The Role Of Personal Responsibility Within Cyber Security Failures (Thesis Sample)

THE ROLE OF PERSONAL RESPONSIBILITY WITHIN CYBER SECURITY A Master Thesis Submitted to the Faculty of American Public University by Student In Partial Fulfillment of the Requirements for the Degree of Master of Science Mar 2017 American Military University Charles Town, WV ABSTRACT OF THE THESIS THE ROLE OF PERSONAL ACCOUNTABILITY WITHIN CYBER SECURITY by Student American Military University, Mar 2015 Charles Town, West Virginia Dr. Denise Eggersman, Thesis Professor Enforcement and education both are a major part in maintaining the correct security posture to assist in the elimination of many cyber failures due to negligence or lack of knowledge. The need to require the proper level of personal accountability is important in order to maintain a proper environment of cyber security in your business organization or within your industry. The overzealous or zero tolerance type of enforcement of arbitrary and ultimately unenforceable cyber policies will only serve as a detriment to your desired effect of a heightened security state and a cyber-aware workforce. The methods discussed here are not so detailed specific as to be useable in only certain specific select situations or industries. These can be applied to a great many organizations or professions. The methods herein will generally be of a mixed methodology style, as some perceptions of security are undertaken. The findings will however show that proper policies, adequate training and appropriate and equal enforcement will maintain a better level of security overall. You of course cannot stop all the bad actors’ intent on harming your network or computer system. However, with the right balance of personal accountability, education and enforcement, you may eliminate a great many of the cyber threats facing you today and tomorrow. Keywords: accountability, cyber, security, computer, personal, enforcement TABLE OF CONTENTS CHAPTERPAGE I. INTRODUCTION1 Problem Statement2 Purpose2 Hypotheses Research Questions3 Significance of the Study4 Definitions4 Limitations4 Assumptions5 Theoretical Framework.5 II. LITERATURE REVIEW6 History of Cyber Security6 Policies and Laws7 Accountability Methods7 Accountability in the internet8 Personal Behaviors and Intent9 III. METHODOLOGY0 Subjects and Setting0 Data Collection Technique0 Statistical Analysis0 Limitations of the Study0 IV. RESULTS0 Legal Issues0 Human resource issues0 Productivity Issues0 V. DISCUSSION0 Summary0 Recommendations0 LIST OF REFERENCES11 APPENDICES0 The role of personal accountability within Cyber Security Introduction Individuals should be held accountable for intentional cyber security failures, personal accountability will lead to a higher security posture, which will improve the overall security of the network. Without a core standard to be held accountable for or to, there would be no need for security, a lack of accountability will lead to a noticeable degradation in security. While policies that punish people for something that is beyond their control will of course be counterproductive in the end. The research shows that significant levels of cyber breaches and policy violations the majority, which with the proper education, training and most of all enforcement these can be mitigated. Various phishing and or social engineering tactics have accomplished many of these attacks, by getting users to install malware into the network. Many of these failures are attributable to the IT dept. themselves failing to follow their own best practices. That happens to be one such group you would assume above all others in the realm of security would be aware of such activity and not fall prey to it. What comes along with that is generally a large amount of the users not trained to be fully cyber aware, they do not know what best practices to follow and they lack a basic proper understanding of cyber security. We also are aware that human nature, intent, can play a large part in how people approach cyber security, these people affect our system as well and need addressed. You of course cannot know what someone intends to do in your system until they do it, but there are normally clues and things you can notice by studying the human nature and learning signs that may point to an insider threat. Ultimately, there is also the need for those individuals held accountable, when without a doubt they have failed to live up to their cyber security responsibilities. The public and other employee’s need to see that cyber security enforcement does happen and they need to learn that proper enforcement and the company is performing accountability. Problem Statement The insider threat, the untrained worker, the lack of accountability and policies/training are some of the largest problems facing cyber security issues today. These are also most of the major areas you have the best amount of control. You of course will not stop all the outside actors from attacking your system, you never will, nor should you expend all your time and effort trying to do so. The only way to do this successfully would be to completely disconnect from the internet and let no one use your computers. That will however render you unable to perform your business functions in this connected world, operating off the grid is not truly an option for business or the government itself today. Purpose The need for this research is that a balance is most desirable between overbearing security, rendering your system unusable, and too little security, which renders your system vulnerable to attacks. This balance is what you are going for while you protect the cyber environment and the users from themselves. This accomplishment is by having good policies that are current and viable also providing accurate training, and yes, adherence to and enforcement of, those policies on all users of your network. The research will show that a proper application of the policies and the proper education or training of those users will lead to a better understanding of why the policy is in effect. This is turn will lead to a more security conscious aware employee and a better-prepared cyber workforce. The individual is after all the front line in the security of your system, do not overlook or ever forget this. A complete technological system as of yet, cannot fully replace a properly trained and cyber aware person. If the individual does not comply with policy and practice proper cyber security, the whole system tends to become useless. You cannot lock out a burglar if someone opens the front door when the burglar knocks. Therefore, as it is with proper security, it may be in place, but if the user fails to follow it or the procedures they themselves are not enforced, the defenses are for nothing. Hypotheses and Research Questions Individuals held accountable for cyber security failures personal accountability and a high security posture will improve the overall security of the network. Without a core standard to hold up for accountability, there would be no need for security at all, a lack of accountability will lead to degradation in security. H1. The individual does not play a large role in the security of the network. H2. Holding an individual user accountable criminally and or financially liable will improve security. H3. Individual users who receive security training and education make your system more secure. H4. Higher levels of education and training lead to an increase in the security of your network. H5. Technological security measures will not replace the user’s responsibility in the realm of cyber security. H6. The individual does play a large role in the security of the network. H7. Users can do little to impact cyber security. Significance of the Study The study undertaken will show that a proper level of enforcement, training and education is a requirement to assist you in the protection of your network or system. The enforcement of those polices will be shown to have a measurable impact at increasing the overall protection of a network or system. Definitions Accountability according to Merriam-Webster (2015) is the quality or state of being accountable; especially:  an obligation or willingness to accept responsibility or to account for one's actions. Enforcement according to Merriam-Webster (2015) is to make (a law, rule, etc.) active or effective: to make sure that people do what is required by (a law, rule, etc.): to make (something) happen: to force or cause (something). Limitations There will always be some limitations in this study area. Some may be the lack of truthful or complete responses on the survey from those who take it. They may have minimal knowledge in the area of enforcement, the policies may actually be enforced, but the individuals may not see or be aware that it is happening within their area. Human Resources, the Information Technology department and managers may be hesitant to speak or not wish to discuss the specifics of any action or inaction they may or may not have taken. This could be out of fear of violating some privacy issue or the appearance of being heavy-handed or even lax in their enforcement of the policies. Assumptions The area in study runs on the presumption that without the threat of punishment or the witnessing of actually punishment, individuals will not actively attempt to take basic measures to protect the network they use. The prevailing thought behind this is most people will assume network protection is not their job. They may feel they are not a cyber-security employee that is not their responsibility; someone else is running some type of computer program on my machine and that does it. They do not need to worry about security for themselves; someone else handles it for them. Theoretical Framework My research should uncover the correlation between enforcement of cyber policies and holding individual...