Feature Article

Cybersecurity is
Mission Critical

Future business leaders must be prepared to defend against threats to the vital information infrastructures of their organizations.
by William Perry

Attacks on the confidential information resources of business organizations are on the rise—truly serious data breaches are increasing at an alarming rate. Only recently, Sony lost the personal and confidential information of more than 77 million of its customers. The U.S. Pentagon's information infrastructure was penetrated when malicious attackers deliberately left infected USB drives in the parking lot and other locations. Delighted with their finds, employees who picked up the flash drives inserted them into their workstations, allowing attackers free access to information "protected" behind a network fire wall. Hundreds of such attacks, against thousands of companies, have cost businesses, organizations, and individuals millions of dollars.

As business leaders, our students will be responsible for maintaining the integrity of their companies' information infrastructure, but most students graduate without knowing how to protect the confidential information for which they are responsible. An informal review of online course catalogs for AACSB-accredited institutions indicates that only about 20 percent offer courses in information security and fewer still teach information assurance as a core subject. But given the growing security threats facing organizations, business schools have a responsibility to teach this vital topic. Business educators need to ask: "Are we adequately preparing our students to protect an organization's mission-critical information assets?"

Focusing on Fundamentals

Risks to information security are ubiquitous, affecting the vast majority of organizations. Banking and finance, energy and communications, food and water suppliers, and many other crucial industries are all vulnerable to attack. Without proper preparation, business graduates could underestimate the dangers and see only the costs of security. They could dismiss the importance of a software upgrade that would protect a digitally controlled coolant pump from attack; they might fail to recognize incompatibilities between hardware devices and network infrastructure that could result in vulnerabilities.

Several years ago, we began teaching an information security course in the business computer information systems program at Western Carolina University (WCU) in Cullowhee, North Carolina. The course focuses on fundamentals and emphasizes to students that the ultimate responsibility for information security rests with a company's board of directors and senior management. We characterize information assurance as a business process that crosses all organizational lines. We also cover topics ranging from information security policies to industry standards and guidelines used to establish day-to-day best practices.

The course includes projects that require students to design security classification systems for an organization's digital portfolio, write formal information security policies, perform"white-hat hacks" (or benign breaches) of computer systems to identify vulnerabilities, configure network operating systems, and compare and contrast information security standards. The goal is to allow students to see cybersecurity from both sides—from the defender and the attacker—so that they can learn to create even stronger defenses.

As the course's capstone experience, students design and present an information security seminar for the support staff at the university. Each student is assigned a subject such as workstation security practices, password protection, social engineering attacks, or the inappropriate use of information resources. The seminar is of such interest that there was standing room only at our students' presentation last spring. Some of our students also organized and marketed an information security seminar for regional managers.

Because our students have had so many opportunities to research and identify information security threats, they recognize the need for robust password-protection policies. They know that data lines for an organization should not run through rooms with public access. They know that something as innocent looking as a plastic wristband could be a USB storage device that insiders could use to steal, damage, and destroy information.

Today, topics related to information security have been incorporated throughout our CIS curriculum. As a result, WCU has reaped several direct benefits. Not only do our students secure positions specifically because of their knowledge of information security, but our staff and faculty are made more aware of the importance of information security as a result of our students' work.

Essential Learning Objectives

As businesses continue to require more graduates trained in information security, business programs should create more opportunities in their curricula focused on the topic. Before they graduate, management students should have the ability to do the following:

Identify mission-critical information assets and understand how each adds value to the organization. Most managers would know, for example, that accounts receivable information would be a mission critical asset. But would they view an employee's laptop computer and the information installed on it in the same way? Once vulnerable assets are identified, managers must recognize their responsibility to implement security policies that protect them.

Classify each information asset's level of importance. Managers must know how critical each component in the information infrastructure is. Otherwise, how can the components be monitored for information assurance? A public website, for example, is far less critical to continuing operations than an organization's online credit card transaction processing system, order fulfillment processes, or net-IS Resources for Educators worked monitoring devices. Students must understand that information, in some instances, is more valuable than cash, equipment, or physical assets.

Create and implement information security policies. Many organizations are still without strong information technology security policies and procedures. Once they enter the workplace, our students are counseled to respectfully suggest appropriate security practices to their superiors if information assets are at risk.

Describe the information security environment, including regulations, standards, relevant laws, and available resources. In many industries, for example, federal law governs how confidential information must be handled. To do otherwise actually leads to a violation of the law.

Different states and countries have different information security rules and regulations. For instance, in the U.S., students should know about laws such as the Health Information Patient Privacy Act (HIPPA), Electronic Protected Health Information (ePHI) act, and Health Information Technology for Economic and Clinical Health (HITECH) act, which relate to how confidential health information is processed and stored. Students also should know about Safe Harbor, a protocol relating to international information security; Sarbanes-Oxley, a law requiring specific financial reporting practices; and Gramm-Leach-Bliley, a law that relates to the confidentiality of consumer information in banking.

Articulate an existing information security plan to subordinates and promote security awareness among employees. Managers must actively and visibly discharge their information security responsibilities.

Implement and monitor an information security plan and maintain compliance. Most organizations lack security policies related to emerging social media, even though more of them are using the technology. Astute managers can quickly detect and address any threats and vulnerabilities to information assets that arise from technological advancements.

Security Is Survival

At WCU, we are excited about the future. Last fall, we installed a virtual computing lab to provide students with even more experience with computer systems. We will also look at security issues related to cloud computing.

Recently, students in our information security class cooperated with the U.S. Department of Defense to conduct individual research studies, which will be compiled into a monograph titled "The Strategic and Tactical Importance of Computer and Network Security." One student's contribution describes how easily someone with intermediate electronics knowledge can construct a scalable EMP (electromagnetic pulse) weapon inside a soft drink can. Such an inconspicuous device would discharge without noise and instantly destroy delicate computer devices and memory.

Their research further highlights how crucial a role our graduates will play in securing the future of their organizations. We must make tomorrow's business leaders aware of their fiduciary responsibility to information assurance, and we must equip them with the core knowledge they'll need to protect digital processing infrastructures. We must implement interdisciplinary approaches to our students' digital education, including comprehensive discussions that show how information security crosses departmental lines. Otherwise, we place all organizations—and their information—at risk.

Course Components

To train students in information security, business schools can integrate a range of content into their core curricula. There is a vast amount of information online regarding information security, so that professors without extensive information technology skills can easily find what they need.

To design an effective course dedicated to information security in an undergraduate CIS program, professors must present a more detailed examination of the topic. In many cases, professors may need to obtain professional certification, perhaps by becoming Certified Information Systems Analysts or obtaining certifications through programs offered by companies such as Microsoft and Cisco.

Professors in all business disciplines can identify the computer security issues that are unique to their courses. As a start, they could "cut and paste" into their courses one or more of the following security concepts that we integrate into our information security course at Western Carolina University:

Information and its components.

This unit of instruction focuses on developing a view of information as an asset. Students learn how information assurance is essential for the successful operation of organizations.

The business information security environment.

In this unit, we help students understand the scope of information security challenges. Because thousands of mobile computing devices are stolen from workers each month, we emphasize the wireless and mobile work environment, as well as the need to encrypt all devices that travel outside of the organization.

The digital processing infrastructure.

Here, we outline the nature of digital processing infrastructures, as well as the threats and vulnerabilities they represent. Students learn about the interdependencies in the information infrastructure that simultaneously result in major efficiencies and significant dangers.

The components of an information security plan.

Topics in this course include hiring to enhance digital security, as well as detecting and defending against intrusions to network security. We pay particular attention to the regulatory environment, policies and procedures, and security issues associated with hardware and software.

The asymmetric threat environment.

In this unit, we help students understand that the variety of threats to an organization's digital processing assets are incredibly asymmetric—that is, they can be of any type, originate from any source, and come at any time. We discuss, among other topics, how to mitigate such threats, which range from corporate espionage and insider sabotage to cyber terrorism and malicious hacker attacks.

Information security and staffing.

The staffing function has a major influence on the information security of an organization. Students receive a comprehensive orientation regarding what information security components should be emphasized, from removing a recently terminated employee's network access privileges to specifying a potential candidate's security certifications to verifying that candidates have appropriate work experience.

Laws, regulations, and industry standards.

Students learn about regulations, including ISO 17799/27000, a set of information security practices and guidelines from the International Standards Organization; COBIT, an information security governance framework; and FISMA, the U.S. Federal Information Security Management Act.

Assuring privacy and avoiding liability.

Organizations are obliged to protect personal and confidential information. Students learn how to conduct business operations while exercising due diligence and mitigating information security liabilities.

Information security resources.

This unit outlines basic information about security resources available to aspiring managers. (Several of these resources are listed in "IS Resources for Educators" on page 40.)

Disaster recovery.

We make students understand that no matter how well they prepare, natural disasters, security breaches, and hardware and malicious software failures will occur. We teach them about the components of disaster recovery and how to lessen the negative impact of a major security incident.


IS Resources for Educators

In the U.S.:

www.cert.org
Housed at Carnegie Mellon University's Software Engineering Institute and part of the U.S. Computer Emergency Readiness Team, the CERT program responds to and analyzes major security breaches in the U.S. and works to design technologies and system management practices to defend against them.

www.infragard.com
Infragard, a professional information security organization formed in partnership with the Federal Bureau of Investigation and the private sector, shares best practices in defending against cyber attacks.

www.csrc.nist.gov
Here, the National Institute of Standards and Technology computer security division includes publications, news, and information on areas such as cryptography, emerging security technologies, and security management.

Non-U.S. Locations:

www.iwar.org.uk
The Information Warfare Site provides information and debate on issues such as information security, information operations, computer network operations, and homeland security, with special emphasis on offensive and defensive information operations.

www.ethicsweb.ca/resources/computer/issues.html
Hosted by EthicsWeb, this page includes links to a range of material regarding the ethics of technology, which includes issues such as copyright infringement and the"hacker ethic."

export.gov/safeharbor/eu/eg_main_018476.asp
Part of the U.S. site Export.gov, Safe Harbor Overview covers the framework of the European Commission's 1998 Directive on Data Protection and provides information to help organizations understand and comply with the directive.

www.auscert.org.au
This site includes information from the Australian Computer Emergency Response Team (AusCERT), a membership organization that offers advice and strategic assistance to its members and the public regarding information security.

According to the Ponemon Institute's second annual Cost of Cyber crime Study, conducted with HP, cyber attacks are becoming more frequent, more sophisticated—and more costly:

  • • U.S. organizations lose an average 5.9 million USD a year to cyber crime—some lose as much as 36.5 million USD. That's a 56 percent increase from the institute's 2010 study.
  • • Of today's attacks, 90 percent are caused by malicious code, denial of service, stolen devices, and Web-based attacks.
  • • Each attack now takes 18 days to resolve and costs 416,000 USD, on average—up from 14 days and 250,000 USD just last year.
  • William Perry is a professor of computer information systems at Western Carolina University in Cullowhee, North Carolina. Perry also serves as an associate fellow for the Joint Special Operations University at MacDill Air Force Base in Florida and is an academic council member for the Center for Security Policy in Washington, D.C.