Management Information Systems Commons^™

From The Editors, Michael E. Whitman, Herbert J. Mattord, Carole L. Hollingsworth

Journal of Cybersecurity Education, Research and Practice

No abstract provided.

Car Hacking: Accessing And Exploiting The Can Bus Protocol, Bryson R. Payne

Journal of Cybersecurity Education, Research and Practice

With the rapid adoption of internet-connected and driver-assist technologies, and the spread of semi-autonomous to self-driving cars on roads worldwide, cybersecurity for smart cars is a timely concern and one worth exploring both in the classroom and in the real world. Highly publicized hacks against production cars, and a relatively small number of crashes involving autonomous vehicles, have brought the issue of securing smart cars to the forefront as a matter of public and individual safety, and the cybersecurity of these “data centers on wheels” is of greater concern than ever.

However, up to this point there has been a …

Adopting The Cybersecurity Curriculum Guidelines To Develop A Secondary And Primary Academic Discipline In Cybersecurity Postsecondary Education, Wasim A. Alhamdani

Journal of Cybersecurity Education, Research and Practice

A suggested curriculum for secondary and primarily academic discipline in Cybersecurity Postsecondary Education is presented. This curriculum is developed based on the Association for Computing Machinery guidelines and the National Centers of Academic Excellence Cyber Operations program.

Cybersecurity Education: The Need For A Top-Driven, Multidisciplinary, School-Wide Approach, Lucy Tsado

Journal of Cybersecurity Education, Research and Practice

The human resource skills gap in cybersecurity has created an opportunity for educational institutions interested in cybersecurity education. The current number of schools designated by the Department of Homeland Security (DHS) and National Security Agency (NSA) as Centers of Academic Excellence (CAE) to train cybersecurity experts are not sufficient to meet the shortfall in the industry. The DHS has clearly mapped out knowledge areas for cybersecurity education for both technical and non-technical disciplines; it is therefore possible for institutions not yet designated CAEs to generate cybersecurity experts, with the long-term goal of attaining the CAE designation. The purpose of this …

From The Editors, Herbert J. Mattord, Michael E. Whitman

Journal of Cybersecurity Education, Research and Practice

A message from the editors.

Investigating The Impact Of Publicly Announced Information Security Breaches On Corporate Risk Factor Disclosure Tendencies, Sandra J. Cereola, Joanna Dynowska

Journal of Cybersecurity Education, Research and Practice

As the reported number of data breaches increase and senators push for more disclosure regulation, the SEC staff issued a guidance in 2011 on disclosure obligations relating to cybersecurity risks and incidents. More recently, on February 26, 2018 the SEC Commission issued interpretive guidance to help assist public companies prepare disclosures regarding cybersecurity risks and incidents. As reported incidents of cybersecurity breaches occur, investors are concerned about the risks associated with these incidents and the impact they may have on financial performance. Although the SEC staff guidance warns public companies to make timely disclosure, recognizing the threat that cybercrime poses …

Sit Back, Relax, And Tell Me All Your Secrets, Sarah Kirk, Daniel Foreman, Cody Lee, Shannon W. Beasley

Journal of Cybersecurity Education, Research and Practice

The goal of this research is to describe an active learning opportunity that was conducted as a community service offering through our Center for Cybersecurity Education and Applied Research (CCEAR). As a secondary goal, the participants sought to gain real world experience by applying techniques and concepts studied in security classes. A local insurance company tasked the CCEAR with assembling a team of students to conduct penetration testing (including social engineering exploits) against company personnel. The endeavor allowed the insurance company to obtain information that would assess the effectiveness of employee training with regard to preventing the divulgence of sensitive …

From The Editors, Carole L. Hollingsworth, Michael E. Whitman, Herbert J. Mattord

Journal of Cybersecurity Education, Research and Practice

Welcome to the Fall 2018 issue of the Journal of Cybersecurity Education, Research, and Practice (JCERP). On behalf of the editorial team, we thank you for taking the time to read this issue and strongly encourage you to submit an article for consideration in an upcoming edition.

An Examination Of Cybersecurity Knowledge Transfer: Teaching, Research, And Website Security At U.S. Colleges And Universities, Aditya Gupta, James R. Wolf

Journal of Cybersecurity Education, Research and Practice

This work seeks to answer the question: Does faculty cybersecurity knowledge gained from teaching and research transfer to other IT units in the university? Specifically, do colleges and universities that excel in cybersecurity teaching and research have more secure websites? This work explores a unique setting where the knowledge of the source and recipient are both directly related and observable without outside intervention. Our study employed data from 591 U.S. colleges and universities, the National Centers of Academic Excellence (CAE) program, accepted paper data from the ACM Conference on Computer and Communications Security (CCS) and the IEEE Symposium on Security …

From The Editors, Michael E. Whitman, Herbert J. Mattord, Carole L. Hollingsworth

Journal of Cybersecurity Education, Research and Practice

Welcome to the Spring 2018 issue of the Journal of Cybersecurity Education, Research, and Practice (JCERP). On behalf of the editorial team, we thank you for taking the time to read this issue and strongly encourage you to submit an article for consideration in an upcoming edition.

Voice Hacking: Using Smartphones To Spread Ransomware To Traditional Pcs, Bryson R. Payne, Leonardo I. Mazuran, Tamirat Abegaz

Journal of Cybersecurity Education, Research and Practice

This paper presents a voice hacking proof of concept that demonstrates the ability to deploy a sequence of hacks, triggered by speaking a smartphone command, to launch ransomware and other destructive attacks against vulnerable Windows computers on any wireless network the phone connects to after the voice command is issued. Specifically, a spoken, broadcast, or pre-recorded voice command directs vulnerable Android smartphones or tablets to a malicious download page that compromises the Android device and uses it as a proxy to run software designed to scan the Android device’s local area network for Windows computers vulnerable to the EternalBlue exploit, …

"Think Before You Click. Post. Type." Lessons Learned From Our University Cyber Security Awareness Campaign, Rachael L. Innocenzi, Kaylee Brown, Peggy Liggit, Samir Tout, Andrea Tanner, Theodore Coutilish, Rocky J. Jenkins

Journal of Cybersecurity Education, Research and Practice

This article discusses the lessons learned after implementing a successful university-wide cyber security campaign. The Cyber Security Awareness Committee (CyberSAC), a group comprised of diverse units across campus, collaborated together on resources, talent, people, equipment, technology, and assessment practices to meet strategic goals for cyber safety and education. The project involves assessing student learning and behavior changes after participating in a Cyber Security Password Awareness event that was run as a year-long campaign targeting undergraduate students. The results have implications for planning and implementing university-wide initiatives in the field of cyber security, and more broadly, higher education at large.

A Case Study In The Implementation Of A Human-Centric Higher Education Cybersecurity Program, John W. Coffey, Melanie Haveard, Geissler Golding

Journal of Cybersecurity Education, Research and Practice

This article contains a description of the implementation of a comprehensive cyber security program at a regional comprehensive university. The program was designed to create an effective cyber security management infrastructure and to train end users and other categories of security management personnel in data protection and cyber security. This work addresses the impetus for the program, the rather extensive planning and development that went into the program, its implementation, and insights gleaned from the experience. The paper concludes with a summary of the strengths and weaknesses of the initiative.

Student Misconceptions About Cybersecurity Concepts: Analysis Of Think-Aloud Interviews, Julia D. Thompson, Geoffrey L. Herman, Travis Scheponik, Linda Oliva, Alan Sherman, Ennis Golaszewski, Dhananjay Phatak, Kostantinos Patsourakos

Journal of Cybersecurity Education, Research and Practice

We conducted an observational study to document student misconceptions about cybersecurity using thematic analysis of 25 think-aloud interviews. By understanding patterns in student misconceptions, we provide a basis for developing rigorous evidence-based recommendations for improving teaching and assessment methods in cybersecurity and inform future research. This study is the first to explore student cognition and reasoning about cybersecurity. We interviewed students from three diverse institutions. During these interviews, students grappled with security scenarios designed to probe their understanding of cybersecurity, especially adversarial thinking. We analyzed student statements using a structured qualitative method, novice-led paired thematic analysis, to document patterns in …

A Developmental Study On Assessing The Cybersecurity Competency Of Organizational Information System Users, Richard K. Nilsen, Yair Levy, Steven R. Terrell Ph.D., Dawn Beyer

Journal of Cybersecurity Education, Research and Practice

Organizational information system users (OISUs) that are open to cyber threats vectors are contributing to major financial and information losses for individuals, businesses, and governments. Moreover, technical cybersecurity controls may be rendered useless due to a lack of cybersecurity competency of OISUs. The main goal of this research study was to propose and validate, using subject matter experts (SMEs), a reliable hands-on assessment prototype tool for measuring the knowledge, skills, and abilities (KSAs) that comprise the cybersecurity competency of an OISU. Primarily using the Delphi methodology, this study implemented four phases of data collection using cybersecurity SMEs for proposing and …

From The Editors, Herbert J. Mattord, Michael E. Whitman, Carole L. Hollingsworth

Journal of Cybersecurity Education, Research and Practice

No abstract provided.

Social Media Risk Perceptions Of Human Resource Professionals: Issues Undergraduate Students Should Consider, Julio C. Rivera, Jack Howard, Samuel Goh, James L. Worrell, Paul Di Gangi

Journal of Cybersecurity Education, Research and Practice

This study contrasts the social media risk perceptions of undergraduate students, versus those of certified Human Resource professionals. Social media is widely used by most segments of the population, and particularly among the age group that includes most undergraduate students. Organizations hiring employees are increasingly examining job applicant's social media postings as part of the applicant screening process. In this study we examine how these groups differ in their perceptions of the risks inherent in using social media, and what these differences may mean for students seeking employment. Recommendations are made for raising undergraduate student awareness of these risks.

Synergistic Security: A Work System Case Study Of The Target Breach, Martha Nanette Harrell

Journal of Cybersecurity Education, Research and Practice

Recent publicized security breaches can be used to evaluate information security programs. The processes and procedures that allowed the event to occur can be examined in a case study and then be used to find methods for future mitigation of risk. The Target security breach is used in this study to examine the organization’s information security program using a macro-ergonomic model. This research posits that an information security program should consider the work system design, based in macro-ergonomics, to help mitigate information security risk to the organization and ensure an efficient and effective information security program. Based on a seminal …

A Toolkit Approach To Information Security Awareness And Education, Peter Korovessis, Steven Furnell, Maria Papadaki, Paul Haskell-Dowland

Journal of Cybersecurity Education, Research and Practice

In today’s business environment where all operations are enabled by technology, information security has become an established discipline as more and more businesses realize its value. The human component has been recognized to have an important role in information security since the only way to reduce security risks is through making employees more information security aware. Towards this goal the research will appreciate the importance of information security awareness by illustrating the need for more effective user training. Further to that it proposes and develops an information security toolkit as a prototype awareness raising initiative. Apart from the elements of …

From The Editors, Carole L. Hollingsworth, Michael E. Whitman, Herbert J. Mattord

Journal of Cybersecurity Education, Research and Practice

Welcome to the third issue of the Journal of Cybersecurity Education, Research and Practice (JCERP).

Cyber Security For Everyone: An Introductory Course For Non-Technical Majors, Marc J. Dupuis

Journal of Cybersecurity Education, Research and Practice

In this paper, we describe the need for and development of an introductory cyber security course. The course was designed for non-technical majors with the goal of increasing cyber security hygiene for an important segment of the population—college undergraduates. While the need for degree programs that focus on educating and training individuals for occupations in the ever-growing cyber security field is critically important, the need for improved cyber security hygiene from the average everyday person is of equal importance. This paper discusses the approach used, curriculum developed, results from two runs of the course, and frames the overall structure of …

Pedagogical Resources For Industrial Control Systems Security: Design, Implementation, Conveyance, And Evaluation, Guillermo A. Francia Iii, Greg Randall, Jay Snellen

Journal of Cybersecurity Education, Research and Practice

Industrial Control Systems (ICS), which are pervasive in our nation’s critical infrastructures, are becoming increasingly at risk and vulnerable to internal and external threats. It is imperative that the future workforce be educated and trained on the security of such systems. However, it is equally important that careful and deliberate considerations must be exercised in designing and implementing the educational and training activities that pertain to ICS. To that end, we designed and implemented pedagogical materials and tools to facilitate the teaching and learning processes in the area of ICS security. In this paper, we describe those resources, the professional …

How Much Should We Teach The Enigma Machine?, Jeffrey A. Livermore

Journal of Cybersecurity Education, Research and Practice

Developing courses and programs in Information Assurance can feel like trying to force ten pounds of flour into a five pound sack. We want to pack more into our courses than we have time to teach. As new technologies develop, we often find it necessary to drop old technologies out of the curriculum and our students miss out on the historical impacts the old technologies had. The discipline is so broad and deep that we have to carefully choose what concepts and technologies we study in depth, what we mention in passing, and what we leave out. Leaving out important …

Planning And Implementing A Successful Nsa-Nsf Gencyber Summer Cyber Academy, Bryson R. Payne, Tamirat Abegaz, Keith Antonia

Journal of Cybersecurity Education, Research and Practice

The GenCyber program is jointly sponsored by the National Security Agency (NSA) and the National Science Foundation (NSF) to help faculty and cybersecurity experts provide summer cybersecurity camp experiences for K-12 students and teachers. The main objective of the program is to attract, educate, and motivate a new generation of young men and women to help address the nationwide shortage of trained cybersecurity professionals. The curriculum is flexible and centers on ten cybersecurity first principles. Currently, GenCyber provides cyber camp options for three types of audiences: students, teachers, and a combination of both teachers and students. In 2016, over 120 …

Threats To Information Protection - Industry And Academic Perspectives: An Annotated Bibliography, Michael E. Whitman, Herbert J. Mattord

Journal of Cybersecurity Education, Research and Practice

Threats to information assets have always been a concern to those responsible for making information useful and defending its value. The concepts of threat, threat agent, threat events and threat sources have evolved in recent years have very precise definitions. A summary of threat classification models used in academic research is provided along with a summary of recent industry threat assessment reports. Finally, the results from a recent study, 2015 SEC/CISE Threats to Information Protection Report Including a Current Snapshot of the State of the Industry, are given.

Towards An In-Depth Understanding Of Deep Packet Inspection Using A Suite Of Industrial Control Systems Protocol Packets, Guillermo A. Francia Iii, Xavier P. Francia, Anthony M. Pruitt

Journal of Cybersecurity Education, Research and Practice

Industrial control systems (ICS) are increasingly at risk and vulnerable to internal and external threats. These systems are integral part of our nation’s critical infrastructures. Consequently, a successful cyberattack on one of these could present disastrous consequences to human life and property as well. It is imperative that cybersecurity professionals gain a good understanding of these systems particularly in the area of communication protocols. Traditional Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are made to encapsulate some of these ICS protocols which may enable malicious payload to get through the network firewall and thus, gain entry into the …

Using A Virtual Computing Laboratory To Foster Collaborative Learning For Information Security And Information Technology Education, Abdullah Konak, Michael R. Bartolacci

Journal of Cybersecurity Education, Research and Practice

Virtual computer laboratories have been an excellent technological solution to the problem of providing students with hands-on experimentation in information technology fields such as information security in a cost effective and secure manner. A virtual computer laboratory was utilized in this work as a collaborative environment for student learning with the goal of measuring its effect on student learning and attitudes toward laboratory assignments. Experiments were carried out utilizing specially-designed computer-based laboratory activities that included student assessments and surveys upon their completion. The experiments involved both small groups and individual students completing their respective laboratory activities and subsequent assessments/surveys. …

From The Editors, Michael E. Whitman, Herbert J. Mattord

Journal of Cybersecurity Education, Research and Practice

Welcome to the inaugural issue of the Journal of Cybersecurity Education, Research and Practice (JCERP).