Running Head: EXTORTION ON THE JOB
Extortion on the Job
Valorie J. King, PhD
August 16, 2017 (originally published April 2, 2014)
Introduction
Writing as Anonymous (2003), the Chief Information Security Officer (CISO) of a major
United States (US) corporation told a chilling tale of extortion threats that employees
received by email at their corporate email addresses.
The corporation, its managers, and the individual employees who were targeted faced a number
of issues and dilemmas as they responded to the security incident caused by the extortion attempts.
In the following analysis, one issue–the enforcement of acceptable use policies–is discussed and
critiqued.
Analysis
The Attack
Drive by download attacks occur when a legitimate Web server has been infected with
malware or malicious scripts which deliver malware, pornography, or other objectionable
material along with the Web page content that the visitor was expecting to see (Microsoft, 2014;
Niki, 2009). These types of attacks are difficult to detect and often result in the infection of large
numbers of visitors before the infection is detected and removed from the Web site.
In this attack, computers used by the affected employees (victims) were compromised by
a drive by download attack (Microsoft, 2014) which resulted in the download of pornographic
materials while they were browsing websites which, in turn, had been compromised
(Anonymous, 2003). The attackers also obtained each visitor’s email address from the Web
browser. Extortion emails were sent to victims demanding credit card payment of hush fees. The
extortionists told the victims exactly where the contraband files were located on the computer
hard drive and assured the victims that it was impossible to remove those files.
Why the Problem Went Unreported
Anonymous (2003) discovered that he was dealing with “paranoid users who don't trust
security people” (p. 1). There are many possible reasons why employees turn into paranoid users
who are unwilling to self-report security incidents, even those which are accidental. Two
such reasons are enforcement of zero tolerance for violations and perceptions of unfairness or a
lack of justice.
Zero tolerance. The previous CISO implemented a zero tolerance policy with respect to
acceptable use policy (AUP) violations (Anonymous, 2003). Under this zero-tolerance policy, a
number of employees were terminated (fired), without due process or hearings to establish guilt
or innocence. When employees began receiving extortion emails and threats, they believed that
their jobs could be placed at risk, regardless of their innocence or guilt with respect to
downloading of pornography to company computers, if they reported the presence of
pornographic files (pushed to the computer by the extortionists).
Perceptions of fairness and justice. When employees feel that IT policy enforcement is
unfair, the situation is usually accompanied by extreme and long-lasting negative feelings or
emotions (Flint et al., 2005). The overall result (consequences) in this instance was an increase in
unethical behavior as victims attempted to hide or cover up the extortion attempts (lying) rather
than asking their employer for assistance and protection from harm (Moor, 1999). This
undesirable result is, in part, due to the employer’s failure to consider the consequences of the
application of the zero tolerance policy.
Incident Response
The new CISO treated the extortion situation as a security incident rather than as an
employee disciplinary problem (Anonymous, 2003). He and his IT Security Staff investigated
the situation and learned that (a) the company’s employees regularly received such threats and
(b) some of them had paid the extortionists rather than risk losing their jobs. The CISO directed
the IT Security Staff to reconfigure firewalls and other network security appliances to block all
further emails containing extortion keywords or from the known IP addresses for the
extortionists. The CISO also met with IT staff members to determine what additional protective
actions could be taken. Finally, the new CISO met with the IT staff and other selected employees
to determine what actions needed to be taken to encourage employees to come forward (self-report)
in the future and decrease the atmosphere of fear and distrust that he had inherited.
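The blocking the CISO ordered (drop mail that carries extortion keywords or comes from the extortionists' known IP addresses) can be illustrated with a small inbound-mail screen. The following is an added example, not code from the article or from the company it describes; the denylisted addresses (drawn from the RFC 5737 documentation ranges), the keyword patterns, and the three sample messages are all constructed for this illustration.

```python
"""Screen inbound mail by sender IP and extortion keywords (constructed example)."""
import ipaddress
import re
from email import message_from_string

# Constructed denylist: addresses the incident team attributes to the extortionists.
# These are RFC 5737 documentation addresses, not real senders.
BLOCKED_SENDER_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed keyword patterns; a real deployment would derive these from the
# threats actually observed and tune them against false positives.
EXTORTION_PATTERNS = [
    ("hush-fee", re.compile(r"\bhush (money|fee)s?\b", re.I)),
    ("impossible-to-remove", re.compile(r"\bimpossible to (remove|delete)\b", re.I)),
    ("pay-or-tell-employer",
     re.compile(r"\bpay\b.{0,80}\bor\b.{0,80}\b(employer|boss)\b", re.I | re.S)),
]

# IPv4 literal in a Received: header, e.g. "(mail.example.net [203.0.113.45])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ips(msg):
    """Return every valid IPv4 literal found in Received: headers, outermost first.

    Only the Received: lines stamped by your own mail gateway are trustworthy;
    anything below them was written by the sender and can be forged.
    """
    ips = []
    for header in msg.get_all("Received", []):
        for literal in RECEIVED_IP.findall(header):
            try:
                ipaddress.ip_address(literal)
            except ValueError:
                continue  # malformed literal such as 999.1.1.1
            ips.append(literal)
    return ips


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def screen(raw_message):
    """Decide whether a raw RFC 822 message is delivered or quarantined.

    Returns {"action", "sender_ips", "reasons"}. Matches are quarantined for the
    security team rather than silently dropped, so the incident stays visible.
    """
    msg = message_from_string(raw_message)
    ips = originating_ips(msg)
    reasons = [f"sender-ip:{ip}" for ip in ips if ip in BLOCKED_SENDER_IPS]
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    reasons += [f"keyword:{label}" for label, pattern in EXTORTION_PATTERNS
                if pattern.search(text)]
    return {"action": "quarantine" if reasons else "deliver",
            "sender_ips": ips, "reasons": reasons}


# Constructed sample messages (hostnames and ids are placeholders).
EXTORTION_MSG = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
    by mx.corp.example (Postfix) with ESMTP id 4F2C1A
From: noreply@example.net
To: employee@corp.example
Subject: Your files

We placed files on your machine. Pay $200 by credit card or we tell your employer.
It is impossible to remove them.
"""

BENIGN_MSG = """\
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTP id 4F2C1B
From: accounting@corp.example
To: employee@corp.example
Subject: Invoice reminder

Please pay the invoice by Friday or let accounting know if it is disputed.
"""

KEYWORD_ONLY_MSG = """\
Received: from relay.example.org (relay.example.org [198.51.100.200])
    by mx.corp.example (Postfix) with ESMTP id 4F2C1C
From: someone@example.org
To: employee@corp.example
Subject: Read this

Send the hush fee today.
"""

if __name__ == "__main__":
    for name, raw in [("extortion", EXTORTION_MSG), ("benign", BENIGN_MSG),
                      ("keyword-only", KEYWORD_ONLY_MSG)]:
        print(name, screen(raw))
```

The third sample shows why both checks are needed: its sender address is not on the denylist, so only the keyword rule catches it, while a denylist entry keeps catching the extortionists after they reword the message.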
Summary and Conclusions
In this article, the author highlighted some of the problems that can arise when employers
emphasize adherence to rules rather than seeking a balance between rules and outcomes
(Anonymous, 2003). The company’s zero-tolerance enforcement of its acceptable use policy
resulted in undesirable outcomes, particularly the creation of an atmosphere of fear and secretive
behavior. This, in turn, resulted in employees being unwilling to report security incidents. To
avoid this problem in the future, corporate management should review the potential negative
consequences or outcomes of policy enforcement and address specific circumstances with
compassion rather than hardline enforcement (Reynolds, 2007).
References
Anonymous. (2003, February 3). A sordid tale. Chief Security Officer. CSO Online. Retrieved
from http://www.csoonline.com/article/2116226/fraud-prevention/extortion-by-e-mail--a-sordid-tale.html
Flint, D., Hernandez-Marrero, P., & Wielemaker, M. (2005). The role of affect and cognition in
the perception of outcome acceptability under different justice conditions. The Journal of
American Academy of Business, 7(1), 269-277.
Microsoft. (2014). Microsoft security intelligence report. Retrieved from
http://www.microsoft.com/security/sir/glossary/drive-by-download-sites.aspx
Moor, J. H. (1999). Just consequentialism and computing. Ethics and Information Technology,
1(1), 61-69.
Niki, A. (2009, December). Drive-by download attacks: Effects and detection methods. Paper
presented at the 3rd IT Student Conference for the Next Generation. Retrieved from
http://www.kaspersky.com/fr/images/driveby_download_attacks_effects_and_detection_methods.pdf
Reynolds, G. W. (2007). Ethics in information technology (2nd ed.). Boston, MA: Thompson
Course Technology.
Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit (pp. 13-18)
http://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002-for-Business-Benefit_res_Eng_1108.pdf
Business Model for Information Security (pp. 5-15)
http://www.isaca.org/knowledge-center/research/documents/introduction-to-the-business-model-for-information-security_res_eng_0109.pdf
NIST Cybersecurity Framework (version 1, Ch 1 & 2)
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
NIST Risk Management Framework SP 800-37 (pp. 18, 22-23)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
NIST Security and Privacy Controls for Federal Information Systems and Organizations 800-53
(Abstract, Notes, Ch 1 & 2)
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
Governance, Risk and Compliance (GRC)
https://www.oceg.org/about/what-is-grc/
Understanding the Types of Risks That Could Affect Your Business
https://www.dnb.com/perspectives/small-business/understanding-the-types-of-risks-that-could-affect-your-business.html
Cyber Attack Example: Extortion
Extortion by E-Mail: A Sordid Tale
https://www.csoonline.com/article/2116226/fraud-prevention/extortion-by-e-mail--a-sordid-tale.html
CYBERSECURITY MANAGEMENT & POLICY
Padgett-Beale, Inc.
A case study for CSIA 300
Valorie J. King, PhD
8/18/2017
Copyright © 2018 by University of Maryland University College. All Rights Reserved.
CSIA 300 Cybersecurity for Leaders and Managers
Welcome!
Dear Intern,
Welcome to Padgett-Beale! We are excited to have you join us as a management intern and
hope that your participation in our virtual / online program will be beneficial for both you and our
company. This year, our management interns will have the opportunity to participate in Padgett-Beale’s
pervasive cybersecurity initiative. This initiative is designed to help our employees and managers better
understand and address the cybersecurity problems that our company is facing. These problems include
a host of privacy related concerns, intellectual property protection issues, and the appropriate use of
information technology resources. Since you are joining us as a management intern, you will also be
participating in our internal training program: Cybersecurity for Leaders and Managers. During this
eight-week program, you will have an opportunity to participate in a number of management and leadership
activities and assessments related to cybersecurity.
As you move through this program, we hope that you and your peers will take advantage of the
numerous communication channels made available to you via our internal Websites and discussion
forums. We are truly interested in learning from you and hearing your thoughts on the management and
leadership issues that you encounter during your time with us.
Finally, our goal is to help you find opportunities to take what you learn here and apply it to
your future studies and career. We hope that you, in turn, will help us by providing feedback during and
at the end of this program. Thank you for your participation and, again, Welcome!
Sincerely,
Edwina L. Beale
Chief of Staff and Manager, Internship Programs
Padgett-Beale Organization Chart -- 2017
Figure 1. Padgett-Beale, Inc. Organization Chart
Company History
Elmer and Robenia Padgett’s first hotel, Robenia’s Guest House, opened in 1925 with six
family suites (two per floor), a tea room, and a formal dining room. The guest house
primarily served wealthy families who relocated to the seashore for the summer to escape
the heat in New York City. This property provided amenities and services matching those of rival
long-stay hotels in major cities along the East Coast. The second and third properties, Padgett’s Hotel and
Padgett’s Beach House, were acquired in 1935. Flintom’s Tavern, a landmark restaurant and
entertainment venue, was added to the Padgett properties portfolio in 1940.
Periodic resurgences in popularity of the seashore as a vacation destination occurred
over the next fifty years (1940-1990) as bridges were built, roads were improved, and
regional economies strengthened. These resurgences brought additional competition as
new motels and resorts operated by national chains entered the seashore vacations market. Major
weather events in the 1970’s resulted in damage to both Padgett’s Beach House and Flintom’s Tavern
causing both to close for an extended period of renovations. The Padgett family’s brand remained
strong, despite these setbacks, as members of the family took a personal interest in the day-to-day
operations and management of the company.
Padgett’s was not an early adopter of computers and information technology. But, over
time and as younger family members entered the business, computers began a slow
march into the company’s offices in the form of personal computers with word
processing, spreadsheets, and database systems. Personal computers also made their way
into manager’s offices in the hotel properties where spreadsheets proved valuable in tracking revenues
and expenses. In 1982, an embezzlement scandal at Flintom’s Tavern forced the company to adopt
computer-based point of sale (POS) systems throughout the company for all cash handling functions
(hotel front desks and restaurants). A benefit of the POS systems was the built-in reporting functions,
which enabled the company to more closely track cash and credit sales by property. By 1995, the
company had fully integrated custom hotel management software into its operations. This software and
the associated databases were hosted on company owned / operated mainframe computer systems. By
the end of the decade, information technologies were in use to support all aspects of the company’s
internal operations (accounting, customer service, property management, and reservations).
At the beginning of the new century, the company adopted its first strategic plan with
a heavy emphasis upon growth and expansion. Under this plan, the company branched
out and began offering hotel and resort management services to other hoteliers and
property owners. Advanced telephony services and implementation of custom
software allowed Padgett’s to offer one of the first centralized reservations management services. The
company also leveraged the Internet and World Wide Web to launch a resort affiliates program, which
provided a menu of business related services to member properties. These services included: online
advertising and promotions, architecture and design assistance, business operations consulting, group
business insurance, and guest loyalty programs. The hotel and resort management services business
area continues to be the major source of revenues and profits for the company and its owners.
As part of Padgett’s expansion plan, the company purchased Beale Realty Holdings in 2001
and formed Padgett-Beale, Inc. (PBI). Shortly thereafter, PBI embarked on a series of real estate
acquisition activities, which led to the purchase of several large tracts of prime Eastern Shore
waterfront property. The company’s long-term plan was to hold the properties as real estate
investments and, when market demand rose sufficiently, expand into development, sales, and
management of condominiums and vacation time-share properties. The focus on long term investment
was a wise choice as this particular market segment was adversely impacted by the housing boom/bust
in the mid 2000’s.
At the time of purchase, the waterfront properties were in use as campgrounds and
resorts for tent-campers, travel-trailers, and motorhomes. These camping facilities
were allowed to continue their existing operations with minimal investment and
oversight for the next 15 years (2002 – 2017). During this laissez-faire management period, some
campground managers modernized their camp offices and stores by purchasing computer-based point
of sale systems that allowed them to accept credit and debit cards. Most of these managers also
outsourced their reservations management to a third party online reservations system, which provided
a customized website to advertise each park and provide access to the online reservations system. A few
campgrounds did not modernize beyond setting up a simple website with contact information and a few
photographs. These facilities continue to use a mail or telephone-based reservation process with a “cash
only” payment policy.
In 2015, the day-to-day operations and management of PBI was transitioned to a new
leadership team recruited from leading hotel and resort management companies. The
new leadership team includes the Chief Executive Officer, Chief Financial Officer, Chief
Operating Officer / Director for Resort Operations, and the Corporate Counsel
(attorney) who is also dual-hatted as the Chief Privacy Officer. Under this new leadership, the company
was reorganized to better focus on the three most profitable business areas: Resort Operations,
Reservations Services, and Resort Affiliates. Management and daily operations for the three company
owned hotel properties (Robenia’s Guest House, Padgett’s Hotel, and Padgett’s Beach House), Flintom’s
Tavern, and the campgrounds / trailer parks were transferred to the newly formed Property Holdings
and Development division.
Building a strong management and leadership team is a priority for both the new
CEO and the current chair of the PBI Board of Directors. In 2017, these two
leaders developed and launched a management internship program whose
participants were recruited from a select group of colleges and universities. The next class of
management interns has just started the program and will soon find out where their first assignment will
take them within the company.
Industry Overview
Padgett-Beale, Inc. (PBI) operates in the Hotels, Motels, & Resorts industry (NAICS Codes 721110
and SIC Codes 7011) (First Research, 2017a). Hotels, motels, and resorts provide short-term housing and
lodging for travelers and visitors. Related services offered by companies in this industry include: catering
and meals, conferences and event hosting, entertainment, resort amenities (golf, swimming, spa, etc.),
etc. The company also operates in the Recreational Vehicle Parks industry (NAICS Codes 721211; SIC
Codes 7033) as both an owner/operator and as a management and operations partner providing
specialty services to member and affiliate RV parks.
Hotels, Motels, and Resorts
Leading firms in this industry include Marriott International, Inc., Hilton Worldwide Holdings,
Inc., and Starwood Hotels & Resorts Worldwide, LLC (First Research, 2017a). On an annual basis, this
global industry generates over $500 billion in revenue. The U.S. segment of this industry generates
approximately $175 billion in revenues each year. These revenues may be generated directly from
operation and management of company owned properties. Or, revenues may be generated through
franchising arrangements or through fees generated in conjunction with property management / hotel
operations services provided to other property owners.
Demand for products and services in this industry is driven by two primary factors: (a) business
travel and (b) vacation or tourist travel (First Research, 2017a). Both of these factors are highly sensitive
to the health of regional, national, and global economies. Financial analysts estimate that 75% of
industry revenues result from fees for overnight lodging. The remaining 25% of revenues result from
sales of related products and services (e.g. meals, beverages, etc.). Labor is the most significant source
of expenses.
This industry uses information technology and the Internet in a variety of ways. First, most
brands use the Internet and social media to support their marketing efforts. Second, all but the smallest
of properties / brands use information technologies and the Internet to support reservation call center
operations. Third, information technologies are used in the daily operations of facilities (front and back
of house) and in support of corporate business processes and functions. These technologies include
Point of Sale systems for handling customer financial transactions, housekeeping and maintenance
management systems, card key access systems for guest rooms and restricted areas, scheduling and
timekeeping systems for personnel, and building / facilities management systems that control and
monitor energy using systems such as lighting and heating/ventilation/cooling (HVAC) systems.
Information technologies are also used to provide physical security in such forms as video surveillance
and recording, access controls for equipment and control zones (key pads, badge readers, password
controlled logins), and automated access logs which record identity information along with
timestamped entry/exit for controlled zones.
Recreational Vehicle Parks
Leading firms in this industry include Thousand Trails (owned by Equity LifeStyle Properties), and
Kampgrounds of America (KOA) (First Research, 2017b). Each of these companies has a slightly different
business model. Thousand Trails is an owner/operator for RV Parks (First Research, 2017b). KOA sells
franchises to owner/operators of privately owned RV Parks and provides brand related services such as
marketing, park design and management consulting, and reservations management. A third company,
Good Sam Enterprises, markets and sells RV travel related services to individual travelers (“members”)
and provides marketing and sales support to member parks (Good Sam Club, 2017). All three firms
provide online guidebooks (some with reviews, inspection reports, and ratings), which include
information about individual parks and their amenities. In addition to these three firms, there are
thousands of smaller owner/operators of RV parks in the United States. These RV parks range in size
from 10 – 100 acres with a capacity of 150 to 2,000 or more RV, tent, and rental cabin sites.
Demand for products and services in this industry is driven by vacation or tourist travel (First
Research, 2017). Sales and revenues are highly seasonal as preferred destinations change with the
weather and with the usual and customary vacation periods (summer, holidays, school breaks, etc.).
Rental fees for overnight stays are the largest source of revenues for individual RV Parks. Additional
revenue sources include: camp store and gift shop operations, restaurants and snack bars, fuel sales
(propane), and sales of RV parts and accessories. Major areas of expenses are: utilities (water, electric,
sewer, cable TV, and Internet service), park maintenance (including roads and buildings), vehicles,
property taxes, and operating expenses for amenities such as laundry facilities, bath houses, swimming
pools, playgrounds, etc. Insurance coverage for park operations is also a major area of expense and may
include additional coverage for cybersecurity liability (Philadelphia Consolidated Holding Company,
2017).
This industry uses information technology and the Internet in a variety of ways. First, many RV
parks maintain a Website to advertise the park (First Research, 2017b). They may also use social media
to attract visitors to their Website and to the RV park. They may also depend upon Websites operated
by third parties such as RV Park Reviews, Trip Advisor, and Good Sam Club to attract the attention of
individuals who are planning trips or vacations. Second, all but the smallest of properties use an online
reservation management system that allows travelers to search for available sites by date(s) and by
required or desired amenities (electric, water, sewer, cable, pet friendly, etc.). Larger operators and
networks of parks may also use telephone call centers for reservations management. These call
centers depend upon computer applications to route and manage calls. Reservation management
systems also depend upon databases and database servers to store and process customer information.
Third, information technologies are used in the daily operations of some facilities. Such uses include
guest check-in/check-out, cash and credit card transaction management (payments & refunds),
maintenance records, camp store / gift-shop inventory and sales, and bookkeeping / reporting (revenue
tracking). Some RV parks also use computer-based systems for video and audio surveillance, automated
vehicle entry/exit, and energy usage monitoring.
References
First Research. (2017a). Hotels, motels, & resorts: First Research custom report. Retrieved July 26, 2017
from Hoovers Online.
First Research. (2017b). Recreational vehicle parks: First Research industry custom report. Retrieved July
26, 2017 from Hoovers Online.
Good Sam Club. (2017). Who we are. Retrieved from http://www.goodsamclub.com/about
Philadelphia Consolidated Holding Corp. (2017). Cyber security liability. Retrieved from
https://www.phly.com/mplDivision/managementLiability/CyberSecurity.aspx