Case Study 1
APA Writing Sample: Extortion on the Job
Valorie J. King, PhD
April 2, 2014
Running Head: APA WRITING SAMPLE 1
Running Head: APA WRITING SAMPLE 5
Introduction
Writing as Anonymous (2003), the Chief Information Security Officer (CISO) of a major United States (US) corporation told a chilling tale of email based extortion attempts against employees who had received extortion threats via email sent to their corporate email addresses. The corporation, its managers, and the individual employees who were targeted faced a number of issues and dilemmas as they responded to security incident caused by the extortion attempts. In the following analysis, one issue–the enforcement of acceptable use policies–is discussed and critiqued.
Analysis
The Attack
Drive by download attacks occur when a legitimate Web server has been infected with malware or malicious scripts which deliver malware, pornography, or other objectionable material along with the Web page content that the visitor was expecting to see (Microsoft, 2014; Niki, 2009). These types of attacks are difficult to detect and often result in the infection of large numbers of visitors before the infection is detected and removed from the Web site.
In this attack, computers used by the affected employees (victims) were compromised by a drive by download attack (Microsoft, 2014) which resulted in the download of pornographic materials while they were browsing websites which, in turn, had been compromised (Anonymous, 2003). The attackers also obtained each visitor’s email address from the Web browser. Extortion emails were sent to victims demanding credit card payment of hush fees. The extortionists told the victims exactly where the contraband files were located on the computer hard drive and assured the victims that it was impossible to remove those files.
Why the Problem Went Unreported
Anonymous (2003) discovered that he was dealing with “paranoid users who don't trust security people” (p. 1). There are many possible reasons why employees turn into paranoid users who are unwilling to self-report for security incidents, even those which are accidental. Two such reasons are enforcement of zero tolerance for violations and perceptions of unfairness or a lack of justice.
Zero tolerance. The previous CISO implemented a zero tolerance policy with respect to acceptable use policy (AUP) violations (Anonymous, 2003). Under this zero-tolerance policy, a number of employees were terminated (fired), without due process or hearings to establish guilt or innocence. When employees began receiving extortion emails and threats, they believed that their jobs could be placed at risk, regardless of their innocence or guilt with respect to downloading of pornography to company computers, if they reported the presence of pornographic files (pushed to the computer by the extortionists).
Perceptions of fairness and justice. When employees feel that IT policy enforcement is unfair, the situation is usually accompanied by extreme and long-lasting negative feelings or emotions (Flint et al., 2005). The overall result (consequences) in this instance was an increase in unethical behavior as victims attempted to hide or cover-up the extortion attempts (lying) rather than asking their employer for assistance and protection from harm (Moor, 1999). This undesirable result is, in part, due to the employer’s failure to consider the consequences of the application of the zero tolerance policy.
Incident Response
The new CISO treated the extortion situation as a security incident rather than as an employee disciplinary problem (Anonymous, 2003). He and his IT Security Staff investigated the situation and learned that (a) the company’s employees regularly received such threats and (b) some of them had paid the extortionists rather than risk losing their jobs. The CISO directed the IT Security Staff to reconfigure firewalls and other network security appliances to block all further emails containing extortion keywords or from the known IP addresses for the extortionists. The CISO also met with IT staff members to determine what additional protective actions could be taken. Finally, the new CISO met with the IT staff and other selected employees to determine what actions needed to be taken to encourage employees to come forward (self-report) in the future and decrease the atmosphere of fear and distrust that he had inherited.
Summary and Conclusions
In this article, the author highlighted some of the problems that can arise when employers emphasize adherence to rules rather than seeking a balance between rules and outcomes (Anonymous, 2003). The company’s zero-tolerance enforcement of its acceptable use policy resulted in undesirable outcomes, particularly the creation of an atmosphere of fear and secretive behavior. This, in turn, resulted in employees being unwilling to report security incidents. To avoid this problem in the future, corporate management should review the potential negative consequences or outcomes of policy enforcement and address specific circumstances with compassion rather than hardline enforcement (Reynolds, 2007).
References
Anonymous. (2003, February 3). A sordid tale. Chief Security Officer. CSO Online. Retrieved from https://web.archive.org/web/20031119054351/http://www.csoonline.com/read/020103/undercover.html
Flint, D., Hernandez-Marrero, P., & Wielemaker, M. (2005). The role of affect and cognition in the perception of outcome acceptability under different justice conditions. The Journal of American Academy of Business, 7(1), 269-277.
Microsoft. (2014). Microsoft security intelligence report. Retrieved from http://www.microsoft.com/security/sir/glossary/drive-by-download-sites.aspx
Moor, J. H. (1999). Just consequentialism and computing. Ethics and Information Technology, 1(1), 61-69.
Niki, A. (2009, December). Drive-by download attacks: Effects and detection methods. Paper presented at the 3rd IT Student Conference for the Next Generation. Retrieved from http://www.kaspersky.com/fr/images/drive-by_download_attacks_effects_and_detection_methods.pdf
Reynolds, G. W. (2007). Ethics in information technology (2nd ed.). Boston, MA: Thompson Course Technology.