
CHAPTER ONE: INTRODUCTION

Purpose of Study

The government industry was one of three main industries where 95% of all records were breached (Milkovich, 2020). Cybercrime has drastically increased over the years, and more so since the COVID-19 pandemic took hold in the United States in early 2020 (Monteith et al., 2021). During the first five months of 2020, the number of reported cybercrimes matched the number reported during the entire year of 2019 (Monteith et al., 2021). The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) also tracks the number of reported cybercrimes, and there was a notable difference between 2019 and 2020. There were 467,361 complaints and an estimated $3.5 billion in reported losses in 2019, compared to 791,790 complaints and an estimated $4.1 billion in reported losses in 2020, nearly a 70% increase in complaints (Federal Bureau of Investigation, 2021). A recent report by Cyberedge Group (2021) concluded that an increasing number of organizations have suffered successful cyberattacks over the last 5 years, as shown in Figure 1.1.

Figure 1.1 Percentage of Organizations Compromised from 2016-2021

Advancements in technology are being leveraged by criminals to commit cybercrime against all types of entities, especially the United States Federal Government (herein referred to as “government”), focusing on data destruction, stealing proprietary information, financial gain, and many others (Eggers, 2021; Olejarz, 2015). An understanding of why cyberattacks and cyber incidents are occurring is necessary before developing solutions to the problem.

Recent publications identify common themes that explain why these events have occurred so often in recent years: human error, environment complexity, restricted information sharing, and insufficient budgets (Macak et al., 2020; Office of the Secretary of Defense, 2015; Sen, 2018; Ashford, 2017). The 2021 Cyberthreat Defense Report also provided several of the most common reasons why organizations are unable to successfully defend their systems. Figure 1.2 shows that the two main reasons are: (a) low cybersecurity awareness, and (b) lack of skilled personnel (Cyberedge Group, 2021).

Figure 1.2 Cybersecurity Effectiveness Barriers

According to Bruce Schneier (2000), a cybersecurity expert, people are referred to as the weakest link in security and are repeatedly responsible for system failures. System failures can be caused by performing tasks incorrectly or by being the victim of a cyberattack that introduces malicious actors into the information system. Little progress has been made on the human problem since then, and it has remained the top threat to the government since 2014 (SolarWinds, 2020). A recent report to Congress concluded that the total number of cyber-related incidents within the government caused by human error increased nearly 30% from fiscal year 2018 to fiscal year 2019, accounting for nearly 50% of all cyber incidents (Executive Office of the President of the United States, n.d.). A significant increase in this category should be alarming, as it indicates a serious problem with people’s interaction with information systems. Human error is often a result of a lack of awareness, distractions, or natural psychological flaws and has been blamed for 95% of data breaches (Huseyin, 2019; Milkovich, 2020; Pollock, 2017).

Several recent events involving human error include the SolarWinds hack resulting from a poor password, Hillary Clinton’s disclosure of classified information, and the 2016 presidential election hack via a phishing campaign (Datta, 2021; Temple-Raston, 2021; Fessler & Martin, 2017). The use of a poor password can be attributed to poor organizational policy; however, it could also be argued that had the administrator been aware of the vulnerability and used a stronger password, the situation could have been avoided and the system would have been less likely to be compromised (Scarfone & Souppaya, 2009). Several government agencies downloaded the compromised software from SolarWinds, which ultimately compromised their networks and allowed adversaries to infiltrate their systems (Whitaker, 2021). To this day, the SolarWinds hack is known to be one of the most complex and destructive hacks to have ever happened (Whitaker, 2021).

The disclosure of classified information from Clinton’s email server was found not to be malicious but was a result of 38 individuals not properly securing classified information (U.S. Department of State, 2019). Had these individuals been aware that their actions were not complying with security policies, it is likely they would have used the appropriate methods to communicate sensitive information. Similarly, recipients of the phishing emails used in the presidential election hack (Fessler & Martin, 2017) may not have been aware of the illegitimacy of the emails or how to identify them, given the detection difficulty (Steves et al., 2019). Moreover, in 2019, the United States Department of Agriculture (USDA) reported 36 improper use cases consisting of unauthorized software installations, viewing of forbidden content, and more (U.S. Department of Agriculture, 2019). Collectively, this suggests that people who lack cyber awareness may have the tendency to engage in dangerous activities that pose a great risk to the organization.

Statistics and recent events demonstrate that people who lack cyber awareness may be a serious problem and can jeopardize the integrity and security of information systems. Employees throughout the entire organizational structure pose a risk, from line workers to senior leaders. Each employee can be targeted for cyberattacks or exercise poor cybersecurity practices that result in unwanted outcomes. Proofpoint (2019) reported that lower levels of management and frontline workers were targeted more frequently with phishing attacks and email-based malware than senior leaders. However, a 2020 study showed that top-level executives are twelve times more likely to be pursued as a target than the average employee (Aon, 2020). Executives are high-profile targets because they often have access to valuable company information but (Aon, 2020). As the literature highlights people as the weakest link and potentially a top threat to cyber defense, the government will remain vulnerable if the human factor is not addressed and resolved (U. S. Government Accountability Office, 2021).

While there is no single solution for increasing cybersecurity and mitigating risks, the government should also focus on non-technical solutions, rather than just technical solutions, to have the best chance of success (Donalds & Osei-Bryson, 2020). Developing a cybersecurity culture has been recognized as the best approach to addressing human factors as the weakness within cybersecurity (Gcaza & Solms, 2017). Policy compliance is an aspect of cybersecurity culture that identifies acceptable behaviors, detailing how employees shall interact with the organization’s information system. Policy compliance has been shown to reduce risk and minimize security-related incidents since individuals behave accordingly (Li et al., 2019; Veiga, 2016). Therefore, the objective of this project is to explore the importance of a cybersecurity culture and how it can be used to mitigate risks while focusing on policy compliance. The specific questions the project will focus on include:

  • How can the government create a cybersecurity culture? What environmental and cognitive factors may have an influence on individuals to exercise compliant behavior?

  • What are the best practices we can learn from? What challenges may the government be faced with when implementing cybersecurity culture best practices?

  • Based on the best practices and challenges discovered, what recommendations can be made for the government?

Organization

This project is organized as follows: Chapter 2 will provide a background on cybercrime and cyberwarfare within the government along with challenges that the government is currently faced with. Chapter 3 will describe the methodology used for research. Chapter 4 will review the results. Chapter 5 will provide recommendations for the government, limitations, and a conclusion.
