An Analysis of the Impact of Information Security Policies on Computer Security Breach Incidents in Law Firms

Heikkila, Faith M.

01 January 2009

Law firms maintain and store voluminous amounts of highly confidential and proprietary data, such as attorney-client privileged information, intellectual properties, financials, trade secrets, personal, and other sensitive information. There is an ethical obligation to protect law firm client data from unauthorized access. Security breaches jeopardize the reputation of the law firm and could have a substantial financial impact if these confidential data are compromised. Information security policies describe the security goals of a law firm and the acceptable actions and uses of law firm information resources. In this dissertation investigation, the author examined the problem of whether information security policies assist with preventing unauthorized parties from accessing law firm confidential and sensitive information. In 2005, Doherty and Fulford performed an exploratory analysis of security policies and security breach incidents that highlighted the need for research with different target populations. This investigation advanced Doherty and Fulford's research by targeting information security policies and security breach incidents in law firms. The purpose of this dissertation investigation was to determine whether there is a correlation between the timing of security policy development (proactive versus reactive policy development) and the frequency and severity of security breach incidents in law firms of varying sizes. Outcomes of this investigation correlated with Doherty and Fulford's general findings of no evidence of statistically significant relationships between the existence of a written information security policy and the frequency and severity of security breach incidents within law firms. There was also a weak relationship between infrequency of information security policy updates and increase of theft resources. Results demonstrated that, generally, written information security policies in law firms were not created in response to a security breach incident. These findings suggest that information security policies generally are proactively developed by law firms. Important contributions to the body of knowledge from this analysis included the effectiveness of information security policies in reducing the number of computer security breach incidents of law firms, an under represented population, in the information assurance field. Also, the analysis showed the necessity for law firms to become more immersed in state security breach notification law requirements.

computer security breach

data breach incidents

information security policy

law firms

personally identifiable information

state security breach notification laws

Computer Sciences

Best Practices to Minimize Data Security Breaches for Increased Business Performance

Kongnso, Fedinand Jaiventume

01 January 2015

In the United States, businesses have reported over 2,800 data compromises of an estimated 543 million records, with security breaches costing firms approximately $7.2 million annually. Scholars and industry practitioners have indicated a significant impact of security breaches on consumers and organizations. However, there are limited data on the best practices for minimizing the impact of security breaches on organizational performance. The purpose of this qualitative multicase study was to explore best practices technology leaders use to minimize data security breaches for increased business performance. Systems theory served as the conceptual framework for this study. Fourteen participants were interviewed, including 2 technology executives and 5 technical staff, each from a banking firm in the Northcentral United States and a local government agency in the Southcentral United States. Data from semistructured interviews, in addition to security and privacy policy statements, were analyzed for methodological triangulation. Four major themes emerged: a need for implementation of security awareness education and training to mitigate insider threats, the necessity of consistent organization security policies and procedures, an organizational culture promoting data security awareness, and an organizational commitment to adopt new technologies and innovative processes. The findings may contribute to the body of knowledge regarding best practices technology leaders can use for securing organizational data and contribute to social change since secure organizational data might reduce consumer identity theft.

data breaches

data compromise

data security

information security

security awareness

security breach

Business

Databases and Information Systems

In pursuit of a perfect system : Balancing usability and security in computer system development

Matras, Omolara

January 2015

Our society is dependent on information and the different technologies and artifacts that gives us access to it. However, the technologies we have come to depend on in different aspects of our lives are imperfect and during the past decade, these imperfections have been the target of identity thieves, cyber criminals and malicious persons within and outside the organization. These malicious persons often target networks of organizations such as hospitals, banks and other financial organizations. Access to these networks are often gained by sidestepping security mechanisms of computer-systems connected to the organization’s network. Often, the goal of computer-systems security mechanisms is to prevent or detect threats; or recover from an eventual attack. However, despite huge investments in IT-security infrastructure and Information security, over 95% of banks, hospitals and government agencies have at least 10 malicious infections bypass existing security mechanisms and enter their network without being detected. This has resulted in the loss of valuable information and substantial sums of money from banks and other organizations across the globe. From early research in this area, it has been discovered that the reason why security mechanisms fail is because it is often used incorrectly or not used at all.  Specifically, most users find the security mechanisms on their computers too complicated and they would rather not use it. Therefore, previous research have focused on making computer-systems security usable or simplifying security technology so that they are “less complicated” for all types users, instead of designing computers that are both usable and secure. The problem with this traditional approach is that security is treated as an “add-on” to a finished computer-system design. This study is an attempt to change the traditional approach by adjusting two phases of a computer-system design model to incorporate the collection of usability as well as security requirements. Guided by the exploratory case study research design, I gained new insights into a situation that has shocked security specialists and organizational actors alike. This study resulted in the creation of a methodology for designing usable and secure computer-systems. Although this method is in its rudimentary stage, it was tested using an online questionnaire. Data from the literature study was sorted using a synthesis matrix; and analyzed using qualitative content analysis. Some prominent design and security models and methodologies discussed in this report include User-Centered System Design (UCSD), Appropriate and Effective Guidance for Information Security (AEGIS) and Octave Allegro. / Vårt samhälle är beroende av information och olika tekniker och artefakter som ger oss tillgång till den. Men tekniken vi förlitar oss på i olika aspekter av våra liv är ofullkomliga och under det senaste decenniet, har dessa brister varit föremål för identitetstjuvar, cyberbrottslingar och illvilliga personer inom och utanför organisationen. Dessa illvilliga personer riktar ofta sig till nätverk av organisationer såsom sjukhus, banker och andra finansiella organisationer. Tillgång till dessa nätverk uppnås genom att kringgå säkerhetsmekanismer av datorsystem anslutna till organisationens nätverk.   Målet med datorsystemsäkerhet är att förhindra eller upptäcka hot; eller återhämta sig från eventuella attacker. Trots stora investeringar i IT-säkerhet infrastruktur och informationssäkerhet, över 95 % av banker, sjukhus och myndigheter har minst 10 skadliga infektioner kringgå befintliga säkerhetsmekanismer och träda in i sitt nätverk utan att upptäckas. Detta har lett till förlust av värdefulla informationer och stora summor av pengar från banker och andra organisationer över hela världen. Från tidigare forskning inom detta område, har det visat sig att anledningen till att säkerhetsmekanismer misslyckas beror ofta på att den används på ett felaktigt sätt eller används inte alls. I synnerhet menar de flesta användare att säkerhetsmekanismer på sina datorer är alltför komplicerat. Därför har tidigare forskning fokuserat på att göra datorsystemsäkerhet användbar så att den är "mindre komplicerat" för alla typer av användare, i stället för att designa datorer som både är användbara och säkra. Problemet med detta traditionella synsätt är att säkerheten behandlas som ett "tillägg" till en färdig datorsystemdesign.   Denna studie är ett försök att ändra det traditionella synsättet genom att justera två faser av en datorsystemdesign modell för att integrera insamlingen av användbarhets- samt säkerhetskrav. Styrd av den explorativ fallstudie forskningsdesignen, fick jag nya insikter i en situation som har gäckat säkerhetsspecialister och organisatoriska aktörer. Denna studie resulterade i skapande av en designmetodik för användbara och säkra datorsystem. Även om denna metod är ännu i sin rudimentära fas, testades den med hjälp av en webbenkät. Data från litteraturstudien sorterades med hjälp av en syntesmatris; och analyserades med kvalitativ innehållsanalys. Några framstående design- och säkerhetsmodeller samt metoder som diskuterades i denna uppsats inkludera Användarcentrerad System Design (UCSD), Ändamålsenligt och Effektivt Vägledning för Informationssäkerhet (AEGIS) och Octave Allegro.

Computer-systems security

usability

information security

User-Centered System Design (UCSD)

balance

synthesis matrix

security breach

design methodology

Carbanak Attack

AEGIS

Octave Allegro.

Information Systems

Examining Data Privacy Breaches in Healthcare

Smith, Tanshanika Turner

01 January 2016

Healthcare data can contain sensitive, personal, and confidential information that should remain secure. Despite the efforts to protect patient data, security breaches occur and may result in fraud, identity theft, and other damages. Grounded in the theoretical backdrop of integrated system theory, the purpose of this study was to determine the association between data privacy breaches, data storage locations, business associates, covered entities, and number of individuals affected. Study data consisted of secondary breach information retrieved from the Department of Health and Human Services Office of Civil Rights. Loglinear analytical procedures were used to examine U.S. healthcare breach incidents and to derive a 4-way loglinear model. Loglinear analysis procedures included in the model yielded a significance value of 0.000, p > .05 for the both the likelihood ratio and Pearson chi-square statistics indicating that an association among the variables existed. Results showed that over 70% of breaches involve healthcare providers and revealed that security incidents often consist of electronic or other digital information. Findings revealed that threats are evolving and showed that likely factors other than data loss and theft contribute to security events, unwanted exposure, and breach incidents. Research results may impact social change by providing security professionals with a broader understanding of data breaches required to design and implement more secure and effective information security prevention programs. Healthcare leaders might affect social change by utilizing findings to further the security dialogue needed to minimize security risk factors, protect sensitive healthcare data, and reduce breach mitigation and incident response costs.

breach mitigation and response

data privacy breach

information security

loglinear analysis

secondary data analysis

security breach

Business

Computer Sciences

Databases and Information Systems

Overruling the Underclass? Homelessness and the Law in Queensland

Walsh, Tamara

January 2005

The impact of the law on the lives of homeless people in Queensland has, to date, remained largely unexplored by legal academics and researchers. This is despite the fact that homeless people experience a number of legal difficulties that seriously affect their lives. This thesis by published papers aims to make a significant and original contribution to filling this gap in the research evidence by presenting the results of analyses of the legal, theoretical and practical issues that arise in the context of homeless persons' interactions with the legal system in Queensland. Most notably, it is comprised of three pieces of empirical research which identify those areas of law that impact most on homeless people in Queensland and explore the consequences of the operation of these laws on their lives. In sum, this thesis examines the extent of the law's influence on the lives of homeless people in Queensland, and finds that the consequences of the law's operation on homeless people in Queensland are serious. The thesis first examines the effect on Queensland's homeless people of laws which regulate behaviour conducted in public space. The criminal offences of vagrancy, begging and public nuisance are analysed; their historical origins, the reasons for their retention on modern statute books, and arguments in favour of their repeal are discussed. The impact of 'public space law' on homeless people in Queensland is also explored through a survey of 30 homeless people residing in inner-city Brisbane. This part of the thesis concludes that public space law in Queensland results in breaches of homeless persons' human rights, as well as the contravention of rule of law principles. The thesis then explores the impact of the law on homeless persons' experiences of citizenship. Empirical research and theoretical analysis demonstrate that the application of various laws, particularly public space laws, social security laws and electoral laws, encroaches on homeless persons' citizenship rights. The thesis then reports on the results of a unique survey of Queensland's homelessness service providers. This survey is the most extensive piece of empirical research ever conducted on the extent to which various laws impact on homeless people. Respondents were asked to indicate which areas of law impact most adversely on their homeless clients. Based on the research findings outlined above, the hypothesis was that criminal law issues, particularly public space offences, would be proven to impact particularly adversely on homeless people in Queensland. Somewhat unexpectedly, the findings of the survey indicated that fines law, debt law and family law difficulties are those legal difficulties most often encountered by homeless people in Queensland. Difficulties produced by criminal laws, social security laws and electoral laws, while still generally relevant, rated less highly. However, the survey did demonstrate that experiences differ between sub-groups within the homeless population, for example Indigenous homeless people were reported to be most affected by criminal law issues, while young homeless people were reported to be most affected by social security law issues. Together, the five papers which comprise this thesis make an original and substantial contribution to knowledge by identifying empirically for the first time the various laws that have a significant impact on the lives of homeless people in Queensland, and analysing the consequences of this in terms of their effect on homeless persons' citizenship rights, human rights and rule of law entitlements.

Homelessness and the law

public space law

social security law

constitutional law

electoral law

citizenship

human rights

rule of law

vagrancy

begging

public nuisance

social security breach penalties

fines

voting

political communication

T.H. Marshall’s citizenship theory

right to equality before the law

right to freedom from arbitrary arrest

right to freedom from discrimination