Running Header: CYBERSECURITY THREATS 1

Managing Cybersecurity Threats at a Higher Education Institution

NAME

Dissertation Proposal for IRB Approval

Judson University

Table of Contents

Abstract 3
Learning Institutions 6
Security Threats in Learning Institutions 5
Goals of Learning Institution’s Security Architecture 7
Problem Statement 8
Purpose Statement 9
Research Questions 10
Significance of the Study 11
Organization of the Proposal 12
Definitions of Terms 12
Chapter II: Literature Review 14
The Value Access Management Brings to Learning Institutions 16
Access Controls for Devices 17
BYOD Security Challenges 18
The Internet of Things: New Interoperability, Management, and Security Challenges 19
BYOD Supporting Insider Threat Success: A New Security Challenge 20
Analysis of the Review 21
Chapter III: Research Methodology 22
Overview of the Research Method and Design: A Qualitative Approach 23
Interview 25
Observation 27
Artifacts 28
Data Analysis Procedures 29
References 31

Abstract

Regardless of the industry in which an institution operates, it must have reliable security measures to ensure that its data, its systems, and the information that it relies on are not compromised. Learning institutions are one of the few types of institution that face multiple security threats at once. In order to secure their assets and operations, schools employ a security architecture that includes responsive controls, preventive controls, and detective controls.

The study looks at the security threats that higher learning institutions face and explains how schools confront and deal with them. Four security threats that face learning institutions are identified in the paper; they include fraud, data loss and compromise, and the disruption of the functions and services of critical infrastructure. The study also presents the different security architectures that learning institutions employ in their bid to ensure that security prevails.

Chapter I: Introduction and Background

Most of the time, when people hear the words cyber security they think of measures that secure a building, a premises, property or even a person from physical harm, damage or theft by external parties (Bertino, 2016). To an extent, what most people understand about cyber security is true: cyber security is all about security from physical activities that may lead to loss or damage. Unfortunately, cyber security is often overlooked in comparison to technical security. Many organizations and institutions all over the world spend a lot of resources to ensure that their operating systems are protected from malware and hacks; on the other hand, they spend very little on cyber security (Tuor et al., 2017). The biggest downside of the above is that the relevance of cyber security is ignored or overlooked.

Cyber security rests on three main things: surveillance, access control, and testing. It is primarily concerned with placing obstacles in the paths of criminals, burglars or malicious people to prevent them from carrying out malicious activities or errors that may lead to the loss of property, networks or even lives. Because of the focus on those three items, one thing is often overlooked or ignored, and unfortunately it might be the biggest threat to cyber security: the insider threat. The insider threat is the single biggest threat to an organization, yet very little is done to address it (Agrafiotis et al., 2015). There is very little research compared to the impact of the threat. To make it worse, the Internet of Things (IoT) is making the implementation of cyber security harder, as it introduces elements of technical security into cyber security.

The success of the majority, if not all, of institutions and firms depends significantly on the security measures they employ. Regardless of the industry in which an institution operates, it must have reliable security measures to ensure that its operations, as well as the information that it relies on, are not compromised. Security is divided mainly into cyber security and network security. Bearing the above in mind, there are three types of security controls: responsive controls, preventive controls, and detective controls. In order for organizations to claim that they have reliable security, they must have a solid security architecture. The architecture details the infrastructure in use to enforce security measures as well as the actions in place to ensure that security prevails. By going through a typical learning institution's security architecture, it will be possible to define and explain security, considering that schools are among the institutions that emphasize both physical and network security.

The research team responsible for carrying out the study believes that if the insider threat is dealt with, most if not all of the issues that affect cyber security will be dealt with. That belief forms the foundation of the research, as the research team will seek to confirm or dispel the notion that dealing with the insider threat resolves most security concerns as regards cyber security.

Learning Institutions

Learning institutions have been in existence for a long time in informal and formal settings. There are different types of learning institutions: elementary schools, high schools, and higher education institutions, among other types of schools. Learning institutions offer learners opportunities to increase their knowledge as well as acquire skill sets that are valuable in life. For educators and other individuals that work in schools, schools offer employment opportunities. In their operations, learning institutions rely on personal and identification data. Additionally, learning institutions, especially higher learning institutions, rely on learning management systems to administer education. In recent decades, learning institutions have been targeted by cyber-criminals for terrorism, data breaches and other related crimes. By identifying how cyber criminals target learning institutions, primarily higher learning institutions, it is possible to formulate mechanisms for countering the cyber-crimes targeting them.

Security Threats in Learning Institutions

Due to the nature of the education sector as well as the functions of schools, learning institutions have many security threats. There are four main security threats that learning institutions face. The first threat is the employees leaking information or making their institutions susceptible to cybercrime.

The second type of threat is fraud. Fraud in most cases happens through insider threats; learning institution employees and suppliers make it possible for fraud to happen. Another way in which fraud happens is through cyber-attacks. Cybercriminals attack network vulnerabilities to access the information in learning systems and, through that, commit fraud. The fraud security threat compromises both physical and network security. The compromise of cyber security happens when the insider threat is in play, whereas the compromise of network security happens when cyber-attacks are in play.

The third security threat in learning institutions is the disruption of critical infrastructure. For the majority of learning institutions, their network, databases, servers, and systems are classified as critical infrastructure. The disruption of the above-mentioned infrastructure, for whatever reason, can hamper the operations of a learning institution and leads to the institution not performing its functions. The disruption of critical infrastructure affects both physical and network security.

The fourth security threat for learning institutions is information loss or disclosure. Learning institutions rely entirely on the information that they hold to offer services. As it stands, learning institutions are always at risk of the information they collect being compromised by either employees or cybercriminals. It is for that reason that learning institutions invest heavily in securing their databases and servers, as they are the doors to stored information such as student personal and identification records, the security details of an institution, and its learning management system.

Goals of Learning Institution’s Security Architecture

There are three main goals of a school’s security architecture. The goals are the same as the three main security controls mentioned earlier, and they are also the goals of the project. The first goal of a school’s security architecture is preventing security breaches, both physical and network security breaches. Security architecture details the infrastructure as well as the security measures in place to prevent data loss, fraud, and the disruption of critical infrastructure, amongst other things. By having a security architecture, a school’s security system protects its assets and resources from being compromised (Gomber et al., 2018).

The second goal of a school’s security architecture is detecting security breaches. According to Kaipainen (2017), in cases where a school is unable to prevent a security breach for whatever reason, the school should have a detection system in order to stop the ongoing compromise and also reduce the attack surface of a security breach. Security architecture details a reliable framework for detecting security breaches. By having the ability to detect security breaches, schools can secure themselves from data loss, money loss, reputation loss as well as save their critical infrastructure from destruction.

The last goal of a school’s security architecture is to offer a response to a security breach. It is critically important that if a school is not able to prevent a breach, it offers a response to the breach. In most cases, a response involves countering the security breach. Security architecture provides a framework or guideline for ensuring that schools have a response should they face a data breach or should the services and functions of their critical infrastructure be disrupted.

Problem Statement

Fraud has been a burning issue in human society since time immemorial (Cole, 2015). The insider threat is a form of fraud, because insiders that are perceived as threats deceive their employers and colleagues with the aim of gaining from a security lapse. Most of the time, insiders that help in breaching security controls are promised good returns if they do (Liu et al., 2018). The need to deter insiders from helping other people break security protocols is what has led to this study. Many organizations have suffered from the malicious or erroneous activities of their employees, which have exposed them to security risks. Organizations will continue to suffer from such activities unless the insider threat is effectively dealt with (Eberz et al., 2015).

The insider threat is not only an issue that affects organizations, institutions, and corporations; it is also a societal issue, as it encourages deception (Bunn & Sagan, 2017). Coming up with solutions that effectively deal with insider threats will, by extension, help in coming up with ways to deal with or mitigate deception at the society and community level. The insider threat is a burning issue considering that it is people who have been granted rights, access, and privileges that help criminals to breach security protocols (Walton, 2016). It is also a burning issue since it is insiders, or people who are trusted, who breach security protocols and through that expose organizations and institutions to unnecessary risks (Gheyas & Abdallah, 2016).

Purpose Statement

Since it is already established that insiders, whether employees or suppliers, are the biggest security concern in cyber security, there is a need to find effective ways to deal with them or mitigate their effects (Collins, 2016). There is a strong belief that if solutions that effectively stop or hamper insiders from aiding in or breaking security protocols and controls are identified, then cyber security will be more guaranteed in the world (Sanzgiri & Dasgupta, 2016). This research has three main purposes. The first purpose is to identify how the insider threat can be mitigated or done away with, with the intention of improving not only cyber security but all types of security, including technical security.

The second purpose of the study is to confirm or dispel the belief that the insider threat is the single biggest challenge that hampers cybersecurity. Through that confirmation, industry stakeholders and players will be better informed to make better decisions concerning cybersecurity. If the study confirms that the insider threat is the single biggest challenge that hampers cybersecurity, players in the security sector will concentrate on the insider threat and, through that, a solution to the threat will be realized (Hu et al., 2015). On the other hand, if the study dispels the belief that the insider threat is the single biggest challenge that hampers cybersecurity, players and stakeholders in the security sector will know how best to divide their attention among the known security threats as opposed to concentrating on the insider threat. The third purpose of the study is to educate employees, suppliers, or basically any individual who has the potential to be categorized as an insider threat. By educating potential insider threats, people will be better placed to avoid becoming actual insider threats (Punithavathani, Sujatha & Jain, 2015; Williams et al., 2018).

Research Questions

The research questions are aligned with the problem statement and the purpose of the research (Graue, 2015). The research is primarily interested in knowing whether the insider threat is indeed the single biggest challenge to cyber security. In addition, the research is also interested in knowing how the insider threat can be effectively dealt with or mitigated. Furthermore, the research is interested in establishing whether dealing with or mitigating insider threats can significantly improve cyber security, based on the belief that the insider threat is the biggest security challenge for not only cyber security but also cybersecurity. The primary purpose of the research is to formulate policies and measures for effectively dealing with cyber security concerns by answering the following questions:

1. How do higher education learning institutions mitigate cyber security threats?

2. What are the measures that can be put in place to effectively deal with the insider threat in order to bring significant changes in cyber security?

The above research questions will make two things possible. The first is the identification of measures or controls that can be implemented or adapted to deal with or mitigate the insider threat. The second is the confirmation of whether dealing with insider threats is the key to having cyber security.

Significance of the Study

The study of insider threats in cyber security and cybersecurity in general is bound to contribute significantly to the world. Insecurity causes corporations, organizations, and institutions all over the world to lose a lot of resources (Fontana & Prokos, 2016). By studying insider threats through this research, the world, and the corporate world in particular, will be better placed to protect itself from insider threats. Concentrating on the study of insider threats and their implications will lead to the development of security protocols that enhance not only cyber security but all sectors of security generally. The insider threat faces companies not only in America but also in other nations of the world; therefore, finding a solution for insider threats helps not only the US but also the world, as it helps to do away with or mitigate a global issue (Aldawood & Skinner, 2018).

The study promises value addition as well as the eradication of problems affecting computer science. IT experts, especially those interested in ensuring that IT security prevails, have for a long time been troubled with how to handle or deal with insider threats. This research will lighten the load on the shoulders of IT experts, because the findings of the research will help security experts in the IT field gain several steps in the fight against cyber security issues (Eriksson & Kovalainen, 2015). Regardless of the results of the study, IT security experts will gain much from the research. They will know whether the insider threat is a threat that can be done away with, or whether it is a threat that is here to stay and can only be mitigated.

There are several beneficiaries of this research. Top on the list of beneficiaries is the academic field. The findings of the study will enable the fields of IT security and cyber security to grow. There will be more information for future scholars than there is currently on the topics of insider threats, cyber security, and cybercrime. Society is the second beneficiary of the research. As earlier mentioned, fraud and, by extension, insider dealings are societal issues in that they are vices that seem to be holding society back. By identifying solutions to insider dealings and insider threats, solutions to a social vice are also identified. The profession of cybersecurity is the third beneficiary, as the field will acquire more information on a major threat (Dumay et al., 2016). In general, this research will provide insight into the field of cyber security and, through the study, better security controls and policies will be formulated. The policies will benefit not only the security sector but also the world.

Organization of the Proposal

This first chapter outlined the purpose of the study, its benefits, and the study’s implications. In chapter two, I will provide an analysis of the current literature on the topic. In chapter three, I outline the methods and procedures to be followed as I answer my research questions. The methodology focuses on a case study.

Definitions of Terms

There are several terms that will be used in the study and they include:

1. Insider Threat - security threats resulting from an employee, supplier or any person with authority from an institution.

2. Cyber Security - the processes in place to protect people, property, and facilities from harm or damage.

3. Technical Security - security geared at protecting technology from security risks.

4. Cybersecurity - the process of protecting networks and related infrastructure from cyber-attacks (Garrard, 2016).

5. Cyber-Crime - crimes committed involving a network or computer.

6. Security Policies - written documents that detail how to protect an organization or institution from security risk.

7. Information Technology (IT) - refers to the reliance on computers and information in the context of business.

8. Rights - refers to the permissions granted to an employee.

9. Privilege - refers to the permissions granted to an employee.

10. Access - refers to the systems and areas employees are authorized to use or visit.

11. System - refers to a set of functions running together under one unit.

12. Threat Management - refers to the assessing and controlling of risk in cyber security.

13. Risk Assessment - refers to the analysis of risk with the aim of classifying the risk.

14. Insider Risk - refers to the security risks that are associated with having employees, suppliers or any individual with access, rights or privileges in an organization or institution.

Chapter II: Literature Review

The literature review is based on articles and research reports published in the last ten years. The review will be carried out on online academic databases, including EBSCOhost and Google Scholar, among others. The review focuses on how Bring Your Own Device (BYOD) protocols can be exploited by insiders to expose institutions to cyber security concerns.

In order to get a hint of why the research team states that the insider threat is the biggest threat to cyber security, and why dealing with the insider threat does away with most security concerns, it is proper to understand how insiders can lead to insecurity. For example, a lapse in closing up or properly securing an entrance as expected, whether intentional or not, can lead to theft which can destabilize a company (Fennelly, 2016). The stealing of company property such as laptops by employees, simply because they have access to a floor, is a security breach that can cost a company dearly, bearing in mind the amount and type of data that can be housed in a laptop (Mavroeidis, Vishi & Jøsang, 2018).

The introduction of devices that can copy data such as flash disks and other external devices to computers in a secured network is another example of how insiders can bring lapses in security (Eggenschwiler, Agrafiotis & Nurse, 2016). There are many incidences in which company employees have granted access to hackers by simply connecting external devices that act as doors or access points (Ali & Awad, 2018). There are similarly many incidences in which company employees have stolen important data from their employers using their mobile phones and external hard drives (DiMase et al., 2015).

The above crimes and security issues have been possible simply because employees misused or abused the rights and access granted to them by their employers (Sarma et al., 2017). There are countless times that we have heard of schools being robbed simply because of information shared by some employees with the robbers (Mylrea et al., 2018). Employees share information that is crucial for bypassing security protocols because they are privy to such information or can access it easily.

From the little research that is available on the research topic, many researchers have alluded to the need for further research on the insider threat and how to effectively deal with it (Wang, Gupta & Rao, 2015). According to Denis Smith, insider threats are born from lapses by senior managers. Denis carried out a study which revealed that senior managers, and not executive managers, create the conditions in which cyber security can fail, through poor decision making, the erosion of controls and the creation of cultures that lead to failures in cyber security. Senior managers hold the biggest responsibility as far as the implementation of security policies in organizations is concerned, and it is for that reason that their lapses can lead to major breaches in cyber security (Fischbacher-Smith, 2015). If senior managers can improve their interactions with junior employees in organizations, the insider threat will be significantly dealt with (Deng, Mahadevan & Zhou, 2015).

Five researchers from Europe carried out a study on the insider threat and identified it as the most difficult cyber-security issue to deal with, because it poses a threat to both cyber security and technical security. In their publication, the five researchers offer insight into how incidents that involve insiders can be classified, how insider threats can be detected early, before they become a reality, how working and reliable frameworks already in place for dealing with insider threats can be replicated to ensure security prevails, and how to identify trends relating to insider threats. The researchers argue that the majority, if not all, of cyber-crimes happen or are possible due to insider help (Homoliak et al., 2019; Harilal et al., 2018). The researchers believe that if the insider threat is dealt with, most security concerns will be dealt with.

Based on the explanation of how insider threats are a concern for cyber security and the review of previous research on the topic, it is evident that further research is needed on the insider threat and cyber security. The study below will look to explain how properly dealing with the insider threat can lead to enhanced cyber security. The study will concentrate on finding as much information as possible on how mitigating the insider threat can lead to better cyber security. The study topic is important as it promises to provide a solution to the menacing issues affecting cyber security. The fact that the insider threat has been identified as the most challenging threat in cyber security suggests that if solutions for dealing with insider threats are identified, the world would have proper and reliable solutions for cyber security.

The Value Access Management Brings to Learning Institutions

There are five values that access management brings to an organization. Top on the list is that it helps reduce the data entry errors that arise when important services are used by unskilled or unqualified users. The second value is that access management provides the capability to revoke user rights on a timely basis, which is particularly important when security is at stake.

The third value is that access management ensures that employees or users have the right access levels to perform or execute their duties. The fourth value is that access management enables organizations and institutions to maintain data and information confidentiality. The last value is that access management grants organizations the ability to audit and track how their systems are used. This is particularly important for tracing the abuse of rights and privileges.

Access Controls for Devices

There are five main types of access controls for devices. The first type is Mandatory Access Control (MAC), which is often used by institutions that deal with highly sensitive information, such as the military and the government. For mobile devices that are under a mandatory access control policy, most services or systems that can be accessed via the handset are under the full control of the central authority, which might be the IT unit of the institution.

The second type of access control that is used on devices is discretionary access control (DAC). The policy that guides DAC enables administrators to limit the propagation of access rights. Unlike MAC, DAC does not have centralized control, and for that reason it is the worst access control management policy that can be used for mobile devices as far as curtailing the insider threat in learning institutions is concerned. The third type is role-based access control (RBAC). This control restricts the rights a user has; it helps in restricting the resources that a user can access. Organizations that use RBAC policies to control BYOD devices limit the functions of users when accessing an institution's network or systems.

The fourth type of access control that is used on devices is rule-based access control. In this type of access control, the administrator determines the resources that can be accessed, for how long, and at what time; access to a service is pegged on the rules and policies of an organization or institution. Most of the time, rule-based access control is used to complement role-based access control. An example of an institution or organization that uses rule-based control is a school. Schools have operating hours, and for that reason they have restrictions on the times at which employees can access their systems or resources.

The last type of access control used on devices is attribute-based access control (ABAC). This control sets policies for device access rights by evaluating the relationships, policies, and rules that govern systems and users, as well as the environmental conditions (Hu et al., 2015). It is used by the military and by institutions that rely on sensitive data, such as power plants. In most cases, an organization’s resources and network can only be accessed when the devices are within a specified range; the range is specified by the system administrators.
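As an added illustration of how the role-based, rule-based and attribute-based controls described above can be layered for a school (this is example code, not code from the proposal or any cited study), the following Python sketch evaluates each device request through RBAC, then the operating-hours rule, then device attributes, and keeps the audit trail that access management is said to provide; all role names, resources, hours, devices and networks are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample policy for a hypothetical university; the role names,
# resources and hours below are assumptions, not taken from the proposal.

# RBAC layer: which actions each role may take on each resource.
ROLE_PERMISSIONS = {
    "student":   {"lms": {"read"}},
    "lecturer":  {"lms": {"read", "write"}, "grades": {"read", "write"}},
    "registrar": {"student_records": {"read", "write"}, "grades": {"read"}},
}

# Rule-based layer: operating hours per resource; a resource with no entry
# is available around the clock. This is the "schools have operating hours"
# case, complementing the role check rather than replacing it.
OPERATING_HOURS = {
    "student_records": (time(8, 0), time(18, 0)),
    "grades":          (time(8, 0), time(18, 0)),
}

# ABAC layer: sensitive resources may only be reached from a managed device
# on the campus network (the "within a specified range" condition).
SENSITIVE_RESOURCES = {"student_records", "grades"}
TRUSTED_NETWORKS = {"campus"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    device_managed: bool   # enrolled in the institution's device management
    network: str           # where the device is connecting from
    when: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str             # the layer that produced the decision
    reason: str


class AccessManager:
    """Evaluates revocation, RBAC, rule-based and ABAC checks in order and
    records every decision so that abuse of rights can be traced later."""

    def __init__(self) -> None:
        self.audit: list = []
        self.revoked: set = set()

    def revoke(self, user: str) -> None:
        # Timely revocation of rights, independent of the role tables.
        self.revoked.add(user)

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.audit.append((req, decision))   # audit trail of every request
        return decision

    def _evaluate(self, req: Request) -> Decision:
        if req.user in self.revoked:
            return Decision(False, "revocation", f"rights of {req.user} were revoked")
        actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
        if req.action not in actions:
            return Decision(False, "rbac", f"role {req.role} may not {req.action} {req.resource}")
        hours = OPERATING_HOURS.get(req.resource)
        if hours is not None:
            start, end = hours
            if not (start <= req.when.time() < end):
                return Decision(False, "rule", f"{req.resource} is closed at {req.when:%H:%M}")
        if req.resource in SENSITIVE_RESOURCES:
            if not req.device_managed:
                return Decision(False, "abac", "unmanaged (BYOD) device")
            if req.network not in TRUSTED_NETWORKS:
                return Decision(False, "abac", f"device is off campus ({req.network})")
        return Decision(True, "all", "permitted")

    def denied_for(self, user: str) -> list:
        # Simple audit query: all denials attributed to one user.
        return [d for r, d in self.audit if r.user == user and not d.allowed]


def demo() -> list:
    """Runs constructed requests through the manager; returns decisions in order."""
    mgr = AccessManager()
    day = datetime(2024, 3, 4, 10, 30)     # within operating hours
    night = datetime(2024, 3, 4, 22, 15)   # after hours
    requests = [
        Request("alice", "lecturer", "grades", "write", True, "campus", day),
        Request("bob", "student", "grades", "write", True, "campus", day),
        Request("carol", "registrar", "student_records", "read", True, "campus", night),
        Request("alice", "lecturer", "grades", "read", False, "home", day),
        Request("bob", "student", "lms", "read", False, "home", night),
    ]
    results = [mgr.decide(r) for r in requests]
    mgr.revoke("alice")                     # the "timely revocation" value
    results.append(mgr.decide(requests[0]))
    return results


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.layer, "-", d.reason)
```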

BYOD Security Challenges

Bill Morrow conducted a study in 2012 to assess the security implications of allowing BYOD. Bill noted in his study that several trends were impacting an institution's ability to secure and control the use and sharing of sensitive corporate data. The first trend that he identified as causing trouble for system administrators was the use of software as a service, because that service encourages the use of BYOD. This is a security concern, as software as a service allows business partners, employees and learners to access information that concerns an institution on devices that are not managed by system administrators or IT departments.

According to Bill, as much as there are access controls in place, they seem to be inadequate at preventing data leakage. In concluding his study, Bill stated that organizations should stop making distinctions between devices outside an institution’s network and devices inside the institution’s network. Bill argues that all devices should be treated the same; all devices should comply with all IT security policy requirements (Morrow, 2012). In defense of this view, Bill states that it is the distinguishing of devices that leads to the creation of loopholes that can be exploited by cyber-criminals.

The Internet of Things: New Interoperability, Management, and Security Challenges

The article, written by Mahmoud, Cheung, and Seyed, focuses on the challenges of the Internet of Things as far as maintaining security is concerned. According to the three researchers, the lack of clear interoperability between devices is making it easy for information technology systems to be breached. The three researchers state in their report that mobile phones play a significant role in security breaches, as they are the devices used to link other devices on the Internet of Things.

The three researchers also state that there are not enough access management systems or processes to secure mobile phones. In defense of that statement, the researchers note that mobile phones are easy to hack, considering the networks that they use. Once a mobile phone is hacked, a hacker can access resources and even other devices on the network. This is much more destructive if the mobile phone is connected to, or has access to, an organization's or institution's network.

Since the study was pegged on surveys, the researchers drew two major conclusions. The first conclusion was that access management processes for mobile phones or handheld devices need to be more advanced, owing to the role that mobile devices play in the interoperability of the Internet of Things. The second conclusion was that it is important to develop a multifaceted approach to the Internet of Things in order to reduce the security challenges associated with the technology (Elkhodr, Shahrestani & Cheung, 2016).

BYOD Supporting Insider Threat Success: A New Security Challenge

According to an article written by Maumita and Kathleen, BYOD is a growing trend in institutions for three main reasons. The first and main reason is that it is cheaper to have employees or learners use their own devices to carry out their functions than for institutions to provide computers and related devices to their employees and learners. In addition, institutions have fewer devices or resources to manage when Bring Your Own Device is in play.

Unfortunately, according to Maumita and Kathleen, as much as Bring Your Own Device saves institutions money, it also poses a great risk to data and intellectual property security. As part of their study, the two researchers focus on two risk areas in reference to Bring Your Own Device (BYOD). The first and main risk concern of BYOD, according to the researchers, was that there were few effective access management systems or processes for BYOD (Downer & Bhattacharya, 2015).

The control measures, procedures, and processes recommended for BYOD were hard to implement because the devices are not owned by the organizations. There is very little that an organization can do since the devices are not theirs. According to the researchers, the best organizations can do as far as access management is concerned is to restrict and manage the systems and resources used or accessed once a BYOD is connected to an organization's network.

The second risk area was that very few effective frameworks are known for the use of BYOD. As it stands, there is no properly structured framework that ensures institutions secure their data or information when BYODs are in use. Many organizations are relying on the integrity that their employees claim to have to ensure that there is no data leakage.

Analysis of the Review

A look at the three articles reviewed reveals three main things. The first is that the access management controls, processes or procedures in use for BYODs are not effective enough at preventing breaches. Some measures are effective at restricting, but not at preventing, security breaches. In two of the articles reviewed, the fact that people are using their own devices makes it much harder to control what they can or cannot do with those devices.

The second finding was that it is much more difficult to control access to a network, or to devices connected to a network, from mobile devices owned by individuals. Access can be managed on the network side, but very little can be done to restrict unauthorized users from accessing what is already permitted once a person has access to the device.

The third finding was that there is no clear and effective framework that guides how to properly implement the bring your own device operational model. The lack of a clear framework makes it harder to put effective access management policies and guidelines in place. All the concerns raised about BYOD contribute significantly to the effectiveness of insider threats as far as cyber security is concerned.

Chapter III: Research Methodology

The research will take a qualitative approach to gather data on the research topic by analysing information conveyed through behaviour and language in the study subjects' natural environment. Unlike the quantitative methodology, the qualitative methodology allows the researcher time to gather data about the feelings, values, beliefs and motivations that lead to certain behaviours (Katz, 2015). This methodology will be crucial for understanding why insiders might consider abusing a privilege or right in a way that exposes the company or organization they work for to cyber security risks (Rahman, 2017). The qualitative research method is best for answering "why" questions in research (Creswell & Creswell, 2017). It will help to explain why the insider threat is claimed to be the biggest threat to cyber security, and through that it will be possible to establish whether doing away with or mitigating the internal threat will improve cyber security significantly.

There are three other reasons why the research will use a qualitative approach. The first reason is that the methodology creates openness: it allows participants to clearly express themselves regarding the study topic. This will be critical, as the research team is on a path-finding mission to understand why insiders are a threat to cyber security and which measures are best suited to handling the threat posed by insiders. The second reason is that the methodology helps to capture the individual experiences of people (Berger, 2018). This is important because there are varying reasons why insiders might opt to breach security or might accidentally cause a security breach. The third reason is that the methodology attempts to avoid prejudgement. Since this research is based on the results of quantitative studies (the two pieces of literature reviewed), the qualitative research methodology can help explain why the particular findings of the previous research were realized.

Overview of the Research Method and Design: A Qualitative Approach

Data collection will be done through a review of previous research on insider threats and cyber security and through a case study. The review and case study will enable the researcher to gather as much information as possible (Hart, 2018).

The qualitative research methodology will be useful for the study, as the researcher will be able to gather information on the views and beliefs of people, unlike with the quantitative approach (Booth, Sutton & Papaioannou, 2016; Katz, 2015). The quantitative approach does not allow the views and beliefs of people to be incorporated into a study (Graue, 2015). The approach is also important in supporting and explaining previous research that followed a quantitative approach (Houghton et al., 2015).

Cyber attacks pose a number of risks to the world of higher education that go beyond financial losses. Educational institutions hold a large amount of sensitive data, ranging from student biological security information to valuable intellectual property, which, if stolen, might have far-reaching consequences well beyond the doors of the institution. Cyber attacks are also a serious danger to a university's reputation and to the safety of its students, which is perhaps even more crucial than the possible financial damages mentioned above (Aldawood et al., 2018).

Because cyber security threats are continuously developing, schools must reinvest in both the personnel and the infrastructure necessary to tackle the cyber security challenges of the future. This study will provide more insight into the significance of building cyber security knowledge in institutions of higher learning, as well as ways of dealing with the issues these institutions face. Following an examination of why colleges and universities are particularly vulnerable to cyber attacks, we will strive to understand the strategies attackers employ to exploit these vulnerabilities, with the goal of developing a set of recommendations to better prepare schools and universities to address cyber threats in the future (Aldawood et al., 2018).

Research Questions

1. How do higher education learning institutions mitigate cyber security threats?

2. What are the measures that can be put in place to effectively deal with the insider threat in order to bring significant changes in cyber security?

Case Study Design

The qualitative research methodology will be useful for the study, as the researcher will be able to gather information on the views and beliefs of people, unlike with the quantitative approach (Booth, Sutton & Papaioannou, 2016; Katz, 2015). The quantitative approach does not allow the views and beliefs of people to be incorporated into a study (Graue, 2015). The qualitative approach will allow the research team to interact with potential insiders who might breach security policies and protocols. The approach will also be important in supporting and explaining previous research that followed a quantitative approach (Houghton et al., 2015).

To conduct the qualitative study, a case study research design will be utilized. Case study research explores an issue through one or more cases within a system or organization (Creswell and Creswell, 2017). Given the constraints in the project timeline, only one case will be explored through interviews, observations, and artifact analysis.

Research Context

According to research issued by Bit Sight (a cyber risk management business), higher education had the highest rate of cybercrime among all industries evaluated, and the second highest rate according to a 2017 analysis by the same company. As a result, institutions are working feverishly to strengthen their protection against potentially catastrophic losses.

The study will focus on individuals who have interacted with the systems of higher learning institutions and their security. The case study will be conducted at a private Christian university in the Midwest. This research context was chosen based on existing information supporting that higher learning institutions are among the top victims of cybercrime. The case study method allows for a deeper analysis given the smaller sample size. Additionally, existing information supports that insiders are the biggest threat to cyber security (Hadlington, 2021).

Study Participants

The research will involve having 12 participants interviewed and observed during a five-month research period. The participants will include one IT security expert, six students of the selected University, and five junior employees of the University. Using both convenience and purposive sampling to form the case study group, these 12 participants will be selected based on position and experience, as well as availability and willingness to participate in the interview process.

Junior employees are also the target of security protocols and policies, and for that reason they are best placed to explain which security policies might curtail insider threats. IT security experts are included among the participants because they can share their experiences regarding insider threats and cyber security in general. Gaining a variety of perspectives to form the case study group is a top priority.

Data Collection Procedures

There are several qualitative data collection methods; however, only three of the available methods will be used to collect the research data. The first method is the interview method (Willis et al., 2018). All participants will be interviewed one-on-one over the Zoom platform using open-ended questions. The second data collection method is the observation method. A group of doctoral researchers and professors will be observed as they work through two cyber security scenarios. The third data collection method is artifact analysis, reviewing the available documents and tools used for cybersecurity at the university being studied. Together these methods will enable the researcher to gather a variety of data for a critical, in-depth look at cybersecurity challenges in higher education.

Interviews

The interviews focus on gathering information from a variety of university stakeholders concerning cyber security. The security expert, junior employees and students of the university will be interviewed to gather information on how the insider threat is a concern for the university and other higher learning institutions. All participants will need to sign an informed consent form for their participation in the study. All participant data will be stored on a password-protected computer, and all results will be shared using pseudonyms to protect participant identity. Participants will be asked the following six open-ended interview questions:

1. Do you believe the university and other higher learning institutions are safe from cybercrime? Please explain.

2. Have you experienced or heard of a security breach within the university?

3. If yes, what was the type of breach and what do you believe made it possible for the breach to be successful?

4. What do you believe makes the institution's system and information vulnerable to cyber-crime and related crimes?

5. Have you heard of BYODs? If yes, what role do they play concerning cyber security?

6. What are the security measures that you think the university and other higher learning institutions should adopt to reduce the attack surface area for cyber attacks?

Scenario Observation Groups

There are different observation methods that can be used in research, including participant observation, naturalistic observation and controlled observation. The study will employ both the naturalistic and controlled observation techniques, primarily because this offers the researcher an opportunity to conduct a scenario-based discussion (controlled observation) within the context of a real higher-learning setting (naturalistic observation).

For the proposed research study, the researcher will observe and analyze how a group of doctoral-level computer science researchers and professors respond to each cybersecurity scenario (see Appendix B).

Using two of the six scenarios prepared by the Center for Internet Security (2018), the researcher will present the scenarios to a group of doctoral researchers in the Department of Computer Science on the Zoom platform during one of their regular class sessions. The purpose of the observation is to provide an opportunity for the participants to confront a cybersecurity scenario while the researcher gains insight into how a team within the case study context navigates cybersecurity issues. Each observation group will run for approximately 20 minutes. From the observation and analysis, the researcher will gain insight into how cyber crime impacts higher learning institutions. The researcher will facilitate each observation session, and the sessions will be audiotaped and transcribed for analysis. All participants will sign an informed consent form (see Appendix A).

Artifacts

A collection of artifacts will be studied to support the data analysis within the case study context. The artifacts selected for this study are available on the university website and are used to educate staff and students and to prevent cyber security attacks. Analysis of the artifacts reviewed reveals that a lack of understanding, as well as the overlooking of IT security protocols in higher learning institutions, exposes such institutions to cyber crime. The artifacts being studied include:

1. Cybersecurity Awareness Training Video

2. Information Systems and Technology Policy and Procedures

3. IT Solutions Website

Data Analysis Procedures

This research will apply an iterative procedure to analyze the qualitative data gathered for the study, using both a holistic and an embedded analysis approach. All data will first be coded in order to determine major categories and themes. Interpreting qualitative data is highly subjective; therefore, mechanisms for establishing dependability must be created. After the initial codes and themes are developed, the data will be re-analyzed according to those themes to guide an interpretive meaning of the case. These themes will guide the written analysis of the findings in Chapter 4 of the dissertation to reveal insights about the case being investigated.

Data Collection and Analysis Timeline

Month | Data Collected

June
· Secure participants for the study and obtain informed consent.
· Conduct initial analysis on artifacts selected for the study.

July
· Conduct interviews with 4 of the participants. Transcribe for initial analysis.
· Conduct observation #1 group scenario. Transcribe audio for initial analysis.

August
· Conduct interviews with 4 of the participants. Transcribe for initial analysis.
· Conduct observation #2 group scenario. Transcribe audio for initial analysis.

September
· Conduct interviews with 4 of the participants. Transcribe for initial analysis.
· Develop initial codes/themes for deeper analysis.
· Conduct synthesis analysis of all data collected (interviews, observations, and artifacts).

October
· Conduct any follow-up interviews if needed (based on initial analysis).
· Conduct synthesis analysis of all data collected (interviews, observations, and artifacts).

References

Agrafiotis, I., Nurse, J. R., Buckley, O., Legg, P., Creese, S., & Goldsmith, M. (2015). Identifying attack patterns for insider threat detection. Computer Fraud & Security, 2015(7), 9-17.

Aldawood, H., & Skinner, G. (2018, December). Educating and raising awareness on cybersecurity social engineering: A literature review. In 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE) (pp. 62-68). IEEE.

Ali, B., & Awad, A. (2018). Cyber and cyber security vulnerability assessment for IoT-based smart homes. Sensors, 18(3), 817.

Alotaibi, B., & Almagwashi, H. (2018, April). A Review of BYOD Security Challenges, Solutions and Policy Best Practices. In 2018 1st International Conference on Computer Applications & Information Security (ICCAIS) (pp. 1-6). IEEE.

Berger, A. A. (2018). Media and communication research methods: An introduction to qualitative and quantitative approaches. Sage Publications.

Bertino, E. (2016). Security threats: Protecting the new cyber frontier. Computer, 49(6), 11-14.

Booth, A., Sutton, A., & Papaioannou, D. (2016). Systematic approaches to a successful literature review. Sage.

Bunn, M., & Sagan, S. D. (Eds.). (2017). Insider Threats. Cornell University Press.

Cole, E. (2015). Insider threats and the need for a fast and directed response. SANS Institute InfoSec Reading Room, Tech. Rep.

Collins, M. (2016). Common sense guide to mitigating insider threats (No. CMU/SEI-2016-TR-015). Carnegie Mellon University, Pittsburgh, PA.

Creswell, J. W., & Creswell, J. D. (2017). Research design: Qualitative, quantitative, and mixed methods approach. Sage publications.

Deng, Y., Mahadevan, S., & Zhou, D. (2015). Vulnerability Assessment of Physical Protection Systems: A Bio-Inspired Approach. International Journal of Unconventional Computing, 11.

DiMase, D., Collier, Z. A., Heffner, K., & Linkov, I. (2015). Systems engineering framework for cyber-cyber security and resilience. Environment Systems and Decisions, 35(2), 291-300.

Downer, K., & Bhattacharya, M. (2015, December). BYOD security: A new business challenge. In 2015 IEEE International Conference on Smart City/SocialCom/SustainCom (SmartCity) (pp. 1128-1133). IEEE.

Dumay, J., Bernardi, C., Guthrie, J., & Demartini, P. (2016, September). Integrated reporting: A structured literature review. In Accounting Forum (Vol. 40, No. 3, pp. 166-185). Taylor & Francis.

Eberz, S., Rasmussen, K., Lenders, V., & Martinovic, I. (2015). Preventing lunchtime attacks: Fighting insider threats with eye movement biometrics.

Eggenschwiler, J., Agrafiotis, I., & Nurse, J. R. (2016). Insider threat response and recovery strategies in financial services firms. Computer Fraud & Security, 2016(11), 12-19.

Elkhodr, M., Shahrestani, S., & Cheung, H. (2016). The internet of things: new interoperability, management, and security challenges. arXiv preprint arXiv:1604.04824.

Eriksson, P., & Kovalainen, A. (2015). Qualitative methods in business research: A practical guide to social research. Sage.

Fennelly, L. (2016). Effective cyber security. Butterworth-Heinemann.

Fischbacher-Smith, D. (2015). The enemy has passed through the gate: Insider threats, the dark triad, and the challenges around security. Journal of Organizational Effectiveness: People and Performance, 2(2), 134-156.

Fontana, A., & Prokos, A. H. (2016). The interview: From formal to postmodern. Routledge.

Garrard, J. (2016). Health sciences literature review made easy. Jones & Bartlett Learning.

Gheyas, I. A., & Abdallah, A. E. (2016). Detection and prediction of insider threats to cybersecurity: a systematic literature review and meta-analysis. Big Data Analytics, 1(1), 6.

Graue, C. (2015). Qualitative data analysis. International Journal of Sales, Retailing & Marketing, 4(9), 5-14.

Hadlington, L. (2021). The “human factor” in cybersecurity: Exploring the accidental insider. In Research anthology on artificial intelligence applications in security (pp. 1960-1977). IGI Global.

Harilal, A., Toffalini, F., Homoliak, I., Castellanos, J. H., Guarnizo, J., Mondal, S., & Ochoa, M. (2018). The Wolf Of SUTD (TWOS): A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition. JoWUA, 9(1), 54-85.

Hart, C. (2018). Doing a literature review: Releasing the research imagination. Sage.

Homoliak, I., Toffalini, F., Guarnizo, J., Elovici, Y., & Ochoa, M. (2019). Insight into insiders and it: A survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Computing Surveys (CSUR), 52(2), 30.

Houghton, C., Murphy, K., Shaw, D., & Casey, D. (2015). Qualitative case study data analysis: An example from practice. Nurse Researcher, 22(5).

Hu, P., Li, H., Fu, H., Cansever, D., & Mohapatra, P. (2015, April). Dynamic defense strategy against an advanced persistent threat with insiders. In 2015 IEEE Conference on Computer Communications (INFOCOM) (pp. 747-755). IEEE.

Hu, V. C., Kuhn, D. R., Ferraiolo, D. F., & Voas, J. (2015). Attribute-based access control. Computer, 48(2), 85-88.

Jorgensen, D. L. (2015). Participant observation. Emerging trends in the social and behavioral sciences: An interdisciplinary, searchable, and linkable resource, 1-15.

Katz, J. (2015). A theory of qualitative methodology: The social system of analytic fieldwork. Méthod(e)s: African Review of Social Sciences Methodology, 1(1-2), 131-146.

Keyes, J. (2016). Bring your own devices (BYOD) survival guide. Auerbach Publications.

Kirwan, G. (Ed.). (2011). The Psychology of Cyber Crime: Concepts and Principles. IGI Global.

Kondakci, Y., & Van den Broeck, H. (2009). Institutional imperatives versus emergent dynamics: A case study on continuous change in higher education. Higher Education, 58(4), 439-464.

Liu, L., De Vel, O., Han, Q. L., Zhang, J., & Xiang, Y. (2018). Detecting and preventing cyber insider threats: a survey. IEEE Communications Surveys & Tutorials, 20(2), 1397-1417.

Lune, H., & Berg, B. L. (2016). Qualitative research methods for the social sciences. Pearson Higher Ed.

Mavroeidis, V., Vishi, K., & Jøsang, A. (2018, August). A framework for data-driven cyber security and insider threat detection. In 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM) (pp. 1108-1115). IEEE.

Morrow, B. (2012). BYOD security challenges: Control and protect your most sensitive data. Network Security, 2012(12), 5-8.

Mylrea, M., Gourisetti, S. N. G., Larimer, C., & Noonan, C. (2018, May). Insider threat cybersecurity framework webtool & methodology: Defending against complex cyber-physical threats. In 2018 IEEE Security and Privacy Workshops (SPW) (pp. 207-216). IEEE.

Punithavathani, D. S., Sujatha, K., & Jain, J. M. (2015). Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence. Cluster Computing, 18(1), 435-451.

Rahman, M. S. (2017). The advantages and disadvantages of using qualitative and quantitative approaches and methods in language "testing and assessment" research: A literature review. Journal of Education and Learning, 6(1), 102-112.

Sanzgiri, A., & Dasgupta, D. (2016, April). Classification of insider threat detection techniques. In Proceedings of the 11th annual cyber and information security research conference (p. 25). ACM.

Sarma, M. S., Srinivas, Y., Abhiram, M., Ullala, L., Prasanthi, M. S., & Rao, J. R. (2017, November). Insider Threat Detection with Face Recognition and KNN User Classification. In 2017 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM) (pp. 39-44). IEEE.

Shah, N., & Shankarappa, A. (2018, October). Intelligent risk management framework for BYOD. In 2018 IEEE 15th International Conference on e-Business Engineering (ICEBE) (pp. 289-293). IEEE.

Shannon, L. J. Y., & Bennett, J. (2012). A case study: Applying critical thinking skills to computer science and technology. Information Systems Education Journal, 10(4), 41.

Spradley, J. P. (2016). Participant observation. Waveland Press.

Tuor, A., Kaplan, S., Hutchinson, B., Nichols, N., & Robinson, S. (2017, March). Deep learning for unsupervised insider threat detection in structured cybersecurity data streams. In Workshops at the Thirty-First AAAI Conference on Artificial Intelligence.

Walton, H. (2016). Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation. Routledge.

Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1).

Williams, M. L., Levi, M., Burnap, P., & Gundur, R. V. (2018). Under the corporate radar: Examining insider business cybercrime victimization through an application of routine activities theory. Deviant Behavior, 1-13.

Willis, J., Surles, T., Silverberg, M., Kendall, S., LoCascio, H., Gernsheimer, J., ... & Smith, T. (2018). Are standardized video interview scores predictive of interview performance? Western Journal of Emergency Medicine: Integrating Emergency Care with Population Health, 19(4.1).

Yamin, M. M., & Katt, B. (2019, January). Mobile device management (MDM) technologies, issues, and challenges. In Proceedings of the 3rd International Conference on Cryptography, Security and Privacy (pp. 143-147). ACM.

Appendix A: Informed Consent Form


Informed Consent Form

I am working on a research project on cyber security, and I'd like to invite you to take part in this study. You were chosen as a participant because you either are an expert in, have experience with, have perpetrated, or are a potential victim of a cyber security attack. Before agreeing to participate in the study, please read this form and ask any questions you may have.

This study is being conducted by researcher Prem chander Boinapally.

Background Information:

This research has three main purposes. The first purpose is to identify how the insider threat can be mitigated or done away with, with the intention of improving not only cyber security but all types of security, including technical security. The second purpose of the study is to confirm or dispel the belief that the insider threat is the single biggest challenge hampering cybersecurity. Through that confirmation, industry stakeholders will be better informed to make better decisions concerning cybersecurity. The third purpose of the study is to educate employees, suppliers or any individual who has the potential to be categorized as an insider threat. By educating potential insider threats, people will be better placed to avoid becoming actual insider threats.

Procedures:

I'm going to ask you to do the following. When the interviewer conducts the survey face to face, provide pertinent information and your assessment in your answers. The information you submit will be kept private. You can ask the researcher questions at any time during the study. Before taking the survey, you must complete a consent form.

Risks and Benefits of Being in the Study:

The study contains a number of drawbacks. The institution may dismiss employees for disclosing knowledge of system breaches that have not been made public. Additionally, institutions that feel compelled to hide such knowledge may issue threats.

If you choose to engage in this study and be recorded, there is no danger of mental distress. If assistance is required, I can be reached at prem.boinapally@student.judsonu.edu

You will receive no immediate rewards from participating in this study.

The direct benefits of your participation include increased awareness to aid in the battle against cyber security breaches. Participants will become more aware of cybercriminals and better protected from them.

Confidentiality:

Pseudonyms will be used in place of participant or location names in any publications of the results. The findings of this study will be kept confidential. I shall not include any information in any report I post that could be used to identify you in any manner. The study documents, as well as video and audio recordings, will be kept secure; only my Judson University research advisor and I will have access to them.

Video Recordings

Video recordings may be made for data analysis, and sections of the recordings may be shown in a professional setting. Participants may be identifiable to those who recognize them in video-recorded artifacts, despite the fact that real names will not be used in study presentations and responses will be treated anonymously with respect to anybody outside the project research personnel. Records will be preserved until the degree is completed, after which they will be destroyed. If you agree to have your image recorded, please sign below. If you do not want your image recorded, you can still participate in this study; the camera will be placed in the classroom at an angle that prevents your image from being captured.

___________________________ ______________

Signature Date

Audio Recordings

Audio recordings of interviews may be made for data analysis, and portions of the recordings may be presented in a professional setting. Participants may be identifiable to those who recognize them in audio-recorded artifacts, despite the fact that real names will not be used in research presentations and responses will be treated confidentially with respect to anybody outside the project research personnel. Records will be preserved until the degree is completed, after which they will be destroyed. If you agree to have the interview(s) audio recorded, please sign below. If you do not want your interview(s) to be audio recorded, you can still participate in this project.

__________________________ ___________

Signature Date

Voluntary Nature of the Study:

It is totally up to you whether or not you participate in this study. Your choice to participate or not will have no bearing on your existing or future relationships with your employer or Judson University. If you decide to take part in the study, you can opt out at any moment without consequence. If you decide to leave the study, the information we have about you or your pupils will only be utilized up to the point where you leave.

Contacts and Questions

Hello, my name is Prem chander Boinapally. You are free to ask any questions you have at any time during the study process. You can reach me at prem.boinapally@student.judsonu.edu if you have any questions. You can also reach out to dana.onayemi@judsonu.edu, my advisor.

You will be given a copy of this form to keep for your records.

Statement of Consent:

I have read the information provided above. My questions have been satisfactorily answered. I agree to take part in the research.

___________________________ ________________

Printed Name of Participant Date

___________________________ ________________

Signature of Study Participant Date

___________________________ ________________

Signature of Researcher Date

Appendix B: Scenario Observation Group Protocol

Description:

This document serves as a guide for conducting the observations. Using two of the six scenarios prepared by the Center for Internet Security (2018), the researcher will present the scenarios to a group of doctoral researchers in the Department of Computer Science on the Zoom platform. The purpose of the observation is to provide an opportunity for the participants to confront a cybersecurity scenario. Each observation group will run for approximately 20 minutes. The researcher will facilitate each observation session, and the sessions will be audiotaped and transcribed for analysis.

Researcher Script:

Good (morning/afternoon). I want to start by thanking you for your willingness to participate in this study. I will be audio recording this session for later data analysis in addition to taking notes during the session. Please know that I will protect your identity and that only my dissertation committee members and myself will see these data.

For this research experience, you will be presented with two cybersecurity scenarios. You are to assume the role of a cybersecurity team by discussing each scenario and working together to solve the problem. We will work on each scenario for about 20 minutes and then we will have time for questions and answers after the scenario investigations.

Scenarios (From Center for Internet Security, 2018):

1. A Malware Infection (accidental insider)

2. The Cloud Compromise (external threat)
