the CIO, many of today’s CISOs report directly to the CIO. According to a study by Karanja and Russo (2017), however, CISOs in newly created positions are more likely to report to the CEO than to the CIO.
A troubling problem results when the CISO reports to the CIO. The CIO is responsible for the continuity and efficiency of IT operations within the organization, while the CISO is responsible for the security of all organizational assets as they pertain to data and information. These two mandates often come into conflict (Karanja & Russo, 2017). Similarly, the role of the CIO has not been immune to reporting-structure issues. Banker et al. (2008) found that less than 5% of CIOs reported to the chief operating officer (COO), while most reported to either the CFO or the CEO depending on the business type. Businesses with a cost-leader strategy often had the CIO report to the CFO. Just as with the CISO reporting to the CIO, a CIO reporting to the CFO is often prevented by cost considerations from making necessary business decisions. Even with all the current research, Karanja and Russo (2017) state that “there is little consensus regarding who the CISO should be reporting to” (p.23).
Organizational structure can also affect how employees see the CISO as both a leader and a change agent. Ashenden and Sasse (2013) completed a study that reviewed the effectiveness of the CISO and stated that “there has been little information security research that helps us to understand the impact of the CISO on organizational change” (p.2). As part of their research, the position of the CISO within the organizational structure was identified. The researchers found that the CISO needs to “develop an identity within the organization where they are seen to help employees discuss, and make decisions about, information security” (p.17). In order to maintain this identity, the CISO should hold a position of authority over information security policy across the organization.
The reporting structure of the CISO differs among industries. Kouns (2014) finds that “while regulated industries, including financial services, recognize the benefits of an independent CISO reporting to a chief risk officer, some industries, notably higher education, continue to place the CISO in the IT department under the direction of the CIO” (pp.55-56). The author also points out that some information technology and information security experts do not believe that organizational placement matters at all, while others believe the CISO should report to the CEO or work in conjunction with the CIO on security matters. The author goes on to state that “in the author’s experience, placement of the CISO function is very dependent on the type of business and overall security knowledge of the organization” (pp.56-57). The relationship between the CISO and the organization’s board is also important. Higgs et al. (2016) found a significant relationship between board-level technology committees and reported security breaches. Kouns (2014) found that only 8% of CISOs report directly to a board, and only 14% report to a CEO.
The ability of the CISO to have visibility across the organization is paramount. Karanja and Russo (2017) find that “CISOs struggle to gain credibility in their organizations due to a perceived lack of power, confusion about their role identity, and their inability to engage effectively with company employees” (p.27). The authors continue: “the review of the existing literature on the position of CISO reveals a lack of clarity regarding the role of the CISO in the organization, as well as a lack of consensus as to where CISOs in general should report in the organization” (p.29). For the CISO to be recognized as an agent of change, research must continue in this area.
Data Breaches and Effects
Mainstream news is riddled with reports of data breaches across all sectors of business. At the time of Grama’s (2014) research, the Privacy Rights Clearinghouse had documented over 4,200 breaches in the United States, affecting over 850 million records. According to research cited by Waddell (2009), 90% of US-based businesses are affected by a data breach annually, and 74% of United Kingdom (UK) businesses reported a data breach in 2004. Staggering as these statistics seem, they continue to grow. As of March 14, 2019, the Privacy Rights Clearinghouse had documented 9,094 data breaches since 2005, with over 11.5 billion records affected. With this growth, the reality of a breach is not “if” it occurs but “when” it will occur.
The Verizon Data Breach Investigations Report (DBIR) was first published in 2008 and has since provided an annual “state of the union” for cybersecurity and for breaches across all sectors. The 2018 report covers over 53,000 incidents and 2,216 confirmed data breaches, and summarizes its findings as shown in Figure 1. Notable items in the summary include that 73% of breaches were perpetrated by outsiders and 50% were carried out by organized criminal groups. Additionally, while only 14% of breaches affected public-sector entities, 58% of victims were small businesses. Lastly, 68% of breaches took months or longer to discover.

Figure 1. Verizon 2018 DBIR: Summary of Findings
The Verizon DBIR also gathers more detailed information on the types of attacks that lead to incidents and breaches. Denial of Service (DoS) attacks topped the incident list, with more than 21,000 incidents in the report. According to the 2018 report, a DoS attack is “intended to compromise the availability of networks and systems. Includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service” (p.23). Other incident types in the top five included loss of data, phishing, misdelivery of data, and ransomware. Loss and misdelivery are directly associated with user error. The report states that “over half of the breaches in this [miscellaneous errors] pattern were attributable to misdelivery of information—the sending of data to the wrong recipient. Misconfigurations, notably unsecured databases, as well as publishing errors were also prevalent” (p.24).
One mitigation for breaches is policy, which is administered by the CISO. While policy is not the only mitigation for breaches, it is a first step toward ensuring the security of company data. Brooks and Grama (2017) concluded in their research on higher education data breaches that “information security is an institutional issue and must be addressed from an institutional perspective, not from a silo. An institutional policy based on recognized best practices sets the foundation for improving the institution’s information security posture” (p.7). Along with a general information security policy, an incident response policy is also recommended. The incident response policy should identify roles for information security personnel and should be tested and reviewed annually. Personnel should also know how to handle breach incidents and how to follow proper digital forensics procedures, including contacting and communicating with law enforcement (Brooks & Grama, 2017).
While breaches of PII always carry a financial cost, Wilson (2016) points to an additional, and possibly more worrisome, loss of consumer confidence: consumers are less likely to associate with an organization that has had a public breach. Higgs et al. (2016) conclude their research on security breaches with the understanding that “security breaches are costly to firms and the cost continues to increase. Firms are increasingly recognizing this phenomenon and considering governance mechanisms in response” (p.94). Governance mechanisms of this type can include board-level committees (Higgs et al., 2016). Designating a CISO or an equivalent role is also a mechanism for reducing breaches. Brooks and Grama (2017) point out that an “effective leader who can communicate information security issues across the institution is essential for information security program success” (p.7). The Verizon DBIR (2018) sums up breach mitigation:

Attackers are constantly developing new tactics to help them access your systems and data. But what’s clear from our research is that too many organizations continue to make their job easy. Some companies are failing to take the most basic of security measures like keeping anti-virus software up to date or training staff on how to spot the signs of an attack. (p.7)
Information Security in Higher Education
While little research has been completed on information security and the CISO in general across all sectors, research in the higher education sector is especially lacking. Public opinion and news media coverage of breaches and other information security and privacy issues have focused primarily on the private sector. Recently, the spotlight has widened to include both public and private educational institutions (Culnan & Carlin, 2009). Higher education was founded on academic freedom, creativity, and openness, all of which sit uneasily with data security and privacy.
Waddell (2013) studied the effect of policies on breaches in higher education. In this unique study, Waddell points out that “colleges and universities face the same types of privacy and security challenges as other types of businesses” (p.25). Sales, donations, online portals, and the transfer and storage of PII are common and necessary in higher education institutions. Culnan and Carlin (2009), along with Waddell (2013), emphasize that, while other business sectors may keep data for a pre-determined period, higher education often retains records indefinitely. It is the opinion and experience of this researcher that it is not unusual for these records to be stored in multiple physical locations, both on-premises and in the cloud. Many of today’s systems are Software-as-a-Service (SaaS) or even Infrastructure-as-a-Service (IaaS), designed to provide resources to higher education institutions without the need for major on-premises datacenter operations. Moving data to the cloud via SaaS or IaaS can provide cost savings over time, but the data security risk must be assessed before that decision is made.
Academic freedom and creativity present security challenges for higher education information security professionals. In their research into online privacy practices in higher education, Culnan and Carlin (2009) state that “academic departments often operate their own servers and run their own Web sites. Individual faculty, students and student organizations also have personal Web sites that run on department servers or servers managed by the school” (p.126). This decentralized environment is a breeding ground for insecure data and makes policy implementation difficult. Implementation of well-formed and actionable security policies is paramount in these scenarios (Waddell, 2013).
Colleges and universities are required to comply with several federal regulations regarding the security and privacy of both employee and student data. The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to educational entities that receive federal funding via the Department of Education. Beaudin (2015) writes the following in a legal overview of the data covered by FERPA:

The information covered includes education records, defined as records that “contain information directly related to a student” and are maintained by the educational institution. Additionally, directory information is covered, defined as information “that would not generally be considered harmful or an invasion of privacy if disclosed.” Because directory information is not harmful, all that is required of a covered college or university is “public notice of the categories of information which it has designated as such information.” (p.673)

In this legal research, Beaudin also found that the use of cloud services (e.g. SaaS and IaaS) and other online educational services can be of interest in FERPA cases. At the time of Beaudin’s research, the Department of Education had provided little direction on FERPA as it relates to cloud computing, other than that educational institutions must have direct control over any third party that uses or processes their PII. Beaudin states that “it will be important for colleges and universities to assess each online service and determine whether to notify students and identify the information, if any, that falls under FERPA” (p.674).
In addition to FERPA, many colleges and universities are required to abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to Beaudin (2015), “HIPAA focuses on health insurance portability and on the prevention of health care fraud and abuse by adoption of standards and requirements for electronic transmission of health information” (p.667). Higher education institutions that provide healthcare in any capacity to anyone besides their own students are considered covered entities under HIPAA. Institutions may be exempt if they provide medical services only to students, as those records fall under FERPA instead of HIPAA. Covered entities are required to provide safeguards for sensitive data, including administrative, physical, and technical controls. HIPAA also imposes monetary penalties for violations that can range from $100 to $1,500,000 depending on the severity of the incident. According to Beaudin, two universities have recently encountered breaches that resulted in fines: Idaho State University ($400,000) and Columbia University ($1,500,000).
Higher education institutions may also fall under the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999. According to Beaudin (2015), higher education institutions can fall under GLBA and the Federal Trade Commission (FTC) when they “participate in financial activities, such as making federal loans” (p.677). The Safeguards Rule of GLBA requires institutions to have an information security program designed to protect the security and confidentiality of customer data. Additionally, the FTC Red Flags Rule requires colleges and universities that disburse federal financial aid to be able to identify, detect, and respond to the warning signs (“red flags”) of identity theft.
The intended effect of these regulations on higher education institutions is to force the use of good policies and procedures for information security. Higher education entities are not so different from other sectors. Every college and university has customers (students) who are purchasing a service (education) from a business that maintains employees. Additionally, the consequences of failure in information security in higher education are like those in any other business sector. Grama (2014) states: “Particularly important for higher education institutions are reputational consequences, which could result in a loss of alumni donations and even a reduction in the number of students choosing to apply to or attend the institution” (p.1).
Comparison of Data Breaches in Higher Education and Other Sectors
In an earlier section on data breaches, information was presented from the Privacy Rights Clearinghouse (PRC) for all sectors. In addition to breach type, the PRC also breaks down breaches by organization type (see Figure 2). Grama (2014) pulled PRC data from 2005-2014 for research on breaches in higher education.

Figure 2, Grama (2014)
Grama’s research found that, while education had a larger number of breaches than every other sector except healthcare, the average number of records exposed per breach was lower than in any other sector. Grama offered a possible explanation for this phenomenon:

Many speculate that higher education’s culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization’s ability to be competitive in that industry. In these instances, a breach may only be reported when it is required by a law or some other regulation, and even then, only when the breach circumstances clearly fall within the purview of the underlying regulation. (p.6)
Higher education is in a unique situation with respect to breaches compared to other industries. Most other industries are heavily regulated. Higher education, however, has historically provided a more open and collaborative environment based on research and information sharing. Decentralization of data is common in colleges and universities and makes it a struggle for information security and information technology personnel to control PII (Patton, 2015). Additionally, many larger universities provide medical services and often have an entire hospital overseen by the institution. Adherence to regulations and proper compliance is vital in all these scenarios (Beaudin, 2015).

While there are differences between higher education breaches and those of other sectors, there are also many similarities. Colleges and universities must utilize administrative, physical, and technical controls to protect PII. As explained earlier in this research, NIST provides standards for information security policies and procedures that meet and exceed current regulations. Patton (2015) presents research from Casey O’Brien specifying four steps every college and university should take to protect its data (see Figure 3). Of these objectives, understanding that a data breach is a question of “when” and not a question of “if” is of particular importance.

1) Prioritize academic objectives and figure out the institution’s risk tolerance
2) Make sure the college has a proactive security plan
3) Prepare for the inevitable: you are going to be attacked
4) Promote a culture of security within the college

Figure 3, Patton (2015)
Literary Gaps
Both Whitten (2008) and Karanja and Russo (2017) acknowledge a scarcity of research on the CISO, the role they play, and their position within the organizational chart. While their research filled obvious initial gaps in the literature, further research is needed. Educause has recently supported research on the CISO and information security implementation in higher education. Grama (2014) and Brooks and Grama (2017) completed research on data breaches in higher education and began to link those findings back to leadership in information security in that industry. However, these two articles are currently the only research on the CISO and data breaches as related to higher education. Additionally, while Brooks and Grama (2017) do examine the existence of a CISO or equivalent officer alongside higher education breach rates, the research stops short of looking at the organizational position of the CISO within the institution and how breach rate is affected by that variable. Brooks and Grama (2017) finish their research by stating that higher education institutions should appoint an individual who is solely responsible for security, because an “effective leader who can communicate information security issues across the institution is essential for information security program success” (p.7).
Summary
This chapter attempted to describe the importance of information security, the role of the CISO, and the effect of data breaches across all business sectors, with a focus on higher education. Because it is a young field within modern technology, information security has little associated academic research. A further understanding of how the placement of the CISO affects breach rate may help all business sectors make better hiring decisions. Research may also improve the ability of colleges and universities to bridge the gap between academic freedom and data security. The following chapter describes the methodology and procedures used to conduct this research on the relationship between the organizational position of the CISO within higher education and breach rate.
Chapter Three
Methods and Procedures
Introduction
A review of the literature in Chapter Two suggests that the
position of the CISO within
organizational structure varies among business sectors.
Additionally, the literature suggests that
research about the CISO is limited in higher education. This
study can fill gaps in the research
by providing more information on how the organizational
structure of information security and
the position of the CISO in higher education affect breach rates.
This chapter outlines the
methodologies and statistical analyses used to observe the
position of the CISO within
organizational structure in higher education and how it affects
breach rate. This study directly
observes the differences in reporting structures between CISOs
and other similar job titles while
making comparisons to the position of CIOs in higher education
institutions. Additionally, the
study uses publicly-accessible breach rate data in comparison
with organizational structure. This
chapter also defines the research paradigm, the research design, and the data collection and analysis tools and procedures.
Research Paradigm
The research paradigm for this study was quantitative. This
study built on the work of
Grama (2014) and Brook and Grama (2017) to further determine
the relationship between the
position of the CISO within organizational structure in higher
education and breach rate.
Additional relationships, including time spent on task and the
ability to report directly to the
institution’s president and board were also analyzed. Survey
data collected from Educause and
publicly-accessible data breach data from the Privacy Rights
Clearinghouse were utilized for the
study.
Grama (2014) specifically studied data breaches in higher
education. The purpose of the
study was to determine if higher education breaches were
exposing as many records as other
sectors. Grama was attempting to dispute the claim that higher
education should be singled out
as the most susceptible to data loss due to the number of
breaches occurring in that sector.
Grama found that the number of breaches and their relationship
to the number of records
breached was different in higher education than other sectors.
Specifically, the study found that
“education has some of the lowest counts of records exposed per
breach incident” (p. 6). While
the study was not the first to take data breaches in education
(with an emphasis on higher
education) into account, the study did not elaborate on the
reasons for the lower number of
breached records. Additionally, the study did not research any
reason for the unusually high
number of breach rates in education.
Brook and Grama (2017) continued the 2014 study by
researching Educause CDS survey
data and Privacy Rights Clearinghouse (PRC) data and
identifying points in the dataset that
might affect breach rates. The study was the first in higher
education to research the role of the
CISO and its effect on breach rate. While the study researched
areas of training, prevention,
detection, policies, and risk management, it did not study the
relationship of the position of the
CISO in organizational structure and breach rates. Additionally, the study did not determine whether a relationship existed when a title other than CISO was used for an information security officer.
This study used the quantitative research method to utilize
survey and publicly-accessible
data. Qualitative and mixed methods were also considered for
this study but were rejected. A
qualitative method would require the researcher to interview
CISOs and other security
professionals throughout the field and ask questions relating to
their perception of their
environment and how that affected breach rate. While this method could be used and be beneficial in answering some research questions, the existing data that directly relate to this study would not have been used. A mixed method could be effective
for this study. Jick (1979)
provides a case study on how interviews and survey data were
used together to provide usable
conclusions. This method was ultimately rejected due to the
same reason as the qualitative
method. The need to interview CISOs in higher education
concerning breach rates at their
institutions is difficult since breaches can be legal challenges
and information may be
confidential.
The quantitative research method provided this study with the
basis to research
relationships between variables. Quantitative tests designed to
reveal correlations and
differences between means were used to provide an analysis of
the data. This descriptive (or
observational) study “observed subjects without otherwise
intervening” (Hopkins, 2008, p. 2).
The survey tool provided by Educause reduced the chance of confounding, which can occur when attempting to find cause and effect, as in this study.
Confounding was controlled in
the Educause CDS survey by ensuring all subjects met the
requirements of being an accredited
US institution.
Research Design
This quantitative research was based on causal-comparative
design and was appropriate
to determine relationships between the position of the CISO
within higher education
organizational structure and breach rates. Causal-comparative
design includes independent
and/or dependent variables. This research could also be
classified as nonexperimental research
as it utilizes independent variables over which the researcher
has no control as they have already
occurred (Johnson, 2001). While this research is causal-comparative in design, it is important to
note that definite relationships cannot be determined from this
research. Cook and Cook (2008)
conclude the following when discussing nonexperimental
quantitative research:
Because neither surveys nor correlational research incorporate
the defining features of
group experimental research (i.e., random assignment of
participants to groups and active
introduction of an intervention), they cannot be used to
determine definitively causal
relationships and should therefore not be relied on to establish
whether a practice is
evidence based. This is not to suggest that survey and
correlational research methods are
less important than experimental research; they are simply
designed to answer different
questions. (p. 103)
However, a survey was determined by the researcher to be the best way to obtain data for the variables to be tested.
Other research designs were also considered for this study.
Descriptive research and
experimental research designs did not meet the requirements of
this study. In descriptive
research, the researcher does not typically have a hypothesis.
In this study, the hypothesis of the
researcher is clear. Experimental studies require an experiment using the scientific method, which is also not applicable. Correlational research could have been utilized for this study as it is
used to review variables in their natural environment. While
some of the questions of this study
do lend themselves to correlational research, the overall study is
causal-comparative as it seeks
to determine if the position of the CISO in higher education
affects breach rate.
Data Collection Sources
Following approval from the Institutional Review Board (see
Appendix C) at University
of the Cumberlands, data were requested from the Educause
Core Data Service. Specifically, the
information security module of the CDS survey was utilized.
The survey data were gathered in
2015-2018. Additionally, data were gathered from the Privacy
Rights Clearinghouse (PRC) via
the online database. The Educause contract for data (see
Appendix D) and the communication
from PRC for data use (see Appendix E) were both requested in
February 2019.
Educause produces the Core Data Service (CDS) annual survey
which is populated by
750 higher education institutions. The Educause CDS survey
contains several modules including
the information security module used for this study. The
information security module of the
CDS survey contains questions about the organization, staffing,
policies, and practices related to
information security within higher education. The questions
utilized from this survey included
one multiple choice question describing staffing, one multiple
choice question regarding
percentage of time on task, one multiple answer question
regarding report structure, and one
binary question regarding cabinet-level membership. The
Educause CDS data was chosen over a
survey created by the researcher. Many of the questions in the survey were similar to the questions originally crafted by the researcher. Additionally,
the survey is a tested tool for
data that is used by higher education institutions and other
researchers for similar purposes.
Without an additional researcher-led survey, Educause CDS
provides the only other collection of
data applicable to this study.
The Privacy Rights Clearinghouse is a nonprofit organization
that collects data from
publicly-accessible sources and compiles it into usable
information. Breach data are separated
by breach type, organization type, and year of breach. For this
study, data were requested for the
higher education sector for all breach types between 2015-2018.
Only publicly reported breaches appear in the PRC database. It is plausible that
some higher education institutions
have encountered breaches that were not published in the
database and are therefore not a part of
this study or its findings. Other breach databases also exist
including The Campus Computing
Project, Breach Level Index, and the Center for Higher
Education Chief Information Officer
Studies, Inc. However, these resources did not provide the
granularity or scope of data that was
provided by the PRC database.
This study utilized the 2018 Educause Core Data Service Survey
which contained data
from 750 respondents from a pool of 3,816 eligible institutions.
Higher education uses the
Carnegie Classification framework to classify colleges and
universities according to their type of
degree granted. All colleges and universities listed in the
Carnegie Classification and
respondents of the Educause CDS survey are accredited with the
US Department of Education
and represented in the National Center for Education Statistics
Integrated Postsecondary
Education Data System (IPEDS). Doctoral degree institutions
provided the largest set of data
with 134 responses while institutions outside the US provided
the smallest set of data with 53
responses. See Figure 4 for a breakdown of the Carnegie
Classification for the Educause CDS
survey data.
This study also utilized the Privacy Rights Clearinghouse
database. Out of 3065 total
records representing data breaches in all sectors from 2015 to
2018, 111 records characterized
education and 70 records related specifically to higher
education. Of those 70 records, 42
associated directly to an institution that also completed the
information security module of the
2018 Educause CDS Survey.
Carnegie Class   Participating Institutions   Eligible Institutions   Response Rate (%)
AA               114                          1044                    10.9
BA               109                           524                    20.8
MA Pub           110                           267                    41.2
MA Priv          100                           396                    25.3
DR Pub           134                           201                    66.7
DR Priv           61                           123                    49.6
Other U.S.        69                           842                     8.2
Non-U.S.          53                           419                    12.6
Mean              93.8                         477.0                   29.4
Median           104.5                         407.5                   23.1
Sum              750                          3816
Figure 4 Educause CDS Survey Demographics
Data Analysis Techniques
Chi square tests were used to determine if significant
relationships existed between the
CISO or similar title in several areas including time spent on
task, reporting structure, and
cabinet membership. Two t-tests were used to determine if the
number of breached records were
different dependent upon the organization reporting structure of
the CISO.
McHugh (2013) states that “the Chi-square test of
independence (also known as the
Pearson Chi-square test, or simply the Chi-square) is one of the
most useful statistics for testing
hypotheses when the variables are nominal” (p. 143). The chi
square test was chosen for the
research questions that involved a relationship:
1. Is there a relationship between the titles of highest-ranking
person in charge of
information security and to whom they report?
2. Is there a relationship between the titles of the highest-ranking person in charge of
information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in
having cabinet-level
membership?
Fisher’s exact test could be used as a substitute for the chi square test but requires that the
test have two rows and two columns only (McHugh, 2013).
Since some of the tests needed for
this study required more rows and columns, the chi square test
was chosen for all relationship
tests for consistency. Sufficiently large sample sizes and
randomized data were used for the tests
to provide best results.
A t test was also utilized for one research question:
4. Is there a difference in the number of records breached and
the reporting structure of the
CISO or equivalent title?
Two sample datasets were gathered from a combination of
Educause CDS survey data and
breached records data from the PRC database. Specifically,
data from two questions in the
Educause CDS survey were combined: what is the title of the
highest-ranking person in charge
of information security, and to whom does this person report.
Reporting structure was combined
into two categories: CISO reporting to CIO, and CISO reporting
to another high-level officer.
The total number of breached records related to the higher
education institution was then entered
for the corresponding row and column. A row containing a zero
indicated that no records had
been breached for that specific institution. Data for this table
was gathered by matching 22
breach incidents associated with institutions that completed the
Educause CDS survey with their
corresponding breached records report in the PRC database and
by using the same Educause
CDS survey data from 22 randomly selected institutions that
were not part of a breach according
to the PRC database. In compliance with the researcher’s
contract, the data was anonymized
before being used for any statistical tests. See Appendix F for
raw data table.
A two-sample t test was chosen for its ability to compare two
populations based on
sample data. Although other types of t tests could have been
utilized, Ruxton (2006) concludes
that “the unequal variance t-test should always be used in
preference to the Student’s t-test or
Mann–Whitney U test” (p. 690). Due to the distribution of the
populations used for this test,
both equal and unequal variance tests were utilized.
Summary
This chapter outlined the methodology for this research. The
literature review specified
gaps in understanding the role of the CISO in higher education
and how different factors,
including breach rate, could be affected by the position of the
CISO within the organization. A
quantitative, causal-comparative study was conducted to
evaluate the organization structure of
the CISO and its effect on breach rate in higher education.
Survey data from the Educause CDS
and publicly-accessible breach data from the Privacy Rights
Clearinghouse were used in this
study. Chi square and t-tests were used to analyze the data. A summary of the results is
presented in Chapter Four.
Chapter Four
Research Findings
Introduction
Chapter Four provides an analysis of the research findings
related to the relationships in
reporting structures between CISOs and other similar job titles
while making comparisons to the
position of CIOs in higher education institutions. As previously
stated in Chapter Three, the
purpose of this quantitative study was to provide an analysis of
how the organizational structure
of information security and the position of the CISO in higher
education affect breach rates. The
Educause CDS annual survey data and breach rate data from the
Privacy Rights Clearinghouse
were used to find relationships between the CISO and similar
titles, their reporting structure, and
its effect on breach rate in higher education. Chapter Four
includes specific information
pertaining to the statistical analysis used to study the research
questions found in Chapter One.
Participant Demographics
The sample population from the Educause CDS survey
contained 471 records from
higher education institutions that had completed the 2018
information security module. The
sample population from the Privacy Rights Clearinghouse
(PRC) contained 70 records derived
from educational institutions that had suffered a breach between
2015-2018. The PRC data were
narrowed to 42 records in order to match information back to
the CDS survey. The primary job
title for respondents was CISO (29%) followed by CIO (26%),
information security officer (ISO)
(15%), director of information security (8%), and information
technology security officer (5%).
All other respondent title groups were less than 5% and can be
seen in Appendix A. A further
breakdown of the Educause CDS survey data demographics can
be seen in Figure 4 in Chapter
Three.
Analyses of Research Questions
Data were collected from the information security module of the
Educause CDS survey
and publicly-accessible data from PRC as described in Chapter
Three. The highest-ranking
information security staff member was identified by a 16-option
multiple choice question that
also provided space for a write-in option. Percentage of time on
task was identified by a 7-option multiple choice question. Reporting structure was
provided by multiple answer question
which presented 17 options including a provided space for a
write-in position. Reporting to the
university cabinet was provided as a binary yes/no question set.
The write-in options were not
calculated as part of this research. The PRC dataset contained a
record for each breach incident
at a higher education institution and included the institution
name, number of breached records,
breach type, and supporting sources.
Question One. Is there a relationship between the titles of
highest-ranking person in
charge of information security and to whom they report? The
highest-ranking security officer is
most often called a CISO but this can vary among institutions.
All relevant titles that would
fulfill the same role as the CISO were included in the
calculations. In order to understand how
the CISO or similar title is positioned within the institution, the
data was categorized into
reporting to the CIO or other officer. Officers in the other
category included the president, CFO,
CRO, and other similar positions. Since literature shows that
the CISO most often reports to the
CIO, that position was listed as its own variable. A Chi Square
test was conducted on the survey
data. The test found the results were not significant, (X2 [2, N=
503] = 0.48, p > .05). Table 1
shows the results of the Chi Square test as described.
Table 1
Chi Square for Relationship of Reporting Structure

Observed Values                            Expected Values
         CISO   Similar Title   Sum                 CISO      Similar Title
CIO      118    265             383        CIO      114.98    268.0239
Other     33     87             120        Other     36.024    83.97614
Sum      151    352             503

               Observed   Expected   (O-E)²    (O-E)²/E
Variable 1 A   118        114.9761   9.14371   0.079527
Variable 1 B   265        268.0239   9.14371   0.034115
Variable 2 A    33         36.02386  9.14371   0.253824
Variable 2 B    87         83.97614  9.14371   0.108885
X²             0.476351
P Value        0.49008
This analysis concluded that the title of the person responsible
for information security in
higher education is insignificant when paired with reporting
structure. While the CISO is the
most common title in the respondent survey (see Appendix A), a
change from that title does not
provide any indication that organization structure will change.
While titles are important, just
changing the title of the information security administrator may
not increase the ability for that
person to participate at a higher level in the organizational
chart.
Question Two. Is there a relationship between the titles of the
highest-ranking person in
charge of information security and the percentage of time on
task? A Chi Square test was
utilized to determine if a relationship existed between the title
of the security officer and the time
that was spent in that role. In order to place the data into a 2x3
Chi Square test, the time on task
percentages were modified from the original data. All
categories below 80% were combined to
represent a single variable. The test found this relationship
insignificant (X2 [3, N= 314] = 1.70,
p > .05). Table 2 shows the results of this Chi Square test as
described.
Table 2
Chi Square Relationship Between Title and Full Time Percentage

Observed                                     Expected
            CISO   Similar Title   Sum                    Var A    Var B
100%         94    112             206       Variable 1   88.567   117.43   206
80-99%       14     23              37       Variable 2   15.908    21.092   37
Below 80%    27     44              71       Variable 3   30.525    40.475   71
Sum         135    179             314                    135      179      314

               Observed   Expected   (O-E)²    (O-E)²/E
Variable 1 A    94        88.5669    29.519    0.3333
Variable 1 B   112        117.433    29.519    0.2514     df= 4
Variable 2 A    14        15.9076    3.6391    0.2288
Variable 2 B    23        21.0924    3.6391    0.1725
Variable 3 A    27        30.5255    12.429    0.4072
Variable 3 B    44        40.4745    12.429    0.3071
X²             1.7002
P Value        0.7907
Each survey respondent was asked “what percentage of full
time did this person devote to
information security?” (see Appendix B). Many different types
of higher education institutions
were represented by the Educause CDS survey. Independent
colleges and universities and other
types with low enrollment may have staff that handle several
roles simultaneously. This test
analyzed the relationship between the time the person
administrating information security spent
on just that role alone. As the test was insignificant, the conclusion is that a change in the title of
the person administrating information security does not
significantly affect time on task.
Additionally, the data from this test indicates that many
information security administrators,
regardless of their title, are dedicated to information security
only.
Question Three. Is there a relationship between the CISO and
the CIO in having
cabinet-level membership? A Chi Square test was utilized to
determine if a relationship exists
between a CISO and a CIO reporting to a cabinet-level position
in higher education using binary
variables. The test found this relationship to be significant (X2
[2, N= 259] = 60.35, p < .001).
The CIO is much more likely to be a cabinet member than the CISO. Table 3 shows the results of this Chi Square test as described.
Table 3
Relationship Between CISO and CIO as Member of President's Cabinet

Observed Values                      Expected Values
       CISO   CIO   Sum                     CISO         CIO
Yes     16     69    85              Yes    45.2895753   39.71042
No     122     52   174              No     92.7104247   81.28958
Sum    138    121   259

               Observed   Expected   (O-E)²     (O-E)²/E
Variable 1 A    16        45.28958   857.8792   18.94209
Variable 1 B    69        39.71042   857.8792   21.60338
Variable 2 A   122        92.71042   857.8792    9.25332
Variable 2 B    52        81.28958   857.8792   10.55337
X²             60.35216
P Value        7.93E-15
While reporting structure was tested in the first research
question, this question relates to
a different data point. In the survey, respondents were asked “is
this person a member of the
president/chancellor’s cabinet?”. For this test, the researcher
reduced the dataset to just those
respondents with the specific title of CISO or CIO. The
significance of this analysis shows that
the CISO is less likely to sit on the president’s cabinet than the
CIO. As noted in Chapter Two,
this scenario can create a security concern for the organization
as the CIO and the CISO may
have differing agendas. The position of the CISO or CIO in
organizational structure is irrelevant
in this test.
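As an added example (not code from the dissertation, from Educause or from the PRC), the following Python implements the Pearson chi-square test of independence described in Chapter Three and applied in Tables 1 to 3: it derives the expected counts, the statistic, the degrees of freedom and the p-value from an r x c table of counts, so the tables above can be checked without a spreadsheet. The observed counts are copied from Tables 1 to 3; the p-value comes from the regularized incomplete gamma function, implemented here (series plus continued fraction) rather than imported from SciPy. Note that the function takes degrees of freedom as (r-1)(c-1), which is 1 for the 2x2 tables and 2 for the 2x3 table of Table 2; Table 2 lists df = 4, so the p-value computed here for that table (about 0.43) differs from the 0.7907 it reports, while the statistics agree with all three tables.

```python
import math


def _regularized_gamma_p(a, x):
    """Regularized lower incomplete gamma P(a, x) by its power series (used for x < a + 1)."""
    term = 1.0 / a
    total = term
    n = 1
    while abs(term) > abs(total) * 1e-15 and n < 10000:
        term *= x / (a + n)
        total += term
        n += 1
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))


def _regularized_gamma_q(a, x):
    """Regularized upper incomplete gamma Q(a, x) by Lentz's continued fraction (used for x >= a + 1)."""
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * h


def chi2_sf(stat, df):
    """Upper-tail probability (the p-value) of a chi-square statistic with df degrees of freedom."""
    if stat <= 0:
        return 1.0
    a, x = df / 2.0, stat / 2.0
    if x < a + 1.0:
        return 1.0 - _regularized_gamma_p(a, x)
    return _regularized_gamma_q(a, x)


def chi_square_independence(observed):
    """Pearson chi-square test of independence for an r x c contingency table of counts.

    Returns the expected counts, the statistic sum((O-E)^2 / E), df = (r-1)(c-1) and the p-value.
    """
    rows, cols = len(observed), len(observed[0])
    row_sums = [sum(r) for r in observed]
    col_sums = [sum(observed[i][j] for i in range(rows)) for j in range(cols)]
    n = sum(row_sums)
    # Expected count under independence: row total * column total / grand total
    expected = [[row_sums[i] * col_sums[j] / n for j in range(cols)] for i in range(rows)]
    stat = sum((observed[i][j] - expected[i][j]) ** 2 / expected[i][j]
               for i in range(rows) for j in range(cols))
    df = (rows - 1) * (cols - 1)
    return {"expected": expected, "statistic": stat, "df": df, "p_value": chi2_sf(stat, df)}


# Observed counts copied from Tables 1 to 3 (rows: reporting / time-on-task / cabinet categories;
# columns: the title groups in the order each table lists them).
TABLE_1 = [[118, 265], [33, 87]]           # CIO, Other  x  CISO, Similar Title
TABLE_2 = [[94, 112], [14, 23], [27, 44]]  # 100%, 80-99%, Below 80%  x  CISO, Similar Title
TABLE_3 = [[16, 69], [122, 52]]            # Yes, No  x  CISO, CIO

if __name__ == "__main__":
    for name, table in (("Table 1", TABLE_1), ("Table 2", TABLE_2), ("Table 3", TABLE_3)):
        r = chi_square_independence(table)
        print(f"{name}: X2 = {r['statistic']:.4f}, df = {r['df']}, p = {r['p_value']:.4g}")
```

Running the block prints the statistic, df and p-value for each table; Table 1 reproduces X² = 0.4764 and p = 0.4901, and Table 3 reproduces X² = 60.35 with a p-value far below .001, matching the significance decisions stated above.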
Question Four. Is there a difference in the number of records
breached and the reporting
structure of the CISO or equivalent title? Reporting structure
data from the information security
module of the Educause CDS survey was combined with known
breach data from PRC which
included the number of records breached. The number of breached records was then included in a
two-sample t test assuming equal variances. The number of
breaches that occurred when a CISO
reported to a CIO (M = 22597.92) were not significantly
different than the number of breaches
that occurred when a CISO reported to a different cabinet-level
officer (M = 1216.37), (t [40] =
1.0810, p > .05). There is not a significant difference in breach
rates between the reporting
structures. Table 4 shows the results of this t test as described.
Table 4
Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Equal Variances

                               CISO to CIO    CISO to Other
Mean                           22597.92308    1216.375
Variance                       6195248036     7531018.383
Observations                   26             16
Pooled Variance                3874854155
Hypothesized Mean Difference   0
df                             40
t Stat                         1.081019395
P(T<=t) one-tail               0.143081573
t Critical one-tail            1.683851013
P(T<=t) two-tail               0.286163147
t Critical two-tail            2.02107539
In addition to the above test, the same data was analyzed by a
two-sample t test assuming
unequal variances. In this analysis, the number of breaches
result (t [25] = 1.3838, p > .05)
remained insignificant. Table 5 shows the results of this t test
as described.
Table 5
Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Unequal Variances

                               CISO to CIO    CISO to Other
Mean                           22597.92308    1216.375
Variance                       6195248036     7531018.383
Observations                   26             16
Hypothesized Mean Difference   0
df                             25
t Stat                         1.383782862
P(T<=t) one-tail               0.089328216
t Critical one-tail            1.708140761
P(T<=t) two-tail               0.178656431
t Critical two-tail            2.059538553
This researcher found that a primary variable that was excluded
from Brooks and
Grama’s (2017) research was the position variable. Question
four is the focal point of this
research as it attempts to determine if breaches in higher
education are affected by the reporting
structure of the CISO or equivalent title. Literature from
Chapter Two indicates that security
could be more likely to be compromised if the CISO reports to
the CIO instead of the CEO.
Chapter Three provides details for the layout of these tests and
the raw data for the test can be
seen in Appendix F. While neither of the test results was significant, the researcher notes that the unequal variances t test is very close to significance. The limited number of data points for this question may have affected the outcome of the tests.
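As an added example (not code from the dissertation or the spreadsheet that produced Tables 4 and 5), the following Python recomputes both two-sample t tests from the summary statistics reported in Tables 4 and 5: the pooled-variance (Student's) form with df = n1 + n2 - 2, and the unequal-variance (Welch) form with the Welch-Satterthwaite degrees of freedom, which the spreadsheet reports rounded to 25. The means, variances, group sizes and two-tailed critical values are copied from the two tables; everything else is derived. The example makes visible why the two tests differ here: the "CISO to CIO" group's variance is roughly 800 times that of the other group, so pooling the variances understates the spread of the smaller group and the Welch statistic comes out larger.

```python
import math

# Summary statistics copied from Tables 4 and 5 (number of breached records per institution,
# grouped by whom the CISO or equivalent title reports to).
CISO_TO_CIO = {"mean": 22597.92308, "var": 6195248036.0, "n": 26}
CISO_TO_OTHER = {"mean": 1216.375, "var": 7531018.383, "n": 16}

# Two-tailed critical values at alpha = .05, as listed in Tables 4 and 5.
T_CRIT_EQUAL_VAR = 2.02107539    # df = 40
T_CRIT_UNEQUAL_VAR = 2.059538553  # df = 25


def pooled_t_test(a, b):
    """Two-sample t test assuming equal variances (Student's t), from summary statistics.

    Returns (t statistic, degrees of freedom, pooled variance).
    """
    df = a["n"] + b["n"] - 2
    pooled_var = ((a["n"] - 1) * a["var"] + (b["n"] - 1) * b["var"]) / df
    se = math.sqrt(pooled_var * (1.0 / a["n"] + 1.0 / b["n"]))
    return (a["mean"] - b["mean"]) / se, df, pooled_var


def welch_t_test(a, b):
    """Two-sample t test assuming unequal variances (Welch), from summary statistics.

    Returns (t statistic, Welch-Satterthwaite degrees of freedom); the df is fractional
    and is what spreadsheets round to the integer shown in their output.
    """
    va, vb = a["var"] / a["n"], b["var"] / b["n"]
    se = math.sqrt(va + vb)
    df = (va + vb) ** 2 / (va ** 2 / (a["n"] - 1) + vb ** 2 / (b["n"] - 1))
    return (a["mean"] - b["mean"]) / se, df


def is_significant(t_stat, t_critical_two_tail):
    """Two-tailed decision: reject the hypothesis of equal means if |t| exceeds the critical value."""
    return abs(t_stat) > t_critical_two_tail


def compare_reporting_structures(a=CISO_TO_CIO, b=CISO_TO_OTHER):
    """Run both tests on the two reporting-structure groups and report each decision."""
    t_eq, df_eq, pooled_var = pooled_t_test(a, b)
    t_uneq, df_uneq = welch_t_test(a, b)
    return {
        "equal_variance": {"t": t_eq, "df": df_eq, "pooled_variance": pooled_var,
                           "significant": is_significant(t_eq, T_CRIT_EQUAL_VAR)},
        "unequal_variance": {"t": t_uneq, "df": df_uneq,
                             "significant": is_significant(t_uneq, T_CRIT_UNEQUAL_VAR)},
    }


if __name__ == "__main__":
    results = compare_reporting_structures()
    for name, r in results.items():
        print(f"{name}: t = {r['t']:.4f}, df = {r['df']:.2f}, significant = {r['significant']}")
```

The equal-variance run reproduces t = 1.0810 with df = 40 and the unequal-variance run t = 1.3838 with df of about 25.1; neither exceeds its critical value, which is the same conclusion the two tables reach.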
Summary
Data from the information security module of the Educause
CDS survey and publicly-accessible data from the Privacy Rights Clearinghouse were
analyzed to determine how the
CISO and similar positions relate in organization structure in
higher education. The data from
the security module of the Educause CDS survey included 471
institutions. The primary title of
the highest-ranking security officer was CISO (29%) followed
by CIO (26%). The survey used
multiple choice, multiple answer, and binary questions to gather
data.
Three Chi Square tests, a two-sample t test assuming equal
variances, and a two-sample t
test assuming unequal variances were used to evaluate the
relationships of the CISO within
organizational structure in higher education and its relation to
breach rate. The relationship
between the titles of the highest-ranking security officers and to
whom they report was analyzed
by a Chi Square test and found to be insignificant (X2 [2, N=
503] = 0.48, p > .05). A Chi Square
test also analyzed the relationship between titles of the highest-ranking security officer and time
on task. The results of this test were also insignificant (X2 [3,
N= 314] = 1.70, p > .05). The
final Chi Square test analyzed the relationship between the
CISO and the CIO as a cabinet-level
member. This test was found to be significant (X2 [2, N= 259] = 60.35, p < .001) and shows that
the CIO is more likely to be a member of the president’s cabinet
than the CISO.
Two t tests were utilized to determine if differences in number
of breached records were
present when a CISO reported to the CIO versus when a CISO
reported to another cabinet-level
officer. In the first t test, equal variances were assumed. The test was insignificant: the number of breaches that occurred when a CISO reported to a CIO (M = 22597.92) was greater than the number of breaches that occurred when a CISO reported to a different cabinet-level officer (M = 1216.37), but the difference was not significant (t [40] = 1.0810, p > .05). A t test assuming
unequal variances was also performed. While this test was
much closer to being significant, the
result (t [25] = 1.3838, p > .05) remained insignificant.
While the results of all but one of the tests are insignificant, the analyses do yield several conclusions. The title of the person administrating information security is not an overarching concern. A change in title is not likely to change the position of that role in organizational
structure. The CISO is much less likely to have a presence on
the cabinet than the CIO. The
lack of a CISO or similar role on the president’s cabinet could
affect information security by
reducing the level of information provided to the cabinet
members. There is a need for more
data about data breaches in higher education and their
relationship to reporting structure of the
CISO. While the t tests relating to organizational structure and
number of breached records were
insignificant, the conclusions showed a need for more data for
comparison. The practical implications of the analyses in this chapter and further suggestions for study are discussed in Chapter Five.
Chapter Five
Summary, Discussion, and Implications
Introduction
The purpose of this study was to research the position of the
CISO in higher education
organizational structure and how that positioning affects breach
rate. Additionally, the study
evaluated relationships between the CISO and the CIO and the
differences in their reporting
structure. The overall goal of this research was to expand other
studies about the CISO in higher
education that used factors other than position in organization
structure and potentially provide
higher education colleges and universities with data needed to
make informed decisions when
hiring and promoting the CISO. Brooks and Grama (2017)
stated that their research in higher
education has found that “no single measure of prevention is
enough by itself to prevent a
breach” (p. 8). This research can add another measure to
provide defense in depth for higher
education institutions.
The frequency at which data breaches occur in all industry
sectors, including higher
education, is rising and shows no slowing rate. Higher
education institutions are not immune to
data breaches. While research by Grama (2014) shows the
number of records per breach in
higher education is traditionally lower than other sectors, this
should not lull colleges and
universities into a false sense of security. A capable leader for
information security is necessary
to combat attacks with administrative and technical controls
that are applicable to the entire
organization.
Chapter Two provided an overview of literature related to the
history, importance, and
function of the CISO in all sectors. The overview also provided
a focus on the CISO in higher
education and the challenges faced in that sector. The need for
an effective leader at the helm of
information security in higher education is necessary for any
college or university (Brooks and Grama, 2017). This need provides the basis for this and
similar studies. As discussed in
Chapter Three, data from the information security module of the Educause Core Data Service (CDS) survey were paired with publicly-accessible data from the Privacy Rights Clearinghouse (PRC) and used to answer the research questions of this study. Chapter
Four provides a detailed analysis
of the data collection and research findings of this study.
Chapter Five presents the practical
significance and implications of the research results discussed
in Chapter Four along with the
limitations of the study and opportunities for further research.
Practical Assessment of Research Questions
This quantitative research was based on causal-comparative
design and was intended to
fill gaps in previous research pertaining to the CISO and
information security within higher
education. Four research questions were developed and used for
this study.
The first research question asked whether there is a relationship in reporting structure when a title other than CISO is used for the top-ranking security officer at a higher education institution. Two responses from the information security module of the Educause CDS were used: the title of the highest-ranking person responsible for information security and to whom that person reported. The chi-square test was configured to observe how the CISO or a similarly titled officer reported to the CIO or another high-level officer. The test results were not statistically significant, χ²(2, N = 503) = 0.48, p > .05.
These findings are not abnormal. Across all sectors of business, Karanja and Rosso (2017) found that a newly hired CISO was less likely to report to the CIO than to another high-level officer such as the CEO. However, for older CISO positions, they found that 63% of CISOs report directly to the CIO. The test results suggest that higher education may lag behind the trend in organizational structure for the CISO and CIO seen in other sectors. This would also not be abnormal, as research into the CISO and the advent of information security in higher education is lacking.
The second research question asked whether there is a relationship with time spent on task when a title other than CISO is used for the top-ranking security officer at a higher education institution. Two responses from the information security module of the Educause CDS were used: the title of the highest-ranking person responsible for information security and the associated time spent on task. The chi-square test was configured to observe whether the CISO or a similarly titled officer spent 100%, 80-99%, or less than 80% of job time on information security related tasks. The test results were not statistically significant, χ²(3, N = 314) = 1.70, p > .05.
According to Brooks and Grama (2017), the use of the CISO title in higher education is still rare. According to their research from 2014, only 34% of administrators in higher education information security devoted 100% of their time to that task, and only 32% of that group held the title CISO. The findings of this test mirror those of the earlier research from Brooks and Grama (2017). The test indicates that the title of the highest-ranking information security officer does not seem to affect time spent on task.
The third research question asked whether there is a relationship between the CISO or the CIO and serving as a member of the college or university president’s cabinet. Two responses from the information security module of the Educause CDS were used that provided the title of the
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lessonQUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group:Reusable Code ExamplesSPLICE Working Group:Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
 

Running head STUDY OF RANSOMWARE .docx

to access. The same advances that help users have helped the criminals, who keep changing their techniques faster than defenders can adapt, so that in most cases the attackers remain ahead in the fight against ransomware. The increase in ransomware attacks is also attributed to the growing number of people learning about computers, and to computer security professionals who, knowingly or unknowingly, share critical information that allows these malicious attacks to be carried out (Moschovitis, 2018).

Impacts Caused by Ransomware Attacks

Ransomware attacks cause devastating effects for both the individuals and the organizations that fall victim to them. The first impact is data loss. Losing data is never business as usual for an organization because of what that loss does to its development: a ransomware attack damages the host system, its files and its data, making it difficult for the organization to carry on with its business. Because of the data loss, continuing to operate becomes a difficult task. Loss of data also damages the company's reputation, since some of the lost information may be confidential information about customers; this is especially serious when hospitals are attacked.
Such a loss of data may even lead to the closure of the company because of the negative impact created in society. In addition, there is system downtime whenever such an attack takes place in an organization. Data is lost, and time must be spent getting the system running again; an enormous amount of time goes into rebuilding the entire system into a formidable one once more. The downtime therefore leads to further loss of the resources that would otherwise have gone into running the company and meeting its goals (Campbell, 2016).

The attack also costs the company resources such as time and money. This is especially so after an attack has been carried out and a ransom is demanded before the blocked services can be accessed again by the computer's user. Time is wasted in trying to reach an acceptable solution, and money is spent trying to resolve the situation. The attack therefore has a huge impact on the successful running of the organization, because a great deal of time is spent seeking a solution rather than pursuing the company's goals. Furthermore, once the company resumes operations it never recovers from the fear of being attacked again, which leaves everyone working in such an environment feeling insecure in the daily delivery of their duties.

The impacts described above have devastating effects on the effective running of an organization. Resources are wasted, and in the worst cases these impacts lead to the closure of the organization. Organizations therefore need to seek the best security measures available to ensure that such threats do not cause devastating impacts on society. This is all the more feasible because the fight against cybercrime has become more effective worldwide through the increase in training and education offered to individuals.
Management of Ransomware Attacks

There must therefore be a robust security measure that prevents attacks by modified ransomware variants on the information infrastructure, including variants that target Android devices. The method should be able to detect defects in the processing units and detect malicious attacks, and thereby help eliminate such attacks as quickly as possible, so that the organization can continue discharging its duties unaffected by the ransomware attacks that have become rampant in the world today. Managing the attacks will require incorporating some of the best modern tools in the fight against ransomware in the organization. The tools should be able to detect suspicious behavior while programs execute; a detection then calls for appropriate measures that lead to easy elimination of the threats posed by ransomware. Several measures are needed to ensure that ransomware attacks are managed well enough to prevent further damage to organizations.

The first is the installation of updated antivirus software throughout the entire business organization. Antivirus is only the first line of defense for the organization, within a multi-faceted management of security issues. The multi-faceted system should provide better technologies for managing security threats, such as firewalls, heuristics and behavior-based threat detection. Because technology keeps growing, this software must be kept up to date so that it does not become outdated and ineffective in identifying and managing ransomware attacks (Haber & Hibbert, 2017).

There is also a need to create internet usage awareness among users. Awareness among internet users is one of the ways in which security breaches can be prevented. The awareness should come through campaigns that stress not clicking on emails from senders they do not know. Internet users should answer a few questions before clicking on an email they receive: Do they know the sender? Is there a need to open the file? Was anything ordered from the purported sender? Answering such questions helps in managing security issues within the organization, because unsolicited attachments from unknown senders are the common phishing method used against unsuspecting employees, and checking for them is an effective way to prevent ransomware attacks.

Backing up data is another important aspect of managing data that can be used to protect the organization's database against ransomware attacks. There are various ways in which a system can be backed up, but there is always a need to settle on the security measure that best ensures effective management of ransomware attacks. Here, external storage of data is crucial: it lets the user prevent an attack on the data simply by keeping a copy at a separate external storage site, so that no harm is done to the organization's critical data. Whenever an attack takes place, no damage is done and the company can easily continue with its key activities unaffected (Vallabhaneni, 2019).

It is true that managing ransomware attacks has become a difficult task, largely because organizations get attacked in many different ways, especially with the increase in the number of computer experts in the world. However, there are robust security measures that ensure such incidents are managed effectively within organizations. This calls for the use of the most up-to-date anti-malware that detects and prevents such attacks on the organization. Threats have to be identified and dealt with at an early stage in order to prevent the huge impacts that follow once an attack has taken place.
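The management section above asks for tools that "detect suspicious behavior" using heuristics and behavior-based detection rather than signatures alone. The following is an added example of what such a behavioral check looks like in practice; it is not code from the paper or from any product it cites. It scores each process over a stream of file-activity events using three traits ransomware exhibits: a burst of high-entropy (encrypted-looking) writes to many distinct files, renames that change file extensions, and the dropping of a ransom-note style file. The event layout, the process names, the thresholds and the sample telemetry are all constructed assumptions for the example.

```python
"""Behavior-based ransomware detection over file-activity events.

Added example; not code from the paper or from any product it cites.
Event layout is a hypothetical file-audit export (EDR or file-server
auditing): (timestamp_seconds, pid, process_name, action, path, data),
where action is "write", "rename" (path is "old->new") or "create".
"""
import math
import os
from collections import defaultdict

RANSOM_NOTE_HINTS = ("decrypt", "readme", "recover", "restore", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: close to 8.0 for encrypted or compressed
    output, typically well below 6 for text and office documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_distinct_paths_in_window(times_paths, window: float) -> int:
    """Largest number of distinct paths touched inside any `window`-second
    span; sliding window over (time, path) pairs sorted by time."""
    best, start, seen = 0, 0, defaultdict(int)
    for t, path in times_paths:
        seen[path] += 1
        while t - times_paths[start][0] > window:
            old = times_paths[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def score_processes(events, window=30.0, min_files=10, entropy_threshold=7.0):
    """Apply three behavioral heuristics per process. Returns
    {pid: {"process": name, "score": int, "reasons": [...]}} for every pid
    that trips at least one heuristic. Thresholds are illustrative."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    results = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        score, reasons = 0, []

        # 1. Burst of high-entropy writes to many distinct files in a short window.
        hi = [(t, path) for t, _, _, action, path, data in evs
              if action == "write" and shannon_entropy(data) >= entropy_threshold]
        burst = max_distinct_paths_in_window(hi, window) if hi else 0
        if burst >= min_files:
            score += 3
            reasons.append(f"{burst} high-entropy writes to distinct files within {window:.0f}s")

        # 2. Renames that change the extension (q1.xlsx -> q1.xlsx.locked).
        ext_changes = 0
        for _, _, _, action, path, _ in evs:
            if action == "rename" and "->" in path:
                old, new = path.split("->", 1)
                if os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower():
                    ext_changes += 1
        if ext_changes >= min_files:
            score += 2
            reasons.append(f"{ext_changes} renames changed the file extension")

        # 3. Creation of a ransom-note style file.
        notes = [path for _, _, _, action, path, _ in evs if action == "create"
                 and any(h in os.path.basename(path).lower() for h in RANSOM_NOTE_HINTS)]
        if notes:
            score += 2
            reasons.append(f"ransom-note style file created: {notes[0]}")

        if score:
            results[pid] = {"process": evs[0][2], "score": score, "reasons": reasons}
    return results


# Constructed sample telemetry (not real captures). pid 4242 overwrites twelve
# spreadsheets with encrypted-looking bytes in under three seconds, renames
# them and drops a note; pid 1001 is an ordinary editor saving a document.
_ENCRYPTED = bytes(range(256)) * 4   # every byte value equally likely: entropy 8.0
SAMPLE_EVENTS = []
for i in range(12):
    doc = f"/srv/share/finance/q{i}.xlsx"
    SAMPLE_EVENTS.append((10.0 + i * 0.2, 4242, "svchost.exe", "write", doc, _ENCRYPTED))
    SAMPLE_EVENTS.append((10.1 + i * 0.2, 4242, "svchost.exe", "rename", f"{doc}->{doc}.locked", None))
SAMPLE_EVENTS.append((12.5, 4242, "svchost.exe", "create",
                      "/srv/share/finance/HOW_TO_DECRYPT.txt", b"pay to recover"))
for i in range(3):
    SAMPLE_EVENTS.append((20.0 + i * 5, 1001, "WINWORD.EXE", "write",
                          "/home/ann/report.docx", b"quarterly report text " * 40))

if __name__ == "__main__":
    for pid, hit in score_processes(SAMPLE_EVENTS).items():
        print(pid, hit["process"], hit["score"], "; ".join(hit["reasons"]))
```

The three traits are scored independently so that a single one (a backup tool also writes many high-entropy files) does not by itself raise an alert; the encryptor in the constructed sample trips all three and scores 7, while the editor scores nothing. In a real deployment the same logic would run over the file-audit stream continuously, and a high score would trigger the "appropriate measures" the section calls for, such as suspending the process and isolating the host.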
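The backup recommendation above relies on the external copy being intact when it is needed. A practitioner's caveat the paper does not spell out: ransomware that can reach a mounted backup share encrypts or renames the backup too, so a copy must be kept offline and checked before anything is restored from it. The following is an added example, not code from the paper, of the check: it records a SHA-256 manifest of the live data at backup time and later verifies the backup copy against that manifest, reporting files that were altered, are missing, or have appeared. The directory layout and file contents are constructed for the example.

```python
"""Integrity manifest for an external backup copy.

Added example; not code from the paper. Hashes every file under a backup root
into a manifest, and verifies a copy against that manifest before a restore,
so that a backup ransomware has already encrypted or renamed is detected
rather than restored. Paths and contents are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative path under `root` (posix separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_copy(manifest: dict, root: str) -> dict:
    """Compare the files under `root` with `manifest`. An encrypted-in-place
    file shows up as modified; a renamed one as missing plus unexpected."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Build a backup, verify it clean, then simulate ransomware reaching the
    backup share and verify again. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(live, "docs"))
        sample = {"docs/plan.docx": b"project plan", "ledger.csv": b"id,amount\n1,10\n",
                  "notes.txt": b"call vendor"}          # constructed contents
        for rel, body in sample.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(body)

        manifest = build_manifest(live)
        # The manifest travels with the offline copy, not on the network share.
        manifest_json = json.dumps(manifest, sort_keys=True)
        shutil.copytree(live, backup)
        clean = verify_copy(json.loads(manifest_json), backup)

        # Ransomware with write access to the backup share: one file is
        # overwritten in place (os.urandom stands in for ciphertext), another renamed.
        with open(os.path.join(backup, "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.rename(os.path.join(backup, "notes.txt"), os.path.join(backup, "notes.txt.locked"))
        tampered = verify_copy(json.loads(manifest_json), backup)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if the attacker cannot rewrite it along with the files, which is why it belongs with the offline copy (or on write-once media) rather than on the same share; verification before restore is what turns "we have a backup" into "we have a backup we can trust".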
References

Campbell, T. (2016). Practical Information Security Management: A Complete Guide to Planning and Implementation. New York, NY: Apress.

Haber, M. J., & Hibbert, B. (2017). Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations. New York, NY: Apress.

Moschovitis, C. (2018). Cybersecurity Program Development for Business: The Essential Planning Guide. Hoboken, NJ: John Wiley & Sons.

Vallabhaneni, S. R. (2019). Wiley CIA Exam Review 2019 Focus Notes, Part 3: Business Knowledge for Internal Auditing (Wiley CIA Exam Review Series). Hoboken, NJ: Wiley.

Discussion Rubric: Graduate

Your active participation in the discussion forums is essential to your overall success this term. Discussion questions are designed to help you make meaningful connections between the course content and the larger concepts and goals of the course. These discussions offer you the opportunity to express your own thoughts, ask questions for clarification, and gain insight from your classmates' responses and your instructor's guidance.

Requirements for Discussion Board Assignments

Students are required to post one initial post and to follow up with at least two response posts for each discussion board assignment.

For your initial post (1), you must do the following:
11:59 p.m. Eastern Time.
Thursday at 11:59 p.m. of your local time zone.
other discussion boards from the current module and previous modules, when appropriate.
peer-reviewed sources to support your discussion points, as appropriate (using proper citation methods for your discipline).

For your response posts (2), you must do the following:
two different classmates outside of your own initial post thread.
at 11:59 p.m. Eastern Time.
Sunday at 11:59 p.m. of your local time zone.
agree" or "You are wrong." Guidance is provided for you in each discussion prompt.
Critical Elements (scored Exemplary, Proficient, Needs Improvement, or Not Evident; value in points)

Comprehension (20)
  Exemplary (100%): Develops an initial post with an organized, clear point of view or idea using rich and significant detail.
  Proficient (90%): Develops an initial post with a point of view or idea using appropriate detail.
  Needs Improvement (70%): Develops an initial post with a point of view or idea but with some gaps in organization and detail.
  Not Evident (0%): Does not develop an initial post with an organized point of view or idea.

Timeliness (10)
  Submits initial post on time (100%).
  Submits initial post one day late (70%).
  Submits initial post two or more days late (0%).

Engagement (20)
  Exemplary (100%): Provides relevant and meaningful response posts with clarifying explanation and detail.
  Proficient (90%): Provides relevant response posts with some explanation and detail.
  Needs Improvement (70%): Provides somewhat relevant response posts with some explanation and detail.
  Not Evident (0%): Provides response posts that are generic with little explanation or detail.

Critical Thinking (30)
  Exemplary (100%): Draws insightful conclusions that are thoroughly defended with evidence and examples.
  Proficient (90%): Draws informed conclusions that are justified with evidence.
  Needs Improvement (70%): Draws logical conclusions.
  Not Evident (0%): Does not draw logical conclusions.

Writing (Mechanics) (20)
  Exemplary (100%): Initial post and responses are easily understood, clear, and concise, using proper citation methods where applicable with no errors in citations.
  Proficient (90%): Initial post and responses are easily understood, using proper citation methods where applicable with few errors in citations.
  Needs Improvement (70%): Initial post and responses are understandable, using proper citation methods where applicable with a number of errors in citations.
  Not Evident (0%): Initial post and responses are not understandable and do not use proper citation methods where applicable.

Total: 100%

Running head: THE CISO IN HIGHER EDUCATION
The Chief Information Security Officer in Higher Education: How Organizational Structure Affects Breach Rate

A paper submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Ph.D.) in Information Technology

by Justin O. Hensley, B.S., MBA, M.S.
University of the Cumberlands
Acknowledgments

Nothing will work unless you do. (John Wooden)

As a senior in high school, I took a walk through the Kingsport Press with my father, who would put 38 years of hard work into that company. My father had opportunities to go to college but stayed home to work and take care of his mom and siblings. My mother came from a large family and did not have the resources to go to college. As we walked the concrete floor of that old factory, my father simply asked whether I wanted to continue my dream of working in technology or if I wanted to come work with him in the factory. He knew the answer, but he used the question as an encouragement for me to continue to college and get my degree. As a first-generation college student, I do not take lightly the responsibility to make my family proud and to encourage my children and generations to come in the importance of education. I owe a debt of gratitude to my parents for sacrificing to ensure I had opportunities that they did not.

A heartfelt thank you goes out to Dr. Jennifer Simpson and all the faculty of the Graduate School and the School of Computer and Information Sciences at the University of the Cumberlands for their wisdom and expertise as we have walked through this journey together. I am especially grateful to my dissertation committee chair, Dr. Charles Lively. As an undergraduate student at the Cumberlands, I never dreamed that I would have the opportunity to continue my education through to a terminal degree. Each professor along the way has provided a unique viewpoint which has helped to shape this dissertation. I would also be remiss in not thanking the students I have had the opportunity to teach and mentor over the years, as they also provided valuable insight from their research.

The only reason I can format a proper sentence or comprehend the structure of the English language is because of my high school English teacher, Mrs. Strickland. Thank you for always pushing me to learn more and showing me that I was capable of more than I ever thought or imagined. I still have my blue English Composition Handbook, and it still comes to mind often. Thank you also to Mrs. Reed, who taught me to think using the scientific method. Thank you to all the other faculty and staff at Cedar View Christian School who helped to shape my mind to prepare for future education.

To the many friends, family, and colleagues that have supported me throughout this journey, I say thank you as well. Your texts, visits, and notes of encouragement have not been in vain. There is one person who has pushed me more than anyone else to be the best I can be. Dr. Donnie Grimes, thank you for being my mentor, my confidant, my leader, and my friend. You helped me get my first job, encouraged me to continue my education and training, and provided me with an atmosphere to grow in my career. Your consistent friendship and guidance are invaluable.

Most importantly, this dissertation is dedicated to my wife, Lisa, and our four boys: Micah, Kevin, Caleb, and Luke. They have sacrificed their time to ensure I could complete this journey. Lisa has been at my side the whole way through and has pushed me to the end of this trek. I thank God for you all and I love you.

Abstract

The topic of information security is on the rise in all sectors of business. Higher education is not immune to attacks against student and employee data. While all sectors are at risk of loss from a security event, higher education could encounter irreversible reputational consequences affecting donor giving and student applications (Grama, 2014). A properly positioned Chief Information Security Officer (CISO) in colleges and universities may help to create controls to mitigate data breaches. Therefore, this study evaluated relationships between the CISO and similar information security officer titles in higher education related to reporting structure, time on task, and membership on the president's cabinet. Additionally, this study evaluated the differences in breach rates in higher education related to CISO reporting structure. The results of this study revealed that the CISO is more likely to report to the Chief Information Officer (CIO) than to any other high-level officer. The study also revealed that there is not a significant difference in breach rate based on CISO reporting structure in higher education. However, the limited data and research in this area lend this topic to further study.
Table of Contents

Title Page
Approval for Recommendation
Acknowledgments
Abstract
Table of Contents
List of Figures and Tables
Chapter One: Introduction
  Overview
  Background and Problem Statement
  Purpose of the Study
  Research Questions
  Limitations
  Assumptions
  Definitions
  Summary
Chapter Two: Review of the Literature
  Introduction
  The History of Information Security
  The Evolution of the CISO
  The Position of the CISO in Organizational Structure
  Data Breaches and Effects
  Information Security in Higher Education
  Comparison of Data Breaches in Higher Education and Other Sectors
  Literary Gaps
  Summary
Chapter Three: Methods and Procedures
  Introduction
  Research Paradigm
  Research Design
  Data Collection
  Data Analysis Techniques
  Summary
Chapter Four: Research Findings
  Introduction
  Participant Demographics
  Analyses of Research Questions
    Question One
    Question Two
    Question Three
    Question Four
  Summary
Chapter Five: Summary, Discussion, and Implications
  Introduction
  Practical Assessments of Research Questions
  Limitations of the Study
  Implications for Future Study
  Summary
References
Appendix A: Educause CDS Survey Demographics Chart
Appendix B: Educause CDS Survey Questions
Appendix C: IRB Approval Letter
Appendix D: Educause CDS Survey Contract
Appendix E: Privacy Rights Clearinghouse Data Use Permission
Appendix F: Raw Data for t tests

List of Figures and Tables

Figure 1: Verizon 2018 DBIR: Summary of Findings
Figure 2: Industry Sectors in PRC Data
Figure 3: Steps for Data Protection
Figure 4: Educause CDS Survey Demographics
Table 1: Chi Square for Relationship of Reporting Structure
Table 2: Chi Square Relationship Between Title and Full Time Percentage
Table 3: Relationship Between CISO and CIO as Member of President's Cabinet
Table 4: Difference Between Number of Records Breached and Reporting Structure
Table 5: Difference Between Number of Records Breached and Reporting Structure

Chapter One: Introduction

Overview

Information security and its relationship with information technology (IT) and business have changed drastically in the last decade. With this change has come the need for a high-level officer to manage the threats and risks associated with today's connected world. In the health care industry alone, over ninety percent of IT managers found vulnerabilities that could be exploited by insider threats (Alexander & Cummings, 2016). Businesses have seen, and continue to see, the need to create an office for information security.
Information security in higher education is a mostly unexplored realm. Colleges and universities see the need to protect their student and employee data but do not have a good understanding of how to organize and manage an information security office. Higher education hiring managers and CEOs need guidance on placing a security officer within the proper organizational structure to provide security across the institution.

Background and Problem Statement

While all industries are subject to the exploitation of vulnerabilities by cyber threat agents, the education sector (specifically higher education) has seen an alarming increase in cyber-attacks that attempt to obtain personally identifiable data of students and employees. From 2005 to 2014, educational institutions in the US suffered 727 breaches involving more than 14 million records (Grama, 2014). While the number of records affected per breach is lower than in most industries, the breach rate and records affected increased 7% year over year in the 2005 to 2014 study (Brooks & Grama, 2017). Research shows that delegating security initiatives and responsibility to an individual in the institution can provide better communication and security (Brooks & Grama, 2017). Research also shows that the position of this individual within the institution's organization chart could affect breach rate (Higgs et al., 2016). Studies across multiple industries show the need for the chief information security officer (CISO) or equivalent to act as the individual responsible for security. Much research also describes the responsibilities and characteristics of the typical CISO (e.g., Ashenden & Sasse, 2013; Kouns, 2014; Karanja & Rosso, 2017; Whitten, 2008). However, research relating to higher education and the CISO or equivalent is uncommon. While research by Wilson (2016) indicates the need for better security training within higher education institutions, it does not review the position of the CISO or equivalent and the associated breach rate. Brooks and Grama (2017) review breach data and specifically relate it to the title of the CISO or equivalent, but do not look directly at the organizational chart position of that leader. Given the scarcity of research on the position of the CISO or equivalent and the relationship between that position and breach rate, this study is an obvious next step beyond the research completed by Brooks and Grama (2017). This new research provides higher education institutions with the information needed to make informed decisions on the placement of information security professionals within the organizational structure.

Purpose of the Study

This study analyzes the position of the CISO or equivalent within the higher education institution's organizational structure and any relationships between that position and the number of known breaches. Multiple possible positions are considered, including the CISO or equivalent reporting to the board of directors, CEO, CIO, CFO, CRO, or another officer.

Research Questions Answered in the Study

The study answers the following research questions:
1. Is there a relationship between the title of the highest-ranking person in charge of information security and to whom they report?
2. Is there a relationship between the title of the highest-ranking person in charge of information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in having cabinet-level membership?
4. Is there a difference in the number of records breached and the reporting structure of the CISO or equivalent title?

Limitations

Notwithstanding the efforts of this researcher, some results of the study may be affected by the following limitations:
1. The data provided to Educause via the CDS survey is self-reported and may contain errors due to respondent error.
2. A database containing breach data directly associated with college and university information security statistics is not available; therefore, data was combined from two separate sources for this purpose. The results may be skewed as part of this process.
3. This research is limited to the higher education sector.

Assumptions

As part of this research, several assumptions are made:
1. Participants answered the survey honestly.
2. Educause and the Privacy Rights Clearinghouse properly reported the data as it was provided.
3. Since research in this area for higher education is sparse, industry norms have been applied to higher education for certain perspectives.
4. The title of the individual in charge of information security may vary (e.g., CISO, Director of Information Security, Information Security Officer, Information Assurance Officer, etc.).

Definitions

The following definitions were used in the study:

Chief Information Security Officer: "An executive specifically hired to be in charge of the IT security function" (Karanja & Rosso, 2017, p. 24).

Data breach: "A compromise of the confidentiality, integrity, or availability of sensitive information" (Waddell, 2013, p. 16).

Information security: "Deals with the entire infrastructure, organization, personnel, and components that collect, process, store, transmit, display, disseminate, and act on information" (de Leeuw et al., 2007, p. 2).
  • 30. Summary This chapter provides the background of the study, research questions, problem statement, limitations, assumptions, and definitions of key terms. As data breaches continue to increase across all sectors of business, it is important for the higher education community to understand the controls necessary to mitigate risks associated with attacks by threat agents. While there is no silver bullet that controls all data breaches, higher education officers should desire to hire information security professionals who understand the current risk climate and can protect the institution from harm (Brooks & Grama, 2017). Very little research has been completed on the position of the CISO within higher education organizational structure and its effect on breach rate. Therefore, the purpose of this study was to analyze the position of the CISO or equivalent with in the higher education institution’s organizational structure and any relationships with that position to the number of known breaches. The results of this study will
  • 31. assist higher education officers and boards as they hire information security personnel, specifically the CISO. The following section provides a review of the literature that supports the need for this study. Specifically, it focuses on the history of information security, the evolution of the CISO, the position of the CISO within organizational structure, data breaches and their effects, information security in higher education, differentiation of breaches in higher education and other sectors, and literary gaps. THE CISO IN HIGHER EDUCATION 6 Chapter Two Review of the Literature Introduction Information security is a rather new topic in the history of computing and technology. While the use of modern computing technology to modify raw data into information has been a staple of the business economy since the 1960s, the need to secure data from would-be attackers
  • 32. has only entered mainstream news in the last two decades. Securing personal data and ensuring the privacy of customers has become a top priority for businesses across all sectors. With this increased need to secure data has also come the need for specific persons inside the organization to be responsible for that task. Although these officers may have different titles, most often the office is directed by the chief information security officer (CISO). The higher education sector is not as forward thinking as other sectors in this matter, but the need to secure student and employee data at these institutions still exists. Unfortunately, research focusing on information security within higher education and other sectors is sparse at best (Karanja & Russo, 2017). Throughout this chapter, various facets of information security are discussed to lead to an understanding of the need for further research in information security. The topics include the history of information security, the position of the CISO within organizational structure, data
  • 33. breaches and their effects, information security within higher education, differentiations in breaches within higher education and other sectors, and current literary gaps relating to these topics. This review begins with an overview of the history of information security.
    The History of Information Security
    Securing data began long before the information age. An early example of information security can be found in 17th century Dutch history before William III became King of Britain. In this piece of history, William III was able to intercept and decrypt encoded messages between the Dutch and the French in order to gain important intelligence about the impending war. Cryptography and other methods of securing information can be traced back to civilizations of the ancient world, including the Roman Empire and the Caesar cipher (de Leeuw & Bergstra, 2007). The era of modern information security began in 1918 when
  • 34. Polish cryptographers created the Enigma machine. During World War II, the Enigma machine was used by the Germans to encrypt communications and was eventually broken by the work of mathematician Alan Turing in 1930. As the information age began to grow in the 1960s, the United States Department of Defense created ARPANet, the beginning of our modern internet. Not long after, in the 1980s, cyberattacks on internet entities began to develop. Famous cyberattackers such as Ian Murphy (stole information from military machines), Robert Morris (the Morris Worm), and Kevin Mitnick (committed the largest computer-related crime in United States history) became known in the 1980s and 90s (Daya, 2013). Although the sophistication of cyberattacks has changed over the years, the types of attacks have not greatly changed. The Privacy Rights Clearinghouse classifies attacks leading to data breaches using eight categories: payment card fraud, unintended disclosure, hacking or malware, insider, physical loss, portable device, stationary device, or unknown/other. Methods
  • 35. such as social engineering are prevalent in all these types of attacks. One author defines social engineering as “a hacker’s clever manipulation of the natural human tendency to trust” (Granger, 2001, p.2). Once an attacker can gain information from the unwitting user, they can then begin to gain access into their system and other systems that may have access to personally identifiable information (PII). Cyber terrorism, cyber war, and other cyber threats are now mainstream events in technology and information security. Lewis (2002) defines cyber terrorism as “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.” While terrorism is not a new topic, the ability to use technological resources to disable infrastructure is a rather new paradigm. A full-on attack of infrastructure may only be
  • 36. feasible for nation-states looking for an act of war. Lewis (2002) also notes other “annoyances” that can be achieved by targeted cyber attacks:
    A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. E-mail service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage. None of its 114 factories stopped, according to the automaker. Computerized engineering blueprints and other technical data were unaffected. Ford was still able to post information for dealers and auto parts suppliers on Web sites that it uses for that purpose.” Companies now report that the defensive measures they have taken meant that viruses that were exceptionally damaging when they first appeared are now only “nuisances.” (p.7)
    Entire government agencies such as the Central Intelligence Agency (CIA) and the National
  • 37. Security Agency (NSA) in the United States and the Joint Intelligence Organization (JIO) in the United Kingdom are tasked with counter-terrorism in the cybersecurity realm. As information security has matured over the years, many standards and guidelines have been created by private, public, and federal entities alike. The Office of Standard Weights and Measures, created in 1824 long before the modern information security age, eventually morphed into the National Bureau of Standards (NBS) in 1901. In the 1950s, the NBS began to take on more digital computing work and became the primary computer security standards setting body for the United States federal government in 1965. The NBS changed names in 1990 to the National Institute of Standards and Technology (NIST) and continues to be the primary provider of information security standards and guidelines today (de Leeuw & Bergstra, 2007). The NIST specifically provides standards and guidelines for information
  • 38. security and privacy controls in the SP 800-53 publication “Security and Privacy Controls for Federal Information Systems and Organizations”. While entities outside of federal space are not required to follow these standards, they provide a baseline for information security professionals to begin to secure their environment. For the information security professional, the history of information security shows the brevity of the future for the industry. De Leeuw and Bergstra (2007) make this final comment in their conclusion on the history of information security:
    While security products abound and leading ones create some degree of standardization, the reality that no product or system is impenetrable becomes all the more clear. Increasing the dialog about the historically subverted topic of computer security, both publicly, and when necessary, in closed settings such as leading international corporations becomes all the more important. (p.619)
    The Evolution of the CISO
  • 39. Historically, the CISO has not held an executive-level position in organizations. The creation and promotion of security professionals within organizations has largely been driven by increased breach rates across all business sectors. Target, a major international retailer, encountered a major breach in 2013 that affected over 70 million customers’ personally identifiable information (PII). Target hired its first CISO after the major breach. Neiman Marcus, another retailer, also encountered a breach in 2013 and hired its first CISO after the breach (Karanja & Russo, 2017). Information security was originally the responsibility of all employees. Businesses expected employees of each unit to understand their data and how and when to protect it. While it is important that every employee realizes they are responsible for the security of company data, this model did not allow for a single person to have primary responsibility over information
  • 40. security practices or for the organization to have a budget for securing data. Additionally, information security in this model is distributed and not centralized, making organization-wide decisions challenging. Due to these difficulties, information security eventually migrated into the information technology (IT) office. Information security officers (ISOs) were hired to review the security of company data and work with access controls. Mainly, these ISOs were IT professionals with network and/or systems administration skills. As the role of the ISO matured, technical skills became insufficient for the role and the CISO title became more prevalent. Instead of just being concerned with technical and operational controls such as firewalls and access control devices, the CISO now gained responsibility for organization-wide strategic functions (Kouns, 2014). The road to the CISO role is not one without struggles. Karanja and Russo (2017) “found that CISOs struggle to gain credibility in their organizations due
  • 41. to perceived lack of power, confusion about their role identity, and their inability to engage effectively with company employees” (p. 28). One reason for the lack of credibility was the need for a new skillset for the ISO moving to the CISO role. Increased management and soft skills are new requirements for this transition. However, the CISO still needs to consume and digest relevant technological information. According to Whitten (2008), the CISO must have a combination of these skillsets and “should first think of themselves as business professionals and secondly as security specialists” (p.15). In his 2008 research, Whitten found that 58% of CISO job listings required management duties. Management duties were bookended by the ability to oversee IT security policy at 78% and IT security education at 42%. Continuing education for security professionals is both necessary and required in most businesses. Professional certifications such as the Certified Information Systems Security
  • 42. Professional (CISSP), the Certified Information Systems Auditor (CISA), and the Certified Information Security Manager (CISM) are common requirements for CISO roles (Kouns, 2014). Additionally, more advanced management certifications such as those offered by the SANS Institute and the EC-Council Certified Chief Information Security Officer certification are a plus for those looking to obtain a CISO role. Higher education is taking a more practical role in CISO and other security professional education as well. Degrees in information assurance, information security, and cybersecurity are offered online by several colleges and universities throughout the United States and provide working professionals the opportunity to complete varying levels of degrees while continuing to protect their organization. The newest CISO candidates must be seen as credible by their organization, its employees, and its stakeholders. While writing about critical success factors for the CISO in 2016, Klimoski narrowed this credibility factor into four areas: being seen as trustworthy, creating confidence,
  • 43. having a good track record, and building an extensive professional network. These credibility factors lead to a CISO who “exhibits skills listening to executives’ needs and matching them to information security objectives” (Klimoski, 2016, p.15). When these critical success factors are matched with soft skills, the CISO can communicate effectively at all levels of the organization. Looking back to Whitten’s (2008) research, 61% of CISO job listings required communication skills as required background experience. Those skills were only trumped by IT security skills at 71%, and were followed by system experience, leadership skills, and investigative experience. Today’s CISO is a researcher, technician, visionary, and leader. Alexander and Cummings (2016) state that the “CISO has to keep up with the breakneck speed of technological change, and also have a Herculean aptitude for leading courageously, moving nimbly, and understanding the right level of risk needed to make an
  • 44. organization safe while still innovating” (p.12). Kouns (2014) sums up the role of today’s CISO:
    Realistically, the odds are against the CISO; even if the CISO can control all technology-related risks, hackers can take advantage of the human factor— the employees, vendors, and customers who sometimes fail to heed the advice of the CISO and place the organization at unnecessary risk. (p.57)
    The Position of the CISO within Organizational Structure
    While literature on the CISO is scarce, several pieces of literature focus on the position of the CISO within the corporate structure. As learned in the previous section, the CISO comes from a historically technical background. Other popular backgrounds of the CISO can include previous business leaders and/or political leaders (Alexander & Cummings, 2016). Often, the technically adept CISO finds difficulty migrating to an executive-level position as they are required to “broaden their approach” to cybersecurity initiatives beyond just looking at the technological solution (Alexander & Cummings, 2016).
  • 45. Literature reveals several possible combinations for the CISO reporting structure: chief executive officer (CEO), chief information officer (CIO), chief financial officer (CFO), chief risk officer (CRO), board of directors, and others. Since information technology and information security have historically been the responsibility of the CIO, many of today’s CISOs report directly to the CIO. According to a study from Karanja and Russo (2017), CISOs in newly created positions are more likely to report to the CEO than the CIO. A disturbing problem results when the CISO reports to the CIO. The CIO is responsible for the continuation and efficiency of IT operations within the organization. The CISO is responsible for the security of all organizational assets as they pertain to data and information. These initiatives often come in conflict with one another (Karanja & Russo, 2017). Similarly, the role of the CIO has not been immune to the issues of
  • 46. reporting structures. Banker et al. (2008) found that less than 5% of CIOs reported to the chief operating officer (COO) while most reported to either the CFO or CEO depending on the business type. Businesses with a cost-leader strategy often had the CIO report to the CFO. Just as in the case with the CISO reporting to the CIO, the CIO reporting to the CFO often hampers the CIO in making necessary business decisions because of cost factors. Even with all the current research, Karanja and Russo (2017) state that “there is little consensus regarding who the CISO should be reporting to” (p.23). Organizational structure can also affect how employees see the CISO as both a leader and a change agent. Ashenden and Sasse (2013) completed a study that reviewed the effectiveness of the CISO and stated that “there has been little information security research that helps us to understand the impact of the CISO on organizational change” (p.2). As part of their research, the position of the CISO within the organizational structure was identified. The researchers found
  • 47. that the CISO needs to “develop an identity within the organization where they are seen to help employees discuss, and make decisions about, information security” (p.17). In order to maintain this identity, the CISO should maintain a position of authority over information security policy across the organization. The reporting structure of the CISO is different among industries. Kouns (2014) finds that “while regulated industries, including financial services, recognize the benefits of an independent CISO reporting to a chief risk officer, some industries, notably higher education, continue to place the CISO in the IT department under the direction of the CIO” (pp.55-56). The author also points out that some information technology and information security experts do not believe that organization placement matters at all, while others believe the CISO should report to the CEO or work in conjunction with the CIO on security matters. The author
  • 48. goes on to state that “in the author’s experience, placement of the CISO function is very dependent on the type of business and overall security knowledge of the organization” (pp.56-57). The relationship between the CISO and the organization’s board is of importance. Higgs et al. (2016) found that there is a significant relationship between board-level technology committees and reported security breaches. Kouns (2014) found that only 8% of CISOs report directly to a board, while only 14% report to a CEO. The ability for the CISO to have visibility across the organization is paramount. Karanja and Russo find that “CISOs struggle to gain credibility in their organizations due to a perceived lack of power, confusion about their role identity, and their inability to engage effectively with company employees” (p.27). The authors continue to state that “the review of the existing literature on the position of CISO reveals a lack of clarity regarding the role of the CISO in the organization, as well as a lack of consensus as to where CISOs in general should report in the
  • 49. organization” (p.29). In order for the CISO to be found as an agent of change, research must continue in this area.
    Data Breaches and Effects
    Mainstream news is riddled with reports of data breaches across all sectors of business. At the time of Grama’s (2014) research, the Privacy Rights Clearinghouse documented over 4,200 breaches in the United States. Shockingly, over 850 million records were affected as part of those breaches. According to research found by Waddell (2009), 90% of US-based businesses are affected by a data breach annually and 74% of United Kingdom (UK) businesses reported a data breach in 2004. While these statistics seem staggering, they continue to grow. As of March 14, 2019, the Privacy Rights Clearinghouse documented 9,094 data breaches since 2005 with over 11.5 million records affected. With this growth, the reality
  • 50. of a breach is not “if” it occurs but “when” it will occur. The Verizon Data Breach Investigations Report was first published in 2007 and has since provided an annual “state of the union” for cybersecurity and the state of breaches across all sectors. According to the 2018 report, over 53,000 incidents and 2,216 confirmed data breaches are included in the report. The 2018 report summarizes the findings as seen in Figure 1. Notable items in the summary include that 73% of breaches were perpetrated by outsiders and 50% were operated by organized criminal groups. Additionally, while only 14% of breaches affected public sector entities, 58% of breaches targeted small businesses. Lastly of note, 68% of breaches took more than two months to discover.
    Figure 1. Verizon 2018 DBIR: Summary of Findings
  • 51. The Verizon DBIR also gathers more detailed information on the types of attacks that lead to breaches. Denial of Service (DoS) attacks topped this list with more than 21,000 incidents in the breach report. According to the 2018 report, a DoS attack is “intended to compromise the availability of networks and systems. Includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service” (p.23). Other incidents that made the top five included loss of data, phishing, misdelivery of data, and ransomware. Loss and misdelivery are directly associated with user error. The report states that “over half of the breaches in this [miscellaneous errors] pattern were attributable to misdelivery of information—the sending of data to the wrong recipient. Misconfigurations, notably unsecured databases, as well as publishing errors were also prevalent” (p.24). One mitigation to breaches is policy, which is administered by the CISO. While policy is
  • 52. not the only mitigation for breaches, it is a first step to ensuring the security of company data. Brooks and Grama (2017) concluded in their research on higher education data breaches that “information security is an institutional issue and must be addressed from an institutional perspective, not from a silo. An institutional policy based on recognized best practices sets the foundation for improving the institution’s information security posture” (p.7). Along with a general information security policy, an incident response policy is also recommended. The incident response policy should identify roles for information security personnel and be tested and reviewed annually. Personnel should also know how to handle breach incidents and how to follow proper digital forensics procedures along with contacting and communicating with law enforcement (Brooks & Grama, 2017). While breaches of PII always lead to a financial cost, Wilson (2016) points to an additional and possibly more worrisome loss of consumer confidence. Consumers are less likely
  • 53. to associate with an organization that has a public breach. Higgs et al. (2016) conclude their research on security breaches with the understanding that “security breaches are costly to firms and the cost continues to increase. Firms are increasingly recognizing this phenomenon and considering governance mechanisms in response” (p.94). Governance mechanisms of this type can include board-level committees (Higgs et al., 2016). Designation of a CISO or equivalent role is also a mechanism for reducing breaches. Brooks and Grama (2017) point out that the CISO should be an “effective leader who can communicate information security issues across the institution is essential for information security program success” (p.7). The Verizon DBIR (2018) sums up breach mitigation:
    Attackers are constantly developing new tactics to help them access your systems and data. But what’s clear from our research is that too many organizations continue to make
  • 54. their job easy. Some companies are failing to take the most basic of security measures like keeping anti-virus software up to date or training staff on how to spot the signs of an attack. (p.7)
    Information Security in Higher Education
    While little research has been completed on information security and the CISO in general across all sectors, research in the higher education sector is especially lacking. Public opinion and news media concerning breaches and other information security and privacy issues have been primarily focused on the private sector. Recently, the spotlight has widened to include both public and private educational institutions (Culnan & Carlin, 2009). Higher education was founded in academic freedom, creativity, and openness; all of which are antonyms of data security and privacy. Waddell (2013) studied the effect of policies on breaches in higher education. In this unique study, Waddell points out that “colleges and universities face the same types of privacy and security challenges as other types of
  • 55. businesses” (p.25). Sales, donations, online portals, and the transfer and storage of PII are common and necessary in higher educational institutions. Culnan and Carlin (2009), along with Waddell (2013), emphasize that, while other business sectors may keep data for a pre-determined period, higher education often retains records indefinitely. It is the opinion and experience of this researcher that it is not unusual for these records to be stored in multiple physical locations both on-premises and in the cloud. Many of today’s systems are Software-as-a-Service (SaaS) or even Infrastructure-as-a-Service (IaaS), which are designed to provide resources to higher education institutions without the need for major on-premises datacenter operations. Moving data to the cloud via SaaS or IaaS can provide cost savings over time, but data security risk must be assessed prior to this decision. Academic freedom and creativity provide security challenges for higher education
  • 56. information security professionals. In their research into online privacy practices in higher education, Culnan and Carlin (2009) state that “academic departments often operate their own servers and run their own Web sites. Individual faculty, students and student organizations also have personal Web sites that run on department servers or servers managed by the school” (p.126). This decentralized environment produces a breeding ground for insecure data and makes policy implementation difficult. Implementation of well-formed and actionable security policies is paramount in these scenarios (Waddell, 2013). Colleges and universities are required to comply with several federal regulations regarding the security and privacy of both employee and student data. The Family Educational Rights and Privacy Act of 1974 (FERPA) pertains to educational entities that receive federal funding via the Department of Education. Beaudin (2015) writes the following in a legal overview of the data covered by FERPA:
    The information covered includes education records, defined as records that “contain
  • 57. information directly related to a student” and are maintained by the educational institution. Additionally, directory information is covered, defined as information “that would not generally be considered harmful or an invasion of privacy if disclosed.” Because directory information is not harmful, all that is required of a covered college or university is “public notice of the categories of information which it has designated as such information.” (p.673)
    In this legal research, Beaudin also found that the use of cloud services (e.g. SaaS and IaaS) and other online educational services can be of interest in FERPA cases. At the time of Beaudin’s research, the Department of Education had provided little direction for FERPA as it relates to cloud computing other than providing that educational institutions must have direct control over any third party which uses or processes its PII. Beaudin states that “it will be important for
  • 58. colleges and universities to assess each online service and determine whether to notify students and identify the information, if any, that falls under FERPA” (p.674). In addition to FERPA, many colleges and universities are required to abide by regulations in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to Beaudin (2015), “HIPAA focuses on health insurance portability and on the prevention of health care fraud and abuse by adoption of standards and requirements for electronic transmission of health information” (p.667). Higher education institutions which provide healthcare for anyone besides their own students in any capacity are considered a covered entity by HIPAA. Institutions may be exempt if they only provide medical services to students, as this data would fall under FERPA instead of HIPAA. Covered entities are required to provide safeguards for sensitive data including administrative, physical, and technical controls. HIPAA also institutes monetary penalties for data breaches that can range from $100 to $1,500,000 depending on the severity of
  • 59. the incident. According to research by Beaudin, two universities have recently encountered breaches that have resulted in fines: Idaho State University ($400,000) and Columbia University ($1,500,000). Higher education institutions may also fall under the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999. According to Beaudin (2015), higher education institutions can fall under GLBA and the Federal Trade Commission (FTC) when they “participate in financial activities, such as making federal loans” (p.677). The Safeguards Rule of GLBA requires institutions to have an information security program designed to guarantee the privacy of customer data. Additionally, the FTC Red Flags Rule requires colleges and universities that disburse federal financial aid to be able to identify, detect, and respond to breach attempts.
  • 60. The intended effect of these regulations on higher educational institutions is to force the use of good policies and procedures for information security. Higher education entities are not so different from other sectors. Every college and university has customers (students) who are purchasing a service (education) from a business that maintains employees. Additionally, the consequences of failure in information security in higher education are like those of any other business sector. Grama (2014) states: “Particularly important for higher education institutions are reputational consequences, which could result in a loss of alumni donations and even a reduction in the number of students choosing to apply to or attend the institution” (p.1).
    Comparison of Data Breaches in Higher Education and Other Sectors
    In an earlier section on data breaches, information was presented from the Privacy Rights Clearinghouse (PRC) for all sectors. In addition to breach type, the PRC also breaks down breaches by organization type (see Figure 2). Grama (2014) pulled PRC data from 2005-2014
  • 61. for research on breaches in higher education.
    Figure 2, Grama (2014)
    Grama’s research found that, while education had a larger number of breaches than all other sectors except healthcare, the average number of affected records exposed per breach was lower than in any other sector. Grama provided a possible explanation for this phenomenon.
    Many speculate that higher education’s culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization’s ability to be competitive in that industry. In these instances, a breach may only be reported when it is required by a law or some other regulation, and even then, only when the breach circumstances clearly fall within the purview of the underlying
  • 62. regulation (p.6).
    Higher education is a unique situation for breaches compared to other industries. Most other industries are heavily regulated. Higher education, however, has historically provided a more open and collaborative environment based on research and information sharing. Decentralization of data is common in colleges and universities and makes it a struggle for information security and information technology personnel to control PII (Patton, 2015). Additionally, many larger universities provide medical services and often have an entire medical hospital overseen by the institution. Adherence to regulations and proper compliance is vital in all these scenarios (Beaudin, 2015). While there are differences between higher education breaches and those of other sectors, there are also many similarities. Colleges and universities must utilize administrative, physical, and technical controls to protect PII. As explained earlier in this research, the NIST provides standards for information security policies and procedures that
  • 63. meet and exceed current regulations. Patton (2015) provides research from Casey O’Brien that specifies four steps every college and university should take to protect its data (see Figure 3). Of these objectives, understanding that a data breach is a question of “when” and not a question of “if” is of importance.
    1) Prioritize academic objectives and figure out the institution’s risk tolerance
    2) Make sure the college has a proactive security plan
    3) Prepare for the inevitable: you are going to be attacked
    4) Promote a culture of security within the college
    Figure 3, Patton (2015)
    Literary Gaps
    Both Whitten (2008) and Karanja and Russo (2017) admit to a scarcity of research on the CISO, the role they play, and their position within the
• 64. organizational chart. While their research did fill obvious initial gaps in literature, further research is needed. Educause has recently supported the research of CISO and information security implementation in higher education. Grama (2014) and Brooks and Grama (2017) completed research on data breaches in higher education and began to link those findings back to leadership in information security in that industry. However, these two articles are currently the only research in this field of the CISO and data breaches as related to higher education. Additionally, while Brooks and Grama (2017) do research the existence of a CISO or equivalent officer and higher education breach rate, the research stops short of looking at the organizational structure of the CISO within the institution and how breach rate is affected by that variable. Brooks and Grama (2017) finish their research by stating that higher education institutions should promote an individual who is solely
• 65. responsible for security and can be “an effective leader who can communicate information security issues across the institution is essential for information security program success.” (p.7).
Summary
This chapter attempted to describe the importance of information security, the role of the CISO, and the effect of data breaches across all business sectors with a focus on higher education. Due to its infancy in modern technology, information security has little associated academic research. A further understanding of how the placement of the CISO affects breach rate may assist all business sectors to make better hiring decisions. Research may also improve the ability of colleges and universities to bridge the gap between academic freedom and data security. The following chapter describes the methodology and procedures used to conduct this research on the relationship between the organizational position of the CISO within higher education and breach rate.
• 66. Chapter Three
Methods and Procedures
Introduction
A review of the literature in Chapter Two suggests that the position of the CISO within organizational structure varies among business sectors. Additionally, the literature suggests that research about the CISO is limited in higher education. This study can fill gaps in the research by providing more information on how the organizational structure of information security and the position of the CISO in higher education affect breach rates. This chapter outlines the methodologies and statistical analyses used to observe the position of the CISO within
• 67. organizational structure in higher education and how it affects breach rate. This study directly observes the differences in reporting structures between CISOs and other similar job titles while making comparisons to the position of CIOs in higher education institutions. Additionally, the study uses publicly-accessible breach rate data in comparison with organizational structure. This chapter also defines the research paradigm, the research design, and data collection and analysis tools and procedures.
Research Paradigm
The research paradigm for this study was quantitative. This study built on the work of Grama (2014) and Brooks and Grama (2017) to further determine the relationship between the position of the CISO within organizational structure in higher education and breach rate. Additional relationships, including time spent on task and the ability to report directly to the institution’s president and board, were also analyzed. Survey data collected from Educause and
• 68. publicly-accessible data breach data from the Privacy Rights Clearinghouse were utilized for the study. Grama (2014) specifically studied data breaches in higher education. The purpose of the study was to determine if higher education breaches were exposing as many records as other sectors. Grama was attempting to dispute the claim that higher education should be singled out as the most susceptible to data loss due to the number of breaches occurring in that sector. Grama found that the number of breaches and their relationship to the number of records breached was different in higher education than in other sectors. Specifically, the study found that “education has some of the lowest counts of records exposed per breach incident” (p. 6). While the study was not the first to take data breaches in education (with an emphasis on higher education) into account, the study did not elaborate on the reasons for the lower number of breached records. Additionally, the study did not research any reason for the unusually high
• 69. number of breach rates in education. Brooks and Grama (2017) continued the 2014 study by researching Educause CDS survey data and Privacy Rights Clearinghouse (PRC) data and identifying points in the dataset that might affect breach rates. The study was the first in higher education to research the role of the CISO and its effect on breach rate. While the study researched areas of training, prevention, detection, policies, and risk management, it did not study the relationship of the position of the CISO in organization structure and breach rates. Additionally, the study did not determine whether a relationship existed when a title other than CISO was used for an information security officer. This study used the quantitative research method to utilize survey and publicly-accessible data. Qualitative and mixed methods were also considered for this study but were rejected. A qualitative method would require the researcher to interview CISOs and other security
• 70. professionals throughout the field and ask questions relating to their perception of their environment and how that affected breach rate. While this method could be used and be beneficial in answering some research questions, the data found would not have directly related to this study. A mixed method could be effective for this study. Jick (1979) provides a case study on how interviews and survey data were used together to provide usable conclusions. This method was ultimately rejected for the same reason as the qualitative method. The need to interview CISOs in higher education concerning breach rates at their institutions is difficult since breaches can be legal challenges and information may be confidential. The quantitative research method provided this study with the basis to research relationships between variables. Quantitative tests designed to reveal correlations and differences between means were used to provide an analysis of the data. This descriptive (or
• 71. observational) study “observed subjects without otherwise intervening” (Hopkins, 2008, p. 2). The survey tool provided by Educause reduced the chance of confounding, which can occur when attempting to find cause and effect, as was present in this study. Confounding was controlled in the Educause CDS survey by ensuring all subjects met the requirement of being an accredited US institution.
Research Design
This quantitative research was based on causal-comparative design and was appropriate to determine relationships between the position of the CISO within higher education organizational structure and breach rates. Causal-comparative design includes independent and/or dependent variables. This research could also be classified as nonexperimental research as it utilizes independent variables over which the researcher has no control as they have already occurred (Johnson, 2001). While this research is causal-comparative in design, it is important to note that definite relationships cannot be determined from this research. Cook and Cook (2008) conclude the following when discussing nonexperimental quantitative research:
• 72. Because neither surveys nor correlational research incorporate the defining features of group experimental research (i.e., random assignment of participants to groups and active introduction of an intervention), they cannot be used to determine definitively causal relationships and should therefore not be relied on to establish whether a practice is evidence based. This is not to suggest that survey and correlational research methods are less important than experimental research; they are simply designed to answer different questions. (p. 103)
However, survey was determined by the researcher to be the best way to gain data for the variables to be tested. Other research designs were also considered for this study. Descriptive research and
• 73. experimental research designs did not meet the requirements of this study. In descriptive research, the researcher does not typically have a hypothesis. In this study, the hypothesis of the researcher is clear. Experimental studies require an experiment using the scientific method, which is also not applicable. Correlational research could have been utilized for this study as it is used to review variables in their natural environment. While some of the questions of this study do lend themselves to correlational research, the overall study is causal-comparative as it seeks to determine if the position of the CISO in higher education affects breach rate.
Data Collection Sources
Following approval from the Institutional Review Board (see Appendix C) at University of the Cumberlands, data were requested from the Educause Core Data Service. Specifically, the information security module of the CDS survey was utilized. The survey data were gathered in 2015-2018. Additionally, data were gathered from the Privacy Rights Clearinghouse (PRC) via
• 74. the online database. The Educause contract for data (see Appendix D) and the communication from PRC for data use (see Appendix E) were both requested in February 2019. Educause produces the Core Data Service (CDS) annual survey, which is populated by 750 higher education institutions. The Educause CDS survey contains several modules including the information security module used for this study. The information security module of the CDS survey contains questions about the organization, staffing, policies, and practices related to information security within higher education. The questions utilized from this survey included one multiple choice question describing staffing, one multiple choice question regarding percentage of time on task, one multiple answer question regarding report structure, and one binary question regarding cabinet-level membership. The Educause CDS data was chosen over a survey created by the researcher. Many of the questions in the survey were similar to the
• 75. questions originally crafted by the researcher. Additionally, the survey is a tested tool for data that is used by higher education institutions and other researchers for similar purposes. Without an additional researcher-led survey, Educause CDS provides the only other collection of data applicable to this study. The Privacy Rights Clearinghouse is a nonprofit organization that collects data from publicly-accessible sources and compiles it into usable information. Breach data are separated by breach type, organization type, and year of breach. For this study, data were requested for the higher education sector for all breach types between 2015-2018. Only publicly-reported breaches appear in the PRC database. It is plausible that some higher education institutions have encountered breaches that were not published in the database and are therefore not a part of this study or its findings. Other breach databases also exist, including The Campus Computing Project, Breach Level Index, and the Center for Higher Education Chief Information Officer
• 76. Studies, Inc. However, these resources did not provide the granularity or scope of data that was provided by the PRC database. This study utilized the 2018 Educause Core Data Service Survey, which contained data from 750 respondents from a pool of 3,816 eligible institutions. Higher education uses the Carnegie Classification framework to classify colleges and universities according to their type of degree granted. All colleges and universities listed in the Carnegie Classification and respondents of the Educause CDS survey are accredited with the US Department of Education and represented in the National Center for Education Statistics Integrated Postsecondary Education Data System (IPEDS). Doctoral degree institutions provided the largest set of data with 134 responses while institutions outside the US provided the smallest set of data with 53 responses. See Figure 4 for a breakdown of the Carnegie Classification for the Educause CDS survey data.
• 77. This study also utilized the Privacy Rights Clearinghouse database. Out of 3065 total records representing data breaches in all sectors from 2015 to 2018, 111 records characterized education and 70 records related specifically to higher education. Of those 70 records, 42 associated directly to an institution that also completed the information security module of the 2018 Educause CDS Survey.
Figure 4. Educause CDS Survey Demographics
Carnegie Class   Participating Institutions   Eligible Institutions   Response Rate (%)
AA               114                          1044                    10.9
BA               109                           524                    20.8
MA Pub           110                           267                    41.2
MA Priv          100                           396                    25.3
DR Pub           134                           201                    66.7
DR Priv           61                           123                    49.6
Other U.S.        69                           842                     8.2
Non-U.S.          53                           419                    12.6
Mean              93.8                         477.0                   29.4
Median           104.5                         407.5                   23.1
Sum              750                          3816
• 78. Data Analysis Techniques
Chi square tests were used to determine if significant relationships existed between the CISO or similar title in several areas including time spent on
• 79. task, reporting structure, and cabinet membership. Two t-tests were used to determine if the number of breached records were different dependent upon the organization reporting structure of the CISO. McHugh (2013) states that “the Chi-square test of independence (also known as the Pearson Chi-square test, or simply the Chi-square) is one of the most useful statistics for testing hypotheses when the variables are nominal” (p. 143). The chi square test was chosen for the research questions that involved a relationship:
1. Is there a relationship between the titles of the highest-ranking person in charge of information security and to whom they report?
2. Is there a relationship between the titles of the highest-ranking person in charge of information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in having cabinet-level membership?
• 80. The Fisher’s exact test could be used as a substitute for the chi square test but requires that the test have two rows and two columns only (McHugh, 2013). Since some of the tests needed for this study required more rows and columns, the chi square test was chosen for all relationship tests for consistency. Sufficiently large sample sizes and randomized data were used for the tests to provide best results. A t test was also utilized for one research question:
4. Is there a difference in the number of records breached and the reporting structure of the CISO or equivalent title?
Two sample datasets were gathered from a combination of Educause CDS survey data and breached records data from the PRC database. Specifically, data from two questions in the Educause CDS survey were combined: what is the title of the highest-ranking person in charge of information security, and to whom does this person report. Reporting structure was combined into two categories: CISO reporting to CIO, and CISO reporting
• 81. to another high-level officer. The total number of breached records related to the higher education institution was then entered for the corresponding row and column. A row containing a zero indicated that no records had been breached for that specific institution. Data for this table was gathered by matching 22 breach incidents associated with institutions that completed the Educause CDS survey with their corresponding breached records report in the PRC database and by using the same Educause CDS survey data from 22 randomly selected institutions that were not part of a breach according to the PRC database. In compliance with the researcher’s contract, the data was anonymized before being used for any statistical tests. See Appendix F for the raw data table. A two-sample t test was chosen for its ability to compare two populations based on sample data. Although other types of t tests could have been utilized, Ruxton (2006) concludes
• 82. that “the unequal variance t-test should always be used in preference to the Student’s t-test or Mann–Whitney U test” (p. 690). Due to the distribution of the populations used for this test, both equal and unequal variance tests were utilized.
Summary
This chapter outlined the methodology for this research. The literature review specified gaps in understanding the role of the CISO in higher education and how different factors, including breach rate, could be affected by the position of the CISO within the organization. A quantitative, causal-comparative study was conducted to evaluate the organization structure of the CISO and its effect on breach rate in higher education. Survey data from the Educause CDS and publicly-accessible breach data from the Privacy Rights Clearinghouse were used in this study. Chi square and t-tests were used to analyze the data. A summary of the results is presented in Chapter Four.
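As an added example, not part of the thesis, the following Python recomputes the chi square tests of independence and the two-sample t tests described in this chapter from the observed counts and summary statistics printed in Tables 1 to 5 of Chapter Four; the only assumptions are those copied values, and the chi-square p-value is computed from the standard-library gamma and erfc functions rather than a statistics package.

```python
"""Reproduce the chi-square and two-sample t statistics of Chapter Four.

Added example, not part of the thesis: the counts and summary statistics
below are copied from Tables 1 to 5; the test routines are written from
the textbook formulas using the standard library only.
"""
import math

# Contingency tables copied from Tables 1-3 (rows x columns as printed).
TABLE_1 = [[118, 265], [33, 87]]            # CIO / Other  x  CISO / Similar Title
TABLE_2 = [[94, 112], [14, 23], [27, 44]]   # 100% / 80-99% / <80%  x  CISO / Similar
TABLE_3 = [[16, 69], [122, 52]]             # Yes / No  x  CISO / CIO (cabinet member)
# Summary statistics copied from Tables 4 and 5: (mean, variance, n).
CISO_TO_CIO = (22597.92308, 6195248036.0, 26)
CISO_TO_OTHER = (1216.375, 7531018.383, 16)


def chi_sq_sf(x, df):
    """Upper-tail probability P(chi-square with df > x) for integer df >= 1.

    Uses the recurrence Q(x; k+2) = Q(x; k) + (x/2)^(k/2) exp(-x/2) / Gamma(k/2 + 1),
    seeded with Q(x; 1) = erfc(sqrt(x/2)) and Q(x; 2) = exp(-x/2).
    """
    if df < 1:
        raise ValueError("df must be a positive integer")
    if x <= 0:
        return 1.0
    k = 1 if df % 2 else 2
    q = math.erfc(math.sqrt(x / 2)) if k == 1 else math.exp(-x / 2)
    while k < df:
        q += (x / 2) ** (k / 2) * math.exp(-x / 2) / math.gamma(k / 2 + 1)
        k += 2
    return q


def chi_square_independence(observed):
    """Pearson chi-square test of independence on an r x c table.

    Returns (statistic, df, p_value, expected) with df = (r-1)(c-1).
    """
    rows, cols = len(observed), len(observed[0])
    row_sums = [sum(r) for r in observed]
    col_sums = [sum(observed[i][j] for i in range(rows)) for j in range(cols)]
    n = sum(row_sums)
    expected = [[row_sums[i] * col_sums[j] / n for j in range(cols)]
                for i in range(rows)]
    stat = sum((observed[i][j] - expected[i][j]) ** 2 / expected[i][j]
               for i in range(rows) for j in range(cols))
    df = (rows - 1) * (cols - 1)
    return stat, df, chi_sq_sf(stat, df), expected


def two_sample_t(group_a, group_b, equal_var=True):
    """Two-sample t statistic from (mean, variance, n) summaries.

    equal_var=True pools the variances (Student's t, df = n1 + n2 - 2);
    False is the unequal-variance (Welch) test with the Welch-Satterthwaite
    df truncated to an integer. Returns (t, df, pooled_variance_or_None).
    """
    m1, v1, n1 = group_a
    m2, v2, n2 = group_b
    if equal_var:
        pooled = ((n1 - 1) * v1 + (n2 - 1) * v2) / (n1 + n2 - 2)
        t = (m1 - m2) / math.sqrt(pooled * (1 / n1 + 1 / n2))
        return t, n1 + n2 - 2, pooled
    a, b = v1 / n1, v2 / n2
    t = (m1 - m2) / math.sqrt(a + b)
    df = (a + b) ** 2 / (a ** 2 / (n1 - 1) + b ** 2 / (n2 - 1))
    return t, int(df), None


if __name__ == "__main__":
    for name, table in (("Table 1", TABLE_1), ("Table 2", TABLE_2), ("Table 3", TABLE_3)):
        stat, df, p, _ = chi_square_independence(table)
        print(f"{name}: chi2 = {stat:.4f}, df = {df}, p = {p:.4g}")
    for label, ev in (("equal", True), ("unequal", False)):
        t, df, _ = two_sample_t(CISO_TO_CIO, CISO_TO_OTHER, equal_var=ev)
        print(f"t test ({label} variances): t = {t:.4f}, df = {df}")
```

The chi-square statistics, t statistics, pooled variance and t-test degrees of freedom match the printed tables; the p-value returned for Table 2 uses df = (r-1)(c-1) = 2, whereas the 0.7907 printed in that table corresponds to its stated df = 4, which chi_sq_sf(1.7002, 4) reproduces.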
• 83. Chapter Four
Research Findings
Introduction
Chapter Four provides an analysis of the research findings related to the relationships in reporting structures between CISOs and other similar job titles while making comparisons to the position of CIOs in higher education institutions. As previously stated in Chapter Three, the purpose of this quantitative study was to provide an analysis of how the organizational structure of information security and the position of the CISO in higher education affect breach rates. The Educause CDS annual survey data and breach rate data from the Privacy Rights Clearinghouse were used to find relationships between the CISO and similar titles, their reporting structure, and its effect on breach rate in higher education. Chapter Four includes specific information
• 84. pertaining to the statistical analysis used to study the research questions found in Chapter One.
Participant Demographics
The sample population from the Educause CDS survey contained 471 records from higher education institutions that had completed the 2018 information security module. The sample population from the Privacy Rights Clearinghouse (PRC) contained 70 records derived from educational institutions that had suffered a breach between 2015-2018. The PRC data were narrowed to 42 records in order to match information back to the CDS survey. The primary job title for respondents was CISO (29%) followed by CIO (26%), information security officer (ISO) (15%), director of information security (8%), and information technology security officer (5%). All other respondent title groups were less than 5% and can be seen in Appendix A. A further breakdown of the Educause CDS survey data demographics can be seen in Figure 4 in Chapter
• 85. Three.
Analyses of Research Questions
Data were collected from the information security module of the Educause CDS survey and publicly-accessible data from PRC as described in Chapter Three. The highest-ranking information security staff member was identified by a 16-option multiple choice question that also provided space for a write-in option. Percentage of time on task was identified by a 7-option multiple choice question. Reporting structure was provided by a multiple answer question which presented 17 options including a provided space for a write-in position. Reporting to the university cabinet was provided as a binary yes/no question set. The write-in options were not calculated as part of this research. The PRC dataset contained a record for each breach incident at a higher education institution and included the institution name, number of breached records, breach type, and supporting sources.
Question One. Is there a relationship between the titles of the highest-ranking person in
• 86. charge of information security and to whom they report? The highest-ranking security officer is most often called a CISO but this can vary among institutions. All relevant titles that would fulfill the same role as the CISO were included in the calculations. In order to understand how the CISO or similar title is positioned within the institution, the data was categorized into reporting to the CIO or other officer. Officers in the other category included the president, CFO, CRO, and other similar positions. Since literature shows that the CISO most often reports to the CIO, that position was listed as its own variable. A Chi Square test was conducted on the survey data. The test found the results were not significant (χ² [2, N = 503] = 0.48, p > .05). Table 1 shows the results of the Chi Square test as described.
Table 1. Chi Square for Relationship of Reporting Structure
Observed values:
          CISO   Similar Title   Sum
CIO       118    265             383
Other      33     87             120
Sum       151    352             503
Expected values:
          CISO      Similar Title
CIO       114.98    268.0239
Other      36.024    83.97614
Cell           Observed   Expected   (O-E)²    (O-E)²/E
Variable 1 A   118        114.9761   9.14371   0.079527
Variable 1 B   265        268.0239   9.14371   0.034115
Variable 2 A    33         36.02386  9.14371   0.253824
Variable 2 B    87         83.97614  9.14371   0.108885
χ²             0.476351
P Value        0.49008
• 87. This analysis concluded that the title of the person responsible for information security in
• 88. higher education is insignificant when paired with reporting structure. While the CISO is the most common title in the respondent survey (see Appendix A), a change from that title does not provide any indication that organization structure will change. While titles are important, just changing the title of the information security administrator may not increase the ability for that person to participate at a higher level in the organizational chart.
Question Two. Is there a relationship between the titles of the highest-ranking person in charge of information security and the percentage of time on task? A Chi Square test was utilized to determine if a relationship existed between the title of the security officer and the time that was spent in that role. In order to place the data into a 2x3 Chi Square test, the time on task percentages were modified from the original data. All categories below 80% were combined to represent a single variable. The test found this relationship
• 89. insignificant (χ² [3, N = 314] = 1.70, p > .05). Table 2 shows the results of this Chi Square test as described.
Table 2. Chi Square Relationship Between Title and Full Time Percentage
Observed:
            CISO   Similar Title   Sum
100%         94    112             206
80-99%       14     23              37
Below 80%    27     44              71
Sum         135    179             314
Expected:
            Var A    Var B    Sum
Variable 1  88.567   117.43   206
Variable 2  15.908    21.092   37
Variable 3  30.525    40.475   71
Sum         135      179      314
Cell           Observed   Expected   (O-E)²    (O-E)²/E
Variable 1 A    94         88.5669   29.519    0.3333
Variable 1 B   112        117.433    29.519    0.2514
Variable 2 A    14         15.9076    3.6391   0.2288
Variable 2 B    23         21.0924    3.6391   0.1725
Variable 3 A    27         30.5255   12.429    0.4072
Variable 3 B    44         40.4745   12.429    0.3071
df = 4
χ²              1.7002
P Value         0.7907
• 90. Each survey respondent was asked “what percentage of full time did this person devote to information security?” (see Appendix B). Many different types of higher education institutions were represented by the Educause CDS survey. Independent colleges and universities and other types with low enrollment may have staff that handle several roles simultaneously. This test analyzed the time the person administering information security spent on that role alone. As the test was insignificant, the
• 91. conclusion is that a change in title of the person administering information security does not significantly affect time on task. Additionally, the data from this test indicates that many information security administrators, regardless of their title, are dedicated to information security only.
Question Three. Is there a relationship between the CISO and the CIO in having cabinet-level membership? A Chi Square test was utilized to determine if a relationship exists between a CISO and a CIO reporting to a cabinet-level position in higher education using binary variables. The test found this relationship to be significant (χ² [2, N = 259] = 60.35, p < .001). The CIO is much more likely to be a cabinet member than the CISO. Table 3 shows the results of this Chi Square test as described.
Table 3. Relationship Between CISO and CIO as Member of President's Cabinet
• 92. Observed values:
       CISO   CIO   Sum
Yes     16     69    85
No     122     52   174
Sum    138    121   259
Expected values:
       CISO          CIO
Yes    45.2895753    39.71042
No     92.7104247    81.28958
Cell           Observed   Expected   (O-E)²     (O-E)²/E
Variable 1 A    16        45.28958   857.8792   18.94209
Variable 1 B    69        39.71042   857.8792   21.60338
Variable 2 A   122        92.71042   857.8792    9.25332
Variable 2 B    52        81.28958   857.8792   10.55337
χ²             60.35216
P Value        7.93E-15
While reporting structure was tested in the first research question, this question relates to
• 93. a different data point. In the survey, respondents were asked “is this person a member of the president/chancellor’s cabinet?”. For this test, the researcher reduced the dataset to just those respondents with the specific title of CISO or CIO. The significance of this analysis shows that the CISO is less likely to sit on the president’s cabinet than the CIO. As noted in Chapter Two, this scenario can create a security concern for the organization as the CIO and the CISO may have differing agendas. The position of the CISO or CIO in organizational structure is irrelevant in this test.
Question Four. Is there a difference in the number of records breached and the reporting structure of the CISO or equivalent title? Reporting structure data from the information security module of the Educause CDS survey was combined with known breach data from PRC which included number of records breached. The number of breached records was then included in a two-sample t test assuming equal variances. The number of breaches that occurred when a CISO reported to a CIO (M = 22597.92) were not significantly
• 94. different than the number of breaches that occurred when a CISO reported to a different cabinet-level officer (M = 1216.37), (t [40] = 1.0810, p > .05). There is not a significant difference in breach rates between the reporting structures. Table 4 shows the results of this t test as described.
Table 4. Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Equal Variances
                               CISO to CIO     CISO to Other
Mean                           22597.92308     1216.375
Variance                       6195248036      7531018.383
Observations                   26              16
Pooled Variance                3874854155
Hypothesized Mean Difference   0
df                             40
t Stat                         1.081019395
P(T<=t) one-tail               0.143081573
t Critical one-tail            1.683851013
P(T<=t) two-tail               0.286163147
t Critical two-tail            2.02107539
• 95. In addition to the above test, the same data was analyzed by a two-sample t test assuming unequal variances. In this analysis, the number of breaches result (t [25] = 1.3838, p > .05) remained insignificant. Table 5 shows the results of this t test as described.
Table 5. Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Unequal Variances
                               CISO to CIO     CISO to Other
Mean                           22597.92308     1216.375
Variance                       6195248036      7531018.383
Observations                   26              16
Hypothesized Mean Difference   0
df                             25
t Stat                         1.383782862
P(T<=t) one-tail               0.089328216
t Critical one-tail            1.708140761
P(T<=t) two-tail               0.178656431
t Critical two-tail            2.059538553
• 96. This researcher found that a primary variable that was excluded from Brooks and Grama’s (2017) research was the position variable. Question four is the focal point of this research as it attempts to determine if breaches in higher education are affected by the reporting structure of the CISO or equivalent title. Literature from Chapter Two indicates that security
• 97. could be more likely to be compromised if the CISO reports to the CIO instead of the CEO. Chapter Three provides details for the layout of these tests and the raw data for the test can be seen in Appendix F. While neither of the test results was significant, the researcher notes that the unequal variances t test is very close to significance. A limited number of data points for this question may have affected the outcome of the tests.
Summary
Data from the information security module of the Educause CDS survey and publicly-accessible data from the Privacy Rights Clearinghouse were analyzed to determine how the CISO and similar positions relate in organization structure in higher education. The data from the security module of the Educause CDS survey included 471 institutions. The primary title of the highest-ranking security officer was CISO (29%) followed by CIO (26%). The survey used multiple choice, multiple answer, and binary questions to gather data. Three Chi Square tests, a two-sample t test assuming equal variances, and a two-sample t
• 98. test assuming unequal variances were used to evaluate the relationships of the CISO within organizational structure in higher education and its relation to breach rate. The relationship between the titles of the highest-ranking security officers and to whom they report was analyzed by a Chi Square test and found to be insignificant (χ² [2, N = 503] = 0.48, p > .05). A Chi Square test also analyzed the relationship between titles of the highest-ranking security officer and time on task. The results of this test were also insignificant (χ² [3, N = 314] = 1.70, p > .05). The final Chi Square test analyzed the relationship between the CISO and the CIO as a cabinet-level member. This test was found to be significant (χ² [2, N = 259] = 60.35, p < .001) and shows that the CIO is more likely to be a member of the president’s cabinet than the CISO. Two t tests were utilized to determine if differences in number of breached records were present when a CISO reported to the CIO versus when a CISO
• 99. reported to another cabinet-level officer. In the first t test, equal variances were assumed. The test was insignificant: the mean number of breaches that occurred when a CISO reported to a CIO (M = 22597.92) was greater than when a CISO reported to a different cabinet-level officer (M = 1216.37), but not significantly so (t [40] = 1.0810, p > .05). A t test assuming unequal variances was also performed. While this test was much closer to being significant, the result (t [25] = 1.3838, p > .05) remained insignificant. While the results of all but one of the tests are insignificant, the analyses do yield several conclusions. The title of the person administering information security is not an overarching concern. A change in title is not likely to change the position of that role in organizational structure. The CISO is much less likely to have a presence on the cabinet than the CIO. The lack of a CISO or similar role on the president’s cabinet could affect information security by reducing the level of information provided to the cabinet members. There is a need for more
• 100. data about data breaches in higher education and their relationship to the reporting structure of the CISO. While the t tests relating to organizational structure and number of breached records were insignificant, the conclusions showed a need for more data for comparison. The practical implications of the analyses in this chapter and further suggestions for study are discussed in Chapter Five.
Chapter Five
Summary, Discussion, and Implications
Introduction
The purpose of this study was to research the position of the CISO in higher education organizational structure and how that positioning affects breach rate. Additionally, the study evaluated relationships between the CISO and the CIO and the differences in their reporting
  • 101. structure. The overall goal of this research was to expand other studies about the CISO in higher education that used factors other than position in organization structure and potentially provide higher education colleges and universities with data needed to make informed decisions when hiring and promoting the CISO. Brooks and Grama (2017) stated that their research in higher education has found that “no single measure of prevention is enough by itself to prevent a breach” (p. 8). This research can add another measure to provide defense in depth for higher education institutions. The frequency at which data breaches occur in all industry sectors, including higher education, is rising and shows no slowing rate. Higher education institutions are not immune to data breaches. While research by Grama (2014) shows the number of records per breach in higher education is traditionally lower than other sectors, this should not lull colleges and universities into a false sense of security. A capable leader for information security is necessary
  • 102. to combat attacks with administrative and technical controls that are applicable to the entire organization. THE CISO IN HIGHER EDUCATION 44 Chapter Two provided an overview of literature related to the history, importance, and function of the CISO in all sectors. The overview also provided a focus on the CISO in higher education and the challenges faced in that sector. The need for an effective leader at the helm of information security in higher education is necessary for any college or university (Brooks and Gramma, 2017). This need provides the basis for this and similar studies. As discussed in Chapter Three, data from the information security module of the Educause Core Data Survey (CDS) was paired with publicly-accessible data from the Privacy Rights Clearinghouse (PRC) and utilized for this research questions for this study. Chapter Four provides a detailed analysis of the data collection and research findings of this study. Chapter Five presents the practical
  • 103. significance and implications of the research results discussed in Chapter Four along with the limitation of the study and opportunities for further research. Practical Assessment of Research Questions This quantitative research was based on causal-comparative design and was intended to fill gaps in previous research pertaining to the CISO and information security within higher education. Four research questions were developed and used for this study. The first research question asked if there is a relationship in reporting structure when a title other than CISO is used for the top-ranking security officer at a higher education institution. Two responses from the information security module of the Educause CDS were utilized that provided the title of the highest-ranking person responsible for information security and to whom they reported. The Chi Square test was configured to observe how the CISO or similar title reported to the CIO or other high-level officer. The test results were insignificant, (X2 [2, N= 503] = 0.48, p > .05).
  • 104. THE CISO IN HIGHER EDUCATION 45 These findings are not abnormal. Across all sectors of business, Karanja and Rosso (2017) found that the newly-hired CISO was less likely to report to the CIO than another high- level officer such as the CEO. However, with older CISO positions, they found that 63% of CISOs report directly to the CIO. The test results suggest that higher education may be behind the normal trend in organizational structure tactics for the CISO and CIO seen in other sectors. This also would not be abnormal as research into the CISO and the advent of information security in higher education is lacking. The second research question asked if there is a relationship with time spent on task when a title other than CISO is used for the top-ranking security officer at a higher education institution. Two responses from the information security module of the Educause CDS were utilized that provided the title of the highest-ranking person responsible for information security
  • 105. and the associated time spent on task. The Chi Square test was configured to observe if the CISO or similar title spent 100%, 80-99%, or less than 80% of job time on information security related tasks. The test results were insignificant, (X2 [3, N= 314] = 1.70, p > .05). According to Brooks and Grama (2017), the use of the CISO title in higher education is still rare. According to their research from 2014, only 34% of administrators in higher education information security devoted 100% of their time to that task and only 32% of that group held the title CISO. The findings of this test parrot that of the earlier research from Brooks and Grama (2017). The test indicates that the title of the highest-ranking information security officer does not seem to affect time spent on task. The third research question asked if there is a relationship with the CISO or the CIO and serving as a member of the college or university president’s cabinet. Two responses from the information security module of the Educause CDS were utilized that provided the title of the