Case Study Resources:
1. Introduction to Information Security
https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf
2. Baldrige Cybersecurity Excellence Builder (pp. C2, Skim Read 2-22)
https://www.nist.gov/sites/default/files/documents/2017/04/03/baldrige-cybersecurity-excellencebuilder-v1.0.pdf
3. NICE Cybersecurity Workforce Framework
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
4. Seasonal Employee Security Risks: Present Danger, Proactive Defense
https://securityintelligence.com/seasonal-employee-security-risks-present-danger-proactive-defense/
5. Unlocking the Secrets of Cybersecurity
https://www.umuc.edu/documents/upload/unlocking-the-secrets-of-cyber-security.pdf
6. Are you keeping tabs on your digital footprint?
https://www.envision-creative.com/companys-digital-footprint-keeping-tabs/
Case Study #1: Digital Footprints and Asset Protection
Scenario
Welcome to Padgett-Beale! As a new management intern, your first rotation will be with the
Training Team in the Office of Human Resources. T2, as they like to be known, is part of a collaborative
effort to develop a robust internal training program for Padgett-Beale’s employees and managers. Your
first assignment is to help develop a training module for security awareness. The training will be
included in “first day” training for future employees and will also be presented as part of an on-going
series of employee Lunch & Learn seminars offered by the Office of Human Resources.
The topic for this training module will be “Digital Footprints and Asset Protection.” This topic
was selected after several members of Padgett-Beale’s leadership team reviewed a program from the
United Kingdom’s Centre for the Protection of National Infrastructure that is part of their “embedding
security savvy behaviors online” campaign. (See https://www.cpni.gov.uk/my-digital-footprint and
https://www.cpni.gov.uk/embedding-security-behaviour-change )
Your deliverable for this assignment will be a briefing paper that identifies and discusses five or
more major issues that employees need to be aware of about this topic (Digital Footprints and Asset
Protection). After you identify and describe each issue, include two to three additional points that
employees should know. Try to keep a neutral tone, that is, you should include items that represent
both the benefits and the drawbacks of a digital footprint. You should also address the importance of
protecting both personal and company owned digital assets that are part of a digital footprint. See the
instructions below for additional information about length, formatting, and citing of sources.
Research
1. Review the Week 1 and 2 readings.
2. Research the term “digital footprint.” Here are some resources to help you get started:
a. https://www.internetsociety.org/your-digital-footprint-matters (there are nine video
tutorials on this page)
b. http://blog.trendmicro.com/the-importance-of-understanding-your-digital-footprint/
c. https://cyberbullying.org/the-importance-of-your-digital-reputation
d. https://memeburn.com/2013/06/your-digital-footprint-is-important-heres-how-togrow-it/
e. https://www.envision-creative.com/why-your-digital-footprint-is-your-best-salesman/
3. Review three or more items in the CPNI employee awareness campaign:
https://www.cpni.gov.uk/my-digital-footprint and https://www.cpni.gov.uk/embedding-security-behaviour-change
4. Research additional ownership, privacy, and security issues associated with a digital footprint.
a. https://us.norton.com/internetsecurity-privacy-clean-up-online-digital-footprint.html
b. http://thewiseinvestorgroup.com/Wise-Investor-Files/Public/PDF_Files/FeaturedArticles/YourDigitalLifeasPartofyourEstatePlan2.pdf
c. https://efinplan.com/estate-planning-for-your-digital-footprint/
5. Find at least one additional source which provides information an employee can use to better
protect their own digital assets (the things that contribute to your digital footprint) from loss or harm.
Write
Write a 2-page briefing paper in which you present a summary of your research about the topic and your
recommendations as to what should be included in the training module. Be choosy about what you
include – the total training time available will be 30 minutes. Don’t be too choosy, however. Your
recommended content should be comprehensive and fully address the training topic.
At a minimum, your briefing paper for this case study must include the following:
1. An introduction to the case scenario and the topic (use the information above)
2. A discussion of five or more key points about the topic (“security and privacy issues”)
3. Recommendations for 5 or more actions that managers and employees should take to
address the identified security and privacy issues.
4. A closing section in which you restate the key issues and your recommendations.
As you write your briefing paper, make sure that you address security issues using standard terms and
definitions. See the resources listed under Week 1 and under Course Resources > Cybersecurity
Concepts for definitions and terminology.
Submit For Grading
Submit your research paper in MS Word format (.docx or .doc file) using the Case Study #1 Assignment
in your assignment folder. (Attach your file to the assignment entry.)
Additional Information
1. To save you time, a set of appropriate resources / reference materials has been included as part of
this assignment. You must incorporate at least three of these resources into your final deliverable.
You must also include one resource that you found on your own.
2. Your briefing paper should use standard terms and definitions for cybersecurity. See Course Content
> Cybersecurity Concepts for recommended resources.
3. You must include a cover page with the assignment title, your name, and the due date. Your
reference list must be on a separate page at the end of your file. These pages do not count towards
the assignment’s minimum page count. (An example and template file are available in the LEO
classroom. See CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx file under Content > Course
Resources.)
4. Your briefing paper should be professional in appearance with consistent use of fonts, font sizes,
margins, etc. You should use headings to organize your paper. The CSIA program recommends that
you follow standard APA formatting since this will give you a document that meets the “professional
appearance” requirements. APA formatting guidelines and examples are found under Course
Resources > APA Resources. An APA template file (MS Word format) has also been provided for your
use CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx.
5. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying
that your punctuation is correct and (d) reviewing your work for correct word usage and correctly
structured sentences and paragraphs.
6. You are expected to credit your sources using in-text citations and reference list entries. Both your
citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
CYBERSECURITY MANAGEMENT & POLICY
Padgett-Beale, Inc.
A case study for CSIA 300
Valorie J. King, PhD
8/18/2017
Copyright © 2018 by University of Maryland University College. All Rights Reserved.
CSIA 300 Cybersecurity for Leaders and Managers
Welcome!
Dear Intern,
Welcome to Padgett-Beale! We are excited to have you join us as a management intern and
hope that your participation in our virtual / online program will be beneficial for both you and our
company. This year, our management interns will have the opportunity to participate in Padgett-Beale’s
pervasive cybersecurity initiative. This initiative is designed to help our employees and managers better
understand and address the cybersecurity problems that our company is facing. These problems include
a host of privacy related concerns, intellectual property protection issues, and the appropriate use of
information technology resources. Since you are joining us as a management intern, you will also be
participating in our internal training program: Cybersecurity for Leaders and Managers. During this
eight-week program, you will have an opportunity to participate in a number of management and
leadership activities and assessments related to cybersecurity.
As you move through this program, we hope that you and your peers will take advantage of the
numerous communication channels made available to you via our internal Websites and discussion
forums. We are truly interested in learning from you and hearing your thoughts on the management and
leadership issues that you encounter during your time with us.
Finally, our goal is to help you find opportunities to take what you learn here and apply it to
your future studies and career. We hope that you, in turn, will help us by providing feedback during and
at the end of this program. Thank you for your participation and, again, Welcome!
Sincerely,
Edwina L. Beale
Chief of Staff and Manager, Internship Programs
Padgett-Beale Organization Chart -- 2017
Figure 1. Padgett-Beale, Inc. Organization Chart
Company History
Elmer and Robenia Padgett’s first hotel, Robenia’s Guest House, opened in 1925 with six
family suites (two per floor), a tea room, and a formal dining room. The guest house
primarily served wealthy families who relocated to the seashore for the summer to escape
the heat in New York City. This property provided amenities and services matching those of rival
long-stay hotels in major cities along the East Coast. The second and third properties, Padgett’s Hotel and
Padgett’s Beach House, were acquired in 1935. Flintom’s Tavern, a landmark restaurant and
entertainment venue, was added to the Padgett properties portfolio in 1940.
Periodic resurgences in popularity of the seashore as a vacation destination occurred
over the next fifty years (1940-1990) as bridges were built, roads were improved, and
regional economies strengthened. These resurgences brought additional competition as
new motels and resorts operated by national chains entered the seashore vacations market. Major
weather events in the 1970’s resulted in damage to both Padgett’s Beach House and Flintom’s Tavern
causing both to close for an extended period of renovations. The Padgett family’s brand remained
strong, despite these setbacks, as members of the family took a personal interest in the day-to-day
operations and management of the company.
Padgett’s was not an early adopter of computers and information technology. But, over
time and as younger family members entered the business, computers began a slow
march into the company’s offices in the form of personal computers with word
processing, spreadsheets, and database systems. Personal computers also made their way
into manager’s offices in the hotel properties where spreadsheets proved valuable in tracking revenues
and expenses. In 1982, an embezzlement scandal at Flintom’s Tavern forced the company to adopt
computer-based point of sale (POS) systems throughout the company for all cash handling functions
(hotel front desks and restaurants). A benefit of the POS systems was the built-in reporting functions,
which enabled the company to more closely track cash and credit sales by property. By 1995, the
company had fully integrated custom hotel management software into its operations. This software and
the associated databases were hosted on company owned / operated mainframe computer systems. By
the end of the decade, information technologies were in use to support all aspects of the company’s
internal operations (accounting, customer service, property management, and reservations).
At the beginning of the new century, the company adopted its first strategic plan with
a heavy emphasis upon growth and expansion. Under this plan, the company branched
out and began offering hotel and resort management services to other hoteliers and
property owners. Advanced telephony services and implementation of custom
software allowed Padgett’s to offer one of the first centralized reservations management services. The
company also leveraged the Internet and World Wide Web to launch a resort affiliates program, which
provided a menu of business related services to member properties. These services included: online
advertising and promotions, architecture and design assistance, business operations consulting, group
business insurance, and guest loyalty programs. The hotel and resort management services business
area continues to be the major source of revenues and profits for the company and its owners.
As part of Padgett’s expansion plan, the company purchased Beale Realty Holdings in 2001
and formed Padgett-Beale, Inc. (PBI). Shortly thereafter, PBI embarked on a series of real-estate
acquisition activities, which led to the purchase of several large tracts of prime Eastern Shore
waterfront property. The company’s long-term plan was to hold the properties as real estate
investments and, when market demand rose sufficiently, expand into development, sales, and
management of condominiums and vacation time-share properties. The focus on long term investment
was a wise choice as this particular market segment was adversely impacted by the housing boom/bust
in the mid 2000’s.
At the time of purchase, the waterfront properties were in use as campgrounds and
resorts for tent-campers, travel-trailers, and motorhomes. These camping facilities
were allowed to continue their existing operations with minimal investment and
oversight for the next 15 years (2002 – 2017). During this laissez-faire management period, some
campground managers modernized their camp offices and stores by purchasing computer-based point
of sale systems that allowed them to accept credit and debit cards. Most of these managers also
outsourced their reservations management to a third party online reservations system, which provided
a customized website to advertise each park and provide access to the online reservations system. A few
campgrounds did not modernize beyond setting up a simple website with contact information and a few
photographs. These facilities continue to use a mail or telephone-based reservation process with a “cash
only” payment policy.
In 2015, the day-to-day operations and management of PBI were transitioned to a new
leadership team recruited from leading hotel and resort management companies. The
new leadership team includes the Chief Executive Officer, Chief Financial Officer, Chief
Operating Officer / Director for Resort Operations, and the Corporate Counsel
(attorney) who is also dual-hatted as the Chief Privacy Officer. Under this new leadership, the company
was reorganized to better focus on the three most profitable business areas: Resort Operations,
Reservations Services, and Resort Affiliates. Management and daily operations for the three company
owned hotel properties (Robenia’s Guest House, Padgett’s Hotel, and Padgett’s Beach House), Flintom’s
Tavern, and the campgrounds / trailer parks were transferred to the newly formed Property Holdings
and Development division.
Building a strong management and leadership team is a priority for both the new
CEO and the current chair of the PBI Board of Directors. In 2017, these two
leaders developed and launched a management internship program whose
participants were recruited from a select group of colleges and universities. The next class of
management interns has just started the program and will soon find out where their first assignment will
take them within the company.
Industry Overview
Padgett-Beale, Inc. (PBI) operates in the Hotels, Motels, & Resorts industry (NAICS Code 721110
and SIC Code 7011) (First Research, 2017a). Hotels, motels, and resorts provide short-term housing and
lodging for travelers and visitors. Related services offered by companies in this industry include catering
and meals, conferences and event hosting, entertainment, and resort amenities (golf, swimming, spa,
etc.). The company also operates in the Recreational Vehicle Parks industry (NAICS Code 721211; SIC
Code 7033) as both an owner/operator and as a management and operations partner providing
specialty services to member and affiliate RV parks.
Hotels, Motels, and Resorts
Leading firms in this industry include Marriott International, Inc., Hilton Worldwide Holdings,
Inc., and Starwood Hotels & Resorts Worldwide, LLC (First Research, 2017a). On an annual basis, this
global industry generates over $500 billion in revenue. The U.S. segment of this industry generates
approximately $175 billion in revenues each year. These revenues may be generated directly from
operation and management of company owned properties. Or, revenues may be generated through
franchising arrangements or through fees generated in conjunction with property management / hotel
operations services provided to other property owners.
Demand for products and services in this industry is driven by two primary factors: (a) business
travel and (b) vacation or tourist travel (First Research, 2017a). Both of these factors are highly sensitive
to the health of regional, national, and global economies. Financial analysts estimate that 75% of
industry revenues result from fees for overnight lodging. The remaining 25% of revenues result from
sales of related products and services (e.g. meals, beverages, etc.). Labor is the most significant source
of expenses.
This industry uses information technology and the Internet in a variety of ways. First, most
brands use the Internet and social media to support their marketing efforts. Second, all but the smallest
of properties / brands use information technologies and the Internet to support reservation call center
operations. Third, information technologies are used in the daily operations of facilities (front and back
of house) and in support of corporate business processes and functions. These technologies include
Point of Sale systems for handling customer financial transactions, housekeeping and maintenance
management systems, card key access systems for guest rooms and restricted areas, scheduling and
timekeeping systems for personnel, and building / facilities management systems that control and
monitor energy using systems such as lighting and heating/ventilation/cooling (HVAC) systems.
Information technologies are also used to provide physical security in such forms as video surveillance
and recording, access controls for equipment and control zones (key pads, badge readers, password
controlled logins), and automated access logs which record identity information along with
timestamped entry/exit for controlled zones.
Recreational Vehicle Parks
Leading firms in this industry include Thousand Trails (owned by Equity LifeStyle Properties), and
Kampgrounds of America (KOA) (First Research, 2017b). Each of these companies has a slightly different
business model. Thousand Trails is an owner/operator for RV Parks (First Research, 2017b). KOA sells
franchises to owner/operators of privately owned RV Parks and provides brand related services such as
marketing, park design and management consulting, and reservations management. A third company,
Good Sam Enterprises, markets and sells RV travel related services to individual travelers (“members”)
and provides marketing and sales support to member parks (Good Sam Club, 2017). All three firms
provide online guidebooks (some with reviews, inspection reports, and ratings), which include
information about individual parks and their amenities. In addition to these three firms, there are
thousands of smaller owner/operators of RV parks in the United States. These RV parks range in size
from 10 – 100 acres with a capacity of 150 to 2,000 or more RV, tent, and rental cabin sites.
Demand for products and services in this industry is driven by vacation or tourist travel (First
Research, 2017). Sales and revenues are highly seasonal as preferred destinations change with the
weather and with the usual and customary vacation periods (summer, holidays, school breaks, etc.).
Rental fees for overnight stays are the largest source of revenues for individual RV Parks. Additional
revenue sources include: camp store and gift shop operations, restaurants and snack bars, fuel sales
(propane), and sales of RV parts and accessories. Major areas of expenses are: utilities (water, electric,
sewer, cable TV, and Internet service), park maintenance (including roads and buildings), vehicles,
property taxes, and operating expenses for amenities such as laundry facilities, bath houses, swimming
pools, playgrounds, etc. Insurance coverage for park operations is also a major area of expense and may
include additional coverage for cybersecurity liability (Philadelphia Consolidated Holding Company,
2017).
This industry uses information technology and the Internet in a variety of ways. First, many RV
parks maintain a Website to advertise the park (First Research, 2017b). They may also use social media
to attract visitors to their Website and to the RV park. They may also depend upon Websites operated
by third parties such as RV Park Reviews, Trip Advisor, and Good Sam Club to attract the attention of
individuals who are planning trips or vacations. Second, all but the smallest of properties use an online
reservation management system that allows travelers to search for available sites by date(s) and by
required or desired amenities (electric, water, sewer, cable, pet friendly, etc.). Larger operators and
networks of parks may also use telephone call centers for reservations management. These call
centers depend upon computer applications to route and manage calls. Reservation management
systems also depend upon databases and database servers to store and process customer information.
Third, information technologies are used in the daily operations of some facilities. Such uses include
guest check-in/check-out, cash and credit card transaction management (payments & refunds),
maintenance records, camp store / gift-shop inventory and sales, and bookkeeping / reporting (revenue
tracking). Some RV parks also use computer-based systems for video and audio surveillance, automated
vehicle entry/exit, and energy usage monitoring.
References
First Research. (2017a). Hotels, motels, & resorts: First Research custom report. Retrieved July 26, 2017
from Hoovers Online.
First Research. (2017b). Recreational vehicle parks: First Research industry custom report. Retrieved July
26, 2017 from Hoovers Online.
Good Sam Club. (2017). Who we are. Retrieved from http://www.goodsamclub.com/about
Philadelphia Consolidated Holding Corp. (2017). Cyber security liability. Retrieved from
https://www.phly.com/mplDivision/managementLiability/CyberSecurity.aspx
3/6/2018
LEADERSHIP & MANAGEMENT
Study Note for CSIA 300
UNDERSTANDING LEADERSHIP
From: Northouse, P. G. (2008). Introduction to leadership: Concepts and practice (4th ed.). Thousand Oaks, CA: SAGE Publications.
From: https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vs-management/
LEADERSHIP IN CYBERSECURITY
• Define and articulate a vision
• Develop and promote strategy
• Motivate, inspire, and empower
• Create, invent, integrate solutions
• Excellence, Quality, Ethics, Morality
INFLUENCING LEADERS
• Find a wedge and then widen the crack to open doors for Cybersecurity discussions
with the organization’s leaders
• Learn to speak their language
• Business Leaders think in terms of profits and losses
• Government Leaders think in terms of budgets and compliance (legal, regulatory)
• Address the twin problems of ignorance and complacency
• Cybersecurity is not a well-known quantity outside of CIO and CISO organizations
• Seek opportunities to educate peers within the organization
• Participate in Governance activities
• Contribute to Enterprise Risk Management
• Contribute to Business Continuity Planning
• Contribute to Budgets, Strategies, and Futures Thinking
From: https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vs-management/
ASSETS TO BE MANAGED
• Information
• Intellectual Property including sensitive business plans, product designs, finances
• Information held in trust (customer and vendor)
• Information Systems
• Workstations
• Mobile Devices
• Network Security Appliances
• Information Infrastructures
• Networks
• Networking Equipment
CYBERSECURITY MANAGEMENT
• Threats
• Vulnerabilities
• Configurations
• Patches
• Mitigations & Controls
• Compliance & Audits
• People, Processes, Policies, Plans, Technologies (and quite a bit more!)
PROJECT MANAGEMENT
• Project Management is concerned with:
• Cost
• Schedule
• Quality
• “A project is temporary in that it has a defined beginning and end in time,
and therefore defined scope and resources.”
• “A project is unique in that it is not a routine operation, but a specific set of
operations designed to accomplish a singular goal.”
Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management
PROJECT MANAGEMENT
• Project management processes fall into five groups:
• Initiating
• Planning
• Executing
• Monitoring and Controlling
• Closing
• Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management
PROJECT MANAGEMENT
• Project management knowledge draws on ten areas:
1. Integration
2. Scope
3. Time
4. Cost
5. Quality
6. Procurement
7. Human resources
8. Communications
9. Risk management
10. Stakeholder management
Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management
LEADERSHIP + MANAGEMENT
“[John] Kotter argues that leadership and management involve two distinct
but complementary sets of action.
“Leadership is about coping with change
“Management is about coping with complexity.” (Amit Mohindra)
• Adapted from https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vs-management/
CSIA 300: Cybersecurity for Leaders and Managers
Why do Businesses Need Security?
There are many different types of businesses. Each one needs security in some form. In this reading, we
will explore the reasons why a business needs to have someone or some group within the business that
is responsible for security.
Types of Businesses
A sole proprietorship is a simple form of business in which the owner is personally responsible for the
business’s activities (including debts) (Entrepreneur Staff, 2017b). The business may have a trade name
but it does not have a legal identity separate from its owner. In this form of business, the owner’s
personal knowledge of cybersecurity issues and solutions will be very important.
A partnership is a form of business in which two or more individuals own the business (Entrepreneur
Staff, 2017a). Partners contribute resources to the business (“investments”) and then share any
resulting profits or losses. Partnership agreements state how those profits or losses will be distributed
among the owners. Such agreements also provide for management and authority over the day-to-day
operations of the business. A partnership will also need some form of governance structure to guide
decision making about how the business will be operated (strategies, goals, policies, etc.). At least one
of the partners involved in daily operations will need to have cybersecurity knowledge.
A corporation (Investopedia, 2017) is a legally recognized entity (owned or controlled by a group of
people) that enjoys many of the same rights, responsibilities, and duties that the law grants to a
person. The corporation’s rights, responsibilities, and duties exist separately from those of the
corporation’s owners. The documents of incorporation provide structure to the company’s governance
by outlining key roles and responsibilities. The members of the Board of Directors and the senior leaders
/ managers of the company all need to have some familiarity with cybersecurity related principles,
practices, threats and risks.
Reasons Why Businesses Need Security
Asset Protection (Traditional & Digital Assets)
Businesses exist to make a profit. They do this by creating and selling products and services. Business
assets are resources used by the organization to produce the goods and services it will sell or to provide
supporting services required to operate the business (Kovacich & Halibozek, 2003).
An asset is a possession (item or object) that has value. This value must be protected against
harm or loss.
Copyright ©2018 by University of Maryland University College. All Rights Reserved
Cite this work as: King, V. (2018). CSIA 300: Why do businesses need security? Adelphi, MD: University of Maryland University
College.
Digital assets are information assets that exist only in digital form (electronically stored
information). These assets are stored on digital media and are accessed / used via digital
devices. The term is used to refer to files, software, and firmware. Digital assets may also be
physical assets (when they exist in stored form) or they may be classified as intangible assets.
Physical assets include buildings, land, property, etc. Computer hardware and infrastructures
are physical assets.
Intangible assets include such things as intellectual property, trade secrets, brand recognition,
reputation and good will.
Thus, we have our first reason that businesses need security – to protect business assets. Asset security
consists of those measures taken by the business to protect its assets from harm or loss. This harm or
loss may be caused by insiders (e.g. employees), outsiders (criminals, competitors), and extraordinary
events (force majeure) or acts of God. Business assets that must be protected against loss or harm
include:
buildings and facilities, equipment and furnishings
business processes
computer systems
financial instruments and cash (money)
information (databases, documents, and files)
inventory (completed products, parts, and supplies)
networks and infrastructures
personnel (skilled workforce)
intellectual property (e.g., patents, trade secrets, plans, and strategies)
reputation
Information and information systems are assets. Information is an asset because the organization must
spend money to obtain it so that the information can be used to produce goods and services. Examples
of valuable information assets include recipes or formulas, customer and vendor lists, sales plans, and
marketing strategies. An information system is an asset because each component of the system costs
money to purchase or replace. Note: Businesses may also be holders or custodians of information
belonging to others. This information must also be protected from harm or loss.
The security measures required to protect business assets are determined by identifying the assets that
require protection and then assessing the specific threats and vulnerabilities (for each asset or type of
asset) that are present in the organization’s operating environment.
Legal and Regulatory Compliance
Businesses must comply with laws and regulations set forth by certain governments and government
agencies (Reynolds, 2010). Sometimes, it can be difficult to determine which laws or regulations apply
and in what circumstances they apply. Businesses need the advice and services of attorneys or
corporate counselors to provide guidance in making such determinations. It is important to have
competent legal counsel for areas where the business is at risk or may face penalties for non-compliance.
Cybersecurity requirements imposed by laws or regulations are an area where specialized
legal counsel may be required.
Key concepts from law that affect business operations are due diligence and duty of care (Reynolds,
2010). Due diligence is the obligation to be conscientious in performing your duties. In some uses, this
term refers specifically to functions related to contracts and acquisitions. Duty of care is the obligation
to be attentive and to avoid causing harm. Leaders and managers need to understand cybersecurity
principles, practices, threats, and risks in order to meet their obligations under both due diligence and
duty of care.
Integrating Security with Business Operations
Businesses can be described as systems of people, processes, policies, and technologies and the
interconnections / relationships between these components (ISACA, 2009). These components can also
be viewed as assets, which have value to the organization. Each component, and each relationship between
components, requires some level of protection from harm or loss. Thus, the need for security throughout
the system is pervasive and should be approached in a holistic manner.
Figure 1. Systems View of an Organization
Working with the entire system at once can be a daunting task, especially when greater levels of detail
are required. Breaking the system down into smaller chunks is an obvious solution, but how should
those chunks be defined? One organizing strategy, used by business analysts, is to divide the
organization into functional areas. Within each functional area, we can identify the components of the
system that operate within the functional area and those components which are cross-cutting (apply to
multiple functional areas at the same time). Dividing the business into functional areas will also allow us
to analyze and assess security needs within each area. After the needs in each area are considered, we
can identify cross-cutting or system-wide security requirements and gaps. Finding commonalities allows
us to identify ways to reduce costs and improve efficient allocation of resources to deliver required
levels of security.
Business Functions
The day-to-day business operations of organizations are typically organized into five functional areas
(see figure 1). Each functional area is supported by business processes and assets. As business becomes
e-business and commerce becomes e-commerce, businesses must reevaluate their security programs to
ensure that the confidentiality, integrity, and availability of business processes and assets are protected
against threats (sources of harm or loss). The figure below shows the five functional areas typically
found in the day-to-day operations and activities of an organization. Notice that “security” is a separate
business function yet is fully integrated within the business enterprise. Security both supports and is
supported by the other functional areas of the business.
Figure 2. Day-to-Day Business Operations
Accounting and Finance Functions
The accounting and finance functions of a business include:
accounting and bookkeeping
budget preparation and monitoring
fiscal analysis and reporting
sales or other financial transaction processing
Security is required for devices and information systems which process or provide access to financial
information. Required security functions include providing authentication, authorization, and
nonrepudiation for access to and use of both physical and digital assets containing financial information.
Additional security services may also be required to ensure compliance with federal and state laws and
regulations (e.g., Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Fair Credit Reporting Act, etc.).
Commercial Functions
The commercial functions of a business include:
sales
marketing and business intelligence
customer relationship management
Security needs for commercial functions include:
protection of confidential business information (client lists, sales/marketing plans, etc.), trade
secrets, and other forms of intellectual property
protection of customer and vendor information (including personally identifiable information)
provision of authentication, authorization, and nonrepudiation for access to and use of
information systems involved in the collection, use, reporting, and storage of customer
information
Additional security services may be required to comply with provisions of federal and state laws regarding
privacy, data breach reporting, and corporate transparency.
For marketing and business intelligence functions, the organization may need to incorporate auditing
and control functions to ensure that the information collected about competitors does not violate the
Economic Espionage Act or other applicable laws.
General and Functional Management Functions
According to Henri Fayol (Svenson, 1961), the management functions of a business include:
Planning, organizing, and coordinating the work of the organization
Allocating and controlling resources (including budgeting)
Monitoring and controlling (“commanding”) the work of the organization
These management functions frequently involve decision-making activities which require access to and
the ability to benefit from a variety of information that the organization collects, processes, transmits,
and stores (Tannenbaum, 1950). Such information includes:
business records
confidential business information (client lists, sales/marketing plans, corporate strategies, etc.)
customer data (including personally identifiable information)
financial data and forecasts
plans and schedules
trade secrets
other forms of intellectual property
The information and confidential business processes used in the general and functional management
activities of an organization must be protected against unauthorized access or disclosure. Typically, this
is done by putting restrictions in place which control access to information and information resources.
These restrictions must be balanced against legitimate uses and disclosures of information while
communicating, coordinating, and collaborating as part of the day-to-day operations of the business.
Security Functions
Security of the business, from assets to operations and all the functions in between, is a shared
responsibility for all managers and employees (Kovacich & Halibozek, 2003). This responsibility includes
diligence in the performance of duties under the duty of care (Reynolds, 2010). The reasonable person
standard is used to determine if an individual has performed these responsibilities with the same level
of diligence and care that a conscientious person would put forth.
The effectiveness and efficiency of security functions are improved when there is a single manager with
primary responsibility for these functions (Kovacich & Halibozek, 2003).
The security manager has both an operational and a strategic role in the business and must use a great
deal of influence and collaboration to ensure cooperation on security matters throughout the
organization (Kovacich & Halibozek, 2003). The security manager is usually supported by a dedicated
organization whose personnel are specifically trained in security administration, physical security,
personnel security, operations security, and information security. The security manager is responsible
for the establishment and management of the organization’s security program. These responsibilities
include ensuring compliance with laws, regulations, and standards for corporate security. The security
manager and supporting security personnel are also trained in risk management, fraud deterrence,
internal investigations, contingency planning, disaster recovery, and crisis management.
The security functions of an organization include (Kovacich & Halibozek, 2003):
protect against harm or loss
detect attempts to cause harm or loss
react to events causing harm or loss
document incidents and responses
prevent by planning and implementing security measures to prevent future incidents
assist in ensuring compliance with laws and regulations
The protection of business functions which depend upon cyberspace and digital assets which can be
accessed from cyberspace has become an increasingly important area of responsibility for security
managers. A separate sub-specialty or functional area for security, Cybersecurity (Department of
Homeland Security, 2017), has emerged as a result of this growing need.
Technical Functions
The technical functions of a business are those activities which directly or indirectly contribute to the
conversion of inputs (raw materials and labor) into outputs (products and services which can be sold or
otherwise converted into monetary value). These functions include:
business operations
product development and production
purchasing and logistics
research and development
The security needs of each activity area vary by the types and sensitivity levels of the processes and
information required by the activity and the degree to which each activity interacts with or relies upon
the external environment. These activities require security protections that ensure the confidentiality,
integrity, and availability of information (data) and services. Many of these activities also require
auditing, monitoring, and control capabilities (security services) that provide for nonrepudiation of
actions taken by both insiders and external actors.
E-Business/E-Commerce Infrastructure
E-business and e-commerce infrastructures are built from capabilities provided by the technical and
commercial functions of a business. These infrastructures are then used to provide products and
services that are either delivered in cyberspace or which are accessible from cyberspace (e.g. products
ordered via an online ordering system). Special care must be taken to ensure that the data storage,
processing, and transmission capabilities (see figure 2) within the e-business and e-commerce
infrastructure protect the confidentiality, integrity, and availability of information and services.
Figure 3. E-Business/E-Commerce Infrastructure
References
Department of Homeland Security. (2017). Glossary. Retrieved from https://niccs.us-cert.gov/glossary
Entrepreneur Staff. (2017a). Partnership. Retrieved from https://www.entrepreneur.com/encyclopedia/partnership
Entrepreneur Staff. (2017b). Sole proprietorship. Retrieved from https://www.entrepreneur.com/encyclopedia/sole-proprietorship
Investopedia. (2017). Corporation. Retrieved from http://www.investopedia.com/terms/i/incorporate.asp
ISACA. (2009). An introduction to the Business Model for Information Security. Retrieved from http://www.isaca.org/knowledge-center/research/documents/introduction-to-the-business-model-for-information-security_res_eng_0109.pdf
Kovacich, G. L., & Halibozek, E. P. (2003). The manager’s handbook for corporate security: Establishing and managing a successful assets protection program. Burlington, MA: Elsevier.
Reynolds, G. W. (2010). Ethics in information technology (3rd ed.). Boston, MA: Course Technology.
Svenson, A. L. (1961). Pioneers of management organization theory. Management International, 1(5/6), 115-130.
Tannenbaum, R. (1950). Managerial decision-making. The Journal of Business of the University of Chicago, 23(1), 22-39.
Business Horizons (2016) 59, 567–569
Available online at www.sciencedirect.com
ScienceDirect
www.elsevier.com/locate/bushor
GUEST EDITORS’ PERSPECTIVE
Cybersecurity in 2016: People, technology, and processes
Michael Parent a,*, Brian Cusack b,*
a Telfer School of Management, University of Ottawa, 55 Laurier Avenue East, Ottawa, ON K1N 6N5, Canada
b Auckland University of Technology, 55 Wellesley Street East, Auckland 1142, New Zealand
You have been, are being, or will be hacked. It’s that
simple, that certain, and that daunting. For most
organizations today, it’s no longer a matter of if, but
when. As James Comey, director of the Federal
Bureau of Investigation (FBI), bluntly stated in a
60 Minutes interview in 2014: “There are two kinds
of big companies in the United States. Those who’ve
been hacked by the Chinese and those who don’t
know they’ve been hacked by the Chinese” (Cook,
2014).
According to the National Association of Corporate
Directors (NACD), from 2014 to Q2 2015, companies
reported over 2,429 data breaches affecting more
than 1.25 billion records, at a hard (out-of-pocket)
cost of over $150 per record. For individual firms, this
typically means costs of $5.85 million for a single
security incident (CompTIA, 2015; Owen & Bondi,
2016). And it is only going to get worse. The forthcoming, aptly-named Internet of Things (IoT) will see
well over 10 billion internet-connected devices by
2020—more than the current number of computers,
smartphones, tablets, and wearables combined
(Adler, 2013), providing hackers with untold gateways into the world’s networks and databases.
The Ponemon Institute reports that it takes an
average of three months for financially vigilant firms
to discover they have been hacked, an average of
seven months for most organizations, and even
years for others; meanwhile, it may take hackers
just minutes to compromise a network (Kennedy,
2016; Osborne, 2015). A compilation of some of the
largest hacks in recent history attests to this. Following is a minuscule sample of the many large
breaches (Dingman, Silcoff, & Greenspan, 2015):
Target — December 2013: 110 million records
TJX — January 2007: 94 million records
JP Morgan — August 2014: 83 million records
The Home Depot — September 2014: 56 million records
* Corresponding authors. E-mail addresses: michael.parent@telfer.uOttawa.ca (M. Parent), brian.cusack@aut.ac.nz (B. Cusack)
We are witnessing a new dawn in cybercrime: a layer
cake, if you will, of criminals eagerly seeking out
networks and data. The bottom layer—in more ways
than one—are the so-called script kiddies: hackers
who troll the internet for attack scripts and then
copy-paste them into attacks of their own. Not
terribly sophisticated; but then again, a recent
report calculated that over 652,000 distributed
denial-of-service (DDoS) attacks occurred in a
seven-day period (Graphic News, 2015). The next
layer consists mainly of criminals, who have become
increasingly enamored of ransomware: encrypting
companies’ data and offering to sell back the
decryption key at a high price (Dingman, 2016).
Organized crime and terrorists occupy the next
two tiers, using attacks to hide money-laundering
activities or to gain valuable intelligence against
people, places, and infrastructures. At the top of
the cake are APTs: Advanced Persistent Threats, or
sovereign hacking. According to Comey, most APTs
come from two countries: the People’s Republic of
China (PRC) and the Democratic People’s Republic of
Korea (DPRK, or North Korea). In this case, the
perpetrators are not looking for credit cards or
personal information, but rather for patents, new
drug discoveries, proprietary information, financial
data (like forthcoming mergers or acquisitions),
intellectual property, or even national secrets.
0007-6813/$ — see front matter © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.
http://dx.doi.org/10.1016/j.bushor.2016.08.005
Any way you look at it, the news and prognoses
are grim. Data breaches have paradoxically become
commonplace crises and organizations are lagging in
responding, adapting, and adopting protective measures. Reaction windows are now measured in minutes, not hours, much less days. As we like to say
when briefing managers: “Hope is no longer a strategy.”
In soliciting articles for this issue, we sought to go
beyond the conventional and beyond the dramatic.
There seems to be a widespread culture of shared
negative experiences surrounding cybersecurity.
Contributing to alarmist discourses does little to
reassure managers and even less to encourage constructive research. Our goal was to provide clear and
cogent perspectives that might facilitate positive
information exchanges.
If one thing is clear, it is that cybersecurity is more
than just a technical issue. It involves unique
alchemies between technologies, people, and
processes—the latter in the form of overarching
regulations and laws. As such, we have divided the
articles into these three sections, starting with two
articles on the most important element: people.
The first article—by Dang-Pham, Pittayachawan,
and Bruno—considers how and when security advice
is shared by employees. Research supports the efficacy of security-centric cultures. However, more
often than not, managing security is seen as a
top-down exercise, where a lack of compliance is
met with disciplinary action. The authors analyze
some of the underlying personal and structural
causes impeding security cultures, asserting they
are more circular than hierarchical, and offer some
practical insights for both researchers and managers
who wish to develop and sustain peer-managed
security cultures in their organizations.
The role of Chief Information Security Officer, or
CISO, is a recent creation in organizations. The
second article—by Hooper and McKissack—outlines
the responsibilities of this role, its place in the
organization, and the type of leadership it demands
if it is to succeed.
The technology subsection of the issue presents
the next three articles, each dealing with different
technological considerations related to security.
Lutui’s article is our only piece on digital forensics
and is eerily reminiscent of the FBI’s recent desire to
unlock a domestic terrorist’s phone, the subject of
court action against Apple Inc. Lutui presents a
forensic model that is both contemporary and concise. In doing so, he provides a sound overview of
digital forensics for those who might not be familiar
with the field. While the tool he presents is still in its
infancy, it holds much promise for investigators as
smartphones and smart devices proliferate. The two
other articles in this subsection—by co-editor Cusack and his colleague Ghazizadeh; and Mills, Watson, Pitt, and Kietzmann—discuss the risks inherent
in nascent technologies: the cloud and single sign-on
failures for the former and the growing field of
wearables for the latter. In both cases, we deal with
security issues at the cutting edge of technology.
However, the authors also make the point that
while the technologies might be new and their
imperatives different, the principles underlying
sound security policies and practices still apply—
now more than ever.
Finally, Crowley and Johnstone conclude the special issue section with an overview of the legal and
technical issues surrounding data security. As they
so aptly state, “nothing in cyberspace may be private.” The article explores the tension between
privacy and disclosure using the recent Microsoft
E-Mail and Apple iPhone cases. Crowley and Johnstone echo some of the points made by earlier
authors in the subsections on people and technology. Although the Apple case has been resolved, it
nevertheless allowed legislators, law enforcement
authorities, privacy advocates, equipment manufacturers, and end-users to comment on and gain
insight from each other.
With the vastness, visibility, and velocity of data
breaches increasing exponentially, managers are
left with a complex challenge that spans across
the organization, not just their information technology (IT) divisions. Cybersecurity is a critical,
cross-functional issue that affects everyone and
every organization, directly and indirectly. The six
articles presented in this special issue, we believe,
collectively merge the human, technological, and
regulatory environments, offering intriguing insights and ideas for both research and practice as
this discussion evolves.
References
Adler, E. (2013, December 7). Here’s why ‘the Internet of Things’ will be huge, and drive tremendous value for people and business. Business Insider. Retrieved May 1, 2016, from http://www.businessinsider.com/growth-in-the-internet-of-things-2013-10
CompTIA. (2015). Trends in Information Security. Retrieved May 10, 2016, from https://www.comptia.org/resources/trends-in-information-security-study
Cook, J. (2014, October 6). FBI Director: China has hacked every big US company. Business Insider. Retrieved May 15, 2016, from http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10
Dingman, S. (2016, May 20). Ransomware in real time: How hackers infiltrate secured systems. The Globe and Mail. Retrieved May 30, 2016, from http://www.theglobeandmail.com/technology/ransomware-in-real-time-how-hackers-infiltrate-secured-systems/article30111818/
Dingman, S., Silcoff, S., & Greenspan, R. (2015). Hacked: The escalating arms race against cybercrime. The Globe and Mail. Retrieved December 12, 2015, from http://www.theglobeandmail.com/report-on-business/hacked-the-escalating-arms-race-against-cybercrime/article21305464/?page=all
Graphic News. (2015, October 27). Cyber smokescreen to steal data. Graphic News. Retrieved from http://www.graphicnews.com/en/go/pages/33616/TECHNOLOGY_Destructive_cyber_assaults
Kennedy, J. (2016, April 25). Data breaches take minutes to happen, but weeks to discover. Silicon Republic. Retrieved May 16, 2016, from https://www.siliconrepublic.com/enterprise/verizon-data-breach-report-2016
Owen, D. R., & Bondi, B. J. (2016, March 16). Defending data — A director’s cybersecurity duty. NACD Directorship Boardroom Intelligence. Retrieved May 1, 2016, from https://www.nacdonline.org/Magazine/Article.cfm?ItemNumber=25613
Osborne, C. (2015, May 19). Most companies take over six months to detect data breaches. ZDNet. Retrieved May 16, 2016, from http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/