APA Writing Sample: Extortion on the JobValorie J. King, PhDApril 2, 2014
Running Head: APA WRITING SAMPLE 1
Running Head: APA WRITING SAMPLE 5
Introduction
Writing as Anonymous (2003), the Chief Information Security Officer (CISO) of a major United States (US) corporation told a chilling tale of email based extortion attempts against employees who had received extortion threats via email sent to their corporate email addresses. The corporation, its managers, and the individual employees who were targeted faced a number of issues and dilemmas as they responded to security incident caused by the extortion attempts. In the following analysis, one issue–the enforcement of acceptable use policies–is discussed and critiqued.Analysis
The Attack
Drive by download attacks occur when a legitimate Web server has been infected with malware or malicious scripts which deliver malware, pornography, or other objectionable material along with the Web page content that the visitor was expecting to see (Microsoft, 2014; Niki, 2009). These types of attacks are difficult to detect and often result in the infection of large numbers of visitors before the infection is detected and removed from the Web site.
In this attack, computers used by the affected employees (victims) were compromised by a drive by download attack (Microsoft, 2014) which resulted in the download of pornographic materials while they were browsing websites which, in turn, had been compromised (Anonymous, 2003). The attackers also obtained each visitor’s email address from the Web browser. Extortion emails were sent to victims demanding credit card payment of hush fees. The extortionists told the victims exactly where the contraband files were located on the computer hard drive and assured the victims that it was impossible to remove those files.
Why the Problem Went Unreported
Anonymous (2003) discovered that he was dealing with “paranoid users who don't trust security people” (p. 1). There are many possible reasons why employees turn into paranoid users who are unwilling to self-report for security incidents, even those which are accidental. Two such reasons are enforcement of zero tolerance for violations and perceptions of unfairness or a lack of justice.
Zero tolerance. The previous CISO implemented a zero tolerance policy with respect to acceptable use policy (AUP) violations (Anonymous, 2003). Under this zero-tolerance policy, a number of employees were terminated (fired), without due process or hearings to establish guilt or innocence. When employees began receiving extortion emails and threats, they believed that their jobs could be placed at risk, regardless of their innocence or guilt with respect to downloading of pornography to company computers, if they reported the presence of pornographic files (pushed to the computer by the extortionists).
Perceptions of fairness and justice. When employees feel that IT policy enforcement is unfair, the situation is usually accompanied.
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
APA Writing Sample Extortion on the JobValorie J. King, PhDApril .docx
1. APA Writing Sample: Extortion on the JobValorie J. King,
PhDApril 2, 2014
Running Head: APA WRITING SAMPLE 1
Running Head: APA WRITING SAMPLE 5
Introduction
Writing as Anonymous (2003), the Chief Information Security
Officer (CISO) of a major United States (US) corporation told a
chilling tale of email based extortion attempts against
employees who had received extortion threats via email sent to
their corporate email addresses. The corporation, its managers,
and the individual employees who were targeted faced a number
of issues and dilemmas as they responded to security incident
caused by the extortion attempts. In the following analysis, one
issue–the enforcement of acceptable use policies–is discussed
and critiqued.Analysis
The Attack
Drive by download attacks occur when a legitimate Web server
has been infected with malware or malicious scripts which
deliver malware, pornography, or other objectionable material
along with the Web page content that the visitor was expecting
to see (Microsoft, 2014; Niki, 2009). These types of attacks are
difficult to detect and often result in the infection of large
numbers of visitors before the infection is detected and removed
from the Web site.
In this attack, computers used by the affected employees
(victims) were compromised by a drive by download attack
(Microsoft, 2014) which resulted in the download of
pornographic materials while they were browsing websites
which, in turn, had been compromised (Anonymous, 2003). The
attackers also obtained each visitor’s email address from the
2. Web browser. Extortion emails were sent to victims demanding
credit card payment of hush fees. The extortionists told the
victims exactly where the contraband files were located on the
computer hard drive and assured the victims that it was
impossible to remove those files.
Why the Problem Went Unreported
Anonymous (2003) discovered that he was dealing with
“paranoid users who don't trust security people” (p. 1). There
are many possible reasons why employees turn into paranoid
users who are unwilling to self-report for security incidents,
even those which are accidental. Two such reasons are
enforcement of zero tolerance for violations and perceptions of
unfairness or a lack of justice.
Zero tolerance. The previous CISO implemented a zero
tolerance policy with respect to acceptable use policy (AUP)
violations (Anonymous, 2003). Under this zero-tolerance
policy, a number of employees were terminated (fired), without
due process or hearings to establish guilt or innocence. When
employees began receiving extortion emails and threats, they
believed that their jobs could be placed at risk, regardless of
their innocence or guilt with respect to downloading of
pornography to company computers, if they reported the
presence of pornographic files (pushed to the computer by the
extortionists).
Perceptions of fairness and justice. When employees feel that IT
policy enforcement is unfair, the situation is usually
accompanied by extreme and long-lasting negative feelings or
emotions (Flint et al., 2005). The overall result (consequences)
in this instance was an increase in unethical behavior as victims
attempted to hide or cover-up the extortion attempts (lying)
rather than asking their employer for assistance and protection
from harm (Moor, 1999). This undesirable result is, in part, due
to the employer’s failure to consider the consequences of the
application of the zero tolerance policy.
3. Incident Response
The new CISO treated the extortion situation as a security
incident rather than as an employee disciplinary problem
(Anonymous, 2003). He and his IT Security Staff investigated
the situation and learned that (a) the company’s employees
regularly received such threats and (b) some of them had paid
the extortionists rather than risk losing their jobs. The CISO
directed the IT Security Staff to reconfigure firewalls and other
network security appliances to block all further emails
containing extortion keywords or from the known IP addresses
for the extortionists. The CISO also met with IT staff members
to determine what additional protective actions could be taken.
Finally, the new CISO met with the IT staff and other selected
employees to determine what actions needed to be taken to
encourage employees to come forward (self-report) in the future
and decrease the atmosphere of fear and distrust that he had
inherited.Summary and Conclusions
In this article, the author highlighted some of the problems that
can arise when employers emphasize adherence to rules rather
than seeking a balance between rules and outcomes
(Anonymous, 2003). The company’s zero-tolerance enforcement
of its acceptable use policy resulted in undesirable outcomes,
particularly the creation of an atmosphere of fear and secretive
behavior. This, in turn, resulted in employees being unwilling to
report security incidents. To avoid this problem in the future,
corporate management should review the potential negative
consequences or outcomes of policy enforcement and address
specific circumstances with compassion rather than hardline
enforcement (Reynolds, 2007).
References
Anonymous. (2003, February 3). A sordid tale. Chief Security
Officer. CSO Online. Retrieved from https://web.archive.org/
web/20031119054351/http://www.csoonline.com/read/020103/
undercover.html
Flint, D., Hernandez-Marrero, P., & Wielemaker, M. (2005).
4. The role of affect and cognition in the perception of outcome
acceptability under different justice conditions. The Journal of
American Academy of Business, 7(1), 269-277.
Microsoft. (2014). Microsoft security intelligence report.
Retrieved from
http://www.microsoft.com/security/sir/glossary/drive-by-
download-sites.aspx
Moor, J. H. (1999). Just consequentialism and computing.
Ethics and Information Technology, 1(1), 61-69.
Niki, A. (2009, December). Drive-by download attacks: Effects
and detection methods. Paper presented at the 3rd IT Student
Conference for the Next Generation. Retrieved from
http://www.kaspersky.com/fr/images/drive-
by_download_attacks_effects_and_detection_methods.pdf
Reynolds, G. W. (2007). Ethics in information technology (2nd
ed.). Boston, MA: Thompson Course Technology.
Case Study #1: Why should businesses invest in cybersecurity?
Case Scenario:
A client company has asked your cybersecurity consulting firm
to provide it with a 2 to 3 page white paper which discusses the
business need for investments in cybersecurity. The purpose of
this white paper is to “fill in the gaps” in a business case that
was already prepared by the company’s Chief Information
Officer. The target audience for your paper is the company’s C-
suite executives. These executives will be meeting later this
month to discuss budget requests from department heads. The
company has requested that your white paper use the same
investment categories as are already in use for the CIO’s
business case: people, processes, and technologies.
Research:
1. Read / Review the Week 1 readings.
2. Find three or more additional sources which provide
information about best practice recommendations for
5. cybersecurity and other reasons why businesses should invest in
people, processes, and technologies related to cybersecurity.
These additional sources can include analyst reports (e.g.
Gartner, Forrester, Price-Waterhouse, Booz-Allen) and/or news
stories about recent attacks / threats, data breaches, cybercrime,
cyber terrorism, etc.
Write:
Write a two to three-page summary of your research. At a
minimum, your summary must include the following:
1. An introduction or overview of cybersecurity which provides
definitions and addresses the business need for cybersecurity.
This introduction should be suitable for an executive audience.
2. A separate section which addresses ethical considerations
which drive the business need for investments in cybersecurity.
3. A review of best practices and recommendations which can
be added to the existing business case to provide justification
for cybersecurity-focused investments in the three investment
categories identified by the company: people, processes, and
technologies.
Your white paper should use standard terms and definitions for
cybersecurity. See Course Content > Cybersecurity Concepts
Review for recommended resources.
Submit For Grading & Discussion
1. Submit your case study in MS Word format (.docx or .doc
file) using the Case Study #1 Assignment in your assignment
folder. (Attach the file.)
Formatting Instructions
1. Use standard APA formatting for the MS Word document that
you submit to your assignment folder. Formatting requirements
and examples are found under Course Resources > APA
Resources.
2. More than 3 sources must be used
6. Additional Information
1. You are expected to write grammatically correct English in
every assignment that you submit for grading. Do not turn in
any work without (a) using spell check, (b) using grammar
check, (c) verifying that your punctuation is correct and (d)
reviewing your work for correct word usage and correctly
structured sentences and paragraphs. These items are graded
under Professionalism and constitute 20% of the assignment
grade.
2. You are expected to credit your sources using in-text
citations and reference list entries. Both your citations and your
reference list entries must comply with APA 6th edition Style
requirements. Failure to credit your sources will result in
penalties as provided for under the university’s Academic
Integrity policy.