Study of Ransomware
by
Vinay Akula
Instructor: Dr Donnie Grimes
University of Cumberlands
Table of Contents
Title page
Introduction
Study of Ransomware
Impacts Caused by Ransomware Attacks
Management of Ransomware Attacks
References
Introduction
Information technology is a field that has developed considerably over the last decades, thanks to advances in technology. This gradual development has been matched by advances in internet connectivity around the world, leading to the concept of the internet of things, which has brought massive benefits. Organizations that have resorted to the internet and technology to run their key activities have gained in various ways. However, these advances have come with numerous challenges, and the ransomware attack is just one of the key challenges that organizations face in using the internet to provide quality services to the market (Moschovitis, 2018).
Study of Ransomware
The success of any organization depends on its ability to provide protection and security measures for its database and for the key activities that take place within its premises. This is especially important in today's world, where technology has become an effective tool in the daily execution of duties. In this regard, it is clear that cybercrime has rapidly increased as technology has advanced. This has made the fight against cybercrime and internet warfare a nightmare, more challenging and more difficult to deal with.
A ransomware attack, which is basically defined as a malware attack on somebody's sm ...
This Paper is Submitted to Fulfill The English 2 Task Study Program Software Engineering 4th Semester Buddhi Dharma University. Tangerang. Lecturer: Dra. Harisa Mardiana, M.Pd.
Running Head MALWARE1MALWARE2MalwareName.docx (cowinhelen)
Malware
Malware Attacks
Potential Malicious Attacks Against the Network Organization
In the world of technology, anything can happen. Information can pass from one region to another with ease, meaning that everything has been simplified. However, information technology has also been affected by a few challenges that seem to recur from time to time. They include:
Trojan horse virus: Typically, a computer virus has been a challenge for most organizations, but the most common, especially in such a company, is the Trojan horse virus. The virus is not self-replicating like the majority of others, but it has terrible consequences if it affects the network server of an organization (Durairajan, Saravanan, & Chakkaravarthy, 2016). The virus is used by hackers to illegally gain access to a specified user's data. With the installation of the video game, competitors' servers can access such data and reproduce a copy even before the originally programmed game gets to market.
Effects of Trojan horse virus
The data within a user’s computer can be deleted or modified by the hacker. With new businesses cropping up day in, day out, the problem may affect the video game company. A hacker may eliminate valuable data from the program and install fake data, which will, in turn, nullify the whole project. The virus can also be used to steal valuable company information that is supposed to be classified.
Computer worms: The worst thing about computer worms is that they are self-replicating. They take up space in the computer network and replicate there. The copies of the worms multiply and therefore displace the data that was there. Additionally, computer worms don’t need to be attached as in the case of the Trojan horse virus, but they develop from the network of equipment bit by bit (Anwar, Bakhtiari, Zainal, Abdullah, & Qureshi, 2015). The video game is a program that is used by a lot of people, and there is a high possibility that some computer worms begin to develop slowly.
Impact of computer worms
One of the major troubles with the computer worms is that they replicate themselves on the host server and hence, eliminate valuable files. They apparently take the place of a file which will automatically cause a breakdown in the network system of a company. For instance, the video game has been programmed and is made of various files. If a computer worm takes the place of one of the critical files, it would be nearly impossible for the program to function normally.
Blended threat: This case happens when the Trojan horse and computer worms attack at the same time. An attack by both can have very grave consequences, as it requires no human effort. The threat uses internet vulnerabilities and the user to initiate and spread an attack within the system. Importantly, the attack is a ...
Introduction Over the past years, there have been increasing ca.docx (normanibarber20063)
Introduction
Over the past years, there have been increasing cases of information security threats. As information technology professionals stay up to date with the latest technologies, they navigate a complicated playing field. Newly introduced terminology has brought a lot of confusion to the area of technology. This paper focuses on the background of information security. It also looks at information technology threats as well as the importance of planning policies to mitigate these risks.
History of Information Security
Computers were initially created to facilitate the swift exchange of information from one person to another (Jouini, 2014). The initial information technology infrastructure was built around mainframe computers, while later infrastructure was built around personal computers. At first, it seemed impossible to advance these computers into the present generation of computers and information technology gadgets. However, as information technology is revolutionized, new avenues are opening for the possibility of crime. Cyber criminals take advantage of these opportunities to steal computer passwords and get access to private information, as well as to cause devastating effects on computers and networks.
The nature of the use of computers has changed over the years. Various networks have been developed to enable the sharing and circulation of information and data. Regulating access to these possessions is problematic, as one needs to balance the need for access to free information against the value of the content of the data he or she receives (Layton, 2016). Some of the information today is very sensitive, while other information is not. Information technology has today progressed beyond just usernames and passwords. The field today encompasses digital strategies, the process of biometric identification and integrated security strategies.
The Need for Security
Many organizations agree that putting up policies for information security is expensive and time-consuming. Most users also get interrupted by substantial security policies that complicate their work and in turn develop bad politics within organizations (Omar, 2017). As such, it is essential to plan an audit policy on large networks, which may consume a lot of time and money. Most users believe that there is no need to implement security policies if no secret work is done.
Developing a poor security plan can lead to detrimental effects and even devastating disasters. A password policy which enables users to use weak or poor passwords is a paradise for hackers (Von Solms, 2013). The absence of a firewall or protection for the proxy between the firm and the local area network is a loophole through which the company can become a cybercrime target.
Organizations should figure out the amount it may take them to efficiently implement the information security policies to safeguard their information as well as their ass.
10 web application security best practices for 2020 (developeronrents)
We all know how important web applications are in today’s business world. Web applications continue to have a huge impact on the way businesses are thought about and taken forward. But with every innovative web application developed, it is also vital to keep it secured in the best possible ways from data hackers as well as numerous different types of viruses. Let us take a look at the various new options for web application security best practices that this year, 2020, has to suggest to us.
Week 1 Answer It is important to understand human beings and t.docx (jessiehampson)
Week 1 Answer:
It is important to understand how human beings and technology interact in all information systems. This is important because when humans understand their interaction with technology, they will embrace its importance and help in managing and controlling its use (Mjolsnes, 2011). In addition to that, this knowledge helps humans come up with innovative means to make sure that their interaction with technology is profitable to them.
It is important and necessary for businesses to educate their employees on security matters. This is because when employees understand the security of systems, they will avoid behaviors that might risk the safety of their systems (Seigneur, 2009). They will avoid sharing system passwords with unauthorized people.
References
Mjolsnes, S. F. (2011). A Multidisciplinary Introduction to Information Security. Boca Raton, FL: CRC Press.
Seigneur, J. (2009). Collaborative Computer Security and Trust Management. IGI Global.
Week 2 Answer:
Just give me 4 sentences. Not able to find prev. answer.
Week 3 Answer:
A secure system needs a good and effective antivirus program. Some antivirus programs are free, so you do not need any cash to get the protection. Antivirus programs are active at every moment on your computer to protect your files, so that your personal information is always private and confidential. They also help in the scanning of documents. It is also not a must that you log in to Windows to install the antivirus tool; you can use a functioning computer and a free antivirus tool to boot and then run on the infected computer. An antivirus program with a scanning option is very good, very important and very secure for your computer, because the scanning option helps identify a problem or a virus and stops it before it erodes the computer. There are different types of free antivirus programs. Some include Aviva’s free software, Smadav free software, Avast free software, and Bitdefender free antivirus software (Ariwa & El-Qawasmeh, 2011).
The antivirus known as Bitdefender provides instant protection to your computer against threats, worms, and viruses, among others. It protects against anti-fraud, and this helps to provide security to your computer when using the internet to browse and also while setting up the computer. Bitdefender antivirus can perform many functions at the same time. These functions include dragging files and folders directly into the program and scanning those programs (Studio, 2018).
In conclusion, the antivirus program helps to scan existing files in the programs, email databases, files that are archived, files that are executable, and sectors that are bootable. It also helps in identifying files that are bootable (Naumann, 2012). It also helps in identifying files that have viruses. It is advisable to scan and update your computer scanning software on a daily basis or once it expires to ensure the protection of your computer. To ensure that your ...
Cyber Security: Most Important Aspect of a Successful Business (Fibonalabs)
Cyber Security in business is all about protecting the data, not just the online data but also the offline data, from theft and any sort of damage. It includes the security of personal data, intellectual property data, protected information, sensitive data, government data as well as the data of various industries. It is a shield that helps in safeguarding the entire data of a business. Running a business is not everyone’s cup of tea and what makes it further difficult is the absence of cyber security. Let’s learn what impact this service has on the running of a successful business.
Analysis of personal information security behavior and awareness.docx (daniahendric)
Analysis of personal information security behavior and awareness
It's a developing portion of human security that aims at raising awareness of the dangers of fast-evolving forms of information and of emerging threats to that information, with a focus on human character. Since threats have developed and information is growing in value, attackers have upgraded their abilities and extended to broader intentions. More means of carrying out attacks have developed as well (Öğütçü, Testik & Chouseinoglou, 2016). The attacks have evolved to circumvent processes and controls. Aggressors have focused on and effectively exploited human character to breach relevant infrastructure schemes and corporate networks. Individuals who are unaware of the threats may circumvent traditional processes and security controls and cause an organizational breach. In reply, information security awareness is growing.
The main aim of the concept under discussion is to raise everyone's awareness that they can be a victim of these threats and risks at any time. Information security consciousness responds to developing cyber-attacks. Most of the time, people assume that security is all about technical controls (Ki-Aries & Faily, 2017). But the fact is that people are the targets, and their character can cause risk or offer countermeasures in response to threats and risks. Awareness metrics are increasing at a high rate to understand and measure the human threat landscape. The increase also aims at reducing risks associated with organizations and at weighing the effectiveness and expense of awareness as a countermeasure.
Most organizations don't invest a lot in information security. Few organizations pay attention to security issues. They tend to assume all is well so long as they have a password on their systems. However, this is not true, because if an attack occurs, such an organization is likely to suffer a lot. Security is an essential plan any organization can adopt to minimize security threats resulting from workers. An awareness plan helps associates understand that security is not a personal responsibility but everyone's responsibility. Everyone should be careful when it comes to security, because nobody chooses to be a victim; they only find themselves one (Ki-Aries & Faily, 2017). Employees should be accountable for the actions done under their empathies. Security awareness enforces effective means of handling business computers.
A developed policy should give awareness about social media and other types of virus. Workers should be aware of what is necessary to follow when using computers. Alternatively, companies can plan interactive sessions for every worker to understand more about their security. Such interactive sessions entail awareness of new risks and measures to overcome them. The awareness program won't be gainful if there is no punishment for those who violate the rules. Employees who don't adhere to the pr ...
Stuxnet and U.S Incidence ResponseStudent NameProfessor Na.docx (picklesvalery)
Stuxnet and U.S Incidence Response
The U.S Computer Emergency Readiness Team is a body mandated to protect the country’s internet infrastructure and to ensure the general welfare of all public entities on the internet. It devises methods to respond clearly to cyber security attacks that might pose a threat to the nation. It works alongside the Department of Homeland Security, together with multiple other private and public companies, in accomplishing this task (Techopedia, 2018).
The U.S CERT engages in a number of activities in order to make the internet a safe place for the entire nation. For instance, it devises means for the public to report any cyber threat or attack that they suspect to the body so that appropriate action can be taken. It also engages in educational ventures with the aim of making the public and industries aware of data security and threats.
The body also has the role of making the general public aware of looming cyber security strikes and attacks. It gathers information from various sources, and analysis of this information can help it point out possible security threats that various bodies are facing or at risk of. By so doing, it is able to prevent any loss that could have come about as a result of such attacks (ICS-CERT, 2015).
The emergency response team also takes part in coordinating recovery activities in emergency situations in conjunction with other firms. These activities are aimed at reducing the impact that a cyber attack makes and at trying to restore any data or operations that might have been brought down as a result of the attack.
The firm also analyzes the data gathered from security threats in order to learn more about the nature of attacks and to prevent future attacks from happening. Additionally, it conducts an evaluation of malware applications in order to better know which systems are at risk of attacks and how these attacks can be detected in a system (Ferran, 2012).
The response team also has the role of working hand in hand with other security agencies in the quest to come up with mitigation steps aimed at preventing and dealing with cyber security threats. The bodies share data that they have individually gathered, and by putting it together they are able to come up with a clearer picture of how security attacks are manifested and how they can better detect these security threats.
The U.S Computer Emergency Response Team follows the best guidelines when it comes to cyber crime response and emergency response preparedness. It uses the best approach when it comes to the collection of data relating to security threats, by getting it from actual security occurrences. Feedback from the general public is also a rich source of information in matters concerning cyber security. By collaborating with other security agencies, it stands in a better position to combat security threats and possible attacks more effectively.
T ...
With work from home becoming popular amid the pandemic, cyber-attacks by ransomware operators have been on the rise, and they may go after any organization, an enterprise or a small business, as long as they can gain access to it with ease.
No one today is a stranger to the word ransomware. But there are certain tips and tricks to safeguard yourself from such attacks at an organizational level. Good computer security practice can help defend organizations against ransomware attacks.
Replies Required for below Posting 1 user security awarene.docx (sodhi3)
Replies Required for below:
Posting 1: User security awareness is the most important element of an organization, as we know a single email can result in a multi-million dollar loss through a breach in a very short time. That is the primary reason many large organizations have a specific division that deals with security, whose prime task is to identify and prevent security breaches, and most interestingly, companies like Facebook have a one million dollar price reward for ethically breaching their security, which helps them identify more ways and prevent them before they occur. Speaking of which, user security deals with various levels of users as mentioned below.
1. New employees
2. Company executives
3. Traveling Employees
4. IT Employees
5. For all employees
Security awareness should be covered focusing on the four above-mentioned categories using real-world examples like classroom training, and circulating the latest updates in security patches and also articles or suggestions as well as visual examples about security awareness. Training employees by pasting the most important security preventions every employee must consider in order to prevent a security breach, and pasting the latest updates about security measurements in common areas across the office space, and conducting brainstorm sessions with individual senior staff members to understand their needs and how to apply security awareness across teams.
And the second thing is to secure customers, who are the core revenue-generating people for an organization, and it's the organization's duty to secure customers. The customer is the benefit of any organization. At the present time, where online security turns into an essential, the association must view client's profitable data that movements between the server and the site. By building security culture, the association can spur clients, contractual workers, representatives. A fulfilled client dependably functions as a mouth exposure and will fill in as an advantage of the organization. The association can guarantee their clients that the amount they think about their web assurance. The association ought to likewise distribute a note of wellbeing safety measure on the site for clients while collaborating with the web world.
Posting 2:
Security is a key human thought that has ended up being harder to portray and approve in the Information Age. In rough social requests, security was compelled to ensuring the prosperity of the get-together's people and guaranteeing physical resources. As society has grown more mind-boggling, the centrality of sharing and securing the fundamental resource of data has extended. Before the extension of present-day trades, data security was confined to controlling physical access to oral or created correspondences. The essentials of data security drove social requests to make innovative techniques for guaranteeing their data.
Changes in security systems can be direct. Society needs to execute any new security innovation as a get-together, whic ...
Running Header: ORGANIZATIONAL SECURITY
ORGANIZATIONAL SECURITY
Student’s Name
Tutor’s Name
Course Title
Date
Introduction
The security of the world is currently increasing in a simultaneous manner. Many countries all around the world try harder to cater to their citizens despite having huge numbers of them. Business is the core factor that gives people a way to a better life. Organizations have emerged, and they all try as much as possible to be successful despite facing many challenges in the marketplace. The exchange of goods and services is the core issue that led to the emergence of business globally. In general terms, different products are produced all around the world, and researchers have proven that for a business to be rated as successful, its security status must also be considered. Security generally protects the products and services of the organization. It is very important to keep the security of the company high, because all the products and services produced by the company will then be secured from competitors and ill-motivated individuals who might want to bring down the business. Employers and employees are the ones responsible for keeping the security of an organization at a high level.
Background information
In today’s world, everything that is tangible is always stored in a digital form. When a business lacks a way to defend its digital assets, the business is generally lost, and its potential loss grows bigger every day (Gupta, Rees, Chaturvedi & Chi, 2006). The need for legal security in the organization has existed ever since the introduction of the first computer in the business environment. Recently the paradigm has greatly shifted over the years, nevertheless from the client-server systems and terminal server mainframe systems.
Despite the security system being very important, it has not always been regarded as critical to organizational success. With the mainframe system in place, many organizations managed to protect their own systems from the abuse of resources, for instance an unauthorized user gaining access to the organizational system or an authorized user hogging the company’s resources. Such types of abuse were considered more damaging because systems had a higher cost during the early mainframe days. As time went by, technology developed and the cost of system resources decreased, so this issue became less important to the business environment (Gupta, Rees, Chaturvedi & Chi, 2006). Remote access from outside the organizational network was also considered to be non-existent. Furthermore, only the underground community had the higher tools and knowledge that are rightfully needed.
Running head CHALLENGES OF CYBER SECURITY9.docxsusanschei
Running head: CHALLENGES OF CYBER SECURITY
Challenges of Cyber Security
Currently, computer security constitutes one of the fields with increasing significance because many people rely on computer systems and the internet for various operations. The term ‘cyber security’ refers to the provision of safety measures for computer systems against theft of and destruction to the hardware, software and the information contained therein. It also includes protecting computer systems from any form of interference that hinders their efficiency in service delivery. According to Vasconcelos et al. (2017), cyber security means limiting the physical access to certain hardware and providing safety against destruction that could result from malpractice or when system operators are tricked and deviate from what are known to be secure guidelines.
There are many challenges for cyber security measures to be effective. Computer system operators experience great challenges in providing reliable and effective cyber security. Therefore, the question is: how should system operators get the proper training to overcome numerous cyber security challenges? It is important to pose the question because today there are many businesses that feel insecure. For example, most enterprises doubt the preparedness of system operators and their ability to ensure that there is security in the corporate networks. In addition, recent research carried out by Enterprise Strategy Group established that about a quarter of system operators do not possess the desired skills. Lack of enough personnel who are equipped with the right skills is the key factor attributed to challenges of cyber security. While cyber security significantly assists in protecting us, many enterprises and their esteemed clients from someone falsely representing something as beneficial to them or infiltrating our systems, it greatly needs to be expanded in order to safeguard us and to create a safer environment protecting companies and our personal information and data; it can and does fail to provide us complete security if safe practices are not followed.
Protecting the Home Front
Home front is an informal term commonly used for the civilians of a nation which faces a war, and their active support system of the military. As a result, military forces largely rely on home front civilian aid services. However, due to increased potential of destruction to the home front, there is a need to offer them appropriate protection (Wang & Lu, 2013). The military has the ability to design systems to help protect and deal with the vulnerabilities of the home front to direct attacks. There are a number of things that can be done to protect the home front against various attacks.
First, one could use automatic light timers fixed throughout in their systems. Light timers can be programmed to switch on and off in a way that helps simulate an in ...
Today's corporate world is part of the battleground fighting against potential threats and attacks. Though the threat landscape is evolving rapidly, security has usually always caught up to gain the upper hand.
Research Paper TopicITS835 – Enterprise Risk Managemen.docxaudeleypearl
Research Paper Topic
ITS835 – Enterprise Risk Management
Dr. Jerry Alsay
University of the Cumberlands
Introduction
All research reports begin with an introduction. (1 – 2 Pages)
Background
Provide your reader with a broad base of understanding of the research topic. The goal is to give the reader an overview of the topic, and its context within the real world, research literature, and theory. (3 – 5 Pages)
Problem Statement
This section should clearly articulate how the study will relate to the current literature. This is done by describing findings from the research literature that define the gap. It should be very clear what the research problem is and why it should be solved. Provide a general/broad problem and a specific problem (150 – 200 Words)
Literature Review
Using your annotated bibliography, construct a literature review. (3-5 pages)
Discussion
Provide a discussion about your specific topic findings. Using the literature you found, how do you solve your problem? How does it affect your general/broad problem?
References
Running Head: CLOUD COMPUTING AND DATA SECURITY
Cloud Computing and Data Security
Naresh Rama
Professor Dr.Jerry Alsay
07/14/2019
Cloud Computing and Data Security
Introduction
In today's world, the movement of data is from a store that is severe and located centrally to the storage of the cloud. Services in the cloud offer flexibility, scalability, and proportionate concerns about the issue of security. Safety is an important aspect and it is associated with the computing of the cloud because information can be stored on the cloud by users with the help of providers that work in the service of the cloud. In the security of data and computing of the cloud, there are some problems. They include backups of data that are improper and inadequate, which have caused organizations to be among those that are vulnerable to threats that are associated with security measures.
Data that is found in an organization and is stored in encrypted files is interfered with by these threats. The problem found under these investigations is significant to this study, and these show that the threats that emerge because of improper data backups lead to a significant issue in the security of data in cloud computing and also in data security.
The study tends to show that security of data and computing of data leads to the provision of ways that help in the protection of private data and classified information from such threats. These may include attacks in the cyber sector and losses that occur in case of disasters (Strategic Cyber Security, 2011). This study has limitations: assurance of security for the computing of the cloud is not available, and there is no hundred percent protection of the data that is vital to an organization.
Background
Hacke ...
Cyber Security Expert, A Challenging RoleSamidha Takle
Many aspire to be Cyber Security Experts. But before that let us understand what it takes to become a real expert in this field.
To know more details you can visit here:
https://texceed.in/cyber-security-expert-our-protector-from-cyber-attacks/
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
Data is one of the most important assets an organisation has since it defines each organisation's uniqueness. It includes data on members and prospects, their interests and purchases, your events, speakers, your content, social media, press, your staff, budget, strategic plan, and much more. As organizations open their doors to employees, partners, customers and suppliers to provide deeper access to sensitive information, the risks associated with business increase. Now, more than ever, with increasing threats of cyber terrorism, corporate governance issues, fraud, and identity theft, the need for securing corporate information has become paramount. Information theft is not just about external hackers and unauthorized external users stealing your data, it is also about managing internal employees and even contractors who may be working within your organization for short periods of time. Adding to the challenge of securing information is the increasing push for corporate governance and adherence to legislative or regulatory requirements. Failure to comply and provide privacy, audit and internal controls could result in penalties ranging from large fines to jail terms. Non-compliance can result in not only potential implications for executives, but also possible threats to the viability of a corporation. Insiders too represent a significant risk to data security. The task of detecting malicious insiders is very challenging as the methods of deception become more and more sophisticated. There are various solutions present to avoid data leakage. Data leakage detection, prevention (DLPM) and monitoring solutions became an inherent component of the organization's security suite. DLP solutions monitor sensitive data when at rest, in motion, or in use and enforce the organizational data protection policy. These solutions focus mainly on the data and its sensitivity level, and on preventing it from reaching an unauthorized person. They ignore the fact that an insider is gradually exposed to more and more sensitive data, to which she is authorized to access. Such data may cause great damage to the organization when leaked or misused. Data can be leaked via emails, instant messaging, file transfer etc. This research is focusing on email data leakage monitoring, detection and prevention. It is proposed to be carried out in two phases: leakage detection through mining and prevention through encryption of email content.
A data breach demands a comprehensive response. Knowing who will be part of your response team and assigning their primary tasks ahead of time will help you quickly take appropriate action. The team should be enterprise-wide and include key members of the executive team and board of directors, the head of IT, security experts, as well as representatives from your legal, communications and HR departments.
250-500 words APA format cite references Check this scenario out.docxjeanettehully
250-500 words APA format cite references
Check this scenario out. Long term care can consists of servicing patients need at a patient's home, providing meals, transportation and in home therapy. Some long term care is within the home and some can be rehab. Lets say there is a growing need to extend those services to our growing need in elderly population. Part of that need is a demand for servicing the increasing population of the Hispanic community. We as a team need to meet with a cross- functional management team that can relay the need and services outside of the facility. We need hired people who are bilingual that can work the call center, deliver food, offer in home therapy, and provide transportation.
Our audience will be the new management team. Each member of the coordination of care team of management will cover or be responsible for one of those areas. Our standpoint will be that we are the board of directors that would be talking with them.
Given the above scenario, my part of the assignment is to come up with strategies for the transition and what methods may be needed.
2 DQ’s need to be answers with Zero plagiarism and 250 word count fo.docxjeanettehully
2 DQ’s need to be answers with Zero plagiarism and 250 word count for each question. Due in 6 hours TODAY! Please include all references if necessary.
Week One DQ1
Week One DQ3
To clarify... these ratios are part of the DuPont model, and the DuPont model considers liquidity as one of the factors to be evaluated, but at the end of the day, the DuPont model is all about return on equity... basically getting your money's worth. Given that, what are the elements of liquidity and how do they lead us into the discussion on equity? Why is this important to understand?
Analysis of personal information security behavior and awareness.docxdaniahendric
Analysis of personal information security behavior and awareness
It's a developing portion of human security that aims at raising awareness concerning the dangers of fast-evolving information forms and emerging threats to the information, and it focuses on human character. Since threats have developed and information is growing in value, attackers have upgraded their abilities and extended to broader intentions. Also, more means of making the attacks have developed as well (Öğütçü, Testik & Chouseinoglou, 2016). The attacks have evolved to circumvent processes and controls. Aggressors have focused on and effectively exploited the character of humans to breach relevant infrastructure schemes and corporate networks. Individuals who are unaware of the threats may circumvent traditional processes and security controls and cause an organization breach. In reply, information security awareness is growing.
The main aim of the concept under discussion is to enhance awareness for everyone and inform them that they can be a victim of the threats and risks at any time. Information security consciousness responds to developing cyber-attacks. Most of the time, people assume that security is all about technical controls (Ki-Aries & Faily, 2017). But the fact is that people are the targets, and the character they possess can cause risk or offer countermeasures in response to threats and risks. Awareness metrics are increasing at a high rate to know and amount people threat landscape. The increase also aims at reducing risks associated with organizations and weighing the effectiveness and expense of awareness as the countermeasure.
Most organizations don't invest a lot in information security. Few organizations pay attention to security issues. They tend to assume all is well so long as they have a password in their systems. However, this is not true, because if an attack occurs, such an organization is likely to suffer a lot. Security is an essential plan any organization can adopt to minimize security threats resulting from workers. An awareness plan assists associates to understand that security is not a personal responsibility but everyone's responsibility. Everyone should be careful when it comes to security because nobody can choose to be a victim, but they only find themselves (Ki-Aries & Faily, 2017). Employees should be accountable for the actions done under their empathies. Security awareness enforces effective means of how business computers can be handled.
A policy developed should give awareness about social media and other types of virus. Workers should be aware of necessary to be followed when using computers. Alternatively, companies can plan to form interactive sessions for every worker to get to understand more about their security. Such interactive sessions entail consciousness about new risks and measures to overcome them. The program of awareness won't be gainful if there is no punishment for those who violate rules. Employees who don't adhere to the pr ...
Stuxnet and U.S Incidence ResponseStudent NameProfessor Na.docxpicklesvalery
Stuxnet and U.S Incidence Response
Student Name
Professor Name
Institution
Date
The U.S Computer Emergency Readiness Team is a body mandated to protect the country’s internet infrastructure and to ensure the general welfare of all public entities on the internet. It devises methods to clearly respond to cyber security attacks that might pose a threat to the nation. It works alongside the Department of Homeland Security together with multiple other private and public companies in accomplishing this task (Techopedia, 2018).
The U.S CERT has a number of activities it engages in, in order to make the internet a safe place for the entire nation. It for instance devises means for the public to report any cyber threat or attack that they suspect to the body for appropriate actions to be taken. It also engages in educational ventures with the aim of making the public and industries aware of data security and threats.
The body also has the role of making the general public aware of looming cyber security strikes and attacks. It gathers information from various sources, and analysis of these can actually help it point out possible security threats various bodies are facing or at risk of. By so doing it is able to prevent any loss that could have come about as a result of such attacks (ICS-CERT, 2015).
The emergency response team also takes part in coordinating the recovery activities in emergency situations in conjunction with other firms. These activities are aimed at reducing the impact that a cyber attack makes and also try to restore any data or operations that might have been brought down as a result of the attack.
An analysis of the data gathered from security threats is also made by the firm in order to learn more about the nature of attacks and to prevent future attacks from happening. Additionally they also conduct an evaluation of malware applications in order to better know which systems are at risk of attacks and how these attacks can be detected in a system (Ferran, 2012).
The response team also has the role of working hand in hand with other security agencies in the quest of coming up with mitigation steps aimed at preventing and dealing with cyber security threats. The bodies share data that they have individually gathered and by putting it together they are able to come up with a clearer picture as to how security attacks are manifested and how they can be able to better detect these security threats.
The U.S Computer Emergency Response Team follows the best guidelines when it comes to cyber crime response and emergency response preparedness. They use the best approach when it comes to collection of data relating to security threats by getting it from actual security occurrences. The feedback from the general public is also a rich source of information in matters concerning cyber security. By collaborating with other security agencies they stand in a better position to more effectively combat security threats and possible attacks.
T ...
With work from home becoming popular amid the pandemic, cyber-attacks by ransomware
operators have been on the rise and they may go on after any organization- an enterprise or a
small business, as long as they can gain access to them with ease.
No one today is a stranger to the word- Ransomware! But yes, there are certain tips and tricks
to safeguard yourself from such attacks on an organizational level. A good computer security
practice can help defend organizations against ransomware attacks.
Replies Required for below Posting 1 user security awarene.docxsodhi3
Replies Required for below :
Posting 1: User security awareness is the most important element of an organization, as we know a single email can result in a multi-million dollar loss through a breach in a very short time. That is the primary reason many large organizations have a specific division who deal with the security, whose prime task is to identify and prevent security breaches, and most interestingly companies like Facebook have a one million dollar price reward for ethically breaching their security, which helps them identify more ways and prevent them before they occur. Speaking of which, user security deals with various levels of users as mentioned below.
1. New employees
2. Company executives
3. Traveling Employees
4. IT Employees
5. For all employees
Security awareness should be covered focusing the four above mentioned categories using real-world examples like classroom training, and circulating latest updates in security patches and also articles or suggestions as well as visual examples about security awareness. Training employees by pasting most important security preventions every employee must consider in order to prevent security breach and pasting lastest updates about security measurements in common areas across office space and conduct brainstorm sessions with individual senior staff members to understand their needs and how to apply security awareness across teams.
and second thing is to secure customers who are the core revenue generating people to an organization and its organization's duty to secure customers. The customer is the benefit of any organization. At the present time, where online security turns into an essential, the association must view client's profitable data that movements between the server and the site. By building security culture, the association can spur clients, contractual workers, representatives. A fulfilled client dependably functions as a mouth exposure and will fill in as an advantage of the organization. The association can guarantee their clients that the amount they think about their web assurance. The association ought to likewise distribute a note of wellbeing safety measure on the site for clients while collaborating with the web world.
Posting 2:
Security is a key human thought that has ended up being harder to portray and approve in the Information Age. In rough social requests, security was compelled to ensuring the prosperity of the get-together's people and guaranteeing physical resources. As society has grown more mind-boggling, the centrality of sharing and securing the fundamental resource of data has extended. Before the extension of present-day trades, data security was confined to controlling physical access to oral or created correspondences. The essentials of data security drove social requests to make innovative techniques for guaranteeing their data.
Changes in security systems can be direct. Society needs to execute any new security innovation as a get-together, whic ...
1
Running Header: ORGANIZATIONAL SECURITY
4
ORGANIZATIONAL SECURITY
ORGANIZATIONAL SECURITY
Student’s Name
Tutor’s Name
Course Title
Date
Introduction
The security of the world is currently increasing in a simultaneous manner. Many countries all around the world try harder to cater to its citizens despite having huge numbers of citizens. Business is the core factor that gives out people a way to a better life. Organizations have emerged and that they all try as much as possible to be successful, despite having many challenges in the market square. The exchange of goods and services is the main core issue that led to the emergence of business globally. In general terms there are different products that are produced all around the world, researchers have proven that for the business to be rated in a successful level the security status of the business must also be considered. Security generally protects the product and services of the organization. It is very important to keep the security of the of the company high, this is based on the fact that all the product and services produced by the company will be secured from competitors and the ill motive individuals who might want to bring down the business. Employers and employees are the ones who are responsible for keeping the security in an organization to be at a high level.
Background information
In today’s world, everything that is tangible is always stored in a digital form. When the business lacks a form to defend its digital assets generally the business is lost, thus the potential loss of the business will grow bigger every day. (Gupta, Rees, Chaturvedi & Chi, 2006) The need of having legal security in the organization literally existed ever since the introduction of the first computer in the business environment. Recently the paradigm has greatly shifted over the years, nevertheless from the client-server systems and terminal server mainframe systems.
Despite the security system being very important, in many terms it has not always been set aside to be critical in organizational success. With the existence of the mainframe system being in the place, many organizations manage to protect their own systems from the abuse of the resources, for instances having unauthorized user gaining access to the organizational system and also the act of authorized user hogging company’s resources. Such types of abuse were considered to be more damaging based on the fact that the system had a higher cost during the early mainframes days. As time goes by, the technology techniques developed and increased to some level, hence the cost of the systems resources decreases, this issue apparently becomes less important to the business environment. (Gupta, Rees, Chaturvedi & Chi, 2006)The evolving act of having remote access outside the organizational networks was also considered to be non-existence. Furthermore, only the underground community had higher tools and knowledge that is rightfully needed.
Running head CHALLENGES OF CYBER SECURITY9.docxsusanschei
Running head: CHALLENGES OF CYBER SECURITY 9
Challenges of Cyber Security
Challenges of Cyber Security
Currently, computer security constitutes one of the fields with increasing significance because many people rely on computer systems and the internet for various operations. By the term ‘cyber security’, it refers to the provision of safety measures for computer systems against theft and destruction to the hardware, software and the information contained therein. It also includes protecting computer systems from any form of interference that hinders their efficiency to service delivery. According to (Vasconcelos et al., 2017), cyber security means limiting the physical access to certain hardware and providing safety against destruction that could result due to malpractice or when system operators become tricked and deviate from what is known secure guidelines.
There are many challenges for cyber security measures to be effective. Computer system operators experience great challenges in providing reliable and effective cyber security. Therefore, the question is that; how should system operators get the proper training to overcome numerous cyber security challenges? It is important to pose the question because today there are many businesses that feel insecure. For example, most enterprises doubt the preparedness by system operators and their ability to ensure that there is security in the corporate networks. In addition, a recent research carried by Enterprise Strategy Group established that about a quarter of system operators do not possess the desired skills. Lack of enough personnel who are equipped with right skills is the key factor attributed to challenges of cyber security. While cyber security significantly assists in to protecting us, many enterprises together with their esteemed clients, from someone falsely representing something as beneficial to them or to infiltrate our systems, it is in great need to be expanded on in order to safeguard us, and to create a safer environment protecting companies and our personal information and data, but it can and does fail to provide us complete security, if safe practices are not followed.
Protecting the Home Front
Home front is an informal term commonly used by the civilians of a nation, which faces a war, and their active support system of the military. As a result, military forces largely rely on home front civilian aid services. However, due to increased potential of destruction to the home front, there is a need to offer them appropriate protection (Wang & Lu, 2013). The military has the ability to design systems to help protect and deal with the vulnerabilities to the home front from direct attacks. There a number of things, that can be done to protect the home front against various attacks.
First, one could use automatic light timers fixed throughout in their systems. Light timers can be programmed to switch on and off in a way that helps simulate an in ...
Today's corporate world is part of the battleground fighting against potential threats and attacks. Though the threat landscape is evolving ra pidly, security has usually always caught up to gain the upper hand.
Research Paper TopicITS835 – Enterprise Risk Managemen.docxaudeleypearl
Research Paper Topic
ITS835 – Enterprise Risk Management
Dr. Jerry Alsay
University of the Cumberlands
Introduction
All research reports begin with an introduction. (1 – 2 Pages)
Background
Provide your reader with a broad base of understanding of the research topic. The goal is to give the reader an overview of the topic, and its context within the real world, research literature, and theory. (3 – 5 Pages)
Problem Statement
This section should clearly articulate how the study will relate to the current literature. This is done by describing findings from the research literature that define the gap. Should be very clear what the research problem is and why it should be solved. Provide a general/board problem and a specific problem (150 – 200 Words)
Literature Review
Using your annotated bibliography, construct a literature review. (3-5 pages)
Discussion
Provide a discussion about your specific topic findings. Using the literature, you found, how do you solve your problem? How does it affect your general/board problem?
References
Running Head: CLOUD COMPUTING AND DATA SECURITY1
Cloud Computing and Data Security
Naresh Rama
Professor Dr.Jerry Alsay
07/14/2019
Cloud Computing and Data Security
Introduction
In today's world, the movement of data is from a store that is severe and located centrally to cloud storage. Services in the cloud offer flexibility, scalability, and proportionate concerns regarding security. Safety is an important aspect of cloud computing because users can store information in the cloud with the help of cloud service providers. There are some problems in data security and cloud computing. They include improper and inadequate data backups, which have left organizations vulnerable to threats associated with security measures.
These threats interfere with organizational data stored in encrypted files. The problem found in these investigations is significant to this study: the threats that emerge from improper data backups lead to a significant issue for data security in cloud computing.
The study tends to show that data security and cloud computing lead to the provision of ways to protect private data and classified information from such threats, which may include cyber attacks and losses that occur in disasters (Strategic Cyber Security, 2011). This study has limitations: security assurance for cloud computing is not available, and an organization's vital data cannot be protected one hundred percent.
Background
Hacke ...
Cyber Security Expert, A Challenging RoleSamidha Takle
Many aspire to be Cyber Security Experts. But before that let us understand what it takes to become a real expert in this field.
To know more details you can visit here:
https://texceed.in/cyber-security-expert-our-protector-from-cyber-attacks/
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
Data is one of the most important assets an organisation has since it defines each organisation's uniqueness. It includes data on members and prospects, their interests and purchases, your events, speakers, your content, social media, press, your staff, budget, strategic plan, and much more. As organizations open their doors to employees, partners, customers and suppliers to provide deeper access to sensitive information, the risks associated with business increase. Now, more than ever, with increasing threats of cyber terrorism, corporate governance issues, fraud, and identity theft, the need for securing corporate information has become paramount. Information theft is not just about external hackers and unauthorized external users stealing your data, it is also about managing internal employees and even contractors who may be working within your organization for short periods of time. Adding to the challenge of securing information is the increasing push for corporate governance and adherence to legislative or regulatory requirements. Failure to comply and provide privacy, audit and internal controls could result in penalties ranging from large fines to jail terms. Non-compliance can result in not only potential implications for executives, but also possible threats to the viability of a corporation. Insiders too represent a significant risk to data security. The task of detecting malicious insiders is very challenging as the methods of deception become more and more sophisticated. There are various solutions present to avoid data leakage. Data leakage detection, prevention (DLPM) and monitoring solutions became an inherent component of the organization's security suite. DLP solutions monitor sensitive data when at rest, in motion, or in use and enforce the organizational data protection policy. These solutions focus mainly on the data and its sensitivity level, and on preventing it from reaching an unauthorized person. They ignore the fact that an insider is gradually exposed to more and more sensitive data, to which she is authorized to access. Such data may cause great damage to the organization when leaked or misused. Data can be leaked via emails, instant messaging, file transfer etc. This research is focusing on email data leakage monitoring, detection and prevention. It is proposed to be carried out in two phases: leakage detection through mining and prevention through encryption of email content.
A data breach demands a comprehensive response. Knowing who will be part of your response team and assigning their primary tasks ahead of time will help you quickly take appropriate action. The team should be enterprise-wide and include key members of the executive team and board of directors, the head of IT, security experts, as well as representatives from your legal, communications and HR departments.
250-500 words APA format cite references Check this scenario out.docxjeanettehully
250-500 words APA format cite references
Check this scenario out. Long term care can consist of servicing patients' needs at a patient's home, providing meals, transportation and in home therapy. Some long term care is within the home and some can be rehab. Let's say there is a growing need to extend those services to our growing need in elderly population. Part of that need is a demand for servicing the increasing population of the Hispanic community. We as a team need to meet with a cross-functional management team that can relay the need and services outside of the facility. We need hired people who are bilingual that can work the call center, deliver food, offer in home therapy, and provide transportation.
Our audience will be the new management team. Each member of the coordination of care team of management will cover or be responsible for one of those areas. Our standpoint will be that we are the board of directors that would be talking with them.
Given the above scenario, my part of the assignment is to come up with strategies of the transition and what methods may be needed?
.
2 DQ’s need to be answers with Zero plagiarism and 250 word count fo.docxjeanettehully
2 DQ’s need to be answered with zero plagiarism and a 250 word count for each question. Due in 6 hours TODAY! Please include all references if necessary.
Week One DQ1
Week One DQ3
To clarify... these ratios are part of the DuPont model, and the DuPont model considers liquidity as one of the factors to be evaluated, but at the end of the day, the DuPont model is all about return on equity... basically getting your money's worth. Given that, what are the elements of liquidity and how do they lead us into the discussion on equity? Why is this important to understand?
.
270w3Respond to the followingStress can be the root cause of ps.docxjeanettehully
270w3
Respond to the following:
Stress can be the root cause of psychological disorders. Name four symptoms shared by acute and posttraumatic stress disorders.
What life events are most likely to trigger a stress disorder?
Traumatic events do not always result in a diagnosable psychological disorder. What factors determine how a person may be affected by one such event?
What is the link between personality styles and heart disease?
List and briefly describe four psychological treatments for physical disorders.
.
250 word response. Chicago Style citingAccording to Kluver, what.docxjeanettehully
250 word response. Chicago Style citing
According to Kluver, what are the ramifications of technology and globalization on global communication?
Compare Kluver’s arguments with endangered languages, and with the readings about the Digital Divide. How do they compare? From these readings, what are the general trends of communication?
Readings
Jandt, Fred E. (editor) Intercultural Communication: A Global Reader. Thousand Oaks, CA: Sage. 2004
“Globalization, Informatization, and Intercultural Communication,” Kluver, Jandt pages 425-437
“Part II: Language,” Introduction, Jandt pages 99-102
“Babel Revisited,” Mühlhäusler, Jandt pages 103-107
“Africa: The Power of Speech,” Bâ, Jandt pages 108-111
http://en.wikipedia.org/wiki/Digital_divide
http://www.endangeredlanguages.com/
.
250+ Words – Strategic Intelligence CollectionChoose one of th.docxjeanettehully
250+ Words – Strategic Intelligence Collection
Choose one of the following topics and respond per the Forum guidance:
1) What is the role of the Collection Management function? Does the CIA model work, given that analysts are separated from the National Clandestine Service
--or--
2) Why are some collection methods considered principally strategic, supporting the strategic analysis process? How would you define "strategic intelligence collection?"
.
2–3 pages; APA formatDetailsThere are several steps to take w.docxjeanettehully
2–3 pages; APA format
Details:
There are several steps to take when submitting a claim form to the insurance company for reimbursement. The result of a clean claim is proper reimbursement for the services the facility has provided.
In this assignment, you will be addressing the claims submission process and the follow-up.
Include the following in your submission:
List all of the information that is important before the claim can be submitted.
Discuss some of the reasons why a claim may be rejected.
What steps should be taken to check the claim status?
.
250 Word Resoponse. Chicago Style Citing.According to Kluver, .docxjeanettehully
250 Word Response. Chicago Style Citing.
According to Kluver, what are the ramifications of technology and globalization on global communication?
Compare Kluver’s arguments with our readings last week on endangered languages, and with our readings about the Digital Divide.
How do they compare?
From these readings, what are the general trends of communication?
Readings:
http://en.wikipedia.org/wiki/Digital_divide
“Globalization, Informatization, and Intercultural Communication,” Kluver, Jandt pages 425-437
Jandt, Fred E. (editor) Intercultural Communication: A Global Reader. Thousand Oaks, CA: Sage. 2004
Last week's reading:
“Part II: Language,” Introduction, Jandt pages 99-102
“Babel Revisited,” Mühlhäusler, Jandt pages 103-107
“Africa: The Power of Speech,” Bâ, Jandt pages 108-111
“Research and Context for a Theory of Maori Schooling,” Penetito, Jandt pages 173-188
Explore www.endangeredlanguages.com and watch the video at http://youtu.be/Bn2QbwcjmOI
.
250 word mini essay question.Textbook is Getlein, Mark. Living wi.docxjeanettehully
250 word mini essay question.
Textbook is: Getlein, Mark. Living with Art, 9th Ed., New York: McGraw-Hill, 2010.
Please Cite in MLA format.
1. Distinguish between the Paleolithic and Neolithic Periods in terms of time and cultural developments.
2. Compare and contrast specific examples of artifacts, practices, and systems of belief.
3.Discuss why art survives or does not. Include the four reasons Getlein cites for how art survives, giving an example of art work from both the Paleolithic and Neolithic Periods that meet one of these requirements.
4. What types of art work or materials would not likely survive?
5. How might this affect our opinion of a culture?
.
250 word discussion post--today please. Make sure you put in the dq .docxjeanettehully
250 word discussion post--today please. Make sure you put in the dq that the research paper focused around recent Civil Rights in the Mississippi Area
How do you define Mississippi?
In your post, identify your thesis and the sources you used to prove your argument. Discuss how you came to define Mississippi and what conclusions you made about the state. Make sure to point out the general areas of History that you discuss and what events, people, or ideas were especially important to your interpretation of Mississippi History. What readings, from Bond, Busbee, or another source you found, profoundly influenced your view of the state? Overall, has your view of Mississippi changed or mostly stayed the same? What can we learn about Mississippi today from your paper? Is Mississippi as a "closed society" (Silver, 1964) an accurate way to look at the state? Has this been true at some point in the past, but is no longer true? What time period is most crucial to understanding Mississippi and best defines it?
Some examples of different periods in Mississippi History are:
pre-European Mississippi
colonial Mississippi
territorial Mississippi
antebellum Mississippi
Civil War/Reconstruction Mississippi
Jim Crow Mississippi
Mississippi during the Civil Rights Movement
Post Civil Rights Mississippi
.
2By 2015, projections indicate that the largest category of househ.docxjeanettehully
2
By 2015, projections indicate that the largest category of households will be composed of
· childless married couples and empty nesters
· married couples with children
· single-parent families
· singles living with nonrelatives
3
Which of the following elements of sociocultural environment can be associated with the growing demand for social surrogates like social networking sites, television, and so on?
· Views of nature
· Views of others
· Views of ourselves
· Views of organizations
Wabash Bank would like to understand if there is a relationship between the advertising or promotion it does and the number of new customers the bank gets each quarter. What type of research is this an example of?
· Secondary
· Exploratory
· Causal
· Qualitative
5
Which strategy does this exemplify? Kayak and Orbitz provide their customers with a variety of travel options including flight reservations, vacation packages, flight and hotel options with or without car rentals, and cruise offerings.
· Diversification
· Promotional
· Differentiation
· Focus
A company's sales potential would be equal to market potential when which situations exists?
· The marketing expenditure of the company is reduced to zero.
· The company gets 100 percent share of the market.
· Industry marketing expenditures approach infinity for a given marketing environment.
· The market is nonexpandable.
Marketing is considered both an art and a science. How do the 4Ps, or marketing mix, help us bridge the gap between art and science?
· Marketing focuses on sales as the primary goal.
· Marketing is involved with price as the major factor.
· Marketing is about advertising.
· Marketing balances the need for data with that of creativity.
In the U.S., consumer expenditures on homes and other large purchases tend to slow down during a recession because
· of steady supply of loanable funds in the economy during recession
· consumer borrowing increases during recession
· of stringent credit policies adopted by the Fed before the onset of recession
· the consumers have a high debt-to-income ratio
Which of the following statements demonstrates behavioral loyalty towards a brand?
· Myfavorite Laundry detergent is so easy to use.
· I always buy Myfavorite Laundry detergent when purchasing laundry detergent.
· My friends agree Myfavorite Laundry detergent is the best.
· Myfavorite Laundry detergent smells good.
When Apple introduced iTunes, a new market was opened. Which of the following describes this type of innovation?
· Operational excellence
· Value capture
· Presence
· Value chain
11
Which of.
29Answer[removed] That is the house whe.docxjeanettehully
29
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
The doctor examined a man whose hands were colder than the rest of
his body.
30
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
Mrs. Carnack has a cousin whom she would like us to meet.
31
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
Who was the person who won the track meet?
32
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
The restaurant where there was music was almost deserted.
33
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
Find a boy whose eyes are green.
34
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose. Type the first word
followed by a space and the last word of the adjective clause in the
following sentence:
The tale that was told that night was never forgotten.
35
That is the house "where I grew up."
The words in quotes make up an adjective clause. An adjective clause does
what an adjective does: it modifies the noun "house." Adjective clauses
begin with that, which, where, who, whom, or whose..
250 words discussion not an assignementThe purpose of this discuss.docxjeanettehully
250 words discussion not an assignment
The purpose of this discussion is to gain a more complete awareness of the extent of socio-environmental influences impacting the development of adolescents. Triandis (as cited in Coon and Kemmelmeier, 2001) states, "Individualism and collectivism are broadly defined cultural syndromes that encompass a number of elements, including values, norms, goals, and behaviors" (Coon and Kemmelmeier, 2001, p. 348).
Consider the audio piece in this unit's studies (also linked in the Resources) that compares two teens' viewpoints of life within their cultural domains. This piece highlights the impact of family, community, and cultural beliefs and values on an individual's development. For your initial post in this discussion, explore these influences by addressing the following questions:
How does exposure to media influence the manner in which adolescents develop?
How does exposure to peers influence development in both systems?
Using the reading from the textbook on risky behaviors, how might adolescents' influences and understanding of risk be different, based on their culture and expectations of self?
The optional reading in this unit's studies may provide additional information to support your post, if you choose to use it.
Response Guidelines
Respond to one learner by supporting his or her analysis of the two teens with additional information you have acquired outside of the textbook. Cite and reference your source with proper APA formatting. Be sure to address concepts in the post and find any similarities in your thinking as well.
Reference
Coon, H. M., & Kemmelmeier, M. (2001). Cultural orientations in the United States: (Re)Examining differences among ethnic groups. Journal of Cross-Cultural Psychology, 32(3), 348–364. Thousand Oaks, CA: Sage.
.
25. For each of the transactions listed below, indicate whether it.docxjeanettehully
25. For each of the transactions listed below, indicate whether it is an operating (O), investing (I) or financing (F) activity on the statement of cash flows. Also, indicate if the transaction increases (+) or decreases (-) cash. 12 points
Transaction Type of Activity Effect on Cash
A) Paid dividends to the owners
B) Purchased equipment by paying cash
C) Issued stock for cash
D) Paid wages to employees
E) Repaid the bank loan
F) Collected cash on account from customers
.
250-word minimum. Must use textbook Jandt, Fred E. (editor) Intercu.docxjeanettehully
250-word minimum. Must use textbook: Jandt, Fred E. (editor) Intercultural Communication: A Global Reader. Thousand Oaks, CA: Sage. 2004 and articles provided. MLA citation.
Levi-Strauss and Hofstede portray culture as a dichotomy. What are the implications of such a dichotomy? How do these variants affect you when you attempt to communicate with other cultures? Likewise, how do these variants affect your audience when you attempt to communicate with them?
.
250+ Words – Insider Threat Analysis Penetration AnalysisCho.docxjeanettehully
250+ Words – Insider Threat Analysis / Penetration Analysis
Choose one of the following. The first is insider threat analysis and the other is the threat presented by hostile intelligence operations. Be challenging and show what you know.
Topic 1
Insider threats come from individuals who operate inside friendly intelligence and national security organizations who purposefully set out to cause disruption, destruction, and commit crimes to those ends. Please read Insider Threat IPT and Solving Insider Threat in the Course Materials Folder. Using the web or the online library choose a high profile case of insider threat (cyber, intelligence, military) and draft a 350 word summary of the case highlighting successes or failures of analysis in bringing resolution to the case. What analysis methods can you discern? What do you think could have been done differently to improve the analysis?
--or--
Topic 2
Complete reading Foreign Espionage Threat and Observations on the Double Agent and Social Courtesy. In the penetration of a hostile intelligence service, analysis is central to identifying, pursuing, and preparing the recruitment of an agent. In 350 words please research the Oleg Penkovsky, Aldrich Ames, or Jonathan Pollard cases. Provide a summary of the role of analysis in the recruitment and running of these agents from the perspective of their handlers (the US/British, Soviet Union, and Israel, respectively). You'll need to conduct additional research on the web or in the online library to help you develop a factual understanding of the case you choose.
.
250 wordsUsing the same company (Bank of America) that you have .docxjeanettehully
250 words
Using the same company (Bank of America) that you have been using in previous weeks, please review its cash flow sheet. The statement of cash flows is divided into three parts: (1) operational cash flows, (2) financing cash flows, and (3) investment cash flows. Discuss the primary components of each of these sections of the cash flow statement:
Operational cash flows:
Use the direct method, which focuses on the sources of cash and the uses of operating cash such as cash from customers minus cash payment for expenses and payments to creditors.
Financing cash flows:
This should include cash received as the owner’s investment and cash withdrawals by owners.
Investing cash flows:
These include cash from investing activities (in other companies or securities) and any cash paid to make these investments.
.
250 mini essay questiontextbook Getlein, Mark. Living with Art, 9.docxjeanettehully
250 mini essay question
textbook: Getlein, Mark. Living with Art, 9th Ed., New York: McGraw-Hill, 2010 Please include citations in MLA format.
First, describe the shift in the Roman Empire that created Byzantium in the East and what would eventually become Europe in the West and explain the impact of this political, religious, and social split on the art produced in these regions in this era. Provide specific examples of particular works of art or architecture to illustrate your points.
Second, trace the subsequent development of art in the East and the West from the Early through the High and Late Middle Ages by citing specific works of art or architecture and describing characteristic features these works exemplify. Be sure to include each of the following terms in your discussion:
-animal style
-Carolingian
-Romanesque
-Gothic
.
22.¿Saber o conocer… With a partner, tell what thes.docxjeanettehully
22. ¿Saber o conocer…? With a partner, tell what these people know, using saber or conocer.
Natalia [removed] al suegro de Mirta. Ella [removed] dónde vive él, pero no [removed] su número de teléfono.
David [removed] muchas ciudades de España, pero no [removed] hablar español.
Estela [removed] muchos poemas de ese poeta, pero no [removed] ninguno de memoria.
Roberto [removed] a la familia que da la fiesta de Año Nuevo, pero no [removed] dónde es la fiesta.
Yo [removed] que Lorca es un poeta español.
.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. Synthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
These slides describe the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentation aligns with the UGC Paper I syllabus.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Introduction to AI for Nonprofits with Tapp Network
Running head: STUDY OF RANSOMWARE
Study of Ransomware
by
Vinay Akula
Instructor: Dr Donnie Grimes
University of Cumberlands
Table of Contents
Title page
Introduction
Study of Ransomware
Impacts Caused by Ransomware Attacks
Management of Ransomware Attacks
References
Study of Ransomware
Introduction
Information technology has developed considerably over the last decades, thanks to advances in the field of technology. This gradual development has been accompanied by advances in internet connectivity around the world, leading to the concept of the internet of things, which has brought massive benefits. Organizations that have turned to the internet and technology to run their key activities have gained in various ways. However, these advances have come with numerous challenges, and ransomware attacks are just one of the key challenges that organizations face when using the internet to provide quality services to the market (Moschovitis, 2018).
Study of Ransomware
The success of any organization depends on its ability to protect and secure its database and the key activities that take place within its premises. This is especially important in today's world, where technology has become an effective tool in the daily execution of duties. Cybercrime has clearly increased rapidly as technology has advanced, which has made the fight against cybercrime and internet warfare more challenging and difficult.
A ransomware attack is basically defined as a malware attack on somebody's smartphone or computer that holds some of the user's data for ransom until he or she pays to regain access to the data that has been blocked. Advances in technology have made matters difficult for internet users, as criminals have always managed to change their methods. Therefore, in most cases, criminals stay ahead in the fight against ransomware. The increase in ransomware attacks has to be attributed to the growing number of computer learners and computer security professionals who might unknowingly or knowingly share critical information that leads to these malicious attacks being carried out (Moschovitis, 2018).
Impacts Caused by Ransomware Attacks
Ransomware attacks are known to have devastating effects on both the individuals and the organizations that fall victim to them. The impacts are usually devastating for organizations because they lead to data loss. Data loss is not business as usual for any organization, given the effect such a loss can have on the organization's development. For instance, an increase in ransomware attacks means damage to host systems, files and data, making it difficult for organizations to carry on with their business.
Besides that, data loss makes it difficult for such an organization to carry on with its business. This is because of the impact organizations face when they lose such data. For instance, loss of data damages the company's reputation, as some of the information lost might be confidential information about customers; this is especially so when hospitals are attacked. Such a loss of data might lead to the closure of the company because of the negative impact created in society.
Additionally, there is system downtime whenever such an attack takes place in an organization. Time is spent dealing with the data loss and ensuring that the system can resume easily. As a result, an enormous amount of time is lost in restructuring the entire system into a formidable system once again. System downtime therefore leads to further loss of resources that would have been used in running the company towards meeting its goals (Campbell, 2016).
In addition, the attack leads to the loss of the company's resources, such as time and money. This is especially so after an attack has been carried out and a ransom is demanded before the blocked services can be accessed again by the user of the computer. In this case, time is wasted as one tries to reach an amicable solution, and money is also spent to help resolve the situation. The attack therefore has a huge impact on the running of the organization, because a lot of time is spent on seeking a solution rather than on helping the company realize its goals. Besides that, once the company resumes operations, it never recovers from the fear of being attacked, which leaves everyone working in such an environment feeling insecure in the daily delivery of their duties.
The impacts mentioned above have devastating effects on the effective running of the organization. Resources are wasted and, in the worst cases, these impacts lead to the ultimate closure of the organization. As a result, organizations need to seek the best security measures to ensure that such threats do not cause devastating impacts on society. This is largely because the fight against cybercrime has become effective through the increase in training and education offered to various individuals around the world.
Management of Ransomware Attacks
Therefore, there must be a robust security measure that prevents modified ransomware attacks on the information infrastructure, with a focus on Android devices. The method should be able to detect any defects in the processing units and any malicious attacks, and so help eliminate such attacks as fast as possible, so that the organization can continue discharging its duties unaffected by the ransomware attacks that have become rampant today.
The attacks will have to be managed by incorporating some of the best and most modern tools for fighting ransomware in the organization. The tools should be able to detect any suspicious behavior in the course of their operation; this will then call for appropriate measures that result in easy elimination of the threats posed by ransomware attacks.
In this case, various measures are needed to ensure that ransomware attacks are managed well and further damage to organizations is prevented. The first is the installation of updated antivirus software throughout the entire business organization. Antivirus has to be just the first line of defense for the organization, within a multi-faceted approach to managing security issues. The multi-faceted system should provide better technologies for managing security threats, such as firewalls, heuristics, and behavior-based threat detection. Besides that, because technology is ever-growing, this software must be kept updated so that it does not become outdated and ineffective in identifying and managing ransomware attacks (Haber & Hibbert, 2017).
Besides that, there is also a need to create internet usage awareness among users. Making internet users aware of security threats, and of the ways in which security breaches might be prevented, is itself a means of prevention. The awareness has to come through campaigns that stress avoiding clicking on emails from senders the users do not know. Internet users should ask themselves some questions before clicking on the emails they receive, such as: Do they know the sender? Is there a need to open the file? Was anything ordered from the purported sender? Answering such questions will help in managing security issues within the organization. These checks address common phishing methods and help prevent ransomware attacks on unsuspecting employees.
In addition, backing up data is another important aspect of data management that can be used to guard against ransomware attacks on the organization's database. There are various ways in which a system can be backed up. However, there is always a need to settle on the security measure best suited to managing ransomware attacks effectively. In this case, external storage of data is crucial. It enables the user to protect the data from attack simply by making sure it is stored at a different, external storage site where no harm can be done to the organization's critical data. Therefore, whenever an attack takes place, no damage is done and the company can easily continue with its key activities unaffected (Vallabhaneni, 2019).
It is indeed true that managing ransomware attacks has become a difficult task, largely because there are different ways in which organizations get attacked, especially with the increase in the number of computer experts in the world. However, there are also robust security measures that ensure effective management of such incidents within organizations. This calls for the use of the most up-to-date anti-malware that detects and prevents such attacks on the organization. The threats have to be identified and dealt with at an early stage in order to prevent the huge impacts that follow an attack.
References
Campbell, T. (2016). Practical Information Security Management: A Complete Guide to Planning and Implementation. New York, NY: Apress.
Haber, M. J., & Hibbert, B. (2017). Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations. New York, NY: Apress.
Moschovitis, C. (2018). Cybersecurity Program Development for Business: The Essential Planning Guide. Hoboken, NJ: John Wiley & Sons.
Vallabhaneni, S. R. (2019). Wiley CIA Exam Review 2019 Focus Notes, Part 3: Business Knowledge for Internal Auditing (Wiley CIA Exam Review Series). Hoboken, NJ: Wiley.
Discussion Rubric: Graduate
Your active participation in the discussion forums is essential to your overall success this term. Discussion questions are designed to help you make meaningful connections between the course content and the larger concepts and goals of the course. These discussions offer you the opportunity to express your own thoughts, ask questions for clarification, and gain insight from your classmates’ responses and instructor’s guidance.
Requirements for Discussion Board Assignments
Students are required to post one initial post and to follow up with at least two response posts for each discussion board assignment.
For your initial post (1), you must do the following:
11:59 p.m.
Eastern Time.
Thursday at
11:59 p.m. of your local time zone.
other
discussion boards from the current module and previous
modules, when
appropriate.
-reviewed sources to support your
discussion
points, as appropriate (using proper citation methods for your
discipline).
For your response posts (2), you must do the following:
two different classmates outside of your own
initial post
thread.
at 11:59
p.m. Eastern Time.
Sunday at
11:59 p.m. of your local time zone.
agree” or
“You are wrong.” Guidance is provided for you in each
discussion prompt.
Critical Elements | Exemplary | Proficient | Needs Improvement | Not Evident | Value
Comprehension | Develops an initial post with an organized, clear point of view or idea using rich and significant detail (100%) | Develops an initial post with a point of view or idea using appropriate detail (90%) | Develops an initial post with a point of view or idea but with some gaps in organization and detail (70%) | Does not develop an initial post with an organized point of view or idea (0%) | 20
Timeliness | Submits initial post on time (100%) | | Submits initial post one day late (70%) | Submits initial post two or more days late (0%) | 10
Engagement | Provides relevant and meaningful response posts with clarifying explanation and detail (100%) | Provides relevant response posts with some explanation and detail (90%) | Provides somewhat relevant response posts with some explanation and detail (70%) | Provides response posts that are generic with little explanation or detail (0%) | 20
Critical Thinking | Draws insightful conclusions that are thoroughly defended with evidence and examples (100%) | Draws informed conclusions that are justified with evidence (90%) | Draws logical conclusions (70%) | Does not draw logical conclusions (0%) | 30
Writing (Mechanics) | Initial post and responses are easily understood, clear, and concise using proper citation methods where applicable with no errors in citations (100%) | Initial post and responses are easily understood using proper citation methods where applicable with few errors in citations (90%) | Initial post and responses are understandable using proper citation methods where applicable with a number of errors in citations (70%) | Initial post and responses are not understandable and do not use proper citation methods where applicable (0%) | 20
Total | | | | | 100%
Running head: THE CISO IN HIGHER EDUCATION
The Chief Information Security Officer in Higher Education: How Organizational Structure Affects Breach Rate
A paper submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Ph.D.) in Information Technology
BY
Justin O. Hensley, B.S, MBA, M.S.
University of the Cumberlands
Acknowledgments
Nothing will work unless you do.
John Wooden
As a senior in high school, I took a walk through the Kingsport Press with my father who would put 38 years of hard work into that company. My father had opportunities to go to college but stayed home to work and take care of his mom and siblings. My mother came from a large family and did not have the resources to go to college. As we walked the concrete floor of that old factory, my father simply asked whether I wanted to continue my dream of working in technology or if I wanted to come work with him in the factory. He knew the answer, but he used the question as an encouragement for me to continue to college and get my degree. As a first-generation college student, I do not take lightly the responsibility to make my family proud and encourage my children and generations to come in the importance of education. I owe a debt of gratitude to my parents for sacrificing to ensure I had opportunities that they did not.
A heartfelt thank you goes out to Dr. Jennifer Simpson and all the faculty of the Graduate School and the School of Computer and Information Sciences at University of the Cumberlands for their wisdom and expertise as we have walked through this journey together. I am especially grateful to my dissertation committee chair Dr. Charles Lively. As an undergraduate student at the Cumberlands, I never dreamed that I would have the opportunity to continue my education through to a terminal degree. Each professor along the way has provided a unique viewpoint which has helped to shape this dissertation. I would also be remiss in not thanking the students I have had the opportunity to teach and mentor over the years as they also provided valuable insight from their research.
The only reason I can format a proper sentence or comprehend the structure of the English language is because of my high school English teacher, Mrs. Strickland. Thank you for always pushing me to learn more and showing me that I was capable of more than I ever thought or imagined. I still have my blue English Composition Handbook and it still comes to mind often. Thank you also to Mrs. Reed, who taught me to think using the scientific method. Thank you to all the other faculty and staff at Cedar View Christian School who helped to shape my mind to prepare for future education. To the many friends, family, and colleagues that have supported me throughout this journey, I say thank you as well. Your texts, visits, and notes of encouragement have not been in vain.
There is one person who has pushed me more than anyone else to be the best I can be. Dr. Donnie Grimes, thank you for being my mentor, my confidant, my leader, and my friend. You helped me get my first job, encouraged me to continue my education and training, and provided me with an atmosphere to grow in my career. Your consistent friendship and guidance are invaluable.
Most importantly, this dissertation is dedicated to my wife, Lisa, and our four boys: Micah, Kevin, Caleb, and Luke. They have sacrificed their time to ensure I could complete this journey. Lisa has been at my side the whole way through and has pushed me to the end of this trek. I thank God for you all and I love you.
Abstract
The topic of information security is on the rise in all sectors of business. Higher education is not immune to attacks against student and employee data. While all sectors are at risk for loss from a security event, higher education could encounter irreversible reputational consequences affecting donor giving and student applications (Grama, 2014). A properly positioned Chief Information Security Officer (CISO) in colleges and universities may help to create controls to mitigate data breaches. Therefore, this study evaluated relationships between the CISO and similar information security officer titles in higher education related to reporting structure, time on task, and membership on the president’s cabinet. Additionally, this study evaluates the differences in breach rates in higher education related to CISO reporting structure. The results of this study revealed that there is a higher likelihood that the CISO will report to the Chief Information Officer (CIO) than to any other high-level officer. The study also revealed that there is not a significant difference in breach rate based on CISO reporting structure in higher education. However, limited data and research in this area lends this topic to further study.
Table of Contents
Title Page
Approval for Recommendation
Acknowledgment
Abstract
Table of Contents
List of Figures and Tables
Chapter One: Introduction
Overview
Background and Problem Statement
Purpose of the Study
Research Questions
Limitations
Assumptions
Definitions
Summary
Chapter Two: Review of the Literature
Introduction
The History of Information Security
The Evolution of the CISO
The Position of the CISO in Organizational Structure
Data Breaches and Effects
Information Security in Higher Education
Comparison of Data Breaches in Higher Education and Other Sectors
Literary Gaps
Summary
Chapter Three: Methods and Procedures
Introduction
Research Paradigm
Research Design
Data Collection
Data Analysis Techniques
Summary
Chapter Four: Research Findings
Introduction
Participant Demographics
Analyses of Research Questions
Question One
Question Two
Question Three
Question Four
Summary
Chapter Five: Summary, Discussion, and Implications
Introduction
Practical Assessments of Research Questions
Limitations of the Study
Implications for Future Study
Summary
References
Appendix A: Educause CDS Survey Demographics Chart
Appendix B: Educause CDS Survey Questions
Appendix C: IRB Approval Letter
Appendix D: Educause CDS Survey Contract
Appendix E: Privacy Rights Clearinghouse Data Use Permission
Appendix F: Raw Data for t tests
List of Figures and Tables
Figure 1: Verizon 2018 DBIR: Summary of Findings
Figure 2: Industry Sectors in PRC Data
Figure 3: Steps for Data Protection
Figure 4: Educause CDS Survey Demographics
Table 1: Chi Square for Relationship of Reporting Structure
Table 2: Chi Square Relationship Between Title and Full Time Percentage
Table 3: Relationship Between CISO and CIO as Member of President's Cabinet
Table 4: Difference Between Number of Records Breached and Reporting Structure
Table 5: Difference Between Number of Records Breached and Reporting Structure
Chapter One
Introduction
Overview
Information security and its relationship with information technology (IT) and business have changed drastically in the last decade. With this change has come the need for a high-level officer to manage the threats and risks associated with today’s connected world. In the health care industry alone, over ninety percent of IT managers found vulnerabilities that could be exploited by insider threats (Alexander & Cummings, 2016). Businesses have been and are continuing to see the need for the creation of an office for information security.
Information security in higher education is a mostly unexplored realm. Colleges and universities see the need to protect their student and employee data but do not have a good understanding of how to organize and manage an information security office. Guidance for higher education hiring managers and CEOs is necessary to place a security officer within the proper organizational structure to provide security across the institution.
Background and Problem Statement
While all industries are subject to the exploitation of vulnerabilities by cyber threat agents, education (specifically higher education) industries have seen an alarming increase in cyber-attacks in attempts to gain personally identifiable data of students and employees. From 2005 to 2014, educational institutions in the US suffered 727 breaches involving more than 14 million records (Grama, 2014). While the number of records affected per breach is lower than in most industries, the breach rate and records affected increased 7% year-over-year in the 2005 to 2014 study (Brooks & Grama, 2017). Research shows that the delegation of security initiatives and responsibility to an individual in the institution can provide for better communication and security (Brooks & Grama, 2017). Research also shows that the position of this individual within the institution’s organization chart could affect breach rate (Higgs et al., 2016).
Studies for multiple industries show the need for the chief information security officer (CISO) or equivalent to act as this responsible individual for security. Much research also shows the responsibilities and characteristics of the typical CISO (e.g., Ashenden & Sasse, 2013; Kouns, 2014; Karanja & Rosso, 2017; Whitten, 2008). However, research relating to higher education and the CISO or equivalent is uncommon. While research by Wilson (2016) indicates the need for better security training within higher education institutions, the research does not review the position of the CISO or equivalent and associated breach rate. Brooks and Grama (2017) review breach data and specifically relate it to the title of the CISO or equivalent, but do not look directly at the organizational chart position of that leader.
The scarcity of research surrounding the position of the CISO or equivalent and the relationship between that position and breach rate is an obvious next step to research completed by Brooks and Grama (2017). This new research provides higher education institutions with the information needed to make informed decisions on the placement of information security professionals within the organizational structure.
Purpose of the Study
This study analyzes the position of the CISO or equivalent within the higher education institution’s organizational structure and any relationships with that position to the number of known breaches. The multiple possibilities of positions will be considered, including the CISO or equivalent reporting to the board of directors, CEO, CIO, CFO, CRO, or another officer.
Research Questions Answered in the Study
The study will answer the following research questions:
1. Is there a relationship between the titles of the highest-ranking person in charge of information security and to whom they report?
2. Is there a relationship between the titles of the highest-ranking person in charge of information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in having cabinet-level membership?
4. Is there a difference in the number of records breached and the reporting structure of the CISO or equivalent title?
Limitations
Notwithstanding the efforts of this researcher, some results of the study may be affected by the following limitations:
1. The data provided to Educause via the CDS survey is self-reported and may contain fallacies due to respondent error.
2. A database containing breach data directly associated with college and university information security statistics is not available, therefore data was combined from two separate sources for this purpose. The results may be skewed as part of this process.
3. This research is limited to the higher education sector.
Assumptions
As part of this research, several assumptions are provided:
1. Participants answered the survey honestly.
2. Educause and the Privacy Rights Clearinghouse properly reported the data as it was provided.
3. Since research in this area for higher education is sparse, industry norms have been applied to higher education for certain perspectives.
4. The title of the individual in charge of information security may vary (e.g., CISO, Director of Information Security, Information Security Officer, Information Assurance Officer, etc.).
Definitions
The following definitions were used in the study:
Chief Information Security Officer: “An executive specifically hired to be in charge of the IT security function” (Karanja & Rosso, 2017, p.24).
Data breach: “A compromise of the confidentiality, integrity, or availability of sensitive information” (Waddell, 2013, p.16).
Information security: “Deals with the entire infrastructure, organization, personnel, and components that collect, process, store, transmit, display, disseminate, and act on information” (de Leeuw et al., 2007, p.2).
Summary
This chapter provides the background of the study, research questions, problem statement, limitations, assumptions, and definitions of key terms. As data breaches continue to increase across all sectors of business, it is important for the higher education community to understand the controls necessary to mitigate risks associated with attacks by threat agents. While there is no silver bullet that controls all data breaches, higher education officers should desire to hire information security professionals who understand the current risk climate and can protect the institution from harm (Brooks & Grama, 2017). Very little research has been completed on the position of the CISO within higher education organizational structure and its effect on breach rate. Therefore, the purpose of this study was to analyze the position of the CISO or equivalent within the higher education institution’s organizational structure and any relationships with that position to the number of known breaches. The results of this study will assist higher education officers and boards as they hire information security personnel, specifically the CISO. The following section provides a review of the literature that supports the need for this study. Specifically, it focuses on the history of information security, the evolution of the CISO, the position of the CISO within organizational structure, data breaches and their effects, information security in higher education, differentiation of breaches in higher education and other sectors, and literary gaps.
Chapter Two
Review of the Literature
Introduction
Information security is a rather new topic in the history of computing and technology. While the use of modern computing technology to modify raw data into information has been a staple of the business economy since the 1960s, the need to secure data from would-be attackers has only entered mainstream news in the last two decades. Securing personal data and ensuring the privacy of customers has become a top priority for businesses across all sectors. With this increased need to secure data has also come the need for specific persons inside the organization to be responsible for that task. Although these officers may have different titles, most often the office is directed by the chief information security officer (CISO). The higher education sector is not as forward thinking as other sectors in this matter, but the need to secure student and employee data at these institutions still exists. Unfortunately, research focusing on information security within higher education and other sectors is sparse at best (Karanja & Rosso, 2017).
Throughout this chapter, various facets of information security
are discussed to lead to
an understanding of the need for further research in
information security. The topics include
the history of information security, the position of the CISO
within organizational structure, data
breaches and their effects, information security within higher
education, differentiations in
breaches within higher education and other sectors, and current
literary gaps relating to these
topics. This review begins with an overview of the history of
information security.
The History of Information Security
Securing data began long before the information age. An early
example of information security
can be found in 17th century Dutch history before William III
became King of Britain. In this
piece of history, William III was able to intercept and decrypt
encoded messages between the
Dutch and the French in order to gain important intelligence
about the impending war.
Cryptography and other methods of securing information can be
traced back to civilizations of
the ancient world, including the Roman Empire and the Caesar
cipher (de Leeuw & Bergstra,
2007).
The era of modern information security began in 1918 when
Polish cryptographers
created the Enigma machine. During World War II, the Enigma
machine was used by the
Germans to encrypt communications and was eventually broken
by the work of mathematician
Alan Turing in 1930. As the information age began to grow in
the 1960s, the United States
Department of Defense created ARPANet, the beginning of our
modern internet. Not long after
in the 1980s, cyberattacks on internet entities began to develop.
Famous cyberattackers such as
Ian Murphy (stole information from military machines), Robert
Morris (the Morris Worm), and
Kevin Mitnick (committed the largest computer-related crime in
United States history) became
known in the 1980s and 90s (Daya, 2013).
Although the sophistication of cyberattacks has changed over
the years, the types of
attacks have not greatly changed. The Privacy Rights
Clearinghouse classifies attacks leading to
data breaches using eight categories: payment card fraud,
unintended disclosure, hacking or
malware, insider, physical loss, portable device, stationary
device, or unknown/other. Methods
such as social engineering are prevalent in all these types of
attacks. One author defines social
engineering as “a hacker’s clever manipulation of the natural
human tendency to trust” (Granger,
2001, p.2). Once an attacker can gain information from the
unwitting user, they can then begin
to gain access into their system and other systems that may have
access to personally identifiable
information (PII).
Cyber terrorism, cyber war, and other cyber threats are now
mainstream events in
technology and information security. Lewis (2002) defines
cyber terrorism as “the use of
computer network tools to shut down critical national
infrastructures (such as energy,
transportation, government operations) or to coerce or
intimidate a government or civilian
population.” While terrorism is not a new topic, the ability to
use technological resources to
disable infrastructure is a rather new paradigm. A full-on attack
of infrastructure may only be
feasible for nation-states looking for an act of war. Lewis
(2002) also notes other “annoyances”
that can be achieved by targeted cyber attacks:
A virus in 2000 infected 1,000 computers at Ford Motor
Company. Ford received
140,000 contaminated e-mail messages in three hours before it
shut down its network. E-
mail service was disrupted for almost a week within the
company. Yet, Ford reported,
“the rogue program appears to have caused only limited
permanent damage. None of its
114 factories stopped, according to the automaker.
Computerized engineering blueprints
and other technical data were unaffected. Ford was still able to
post information for
dealers and auto parts suppliers on Web sites that it uses for
that purpose.” Companies
now report that the defensive measures they have taken meant
that viruses that were
exceptionally damaging when they first appeared are now only
“nuisances.” (p.7)
Entire government agencies such as the Central Intelligence
Agency (CIA) and the National
Security Agency (NSA) in the United States and Joint
Intelligence Organization (JIO) in the
United Kingdom are tasked with counter-terrorism in the
cybersecurity realm.
As information security has matured over the years, many
standards and guidelines have
been created by private, public, and federal entities alike. The
Office of Standard Weights and
Measures, created in 1824 long before the modern information
security age, eventually morphed
into the National Bureau of Standards (NBS) in 1901. In
the 1950s, the NBS began to take on
more digital computing work and became the primary computer
security standards setting body
for the United States federal government in 1965. The NBS
changed names in 1990 to the
National Institute of Standards and Technology (NIST) and
continues to be the primary provider
of information security standards and guidelines today (de
Leeuw & Bergstra, 2007). The NIST
specifically provides standards and guidelines for information
security and privacy controls in
the SP 800-53 publication “Security and Privacy Controls for
Federal Information Systems and
Organizations”. While entities outside of federal space are not
required to follow these
standards, they provide a baseline for information security
professionals to begin to secure their
environment.
For the information security professional, the history of
information security shows the
brevity of the future for the industry. De Leeuw and Bergstra
(2007) make this final comment in
their conclusion on the history of information security:
While security products abound and leading ones create some
degree of standardization,
the reality that no product or system is impenetrable becomes
all the more clear.
Increasing the dialog about the historically subverted topic of
computer security, both
publicly, and when necessary, in closed settings such as leading
international
corporations becomes all the more important. (p.619)
The Evolution of the CISO
Historically, the CISO has not held an executive-level position
in organizations. The
creation and promotion of security professionals within
organizations has mostly amplified due
to increased breach rates across all business sectors. Target, a
major international retailer,
encountered a major breach in 2013 that affected over 70
million customers’ personally
identifiable information (PII). Target hired their first CISO
after the major breach. Neiman
Marcus, another retailer, also encountered a breach in 2013 and
hired its first CISO after the
breach (Karanja & Russo, 2017).
Information security was originally the responsibility of all
employees. Businesses
expected employees of each unit to understand their data and
how and when to protect it. While
it is important that every employee realizes they are responsible
for the security of company data,
this model did not allow for a single person to have primary
responsibility over information
security practices or for the organization to have a budget for
securing data. Additionally,
information security in this model is distributed and not
centralized making organization-wide
decisions challenging. Due to these difficulties, information
security eventually migrated into
the information technology (IT) office. Information security
officers (ISOs) were hired to review
the security of company data and work with access controls.
Mainly, these ISOs were IT
professionals with network and/or systems administration skills.
As the role of the ISO matured,
technical skills became insufficient for the role and the CISO
title became more prevalent.
Instead of just being concerned with technical and operational
controls such as firewalls and
access control devices, the CISO now gained responsibility of
organization-wide strategic
functions (Kouns, 2014).
The road to the CISO role is not one without struggles.
Karanja and Russo (2017)
continued research and “found that CISOs struggle to gain
credibility in their organizations due
to perceived lack of power, confusion about their role identity,
and their inability to engage
effectively with company employees” (p. 28). One reason for
the lack of credibility was the
need for a new skillset for the ISO moving to the CISO role.
Increased management and soft
skills are new requirements for this transition. However, the
CISO still needs to consume and
digest relevant technological information. According to
Whitten (2008), the CISO must have a
combination of these skillsets and “should first think of
themselves as business professionals and
secondly as security specialists” (p.15). In his 2008 research,
Whitten found that 58% of CISO
job listings required management duties. Management duties
were bookended by the ability to
oversee IT security policy at 78% and IT security education at
42%.
Continuing education for security professionals is both
necessary and required in most
businesses. Professional certifications such as the Certified
Information Systems Security
Professional (CISSP), the Certified Information Systems
Auditor (CISA), and the Certified
Information Security Manager (CISM) are common
requirements for CISO roles (Kouns, 2014).
Additionally, more advanced management certifications such as
those offered by the SANS
Institute and the EC-Council Certified Chief Information
Security Officer certification are a plus
for those looking to obtain a CISO role. Higher education is
taking a more practical role in
CISO and other security professional education as well.
Degrees in information assurance,
information security, and cybersecurity are offered online by
several colleges and universities
throughout the United States and provide working professionals
the opportunity to complete
varying levels of degrees while continuing to protect their
organization.
The newest CISO candidates must be seen as credible by their
organization, its employees,
and its stakeholders. While writing about critical success
factors for the CISO in 2016, Klimoski
narrowed this credibility factor into four areas: being seen as
trustworthy, creating confidence,
having a good track record, and building an extensive
professional network. These credibility
factors lead to a CISO who “exhibits skills listening to
executives’ needs and matching them to
information security objectives” (Klimoski, 2016, p.15). When
these critical success factors are
matched with soft skills, the CISO can communicate effectively
at all levels of the organization.
Looking back to Whitten’s (2008) research, 61% of CISO job
listings required communication
skills as required background experience. Those skills were
only trumped by IT security skills at
71%, and were followed by system experience, leadership skills,
and investigative experience.
Today’s CISO is a researcher, technician, visionary, and leader.
Alexander and
Cummings (2016) state that the “CISO has to keep up with the
breakneck speed of technological
change, and also have a Herculean aptitude for leading
courageously, moving nimbly, and
understanding the right level of risk needed to make an
organization safe while still innovating”
(p.12). Kouns (2014) sums up the role of today’s CISO:
Realistically, the odds are against the CISO; even if the CISO
can control all technology-
related risks, hackers can take advantage of the human factor—
the employees, vendors,
and customers who sometimes fail to heed the advice of the
CISO and place the
organization at unnecessary risk. (p.57)
The Position of the CISO within Organizational Structure
While literature on the CISO is scarce, several pieces of
literature focus on the position of
the CISO within the corporate structure. As learned in the
previous section, the CISO comes
from a historically technical background. Other popular
backgrounds of the CISO can include
previous business leaders and/or political leaders (Alexander &
Cummings, 2016). Often, the
technically adept CISO finds difficulty migrating to an
executive-level position as they are
required to “broaden their approach” to cybersecurity initiatives
beyond just looking at the
technological solution (Alexander & Cummings, 2016).
Literature reveals several possible
combinations for the CISO reporting structure: chief executive
officer (CEO), chief information
officer (CIO), chief financial officer (CFO), chief risk officer
(CRO), board of directors, and
others. Since information technology and information security
have historically been the
responsibility of the CIO, many of today’s CISOs report
directly to the CIO. According to a
study from Karanja and Russo (2017), CISOs in newly created
positions are more likely to report
to the CEO than the CIO.
A disturbing problem results when the CISO reports to the CIO.
The CIO is responsible
for the continuation and efficiency of IT operations within the
organization. The CISO is
responsible for the security of all organizational assets as they
pertain to data and information.
These initiatives often come in conflict with one another
(Karanja & Russo, 2017). Similarly,
the role of the CIO has not been immune to the issues of
reporting structures. Banker et al.
(2008) found that less than 5% of CIOs reported to the chief
operating officer (COO) while most
reported to either the CFO or CEO depending on the business
type. Businesses with a cost-
leader strategy often had the CIO report to the CFO. Just as in
the case with the CISO reporting
to the CIO, the CIO reporting to the CFO often entangles the
CIO from making necessary
business decisions because of cost factors. Even with all the
current research, Karanja and Russo
(2017) state that “there is little consensus regarding who the
CISO should be reporting to” (p.23).
Organizational structure can also affect how employees see the
CISO as both a leader and
a change agent. Ashenden and Sasse (2013) completed a study
that reviewed the effectiveness of
the CISO and stated that “there has been little information
security research that helps us to
understand the impact of the CISO on organizational change”
(p.2). As part of their research, the
position of the CISO within the organizational structure was
identified. The researchers found
that the CISO needs to “develop an identity within the
organization where they are seen to help
employees discuss, and make decisions about, information
security” (p.17). In order to maintain
this identity, the CISO should maintain a position of authority
over information security policy
across the organization.
The reporting structure of the CISO is different among
industries. Kouns (2014) finds
that “while regulated industries, including financial services,
recognize the benefits of an
independent CISO reporting to a chief risk officer, some
industries, notably higher education,
continue to place the CISO in the IT department under the
direction of the CIO” (pp.55-56). The
author also continues to point out that some information
technology and information security
experts do not believe that organization placement matters at
all, while others believe the CISO
should report to the CEO or work in conjunction with the CIO
on security matters. The author
goes on to state that “in the author’s experience, placement of
the CISO function is very
dependent on the type of business and overall security
knowledge of the organization” (pp.56-
57). The relationship between the CISO and the organization’s
board is of importance. Higgs et
al. (2016) found that there is a significant relationship between
board-level technology
committees and reported security breaches. Kouns (2014) found
that only 8% of CISOs report
directly to a board, while only 14% report to a CEO.
The ability for the CISO to have visibility across the
organization is paramount. Karanja
and Russo find that “CISOs struggle to gain credibility in their
organizations due to a perceived
lack of power, confusion about their role identity, and their
inability to engage effectively with
company employees” (p.27). The authors continue to state that
“the review of the existing
literature on the position of CISO reveals a lack of clarity
regarding the role of the CISO in the
organization, as well as a lack of consensus as to where CISOs
in general should report in the
organization” (p.29). In order for the CISO to be found as an
agent of change, research must
continue in this area.
Data Breaches and Effects
Mainstream news is riddled with reports of data breaches across
all sectors of business.
At the time of Grama’s (2014) research, the Privacy Rights
Clearinghouse documented over
4,200 breaches in the United States. Shockingly, over 850
million records were affected as part
of those breaches. According to research found by Waddell
(2009), 90% of US-based businesses
are affected by a data breach annually and 74% of United
Kingdom (UK) businesses reported a
data breach in 2004. While these statistics seem staggering,
they continue to grow. As of March
14, 2019, the Privacy Rights Clearinghouse documented 9,094
data breaches since 2005 with
over 11.5 million records affected. With this growth, the reality
of a breach is not “if” it occurs
but “when” it will occur.
The Verizon Data Breach Investigations Report was first
publicized in 2007 and has
since provided an annual “state of the union” for cybersecurity
and the state of breaches across
all sectors. According to the 2018 report, over 53,000 incidents
and 2,216 confirmed data
breaches are included in the report. The 2018 report
summarizes the findings as seen in Figure
1. Notable items in the summary include that 73% of breaches
were perpetrated by outsiders and
50% were operated by organized criminal groups. Additionally,
while only 14% of breaches
affected public sector entities, 58% of breaches targeted small
businesses. Lastly of note, 68%
of breaches took more than two months to discover.
Figure 1. Verizon 2018 DBIR: Summary of Findings
The Verizon DBIR also gathers more detailed information on
the types of attacks that
lead to breaches. Denial of Service (DoS) attacks topped this
list for more than 21,000 incidents
in the breach report. According to the 2018 report, a DoS
attack is “intended to compromise the
availability of networks and systems. Includes both network and
application attacks designed to
overwhelm systems, resulting in performance degradation or
interruption of service” (p.23).
Other incidents that made the top five included loss of data,
phishing, misdelivery of data, and
ransomware. Loss and misdelivery are directly associated with
user error. The report states that
“over half of the breaches in this [miscellaneous errors] pattern
were attributable to misdelivery
of information—the sending of data to the wrong recipient.
Misconfigurations, notably
unsecured databases, as well as publishing errors were also
prevalent” (p.24).
One mitigation to breaches is policy, which is administered by
the CISO. While policy is
not the only mitigation for breaches, it is a first step to ensuring
the security of company data.
Brooks and Grama (2017) concluded in their research in higher
education data breaches that
“information security is an institutional issue and must be
addressed from an institutional
perspective, not from a silo. An institutional policy based on
recognized best practices sets the
foundation for improving the institution’s information security
posture” (p.7). Along with a
generic information security policy, an incident response policy
is also recommended. The
incident response policy should identify roles for information
security personnel and be tested
and reviewed annually. Personnel should also know how to
handle breach incidents and how to
follow proper digital forensics procedures along with contacting
and communicating with law
enforcement (Brooks & Grama, 2017).
While breaches of PII always lead to a financial cost, Wilson
(2016) points to an
additional and possibly more worrisome loss of consumer
confidence. Consumers are less likely
to associate with an organization that has a public breach.
Higgs et al. (2016) conclude their
research on security breaches with the understanding that
“security breaches are costly to firms
and the cost continues to increase. Firms are increasingly
recognizing this phenomenon and
considering governance mechanisms in response” (p.94).
Governance mechanisms of this type
can include board-level committees (Higgs et al., 2016).
Designation of a CISO or equivalent
role is also a mechanism for reducing breaches. Brooks and
Grama (2017) point out that a
CISO who is “an effective leader who can communicate
information security issues across the
institution is essential for information security program
success” (p.7). The Verizon DBIR
(2018) sums up breach mitigation:
Attackers are constantly developing new tactics to help them
access your systems and
data. But what’s clear from our research is that too many
organizations continue to make
their job easy. Some companies are failing to take the most
basic of security measures
like keeping anti-virus software up to date or training staff on
how to spot the signs of an
attack (p.7)
Information Security in Higher Education
While little research has been completed on information
security and the CISO in general
across all sectors, research in the higher education sector is
especially lacking. Public opinion
and news media concerning breaches and other information
security and privacy issues have
been primarily focused on the private sector. Recently, the
spotlight has widened to include both
public and private educational institutions (Culnan & Carlin,
2009). Higher education was
founded in academic freedom, creativity, and openness; all of
which are antonyms of data
security and privacy.
Waddell (2013) studied the effect of policies on breaches in
higher education. In this
unique study, Waddell points out the importance that “colleges
and universities face the same
types of privacy and security challenges as other types of
businesses” (p.25). Sales, donations,
online portals, and the transfer and storage of PII are common
and necessary in higher educational
institutions. Culnan and Carlin (2009), along with Waddell
(2013), emphasize that, while other
business sectors may keep data for a pre-determined period,
higher education often retains
records indefinitely. It is the opinion and experience of this
researcher that it is not unusual for
these records to be stored in multiple physical locations both
on-premises and in the cloud.
Many of today’s systems are Software-as-a-Service (SaaS) or
even Infrastructure-as-a-Service
(IaaS) which are designed to provide resources to higher
education institutions without the need
for major on-premise datacenter operations. Moving data to the
cloud via SaaS or IaaS can
provide a cost savings over time, but data security risk must be
assessed prior to this decision.
Academic freedom and creativity provide security challenges
for higher education
information security professionals. In their research into online
privacy practices in higher
education, Culnan and Carlin (2009) state that “academic
departments often operate their own
servers and run their own Web sites. Individual faculty, students
and student organizations also
have personal Web sites that run on department servers or
servers managed by the school”
(p.126). This decentralized environment produces a breeding
ground for unsecure data and
makes policy implementation difficult. Implementation of well-
formed and actionable security
policies is paramount in these scenarios (Waddell, 2013).
Colleges and universities are required to comply with several
federal regulations
regarding the security and privacy of both employee and student
data. The Family Educational
Rights and Privacy Act of 1974 (FERPA) pertains to
educational entities that receive federal
funding via the Department of Education. Beaudin (2015)
writes the following in a legal
overview of the data covered by FERPA:
The information covered includes education records, defined as
records that “contain
information directly related to a student” and are maintained by
the educational
institution. Additionally, directory information is covered,
defined as information “that
would not generally be considered harmful or an invasion of
privacy if disclosed.”
Because directory information is not harmful, all that is
required of a covered college or
university is “public notice of the categories of information
which it has designated as
such information.” (p.673)
In this legal research, Beaudin also found that the use of cloud
services (e.g. SaaS and IaaS) and
other online educational services can be of interest in FERPA
cases. At the time of Beaudin’s
research, the Department of Education had provided little
direction for FERPA as it relates to
cloud computing other than providing that educational
institutions must have direct control over
any third party which uses or processes its PII. Beaudin states
that “it will be important for
colleges and universities to assess each online service and
determine whether to notify students
and identify the information, if any, that falls under FERPA”
(p.674).
In addition to FERPA, many colleges and universities are
required to abide by regulations
in the Health Insurance Portability and Accountability Act of
1996 (HIPAA). According to
Beaudin (2015), “HIPAA focuses on health insurance portability
and on the prevention of health
care fraud and abuse by adoption of standards and requirements
for electronic transmission of
health information” (p.667). Higher education institutions
which provide healthcare for anyone
besides its own students in any capacity are considered a
covered entity by HIPAA. Institutions
may be exempt if they only provide medical services to students,
as this data would fall under
FERPA instead of HIPAA. Covered entities are required to
provide safeguards for sensitive data
including administrative, physical, and technical controls.
HIPAA also institutes monetary
penalties for data breaches that can range from $100 to
$1,500,000 depending on the severity of
the incident. According to research by Beaudin, two universities
have recently encountered
breaches that have resulted in fines: Idaho State University
($400,000) and Columbia University
($1,500,000).
Higher education institutions may also fall under the Gramm-
Leach-Bliley Act (GLBA),
also known as the Financial Modernization Act of 1999.
According to Beaudin (2015), higher
education institutions can fall under GLBA and the Federal
Trade Commission (FTC) when they
“participate in financial activities, such as making federal
loans” (p.677). The Safeguards Rule
of GLBA requires institutions to have an information security
program designed to guarantee the
privacy of customer data. Additionally, the FTC Red Flags
Rule requires colleges and
universities that disburse federal financial aid to be able to
identify, detect, and respond to breach
attempts.
The desired significance of these regulations on higher
educational institutions is to force
the use of good policies and procedures for information
security. Higher education entities are
not so different from other sectors. Every college and
university has customers (students) who
are purchasing a service (education) from a business that
maintains employees. Additionally, the
consequences of failure in information security in higher
education are like those of any other
business sector. Grama (2014) states: “Particularly important
for higher education institutions
are reputational consequences, which could result in a loss of
alumni donations and even a
reduction in the number of students choosing to apply to or
attend the institution” (p.1).
Comparison of Data Breaches in Higher Education and Other
Sectors
In an earlier section on data breaches, information was
presented from the Privacy Rights
Clearinghouse (PRC) for all sectors. In addition to breach type,
the PRC also breaks down
breaches by organization type (see Figure 2). Grama (2014)
pulled PRC data from 2005-2014
for research on breaches in higher education.
Figure 2, Grama (2014)
Grama’s research found that, while education had a larger
number of breaches than all other
sectors except healthcare, the average number of affected
records exposed per breach was lower
than in any other sector. Grama provided a possible explanation
for this phenomenon.
Many speculate that higher education’s culture of openness and
transparency encourages
breach reporting by institutions, even when such reporting is
not legally necessary. This
culture does not exist in other industry sectors, where breach
reporting could damage an
organization’s ability to be competitive in that industry. In
these instances, a breach may
only be reported when it is required by a law or some other
regulation, and even then,
only when the breach circumstances clearly fall within the
purview of the underlying
regulation (p.6).
Higher education is a unique situation for breaches compared to
other industries. Most
other industries are heavily regulated. Higher education,
however, has historically provided a
more open and collaborative environment based on research and
information sharing.
Decentralization of data is common in colleges and universities
and provides a struggle for
information security and information technology personnel to
control PII (Patton, 2015).
Additionally, many larger universities provide medical services
and often have an entire medical
hospital overseen by the institution. Adherence to regulations
and proper compliance is vital in
all these scenarios (Beaudin, 2015).
While there are differences between higher education breaches and
those of other sectors,
there are also many similarities. Colleges and universities must
utilize administrative, physical,
and technical controls to protect PII. As explained earlier in
this research, the NIST provides
standards for information security policies and procedures that
meet and exceed current
regulations. Patton (2015) provides research from Casey
O’Brien that specifies four steps every
college and university should take to protect its data (see Figure
3). Of these objectives,
understanding that a data breach is a question of “when” and not
a question of “if” is of
importance.
1) Prioritize academic objectives and figure out the institution’s
risk tolerance
2) Make sure the college has a proactive security plan
3) Prepare for the inevitable: you are going to be attacked
4) Promote a culture of security within the college
Figure 3, Patton (2015)
Literary Gaps
Both Whitten (2008) and Karanja and Russo (2017) admit to a
scarcity of research on the
CISO, the role they play, and their position within the
organizational chart. While their research
did fill obvious initial gaps in literature, further research is
needed. Educause has recently
supported the research of CISO and information security
implementation in higher education.
Grama (2014) and Brooks and Grama (2017) completed research
on data breaches in higher
education and began to link those findings back to leadership in
information security in that
industry. However, these two articles are currently the only
research in this field of the CISO
and data breaches as related to higher education. Additionally,
while Brooks and Grama (2017)
do research the existence of a CISO or equivalent officer and
higher education breach rate, the
research stops short of looking at the organizational structure of
the CISO within the institution
and how breach rate is affected by that variable. Brooks and
Grama (2017) finish their research
by stating that higher education institutions should promote an
individual who is solely
responsible for security and can be “an effective leader who can
communicate information
security issues across the institution is essential for information
security program success.” (p.7).
Summary
This chapter attempted to describe the importance of
information security, the role of the CISO,
and the effect of data breaches across all business sectors with a
focus on higher education. Due
to its infancy in modern technology, information security has
little associated academic research.
A further understanding of how the placement of the CISO
affects breach rate may assist all
business sectors to make better hiring decisions. Research may
also improve the ability of
colleges and universities to bridge the gap between academic
freedom and data security. The
following chapter describes the methodology and procedures
used to conduct this research on the
relationship between the organizational position of the CISO
within higher education and breach
rate.
Chapter Three
Methods and Procedures
Introduction
A review of the literature in Chapter Two suggests that the
position of the CISO within
organizational structure varies among business sectors.
Additionally, the literature suggests that
research about the CISO is limited in higher education. This
study can fill gaps in the research
by providing more information on how the organizational
structure of information security and
the position of the CISO in higher education affect breach rates.
This chapter outlines the
methodologies and statistical analyses used to observe the
position of the CISO within
organizational structure in higher education and how it affects
breach rate. This study directly
observes the differences in reporting structures between CISOs
and other similar job titles while
making comparisons to the position of CIOs in higher education
institutions. Additionally, the
study uses publicly-accessible breach rate data in comparison
with organizational structure. This
chapter also defines the research paradigm, the research
design, and data collection and analysis
tools and procedures.
Research Paradigm
The research paradigm for this study was quantitative. This
study built on the work of
Grama (2014) and Brooks and Grama (2017) to further determine
the relationship between the
position of the CISO within organizational structure in higher
education and breach rate.
Additional relationships including time spent on task and the
ability to report directly to the
institution’s president and board were also analyzed. Survey
data collected from Educause and
publicly-accessible data breach data from the Privacy Rights
Clearinghouse were utilized for the
study.
Grama (2014) specifically studied data breaches in higher
education. The purpose of the
study was to determine if higher education breaches were
exposing as many records as other
sectors. Grama was attempting to dispute the claim that higher
education should be singled out
as the most susceptible to data loss due to the number of
breaches occurring in that sector.
Grama found that the number of breaches and their relationship
to the number of records
breached was different in higher education than other sectors.
Specifically, the study found that
“education has some of the lowest counts of records exposed per
breach incident” (p. 6). While
the study was not the first to take data breaches in education
(with an emphasis on higher
education) into account, the study did not elaborate on the
reasons for the lower number of
breached records. Additionally, the study did not research any
reason for the unusually high
number of breach rates in education.
Brooks and Grama (2017) continued the 2014 study by
researching Educause CDS survey
data and Privacy Rights Clearinghouse (PRC) data and
identifying points in the dataset that
might affect breach rates. The study was the first in higher
education to research the role of the
CISO and its effect on breach rate. While the study researched
areas of training, prevention,
detection, policies, and risk management, it did not study the
relationship of the position of the
CISO in organization structure and breach rates. Additionally,
the study did not determine whether a
relationship existed when a title other than CISO was used for
an information security officer.
This study used the quantitative research method to utilize
survey and publicly-accessible
data. Qualitative and mixed methods were also considered for
this study but were rejected. A
qualitative method would require the researcher to interview
CISOs and other security
professionals throughout the field and ask questions relating to
their perception of their
environment and how that affected breach rate. While this
method could be used and be
beneficial in answering some research questions, the data found
that directly related to this study
would not have been used. A mixed method could be effective
for this study. Jick (1979)
provides a case study on how interviews and survey data were
used together to provide usable
conclusions. This method was ultimately rejected due to the
same reason as the qualitative
method. The need to interview CISOs in higher education
concerning breach rates at their
institutions is difficult since breaches can be legal challenges
and information may be
confidential.
The quantitative research method provided this study with the
basis to research
relationships between variables. Quantitative tests designed to
reveal correlations and
differences between means were used to provide an analysis of
the data. This descriptive (or
observational) study “observed subjects without otherwise
intervening” (Hopkins, 2008, p. 2).
The survey tool provided by Educause reduced the chance of
confounding which can occur when
attempting to find cause and effect as was present in this study.
Confounding was controlled in
the Educause CDS survey by ensuring all subjects met the
requirements of being an accredited
US institution.
Research Design
This quantitative research was based on causal-comparative
design and was appropriate
to determine relationships between the position of the CISO
within higher education
organizational structure and breach rates. Causal-comparative
design includes independent
and/or dependent variables. This research could also be
classified as nonexperimental research
as it utilizes independent variables over which the researcher
has no control as they have already
occurred (Johnson, 2001). While this research is
causal-comparative in design, it is important to
note that definite relationships cannot be determined from this
research. Cook and Cook (2008)
conclude the following when discussing nonexperimental
quantitative research:
Because neither surveys nor correlational research incorporate
the defining features of
group experimental research (i.e., random assignment of
participants to groups and active
introduction of an intervention), they cannot be used to
determine definitively causal
relationships and should therefore not be relied on to establish
whether a practice is
evidence based. This is not to suggest that survey and
correlational research methods are
less important than experimental research; they are simply
designed to answer different
questions. (p. 103)
However, a survey was determined by the researcher to be the
best way to gain data for the
variables to be tested.
Other research designs were also considered for this study.
Descriptive research and
experimental research designs did not meet the requirements of
this study. In descriptive
research, the researcher does not typically have a hypothesis.
In this study, the hypothesis of the
researcher is clear. Experimental studies require an experiment
using the scientific method
which is also not applicable. Correlational research could have
been utilized for this study as it is
used to review variables in their natural environment. While
some of the questions of this study
do lend themselves to correlational research, the overall study is
causal-comparative as it seeks
to determine if the position of the CISO in higher education
affects breach rate.
Data Collection Sources
Following approval from the Institutional Review Board (see
Appendix C) at University
of the Cumberlands, data were requested from the Educause
Core Data Service. Specifically, the
information security module of the CDS survey was utilized.
The survey data were gathered in
2015-2018. Additionally, data were gathered from the Privacy
Rights Clearinghouse (PRC) via
the online database. The Educause contract for data (see
Appendix D) and the communication
from PRC for data use (see Appendix E) were both requested in
February 2019.
Educause produces the Core Data Service (CDS) annual survey
which is populated by
750 higher education institutions. The Educause CDS survey
contains several modules including
the information security module used for this study. The
information security module of the
CDS survey contains questions about the organization, staffing,
policies, and practices related to
information security within higher education. The questions
utilized from this survey included
one multiple choice question describing staffing, one multiple
choice question regarding
percentage of time on task, one multiple answer question
regarding report structure, and one
binary question regarding cabinet-level membership. The
Educause CDS data was chosen over a
survey created by the researcher. Many of the questions in the
survey were similar to the
questions originally crafted by the researcher. Additionally,
the survey is a tested tool for
data that is used by higher education institutions and other
researchers for similar purposes.
Without an additional researcher-led survey, Educause CDS
provides the only other collection of
data applicable to this study.
The Privacy Rights Clearinghouse is a nonprofit organization
that collects data from
publicly-accessible sources and compiles it into usable
information. Breach data are separated
by breach type, organization type, and year of breach. For this
study, data were requested for the
higher education sector for all breach types between 2015-2018.
Only publicly-reported
breaches appear in the PRC database. It is plausible that
some higher education institutions
have encountered breaches that were not published in the
database and are therefore not a part of
this study or its findings. Other breach databases also exist
including The Campus Computing
Project, Breach Level Index, and the Center for Higher
Education Chief Information Officer
Studies, Inc. However, these resources did not provide the
granularity or scope of data that was
provided by the PRC database.
This study utilized the 2018 Educause Core Data Service Survey
which contained data
from 750 respondents from a pool of 3,816 eligible institutions.
Higher education uses the
Carnegie Classification framework to classify colleges and
universities according to their type of
degree granted. All colleges and universities listed in the
Carnegie Classification and
respondents of the Educause CDS survey are accredited with the
US Department of Education
and represented in the National Center for Education Statistics
Integrated Postsecondary
Education Data System (IPEDS). Doctoral degree institutions
provided the largest set of data
with 134 responses while institutions outside the US provided
the smallest set of data with 53
responses. See Figure 4 for a breakdown of the Carnegie
Classification for the Educause CDS
survey data.
This study also utilized the Privacy Rights Clearinghouse
database. Out of 3065 total
records representing data breaches in all sectors from 2015 to
2018, 111 records characterized
education and 70 records related specifically to higher
education. Of those 70 records, 42
associated directly to an institution that also completed the
information security module of the
2018 Educause CDS Survey.
Carnegie Class   Participating Institutions   Eligible Institutions   Response Rate (%)
AA               114                          1044                    10.9
BA               109                          524                     20.8
MA Pub           110                          267                     41.2
MA Priv          100                          396                     25.3
DR Pub           134                          201                     66.7
DR Priv          61                           123                     49.6
Other U.S.       69                           842                     8.2
Non-U.S.         53                           419                     12.6
Mean             93.8                         477.0                   29.4
Median           104.5                        407.5                   23.1
Sum              750                          3816
Figure 4 Educause CDS Survey Demographics
Data Analysis Techniques
Chi square tests were used to determine if significant
relationships existed between the
CISO or similar title in several areas including time spent on
task, reporting structure, and
cabinet membership. Two t-tests were used to determine if the
number of breached records was
different depending upon the organization reporting structure of
the CISO.
McHugh (2013) states that “the Chi-square test of
independence (also known as the
Pearson Chi-square test, or simply the Chi-square) is one of the
most useful statistics for testing
hypotheses when the variables are nominal” (p. 143). The chi
square test was chosen for the
research questions that involved a relationship:
1. Is there a relationship between the titles of highest-ranking person in charge of
information security and to whom they report?
2. Is there a relationship between the titles of the highest-ranking person in charge of
information security and the percentage of time on task?
3. Is there a relationship between the CISO and the CIO in having cabinet-level
membership?
The Fisher’s exact test could be used as a substitute for the chi
square test but requires that the
test have two rows and two columns only (McHugh, 2013).
Since some of the tests needed for
this study required more rows and columns, the chi square test
was chosen for all relationship
tests for consistency. Sufficiently large sample sizes and
randomized data were used for the tests
to provide best results.
A t test was also utilized for one research question:
4. Is there a difference in the number of records breached and
the reporting structure of the
CISO or equivalent title?
Two sample datasets were gathered from a combination of
Educause CDS survey data and
breached records data from the PRC database. Specifically,
data from two questions in the
Educause CDS survey were combined: what is the title of the
highest-ranking person in charge
of information security, and to whom does this person report.
Reporting structure was combined
into two categories: CISO reporting to CIO, and CISO reporting
to another high-level officer.
The total number of breached records related to the higher
education institution was then entered
for the corresponding row and column. A row containing a zero
indicated that no records had
been breached for that specific institution. Data for this table
was gathered by matching 22
breach incidents associated with institutions that completed the
Educause CDS survey with their
corresponding breached records report in the PRC database and
by using the same Educause
CDS survey data from 22 randomly selected institutions that
were not part of a breach according
to the PRC database. In compliance with the researcher’s
contract, the data was anonymized
before being used for any statistical tests. See Appendix F for
raw data table.
A two-sample t test was chosen for its ability to compare two
populations based on
sample data. Although other types of t tests could have been
utilized, Ruxton (2006) concludes
that “the unequal variance t-test should always be used in
preference to the Student’s t-test or
Mann–Whitney U test” (p. 690). Due to the distribution of the
populations used for this test,
both equal and unequal variance tests were utilized.
Summary
This chapter outlined the methodology for this research. The
literature review specified
gaps in understanding the role of the CISO in higher education
and how different factors,
including breach rate, could be affected by the position of the
CISO within the organization. A
quantitative, causal-comparative study was conducted to
evaluate the organization structure of
the CISO and its effect on breach rate in higher education.
Survey data from the Educause CDS
and publicly-accessible breach data from the Privacy Rights
Clearinghouse were used in this
study. Chi square and t-tests were used to analyze the
data. A summary of the results is
presented in Chapter Four.
Chapter Four
Research Findings
Introduction
Chapter Four provides an analysis of the research findings
related to the relationships in
reporting structures between CISOs and other similar job titles
while making comparisons to the
position of CIOs in higher education institutions. As previously
stated in Chapter Three, the
purpose of this quantitative study was to provide an analysis of
how the organizational structure
of information security and the position of the CISO in higher
education affect breach rates. The
Educause CDS annual survey data and breach rate data from the
Privacy Rights Clearinghouse
were used to find relationships between the CISO and similar
titles, their reporting structure, and
its effect on breach rate in higher education. Chapter Four
includes specific information
pertaining to the statistical analysis used to study the research
questions found in Chapter One.
Participant Demographics
The sample population from the Educause CDS survey
contained 471 records from
higher education institutions that had completed the 2018
information security module. The
sample population from the Privacy Rights Clearinghouse
(PRC) contained 70 records derived
from educational institutions that had suffered a breach between
2015-2018. The PRC data were
narrowed to 42 records in order to match information back to
the CDS survey. The primary job
title for respondents was CISO (29%) followed by CIO (26%),
information security officer (ISO)
(15%), director of information security (8%), and information
technology security officer (5%).
All other respondent title groups were less than 5% and can be
seen in Appendix A. A further
breakdown of the Educause CDS survey data demographics can
be seen in Figure 4 in Chapter
Three.
Analyses of Research Questions
Data were collected from the information security module of the
Educause CDS survey
and publicly-accessible data from PRC as described in Chapter
Three. The highest-ranking
information security staff member was identified by a 16-option
multiple choice question that
also provided space for a write-in option. Percentage of time on
task was identified by a 7-option
multiple choice question. Reporting structure was
provided by a multiple answer question
which presented 17 options including a provided space for a
write-in position. Reporting to the
university cabinet was provided as a binary yes/no question set.
The write-in options were not
calculated as part of this research. The PRC dataset contained a
record for each breach incident
at a higher education institution and included the institution
name, number of breached records,
breach type, and supporting sources.
Question One. Is there a relationship between the titles of
highest-ranking person in
charge of information security and to whom they report? The
highest-ranking security officer is
most often called a CISO but this can vary among institutions.
All relevant titles that would
fulfill the same role as the CISO were included in the
calculations. In order to understand how
the CISO or similar title is positioned within the institution, the
data was categorized into
reporting to the CIO or other officer. Officers in the other
category included the president, CFO,
CRO, and other similar positions. Since literature shows that
the CISO most often reports to the
CIO, that position was listed as its own variable. A Chi Square
test was conducted on the survey
data. The test found the results were not significant, (χ² [2, N =
503] = 0.48, p > .05). Table 1
shows the results of the Chi Square test as described.
Table 1
Chi Square for Relationship of Reporting Structure
Observed Values                            Expected Values
         CISO   Similar Title   Sum                 CISO     Similar Title
CIO      118    265             383        CIO      114.98   268.0239
Other    33     87              120        Other    36.024   83.97614
         151    352             503

               Observed   Expected   (O-E)²    (O-E)²/E
Variable 1 A   118        114.9761   9.14371   0.079527
Variable 1 B   265        268.0239   9.14371   0.034115
Variable 2 A   33         36.02386   9.14371   0.253824
Variable 2 B   87         83.97614   9.14371   0.108885
χ²                                             0.476351
P Value                                        0.49008
This analysis concluded that the title of the person responsible
for information security in
higher education is insignificant when paired with reporting
structure. While the CISO is the
most common title in the respondent survey (see Appendix A), a
change from that title does not
provide any indication that organization structure will change.
While titles are important, just
changing the title of the information security administrator may
not increase the ability for that
person to participate at a higher level in the organizational
chart.
Question Two. Is there a relationship between the titles of the
highest-ranking person in
charge of information security and the percentage of time on
task? A Chi Square test was
utilized to determine if a relationship existed between the title
of the security officer and the time
that was spent in that role. In order to place the data into a 2x3
Chi Square test, the time on task
percentages were modified from the original data. All
categories below 80% were combined to
represent a single variable. The test found this relationship
insignificant (χ² [3, N = 314] = 1.70,
p > .05). Table 2 shows the results of this Chi Square test as
described.
Table 2
Chi Square Relationship Between Title and Full Time Percentage
Observed                                      Expected
            CISO   Similar Title   Sum                     Var A    Var B
100%        94     112             206        Variable 1   88.567   117.43   206
80-99%      14     23              37         Variable 2   15.908   21.092   37
Below 80%   27     44              71         Variable 3   30.525   40.475   71
            135    179             314                     135      179      314

               Observed   Expected   (O-E)²   (O-E)²/E
Variable 1 A   94         88.5669    29.519   0.3333
Variable 1 B   112        117.433    29.519   0.2514
Variable 2 A   14         15.9076    3.6391   0.2288
Variable 2 B   23         21.0924    3.6391   0.1725
Variable 3 A   27         30.5255    12.429   0.4072
Variable 3 B   44         40.4745    12.429   0.3071
df = 4
χ²                                            1.7002
P Value                                       0.7907
Each survey respondent was asked “what percentage of full
time did this person devote to
information security?” (see Appendix B). Many different types
of higher education institutions
were represented by the Educause CDS survey. Independent
colleges and universities and other
types with low enrollment may have staff that handle several
roles simultaneously. This test
analyzed the relationship between the time the person
administrating information security spent
on just that role alone. As the test was insignificant, the
conclusion is that a change in title of
the person administrating information security does not
significantly affect time on task.
Additionally, the data from this test indicates that many
information security administrators,
regardless of their title, are dedicated to information security
only.
Question Three. Is there a relationship between the CISO and
the CIO in having
cabinet-level membership? A Chi Square test was utilized to
determine if a relationship exists
between a CISO and a CIO reporting to a cabinet-level position
in higher education using binary
variables. The test found this relationship to be significant (χ²
[2, N = 259] = 60.35, p < .001).
The CIO is much more likely to be a cabinet member than the
CISO. Table 3 shows the results
of this Chi Square test as described.
Table 3
Relationship Between CISO and CIO as Member of President's Cabinet
Observed Values                Expected Values
      CISO   CIO   Sum               CISO         CIO
Yes   16     69    85          Yes   45.2895753   39.71042
No    122    52    174         No    92.7104247   81.28958
      138    121   259

               Observed   Expected   (O-E)²     (O-E)²/E
Variable 1 A   16         45.28958   857.8792   18.94209
Variable 1 B   69         39.71042   857.8792   21.60338
Variable 2 A   122        92.71042   857.8792   9.25332
Variable 2 B   52         81.28958   857.8792   10.55337
χ²                                              60.35216
P Value                                         7.93E-15
While reporting structure was tested in the first research
question, this question relates to
a different data point. In the survey, respondents were asked “is
this person a member of the
president/chancellor’s cabinet?”. For this test, the researcher
reduced the dataset to just those
respondents with the specific title of CISO or CIO. The
significance of this analysis shows that
the CISO is less likely to sit on the president’s cabinet than the
CIO. As noted in Chapter Two,
this scenario can create a security concern for the organization
as the CIO and the CISO may
have differing agendas. The position of the CISO or CIO in
organizational structure is irrelevant
in this test.
Question Four. Is there a difference in the number of records
breached and the reporting
structure of the CISO or equivalent title? Reporting structure
data from the information security
module of the Educause CDS survey was combined with known
breach data from PRC which
included number of records breached. The number of breached
records was then included in a
two-sample t test assuming equal variances. The number of
breaches that occurred when a CISO
reported to a CIO (M = 22597.92) was not significantly
different than the number of breaches
that occurred when a CISO reported to a different cabinet-level
officer (M = 1216.37), (t [40] =
1.0810, p > .05). There is not a significant difference in breach
rates between the reporting
structures. Table 4 shows the results of this t test as described.
Table 4
Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Equal Variances
                               CISO to CIO    CISO to Other
Mean                           22597.92308    1216.375
Variance                       6195248036     7531018.383
Observations                   26             16
Pooled Variance                3874854155
Hypothesized Mean Difference   0
df                             40
t Stat                         1.081019395
P(T<=t) one-tail               0.143081573
t Critical one-tail            1.683851013
P(T<=t) two-tail               0.286163147
t Critical two-tail            2.02107539
In addition to the above test, the same data was analyzed by a
two-sample t test assuming
unequal variances. In this analysis, the number of breaches
result (t [25] = 1.3838, p > .05)
remained insignificant. Table 5 shows the results of this t test
as described.
Table 5
Difference Between Number of Records Breached and Reporting Structure
t-Test: Two-Sample Assuming Unequal Variances
                               CISO to CIO    CISO to Other
Mean                           22597.92308    1216.375
Variance                       6195248036     7531018.383
Observations                   26             16
Hypothesized Mean Difference   0
df                             25
t Stat                         1.383782862
P(T<=t) one-tail               0.089328216
t Critical one-tail            1.708140761
P(T<=t) two-tail               0.178656431
t Critical two-tail            2.059538553
This researcher found that a primary variable that was excluded
from Brooks and
Grama’s (2017) research was the position variable. Question
four is the focal point of this
research as it attempts to determine if breaches in higher
education are affected by the reporting
structure of the CISO or equivalent title. Literature from
Chapter Two indicates that security
could be more likely to be compromised if the CISO reports to
the CIO instead of the CEO.
Chapter Three provides details for the layout of these tests and
the raw data for the test can be
seen in Appendix F. While neither of the test results were
significant, the researcher notes that
the unequal variances t test is very close to significance. A
limited number of data points for this
question may have affected the outcome of the tests.
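The chi-square and t statistics reported for Questions One through Four can be recomputed from the counts and summary values printed in Tables 1 through 5. The following Python code is an added example, not the researcher's own analysis; its function and variable names are assumptions of the example, and it derives chi-square degrees of freedom from table shape as (rows − 1)(columns − 1).

```python
"""Recompute the chapter's chi-square and two-sample t statistics.

Added example: counts and summary values are copied from Tables 1-5;
all names below are this example's own.
"""
import math

# Observed counts as printed in Tables 1-3.
TABLE_1 = [[118, 265], [33, 87]]            # reports to CIO/Other x CISO/similar title
TABLE_2 = [[94, 112], [14, 23], [27, 44]]   # 100% / 80-99% / below 80% time on task
TABLE_3 = [[16, 69], [122, 52]]             # cabinet member Yes/No x CISO/CIO
# (mean, variance, observations) per group, from Tables 4 and 5.
CISO_TO_CIO = (22597.92308, 6195248036, 26)
CISO_TO_OTHER = (1216.375, 7531018.383, 16)
# Two-tail critical values as printed in Tables 4 and 5.
T_CRIT_POOLED, T_CRIT_WELCH = 2.02107539, 2.059538553


def chi2_sf(x, df):
    """Upper-tail probability of a chi-square variate with integer df."""
    y = x / 2.0
    if df % 2 == 0:                        # even df: finite sum times exp(-y)
        term = total = 1.0
        for k in range(1, df // 2):
            term *= y / k
            total += term
        return math.exp(-y) * total
    total = math.erfc(math.sqrt(y))        # odd df: start from the df = 1 case
    for k in range(1, (df - 1) // 2 + 1):
        total += math.exp(-y) * y ** (k - 0.5) / math.gamma(k + 0.5)
    return total


def chi_square_independence(observed):
    """Pearson chi-square test of independence -> (statistic, df, p)."""
    row_sums = [sum(row) for row in observed]
    col_sums = [sum(col) for col in zip(*observed)]
    n = sum(row_sums)
    stat = 0.0
    for i, row in enumerate(observed):
        for j, o in enumerate(row):
            e = row_sums[i] * col_sums[j] / n   # expected count under independence
            stat += (o - e) ** 2 / e
    df = (len(observed) - 1) * (len(observed[0]) - 1)
    return stat, df, chi2_sf(stat, df)


def pooled_t(g1, g2):
    """Two-sample t statistic assuming equal variances -> (t, df)."""
    (m1, v1, n1), (m2, v2, n2) = g1, g2
    df = n1 + n2 - 2
    sp2 = ((n1 - 1) * v1 + (n2 - 1) * v2) / df   # pooled variance
    return (m1 - m2) / math.sqrt(sp2 * (1 / n1 + 1 / n2)), df


def welch_t(g1, g2):
    """Two-sample t statistic assuming unequal variances -> (t, df)."""
    (m1, v1, n1), (m2, v2, n2) = g1, g2
    a, b = v1 / n1, v2 / n2
    df = (a + b) ** 2 / (a ** 2 / (n1 - 1) + b ** 2 / (n2 - 1))  # Welch-Satterthwaite
    return (m1 - m2) / math.sqrt(a + b), df


def summarize(alpha=0.05):
    """Run every test in the chapter and flag significance at alpha."""
    out = {}
    for name, table in (("table_1", TABLE_1), ("table_2", TABLE_2),
                        ("table_3", TABLE_3)):
        stat, df, p = chi_square_independence(table)
        out[name] = {"chi2": stat, "df": df, "p": p, "significant": p < alpha}
    t, df = pooled_t(CISO_TO_CIO, CISO_TO_OTHER)
    out["pooled_t"] = {"t": t, "df": df, "significant": abs(t) > T_CRIT_POOLED}
    t, df = welch_t(CISO_TO_CIO, CISO_TO_OTHER)
    out["welch_t"] = {"t": t, "df": df, "significant": abs(t) > T_CRIT_WELCH}
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(name, row)
```

Passing the df printed with Table 2 (4) to `chi2_sf` reproduces that table's P value of 0.7907; with df taken from the 3 x 2 table shape the p-value is about 0.43, and the result is insignificant either way.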
Summary
Data from the information security module of the Educause
CDS survey and publicly-
accessible data from the Privacy Rights Clearinghouse were
analyzed to determine how the
CISO and similar positions relate in organization structure in
higher education. The data from
the security module of the Educause CDS survey included 471
institutions. The primary title of
the highest-ranking security officer was CISO (29%) followed
by CIO (26%). The survey used
multiple choice, multiple answer, and binary questions to gather
data.
Three Chi Square tests, a two-sample t test assuming equal
variances, and a two-sample t
test assuming unequal variances were used to evaluate the
relationships of the CISO within
organizational structure in higher education and its relation to
breach rate. The relationship
between the titles of the highest-ranking security officers and to
whom they report was analyzed
by a Chi Square test and found to be insignificant (χ² [2, N =
503] = 0.48, p > .05). A Chi Square
test also analyzed the relationship between titles of the highest-ranking
security officer and time
on task. The results of this test were also insignificant (χ² [3,
N = 314] = 1.70, p > .05). The
final Chi Square test analyzed the relationship between the
CISO and the CIO as a cabinet-level
member. This test was found to be significant (χ² [2, N = 259]
= 60.35, p > .05) and shows that
the CIO is more likely to be a member of the president’s cabinet
than the CISO.
Two t tests were utilized to determine if differences in number
of breached records were
present when a CISO reported to the CIO versus when a CISO
reported to another cabinet-level
officer. In the first t test, equal variances were assumed. The
test was insignificant and
concluded that the number of breaches that occurred when a
CISO reported to a CIO (M =
22597.92) were greater than the number of breaches that
occurred when a CISO reported to a
different cabinet-level officer (M = 1216.37), (t [40] = 1.0810,
p > .05). A t test assuming
unequal variances was also performed. While this test was
much closer to being significant, the
result (t [25] = 1.3838, p > .05) remained insignificant.
While the results of all but one of the tests are insignificant, the
analyses do yield several
conclusions. The title of the person administrating information
security is not an overarching
concern. A change in title is not likely to change the position
of that role in organizational
structure. The CISO is much less likely to have a presence on
the cabinet than the CIO. The
lack of a CISO or similar role on the president’s cabinet could
affect information security by
reducing the level of information provided to the cabinet
members. There is a need for more
data about data breaches in higher education and their
relationship to reporting structure of the
CISO. While the t tests relating to organizational structure and
number of breached records were
insignificant, the conclusions showed a need for more data for
comparison. The practical
implications of the analyses in this chapter and further
suggestions for study are discussed in
Chapter Five.
Chapter Five
Summary, Discussion, and Implications
Introduction
The purpose of this study was to research the position of the
CISO in higher education
organizational structure and how that positioning affects breach
rate. Additionally, the study
evaluated relationships between the CISO and the CIO and the
differences in their reporting
structure. The overall goal of this research was to expand other
studies about the CISO in higher
education that used factors other than position in organization
structure and potentially provide
higher education colleges and universities with data needed to
make informed decisions when
hiring and promoting the CISO. Brooks and Grama (2017)
stated that their research in higher
education has found that “no single measure of prevention is
enough by itself to prevent a
breach” (p. 8). This research can add another measure to
provide defense in depth for higher
education institutions.
The frequency at which data breaches occur in all industry
sectors, including higher
education, is rising and shows no slowing rate. Higher
education institutions are not immune to
data breaches. While research by Grama (2014) shows the
number of records per breach in
higher education is traditionally lower than other sectors, this
should not lull colleges and
universities into a false sense of security. A capable leader for
information security is necessary
to combat attacks with administrative and technical controls
that are applicable to the entire
organization.
Chapter Two provided an overview of literature related to the
history, importance, and
function of the CISO in all sectors. The overview also provided
a focus on the CISO in higher
education and the challenges faced in that sector. The need for
an effective leader at the helm of
information security in higher education is necessary for any
college or university (Brooks and
Grama, 2017). This need provides the basis for this and
similar studies. As discussed in
Chapter Three, data from the information security module of the
Educause Core Data Survey
(CDS) was paired with publicly-accessible data from the
Privacy Rights Clearinghouse (PRC)
and utilized for the research questions of this study. Chapter
Four provides a detailed analysis
of the data collection and research findings of this study.
Chapter Five presents the practical
significance and implications of the research results discussed
in Chapter Four along with the
limitation of the study and opportunities for further research.
Practical Assessment of Research Questions
This quantitative research was based on causal-comparative
design and was intended to
fill gaps in previous research pertaining to the CISO and
information security within higher
education. Four research questions were developed and used for
this study.
The first research question asked if there is a relationship in
reporting structure when a
title other than CISO is used for the top-ranking security officer
at a higher education institution.
Two responses from the information security module of the
Educause CDS were utilized that
provided the title of the highest-ranking person responsible for
information security and to whom
they reported. The Chi Square test was configured to observe
how the CISO or similar title
reported to the CIO or other high-level officer. The test results
were insignificant, (χ² [2, N =
503] = 0.48, p > .05).
These findings are not abnormal. Across all sectors of
business, Karanja and Rosso
(2017) found that the newly-hired CISO was less likely to
report to the CIO than another high-
level officer such as the CEO. However, with older CISO
positions, they found that 63% of
CISOs report directly to the CIO. The test results suggest that
higher education may be behind
the normal trend in organizational structure tactics for the CISO
and CIO seen in other sectors.
This also would not be abnormal as research into the CISO and
the advent of information
security in higher education is lacking.
The second research question asked if there is a relationship
with time spent on task when
a title other than CISO is used for the top-ranking security
officer at a higher education
institution. Two responses from the information security
module of the Educause CDS were
utilized that provided the title of the highest-ranking person
responsible for information security
and the associated time spent on task. The Chi Square test was
configured to observe if the
CISO or similar title spent 100%, 80-99%, or less than 80% of
job time on information security
related tasks. The test results were insignificant, (χ² [3, N =
314] = 1.70, p > .05).
According to Brooks and Grama (2017), the use of the CISO
title in higher education is
still rare. According to their research from 2014, only 34% of
administrators in higher education
information security devoted 100% of their time to that task and
only 32% of that group held the
title CISO. The findings of this test parrot that of the earlier
research from Brooks and Grama
(2017). The test indicates that the title of the highest-ranking
information security officer does
not seem to affect time spent on task.
The third research question asked if there is a relationship with
the CISO or the CIO and
serving as a member of the college or university president’s
cabinet. Two responses from the
information security module of the Educause CDS were utilized
that provided the title of the