Expert Assessment of the Top Platform Independent Cybersecurity Skills for Non-IT Professionals

Size: px
Start display at page:

Download "Expert Assessment of the Top Platform Independent Cybersecurity Skills for Non-IT Professionals"

Transcription

1 Expert Assessment of the Top Platform Independent Cybersecurity Skills for Non-IT Professionals Melissa Carlton, Yair Levy Graduate School of Computer and Information Sciences Nova Southeastern University Ft. Lauderdale, FL, USA {mc2418, Abstract Cybersecurity threats are causing substantial financial losses for individuals, organizations, and governments. Information technology (IT) users mistakes, due to poor cybersecurity skills, represent about 72% to 95% of cybersecurity threats to organizations. As opposed to IT professionals, computer end-users are one of the weakest links in the cybersecurity chain, due to their limited cybersecurity skills. Skills are defined as the combination of knowledge, experience, and ability to do something well. Cybersecurity skills are the skills one possess to prevent damage to IT via the Internet. However, the current measures of end-user cybersecurity skills are based on self-reported surveys. This study is the first phase of a larger research project that is aimed to develop a scenariobased ipad application to measure cybersecurity skills based on actual scenarios with hands-on tasks that the participants complete in demonstrating their skills. To design a measure that has both high validity and reliability, the first phase of the study was set forth to follow the Delphi method in seeking subject matter experts opinion on the top platform independent cybersecurity skills for non-it professionals. A total of 18 experts from the Florida chapter of the InfraGard, a public-private partnership between the United States Federal Bureau of Investigation (FBI) s cyber division and private sector that focus on cybersecurity, along with subject matter experts from other federal agencies such as the United States Secret Services (USSS) Electronic Crimes Task Force team and industry, took part in our Delphi expert panel process. The exploratory expert panel data was recorded and categorized into similar groups of comments for improvements, along with quantitative rankings. Comments were then solicited again for expert consensus, to derive the rankings of the top nine platform independent cybersecurity skills. The paper ends with some discussion on the next phase of this ongoing research along with some initial implications of the findings to practice and research. Keywords cybersecurity; cybersecurity skills; risk mitigation tool; information security skills of non-it professional; InfraGard- United States Federal Bureau of Investigation expert panel I. INTRODUCTION One of the main challenges in the study of information technology (IT) skills is the fact that IT skills have been measured, predominantly in research, based on self-reported survey instruments [1, 2]. Cybersecurity threats and vulnerabilities are causing substantial financial losses for individuals, organizations, and governments all over the world [3, 4]. Cyberwar is another major concern that nations around the world are struggling to get ready to fight or maintain strong defense tactics. It has been found that non-it computer users mistakes, due to poor cybersecurity skills, represents about 72% to 95% of cybersecurity threats and vulnerabilities to organizations [5, 6]. The U.S. National Security Council has developed The Comprehensive National Cybersecurity Initiative (CNCI) and one of its main initiatives is to: Initiative #8. Expand cyber education. While billions of dollars are being spent on new technologies to secure the U.S. Government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However, there are not enough cybersecurity experts within the Federal Government or private sector to implement the CNCI, nor is there an adequately established Federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge. [7] Yet, the existing measures of cybersecurity skills are dated and limited. Additional work is needed to develop a measure based on scenarios that emulate real-life cases of cybersecurity attacks. Moreover, with the shift from desktop to laptop computers, and in the past decade to mobile devices, there is a need to ensure such measures are not tied to a specific platform and/or operating system. As such, the key objective of this study was to develop a list of the top platform independent skills that will form the basis for the set of scenarios that will capture potential cybersecurity threats. With the massive move into mobile computing and the seamless move between devices that the majority of current employees are engaged in, a critical need emerged to ensure that prior to uncovering the list of the skills, a set of platform independent threats is identified. Once the set of top platform independent threats is identified, a list of matching skills for non-it professionals can be developed that can form the foundation for the development of the specific scenarios. For example, the threat of malware via attachment can be assessed via an activity within an Funding for this research was provided by the Nova Southeastern University's President's Faculty and Research Development Grant (PFRDG).

2 attack scenario that provides participants with a list of s in an inbox asking them to identify potentially harmful messages and measure how many of these they identify. Another example of an activity within the attack scenario is to present participants with two messages sent from a bank, asking them to identify the one that is a hoax and the one that is real, while asking them to identify all the indicators that triggered the suspicion of the hoax . As such, the main goal of this extensive cybersecurity skills research is to develop a prototype Cybersecurity Skills Index (CSI) ipad app. However, before the development of real-life scenarios can be made, our foundational work documented in this paper will outline the process of identifying and validating the specific cybersecurity threats, their matching skills from non-it professionals, and their ranking (weights) in construction of such novel index. Therefore, the central aim of this phase of our developmental research was to address the following three specific research questions (RQs): RQ1: What are the top most critical cybersecurity threats that non-it professionals pose to organizations? RQ2: What are the matching top cybersecurity skills that non-it professionals must have to mitigate the top nine most critical cybersecurity threats posed to organizations? RQ3: What are the weights of the skills that enable a validated aggregation to a benchmarking index of cybersecurity skills? Given the documented increase in importance of cybersecurity in everyday activity, the significance of this study is substantial. With the limitations that currently exist in the measurement of cybersecurity skills within the research body of knowledge, the development of a scenario-based tool to measure such skills using scores on simulated activities rather than self-reported survey, will help several stakeholders. Ideally, the use of the CSI ipad app will allow organizations to map their human threat-vectors when it comes to employees and the employees of external contractors. A second example includes organizations that use the CSI ipad app to identify groups of employees where additional training in the area of cybersecurity attack preventions should be targeted. The third example includes government recruiters, in conjunction with high school teachers/administrators, which can use the CSI ipad app to identify individuals who demonstrate a high level of cybersecurity skills and may be the appropriate feeders for advanced cyber warrior programs. As seen in the literature review, organizations have an ongoing need for non-it cybersecurity skilled professionals. Therefore, the arguments discussed later focus mainly on the non-it professionals representing the corporate organizations. II. LITERATRUE REVIEW A. Cybersecurity Threats According to IBM Global Technology Services [6], human error was identified as a contributing factor in over 95 percent of all security incidents investigated. Furthermore, opening an infected attachment or selecting an unsafe Universal Resource Locator (URL) was the most prevalent contributing human error when it comes to inflicting malware on computing systems [6]. From 2005 to 2012, Privacy Rights Clearinghouse [8] reported over 607 million records lost from nearly 3,500 data breaches. According to Boritz and No [9], in the past government agencies were only involved in egregious privacy breaches. Over a year later, President Barack Obama signed Executive Order No. 13,681 requiring the use of multiple factors of authentication and an effective identity proofing process [10] when a U.S. citizen s personal data is made available through digital applications. Nearly 1.6 billion records were reported lost from 453 data breaches during the period of January 2013 to December 2014 and an additional 454 breaches occurred with an unknown number of lost records [8]. Prior research identified the need for research to address the threats to organizational IT due to vulnerabilities and breaches caused by employees [11, 12, 13]. More than any other internal process or technology, breaches were discovered by end-users armed with the skills needed to quickly identify and report possible cyber espionage occurrences [14]. Technology alone cannot guarantee security. A security risk is often accepted by an end-user when the countermeasure interferes with work productivity [11]. Therefore, the human factor cannot be ignored in corporate security without peril [15]. Most security incidents were attributed to everyday insiders like current or former employees [16]. According to Verizon Communication s chief security officer, insider threats may be from a good employee doing righteous work in an insecure manner [16]. Moreover, it was noted that unfortunately, even the best security mechanisms can be bypassed through social engineering [17], which is now considered the great security threat to people and organizations [18]. Even amid those who classified themselves as being aware of social engineering techniques, Kvedar, Nettis, and Fulton [19] s findings suggested an implemented social engineering plot could succeed. An end-user with technology knowledge does not automatically become skilled in cybersecurity [11]. In the work of Qin and Burgoon [20], users had an 18% accuracy in detecting deception. According to Enterprise Risk Management (ERM) [21], not protecting an organization s information puts the reputation, success, and survival of the organization at risk. An example of this occurred in November 2014 when Sony Pictures suffered a data breach that shut down all communications and computer usage due to a hacker posting threatening messages on company owned computers and obtaining unsecured data files [8]. However, the skills needed to mitigate such cybersecurity threats and to protect corporate IT systems from such data breach attacks can be the difference between experiencing a breach or not. Thus, the importance of a measure to assess the level of cybersecurity skills held by a non-it professional is significant. B. Skills According to Boyatzis and Kolb [22], as well as Levy [1], skill is a combination of knowledge, experience, and ability that enables end-users to perform well. The acquisition of a skill is a learning process and generally adopts three incremental stages [23, 24]. These stages begin with the initial

3 acquisition of a skill known as declarative knowledge (Stage 1). During Stage 1, instruction and information about a skill are given to the end-user [23, 25]. Moreover, Stage 1 allows the end-user to establish the knowledge needed as a foundation for later learning stages [24]. The second stage of skill acquisition (Stage 2) allows the learner to practice declarative knowledge and convert it to procedural knowledge [25, 26]. Knowledge becomes better organized and end-users start to connect the actions needed to complete an activity [24]. Next, at the third stage, comes automaticity [25, 27]. End-users progress beyond the initial acquisition stage into an efficient and autonomous stage (Stage 3) by increasing their experience level [23, 28]. Experience positively influences an end-user s computer usage, which helps establish the needed experience of the skill [24]. The ability to generalize procedures and increase performance occurs during the acquisition of knowledge phases [27]. Over time, Eschenbrenner and Nah [29] identified that skills are honed and competencies are acquired. The skill development stages are shown in Fig. 1. C. Cybersecurity Skills Cybersecurity is the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation [30]. Cybersecurity also includes the restoration of digital information and communications [31]. Protection of data and information remains in the most vulnerable spot [32]. Humans, despite their intellect, are the most severe threat to an individual s security [33]. Information is valuable and knowledge protects information from progressively sophisticated cybersecurity threats [33]. Therefore, cybersecurity skills correspond to an individual s technical knowledge, ability, and experience surrounding the hardware and software required to execute information security in protecting their IT against damage, unauthorized use, modification, and/or exploitation [11]. Cybersecurity is not a solitary occupational category and knowledge, skills, and abilities are needed for more than cybersecurity work [34]. Limited cybersecurity skills contribute to the behavior of users that causes human errors, often unintentional [35]. Likewise, a technology savvy user does not automatically make a cybersecurity savvy user [11]. Thus, it appears that a non-it professional with limited cybersecurity skills presents opportunities for organizational information vulnerabilities and threats [36]. Fig. 1: Skill development stages over time D. Competence vs. Skills Bronsburg [37], as well as Morcke, Dornan, and Eika [38] demonstrated the importance of the high-level of skills experienced in the medical and health profession academic programs. The need to include competencies, skills, knowledge, and abilities in the classroom so students had the tools (experience) necessary for future employment were the focus of Havelka and Merhout [39], as well as Rubin and Dierdorff [40]. Havelka and Merhout [39] found that knowledge is obtained through coursework. Whereas, Rubin and Dierdorff [40] found the courses offered by colleges and universities are relevant to the competency level of a student. It was discovered that the maturing of an individual s knowledge improves skills, which then develops user competency [29]. Moreover, it was previously noted in literature that knowledge gathered by users and honed skills in a certain functional area developed competencies [41]. A misalignment between course offerings and required corporate competencies reduces the individual s exposure to important knowledge needed to do a task well [40]. Additionally, it was noted that a reasonable degree of competency at a skill requires at least 100 hours of learning and practice [23]. An individual s competency level of a particular skill is valuable; it may influence or even determine an individual s level of professional success and satisfaction [39]. A user s computer competence is vital for an organization that relies on its employees to possess skills, (i.e. knowledge, experiences, & abilities) to complete technical tasks [42]. Thus, it appears that competency is acquired after a skill is practiced over time. III. METHODOLOGY When judgmental information is essential, prior research has employed the Delphi technique [43, 44]. Using the Delphi technique provides a way and method for consensus-building without direct confrontation among the experts [45]. Characterized as an iterative group communication process, the Delphi technique allows for experts to address complex problems in an effective manner [43, 44, 46]. Prior research, e.g. [47, 48], utilized the Delphi technique for forecasting, issue identification, and concept/framework development. In addition, the Delphi method ensures both reliability and validity as it exposes the study to a panel of differing, and often contradictory, opinions while seeking convergence through subject matter experts (SMEs) feedback [48]. This study employed the Delphi technique for the purpose of identifying the indispensable expert opinion of cybersecurity threats and related skills. Key features that are regarded as the Delphi technique include secrecy, iteration, controlled feedback, and statistically clustering the responses [49]. Secrecy was maintained in this study with the use of Web-based questionnaires. Between each questionnaire, feedback was controlled by incorporating the SMEs responses into the next questionnaire. Round one consisted of 12 platform independent cybersecurity threats that were identified after a survey of existing body of knowledge and were presented to SMEs from the Florida chapter of the InfraGard, a public-private partnership between the United States Federal Bureau of Investigation (FBI) s cyber division and private sector that

4 focus on cybersecurity, along with subject matter experts from other federal agencies such as the United States Secret Services (USSS) Electronic Crimes Task Force team and industry. The SMEs were asked to rank in order of importance the threats that non-it professionals poses for organizational cybersecurity posture. Based on the SMEs feedback, the list of 12 platform independent cybersecurity threats were narrowed to 10 platform independent cybersecurity threats. In the second Delphi technique round, the 10 cybersecurity threats identified as the most significant were then presented to the panel of SMEs in a Web-based survey using a seven-point Likert scale. Based on a score of 1 for strongly disagree and 7 for strongly agree, each of the proposed cybersecurity threats were evaluated to determine 1) if it was valid to be included in the core fundamental cybersecurity threat set; 2) if a proposed platform independent skill is valid or not; and 3) if each proposed skill is independent from other proposed cybersecurity skills. Moreover, the SME panel were asked to provide a ranking of 1, representing the highest threat, to 10, representing a lessor threat. The skill importance weight for each skill was calculated so the lessor threat received a weight closer to 0.0, while the highest ranked threat received a weight closer to 1.0. The threats are based on their skill importance weight in causing harm to organizations and individuals, while forming the foundations for the development of a hierarchical-based indexing to measure an overall measure of cybersecurity skills (i.e. the CSI) in follow-up research. IV. DATA ANALYSIS AND RESULTS As seen in the works of Helmer [50], as well as Linstone and Turoff [46], a consensus of SMEs opinion emerged with the top nine cybersecurity skills needed for non-it professionals. Three distinct categories were identified among the cybersecurity threats and identified matching skills: (A) malware; (B) personally identifiable information (PII); and (C) work information systems (WIS) related threats. At the end of the second Delphi round, the difference between the lowest ranked cybersecurity threat/skill and the highest was nearly Cybersecurity threat and corresponding skill number 10, preventing unauthorized information system access via workstation lock or log out, was identified as an outlier and the SMEs highly recommended discarding it from the list. Table 1 displays the collective results of both Delphi rounds identifying the top nine platform independent cybersecurity skills, their respective category, SME rankings, number of SME responses, ranked weighted total, ranked average, and skill importance weight. V. CONCLUSION AND DISCUSSION The main goal of this research study was to develop a list of top platform independent skills that will form the basis for the set of scenarios that will capture potential cybersecurity threats through hands-on tasks. Using the Delphi technique, the top nine most critical threats and related cybersecurity skills were identified by consensus of 18 cybersecurity professionals. The Delphi technique is a popular research tool for identifying and ranking issues within the IT field [43, 44]. To ensure the most reliable and valid results, this study warranted 1) the panel of SMEs remained stable; 2) the amount of time between questionnaires was minimized; 3) clear-cut questions were presented; and 4) consensus was reached with justified feedback [51]. Weighted totals were based on the number of SME responses multiplied times the score for each assigned ranking. This was then divided by the total number of SME responses for determining the final rank of one through nine. Each skill importance weight was based on the individual skill weighted average divided by the total weighted average. These results provide a foundation in achieving the larger research study objectives. VI. FUTURE RESEARCH This study was the first phase of a larger research study. The second objective of the larger research study will involve the design and development of scenario-based, hands-on tasks related to each of the nine SME identified cybersecurity skills. In round three of the Delphi technique, SMEs will be asked for feedback regarding the scenario-based, hands-on tasks, and the relationship to the respective skill. At the conclusion of round three, SMEs responses will be incorporated into the development of the MyCyberSkills ipad app. While developing and validating such a comprehensive set of scenario-based, hands-on benchmarking index is a good step in the right direction, the process of implementing it in order to actually measure such skills can be challenging. In order to overcome this issue, the third objective of the larger research TABLE I. RANKINGS OF THE TOP NINE CYBERSECURITY SKILLS

5 study will be the development of the MyCyberSkills ipad application prototype. This prototype will operationalize the previously developed and validated scenario-based, hands-on tasks CSI into an actual app that will be used to collect the cybersecurity skills data. Once the MyCyberSkills ipad app has been completed and fully tested, empirical research will be done to evaluate its reliability. Thus, the fourth objective of the larger study will be to conduct a quantitative research study using the MyCyberSkills ipad app by collecting data from at least 100 non-it employees/participants and documenting the results of the measure. Results from this quantitative phase will be analyzed, reliability of the CSI will be measured, and additional adjustment to the CSI will be concluded. Recommendations for the administration as a result from the data analysis will also be provided. ACKNOWLEDGMENT The authors thank Dr. Gary Margules, Roxana Ross, and their team from the NSU s Office of Research and Technology Transfer for the generous funding of this research via the NSU s President's Faculty and Research Development Grant (PFRDG). Moreover, the authors thank Dr. Joshua Stalker for his early contribution to this study, Dr. Eric Ackerman for his assistance with the data collection, as well as Dr. Michelle M. Ramim for her assistance and guidance during the Delphi expert panel process. REFERENCES [1] Y. Levy, A case study of management skills comparison in online MBA programs, Int. J. of Inform. and Comm. Technol. Educ., vol. 1, no. 3, pp. 1-20, July-Sept [2] G. Torkzadeh and J. Lee, Measures of perceived end-user computing skills, Inform. & Manage., vol. 40, no. 7, pp , Aug [3] Y. Levy, M. M. Ramim, S. M. Furnell, and N. L. Clarke, Comparing intentions to use university-provided vs. vendor-provided multibiometric authentication in online exams, Campus-Wide Inform. Syst., vol. 28, no. 2, pp , Mar [4] M. M. Ramim and Y. Levy, Securing e-learning systems: a case of insider cyber attacks and novice IT management in a small university, J. of Cases on Inform. Technol., vol. 8, no. 4, pp , Oct [5] J. D Arcy, A. Hovav, and D. Galletta, User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach, Inform. Syst. Research, vol. 20, no. 1, pp , Mar [6] IBM Global Technology Services, Managed Security Services, IBM security services 2014 cyber security intelligence index, IBM Infographic: 2014 Cyber Security Intelligence Index, [Online]. Available: [7] U.S. National Security Council, The comprehensive national cybersecurity initiative, The White House: Foreign Policy, [Online]. Available: [8] Privacy Rights Clearinghouse, Chronology of data breaches, privacyrights.org, Dec. 31, [Online]. Available: https://www.privacyrights.org/data-breach. [Accessed: Jan. 8, 2015] [9] J. E. Boritz and W. G. No, E-commerce and privacy: exploring what we know and opportunities for future discovery, J. of Inform. Syst., vol. 25, no. 2, pp , Fall [10] Exec. Order No. 13,681, 79 Fed. Reg , [11] M. S. Choi, Y. Levy, and A. Hovav, The role of user computer selfefficacy, cybersecurity countermeasures awareness, and cybersecurity skills influence on computer misuse, Proc. of the Pre-Int. Conference of Inform. Syst. (ICIS) SIGSEC Workshop on Inform. Security and Privacy (WISP) 2013, December, 2013, Milan, Italy. [Online]. Available: [Accessed: May 22, 2014]. [12] B. K. Jensen, J. L. Bailey, and S. Baar, Making security policies memorable: the first line of defense, Int. J. of Bus., Humanities and Technol., vol. 4, no. 2, Mar. 2014, [Online]. Available: [13] J. M. Peha, The dangerous policy of weakening security to facilitate surveillance, Carnegie Mellon University, Oct. 4, [Online]. Available: lance.pdf. [14] Verizon Enterprise Solutions, Verizon 2014 data breach investigations report, verizon.com, [Online]. Available: DBIR-2014_en_xg.pdf. [Accessed: Nov. 13, 2014]. [15] Kaspersky Lab, Global Research and Analysis Team (GREAT), Kaspersky security bulletin 2013, Kaspersky Lab, [Online]. Available: [Accessed: Sept. 12, 2014]. [16] PricewaterhouseCoopers, Defending yesterday: key findings from the global state of information security survey 2014, PricewaterhouseCoopers LLP Advisory Services, Oct. 21, [Online]. Available: [Accessed: August 2, 2014]. [17] S. Winkler and B. Dealy, Information security technology? Don t rely on it: A case study in social engineering, in Proc. of the Fifth USENIX UNIX Security Symposium, Jun. 1995, [Online]. Available: https://www.usenix.org/legacy/publications/library/proceedings/security 95/full_papers/winkler.pdf. [Accessed: Nov. 8, 2014]. [18] A. Algarni, Y. Xu, T. Chan, and Y.-C. Tian, Social engineering in social networking sites: how good become evil, in Proc. of the 18th Pacific Asia Conference on Inform. Syst. (PACIS 2014), Jun [19] D. Kvedar, M. Nettis, and S. P. Fulton, The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition, J. of Computing Sci. in Colleges, vol. 26, no. 2, pp , Dec [20] T. Qin, and J. K. Burgoon, An investigation of heuristics of human judgment in detecting deception and potential implications in countering social engineering, in 2007 IEEE Intelligence and Security Informatics, G. Muresan, T. Altiok, B. Melamed, and D. Zeng, Eds., 2007, pp [21] Enterprise Risk Management (ERM). "Explaining the Importance of Information Risk Management: engaging your directors with a powerful dashboard, emrisk.com, [Online]. Available: [Accessed: Nov. 14, 2014]. [22] R. E. Boyatzis and D. A. Kolb, Assessing individuality in learning: the learning skills profile, Educational Psychology, vol. 11, no. 3/4, pp , Jan [23] J. R. Anderson, Acquisition of cognitive skill, Psychological Review, vol. 89, no. 4, pp , July [24] J. I. Gravill, D. R. Compeau, and B. I. Marcolin, Experience effects on the accuracy of self-assessed user competence, Inform. & Manage., vol. 43, no. 3, pp , Apr [25] P. M. Fitts, Perceptual-motor skill learning, in Categories of Human Learning, A. W. Melton, Ed., New York: Academic Press, 1964, pp [26] D. M. Neves and J. R. Anderson, Knowledge compilation: mechanisms for the automatization of cognitive skills, in Cognitive Skills and Their Acquisition, J. R. Anderson, Ed., Hillsdale, NJ: Lawrence Erlbaum Associates, Inc., 1981, ch. 2, pp [27] B. L. Marcolin, D. R. Compeau, M. C. Munro, and S. L. Huff, Assessing user competence: conceptualization and measurement, Inform. Syst. Research, vol. 11, no. 1, pp , Mar

6 [28] K. Kraiger, J. K. Ford, and E. Salas, Application of cognitive, skillbased, and affective theories of learning outcomes to new methods of training evaluation, J. of Appl. Psychology, vol. 78, no. 2, pp , Apr [29] B. Eschenbrenner and F. F.-H. Nah, Information systems user competency: a conceptual foundation, Commun. of the Assoc. for Inform. Syst., vol. 34, no. 1, pp , [30] National Initiative for Cybersecurity Careers and Studies (NICCS), Cyber glossary, Dept. of Homeland Security: [Online]. Available: [Accessed: Jan. 8, 2015]. [31] C. W. Axelrod, Cybersecurity and the critical infrastructure: looking beyond the perimeter, Inform. Syst. Control J., vol. 3, [Online]. Available: 3/Pages/Cybersecurity-and-the-Critical-Infrastructure-Looking-Beyondthe-Perimeter1.aspx. [32] K. D. Mitnik and W. L. Simon, The Art of Deception: Controlling the Human Element of Security, Indianapolis, IN: Wiley Publishing Inc., [33] Enterprise Risk Management (ERM). Cybersecurity academy: your cyber security information portal, emrisk.com, [Online]. Available: [Accessed: Jan. 8, 2015]. [34] D. L. Burley, J. Eisenberg, and S. E. Goodman, Privacy and security: would cybersecurity professionalization help address the cybersecurity crisis, Commun. of the ACM, vol. 57, no. 2, pp , Feb [35] M. S. Choi, Assessing the Role of User Computer Self-efficacy, Cybersecurity Countermeasures Awareness, and Cybersecurity Skills Toward Computer Misuses Intention at Government Agencies. PhD [Dissertation]. Ft. Lauderdale, FL: Nova Southeastern University, [Online]. Available: ProQuest Dissertations and Theses. [36] K.-L. Thomson and R. von Solms, Information security obedience: a definition. Comput. & Security, vol. 24, no. 1, pp , Feb [37] S. E. Bronsburg, The Impact of an Osteopathic Medical Program on Information Technology Skills of Physicians Entering the Workforce. PhD [Dissertation]. Ft. Lauderdale, FL: Nova Southeastern University, [Online]. Available: ProQuest dissertations and Theses. [38] A. M. Morcke, T. Dornan, and B. Eika, Outcome (competency) based education: an exploration of its origins, theoretical basis, and empirical evidence, Advances in Health Sci. Educ., vol. 18, no. 4, pp , Oct [39] D. Havelka and J. W. Merhout, Toward a theory of information technology professional competence, The J. of Comput. Inform. Syst., vol. 50, no. 2, pp , Winter [40] R. S. Rubin and E. C. Dierdorff, How relevant is the MBA? Assessing the alignment of required curricula and required managerial competencies, Academy of Manage. Learning & Educ., vol. 8, no. 2, pp , Jun [41] P. Toth and P. Klein. National Institute of Standards and Technology, A role-based model for federal information technology/cyber security training (NIST special publication revision 1, 3rd draft). [Online]. Available: rev1/sp800_16_rev1_3rd-draft.pdf. [42] J. P. Downey and L.A. Smith, The role of computer attitudes in enhancing computer competence in training, J. of Organizational and End User Computing, vol. 23, no. 3, pp , July [43] C. Okoli and S. D. Pawlowski, The Delphi method as a research tool: an example, design considereations and applications, Inform. & Manage. vol. 42, no. 1, pp , Dec [44] M. M. Ramim and B. T. Lichvar, Eliciting expert panel perspective on effective collaboration in system development projects, Online J. of App. Knowlg. Manage., vol 2., no. 1., pp , Jun [45] N. Dalkey and O. Helmer, An experimental application of the Delphi method to the use of experts, Manage. Sci., vol. 9, no. 3, pp , Apr [46] H. A. Linstone and M. Turoff, Eds., The Delphi Method: Techniques and Applications, vol. 29. Reading, MA: Addison-Wesley, [47] J. C. Brancheau and J. C. Wetherbe, Key issues in information systems management, MIS Quart., vol. 11, no. 1, pp , Mar [48] R. Schmidt, K. Lyytinen, M. Keil, and P. Cule, Identifying software project risks: an international Delphi study, J. of Manage. Inform. Syst., vol. 17, no. 4, pp. 5-36, Spring [49] G. Rowe and G. Wright, The Delphi technique as a forecasting tool: issues and analysis, Int. J. of Forecasting, vol. 15, no. 4, pp , Oct [50] O. Helmer, Looking Forward: a Guide to Futures Research, Beverly Hills, CA: Sage Publications, [51] T. Gordon and O. Helmer, Social Technology, New York, NY: Basic Books, 1966.

NICE and Framework Overview

NICE and Framework Overview NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to

More information

The Effect of Competence-Based Simulations on Management Skills Enhancements in E-Learning Courses

The Effect of Competence-Based Simulations on Management Skills Enhancements in E-Learning Courses 34E The Effect of Competence-Based Simulations on Management Skills Enhancements in E-Learning Courses The Effect of Competence-Based Simulations on Management Skills Enhancements in E-Learning Courses

More information

National Initiative for Cyber Security Education

National Initiative for Cyber Security Education 2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women

More information

The Future of Organization s Computer Network Security for the Next 5 Years (2011-2015) by Using Delphi Technique

The Future of Organization s Computer Network Security for the Next 5 Years (2011-2015) by Using Delphi Technique 2011 International Conference on Information and Electronics Engineering IPCSIT vol.6 (2011) (2011) IACSIT Press, Singapore The Future of Organization s Computer Network Security for the Next 5 Years (2011-2015)

More information

The Comprehensive National Cybersecurity Initiative

The Comprehensive National Cybersecurity Initiative The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

More information

A Detailed Strategy for Managing Corporation Cyber War Security

A Detailed Strategy for Managing Corporation Cyber War Security A Detailed Strategy for Managing Corporation Cyber War Security Walid Al-Ahmad Department of Computer Science, Gulf University for Science & Technology Kuwait alahmed.w@gust.edu.kw ABSTRACT Modern corporations

More information

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY CYBER HYGIENE AND ORGANIZATIONAL PLANNING ARE AT LEAST AS INTEGRAL TO SECURING INFORMATION NETWORKS AS FIREWALLS AND ANTIVIRUS SOFTWARE Cybersecurity

More information

Introduction to NICE Cybersecurity Workforce Framework

Introduction to NICE Cybersecurity Workforce Framework Introduction to NICE Cybersecurity Workforce Framework Jane Homeyer, Ph.D., Deputy ADNI/HC for Skills and Human Capital Data, ODNI Margaret Maxson, Director, National Cybersecurity Education Strategy,

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Importance of Cyber Threat Intelligence to a Strong Security Posture The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

What is Management Responsible For?

What is Management Responsible For? What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

CyberNEXS Global Services

CyberNEXS Global Services CyberNEXS Global Services CYBERSECURITY A cyber training, exercising, competition and certification product for maximizing the cyber skills of your workforce The Cyber Network EXercise System CyberNEXS

More information

Incident Response. Proactive Incident Management. Sean Curran Director

Incident Response. Proactive Incident Management. Sean Curran Director Incident Response Proactive Incident Management Sean Curran Director Agenda Incident Response Overview 3 Drivers for Incident Response 5 Incident Response Approach 11 Proactive Incident Response 17 2 2013

More information

An Overview of Large US Military Cybersecurity Organizations

An Overview of Large US Military Cybersecurity Organizations An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United

More information

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. rok.bojanc@zzi.si Abstract: The paper presents a mathematical model to improve our knowledge of information security and

More information

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord Building The Human Firewall Andy Sawyer, CISM, C CISO Director of Security Locke Lord Confidentiality, Integrity, Availability Benchmarks of Cybersecurity: Confidentiality Information is protected against

More information

CYBERSPACE SECURITY CONTINUUM

CYBERSPACE SECURITY CONTINUUM CYBERSPACE SECURITY CONTINUUM A People, Processes, and Technology Approach to Meeting Cyber Security Challenges in the 21 st Century 1 InterAgency Board 1550 Crystal Drive Suite 601, Arlington VA 22202

More information

A B S T R A C T. Index Terms : Framework, threats, skill, social engineering, risks, insider. I. INTRODUCTION

A B S T R A C T. Index Terms : Framework, threats, skill, social engineering, risks, insider. I. INTRODUCTION A Framework to Mitigate the Social Engineering Threat to Information Security Rakesh Kumar*, Dr Hardeep Singh. Khalsa college for women, Amritsar, Guru Nanak Dev University, Amritsar rakeshmaster1980@rediffmail.com*,

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide How to use the National Cybersecurity Workforce Framework Your Implementation Guide A NATIONAL PROBLEM The Nation needs greater cybersecurity awareness. The US workforce lacks cybersecurity experts. Many

More information

SECURITY CONSIDERATIONS FOR LAW FIRMS

SECURITY CONSIDERATIONS FOR LAW FIRMS SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

The 5 Cybersecurity Concerns You Can t Overlook

The 5 Cybersecurity Concerns You Can t Overlook The 5 Cybersecurity Concerns You Can t Overlook and how to address them 2014 SimSpace Corporation The 5 Cybersecurity Concerns You Can t Overlook CONCERN 1 You don t know how good your cybersecurity team

More information

Department of Homeland Security Federal Government Offerings, Products, and Services

Department of Homeland Security Federal Government Offerings, Products, and Services Department of Homeland Security Federal Government Offerings, Products, and Services The Department of Homeland Security (DHS) partners with the public and private sectors to improve the cybersecurity

More information

SpectorSoft 2014 Insider Threat Survey

SpectorSoft 2014 Insider Threat Survey SpectorSoft 2014 Insider Threat Survey An overview of the insider threat landscape and key strategies for mitigating the threat challenge Executive Summary SpectorSoft recently surveyed 355 IT professionals,

More information

ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773

ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses

More information

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte Cyber security Time for a new paradigm Stéphane Hurtaud Partner Information & Technology Risk Deloitte 90 More than ever, cyberspace is a land of opportunity but also a dangerous world. As public and private

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

NIST Cybersecurity Framework What It Means for Energy Companies

NIST Cybersecurity Framework What It Means for Energy Companies Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber

More information

CONSULTING IMAGE PLACEHOLDER

CONSULTING IMAGE PLACEHOLDER CONSULTING IMAGE PLACEHOLDER KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu

More information

Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives

Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives Noa Aharony 1 Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives Noa Aharony Department of Information Science, Bar-Ilan University Noa.aharony@biu.ac.il

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Foreign Affairs Subcommittee on Asia and the Pacific Reviewing President

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and

More information

Structuring the Chief Information Security Officer Organization

Structuring the Chief Information Security Officer Organization Structuring the Chief Information Security Officer Organization December 1, 2015 Julia Allen Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie

More information

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY-274 Privacy, Ethics & Computer Forensics

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY-274 Privacy, Ethics & Computer Forensics RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE CISY-274 Privacy, Ethics & Computer Forensics I. Basic Course Information A. Course Number & Title: CISY-274 - Privacy, Ethics, & Computer Forensics B. New

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

A model for Crises Management in Software Projects

A model for Crises Management in Software Projects www.ijcsi.org 112 A model for Crises Management in Software Projects Mohammad tarawneh 1, Haroon tarawneh 2, farid alzboun 3 1 computer information system, Albalqa Applied University Karak, Jordan 2 computer

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Panel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems.

Panel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems. Panel on Emerging Cyber Security Technologies Robert F. Brammer, Ph.D., VP and CTO Northrop Grumman Information Systems Panel Moderator 27 May 2010 Panel on Emerging Cyber Security Technologies Robert

More information

Evaluating Protection of Computer Network in Education Sector

Evaluating Protection of Computer Network in Education Sector , 22-24 October, 2014, San Francisco, USA Evaluating Protection of Computer Network in Education Sector Yas A. Alsultanny Abstract The use of Information Technology (IT) in the higher education institutes

More information

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

More information

Dealing with Big Data in Cyber Intelligence

Dealing with Big Data in Cyber Intelligence Dealing with Big Data in Cyber Intelligence Greg Day Security CTO, EMEA, Symantec Session ID: HT-303 Session Classification: General Interest What will I take away from this session? What is driving big

More information

AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT

AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT Damien Hutchinson, Heath Maddern, Jason Wells School of Information Technology, Deakin University drh@deakin.edu.au, hmma@deakin.edu.au, wells@deakin.edu.au

More information

Defensible Strategy To. Cyber Incident Response

Defensible Strategy To. Cyber Incident Response Cyber Incident Response Defensible Strategy To Cyber Incident Response Cyber Incident Response Plans Every company should develop a written plan (cyber incident response plan) that identifies cyber attack

More information

INTRODUCTION TO PENETRATION TESTING

INTRODUCTION TO PENETRATION TESTING 82-02-67 DATA SECURITY MANAGEMENT INTRODUCTION TO PENETRATION TESTING Stephen Fried INSIDE What is Penetration Testing? Terminology; Why Test? Types of Penetration Testing; What Allows Penetration Testing

More information

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287

More information

An Investigation into the Human/Computer Interface from a Security Perspective. Daniel J. Cross. A Proposal Submitted to the Honors Council

An Investigation into the Human/Computer Interface from a Security Perspective. Daniel J. Cross. A Proposal Submitted to the Honors Council An Investigation into the Human/Computer Interface from a Security Perspective by Daniel J. Cross A Proposal Submitted to the Honors Council For Honors in Computer Science and Engineering 15 October, 2004

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Cyber security is a shared responsibility and each of us has a role to play in making it safer, more secure and resilient.

Cyber security is a shared responsibility and each of us has a role to play in making it safer, more secure and resilient. Overview of Cyber Security: Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. We rely on this vast array of networks to communicate and travel,

More information

Cybersecurity Tips for Startups and Small Businesses

Cybersecurity Tips for Startups and Small Businesses FOUR ESSENTIAL Cybersecurity Tips for Startups and Small Businesses Cybercrime is a Big Problem for Small Business As you know, there s nothing small about the small business sector. According to the U.S.

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness

More information

NICE Cybersecurity Workforce Framework Tutorial

NICE Cybersecurity Workforce Framework Tutorial NICE Cybersecurity Workforce Framework Tutorial Jane Homeyer, Ph.D., Deputy ADNI/HC for Skills and Human Capital Data, ODNI Margaret Maxson, Director, National Cybersecurity Education Strategy, DHS Outline

More information

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009 National Security & Homeland Security Councils Review of National Cyber Security Policy Submission of the Business Software Alliance March 19, 2009 Question # 1: What is the federal government s role in

More information

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Educational Requirement Analysis for Information Security Professionals in Korea

Educational Requirement Analysis for Information Security Professionals in Korea Educational Requirement Analysis for Information Security Professionals in Korea Sehun Kim Dept. of Industrial Engineering, KAIST, 373-1, Kusong-dong, Yusong-gu, Taejon, 305-701, Korea shkim@kaist.ac.kr

More information

Strategic Plan September 2012

Strategic Plan September 2012 Strategic Plan September 2012 NIST NICE Component Leads Overall Lead Ernest L. McDuffie, Ph.D. Lead for the National Initiative for Cybersecurity Education (NICE) United States Department of Commerce (DoC)

More information

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions

More information

TOP 3. Reasons to Give Insiders a Unified Identity

TOP 3. Reasons to Give Insiders a Unified Identity TOP 3 Reasons to Give Insiders a Unified Identity Although much publicity around computer security points to hackers and other outside attacks, insider threats can be particularly insidious and dangerous,

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

Information Technology Risk Management

Information Technology Risk Management Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT

More information

IBM i2 Enterprise Insight Analysis for Cyber Analysis

IBM i2 Enterprise Insight Analysis for Cyber Analysis IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Network Security Report:

Network Security Report: Network Security Report: The State of Network Security in Schools Managing tight budgets. Complying with regulatory requirements. Supporting Internet-based learning technologies. There are many challenges

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

NIST Cybersecurity Framework Overview

NIST Cybersecurity Framework Overview NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order

More information

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS 1 SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS Synopsis SPSP Project Overview Phase I Summary Phase

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

Information Security Technology?...Don t Rely on It A Case Study in Social Engineering

Information Security Technology?...Don t Rely on It A Case Study in Social Engineering The following paper was originally published in the Proceedings of the Fifth USENIX UNIX Security Symposium Salt Lake City, Utah, June 1995. Information Security Technology?...Don t Rely on It A Case Study

More information

The Human Factor of Cyber Crime and Cyber Security

The Human Factor of Cyber Crime and Cyber Security The Human Factor of Cyber Crime and Cyber Security Challenges: September 11th has marked an important turning point that exposed new types of security threats and disclosed how cyber criminals pursuit

More information

Cyber Adversary Characterization. Know thy enemy!

Cyber Adversary Characterization. Know thy enemy! Cyber Adversary Characterization Know thy enemy! Brief History of Cyber Adversary Modeling Mostly Government Agencies. Some others internally. Workshops DARPA 2000 Other Adversaries, RAND 1999-2000 Insider

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Insider Threat Detection Using Graph-Based Approaches

Insider Threat Detection Using Graph-Based Approaches Cybersecurity Applications & Technology Conference For Homeland Security Insider Threat Detection Using Graph-Based Approaches William Eberle Tennessee Technological University weberle@tntech.edu Lawrence

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations

Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations TeleContinuity The Survivable Cyber Solution Presentation For Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations 2007 TeleContinuity, Inc.. All Rights

More information

Cyber Security Metrics Dashboards & Analytics

Cyber Security Metrics Dashboards & Analytics Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics

More information

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

The Problems With SEC s Cybersecurity Approach

The Problems With SEC s Cybersecurity Approach Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com The Problems With SEC s Cybersecurity Approach Law360,

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

Position Paper for Cognition and Collaboration Workshop: Analyzing Distributed Community Practices for Design

Position Paper for Cognition and Collaboration Workshop: Analyzing Distributed Community Practices for Design Position Paper for Cognition and Collaboration Workshop: Analyzing Distributed Community Practices for Design Jean Scholtz, Michelle Steves, and Emile Morse National Institute of Standards and Technology

More information