menacing shadow of a hand on a neyboard

Choosing the Right Defense

When it comes to cyber security, there’s no one-size-fits-all solution. In some cases, businesses may not know all of the best practices available. So how can they determine the best tactics? One professor is trying to bridge that gap with the help of student researchers.

By Laura Braddick

High profile data breaches, hacking and other cybersecurity crises have become the scary new normal.

Even with large, sophisticated security infrastructures, high-profile data breaches during the last few years at large multinational companies, national healthcare systems, government agencies and more demonstrate that no institution is impervious to cyberattacks.

But it’s not just big companies at risk. Small and mid-size businesses are just as if not more vulnerable to cyberattacks.

Think tanks like the National Security Administration’s Science of Security (SoS) initiative are devoted to researching new and cutting-edge systems to get ahead of malicious hackers and prevent breaches as attack methods grow in sophistication and frequency.

But what’s needed is a bridge between these valuable yet deeply complex and highly technical security methods and the businesses and organizations that can benefit from them.

“There is a ton of great research out there on cyber security that’s theory-based, but the problem is we’re not necessarily seeing these models getting deployed,” says Natalie Scala, an assistant professor of e-business and technology management. “There’s a need to translate this research into useable methods for businesses.”

Scala is hoping to close this gap. For the last few years, she’s recruited a series of student researchers to help lay the groundwork while also working with subject matter experts at National Security Administration’s SoS initiative and Army Cyber Institute at the United States Military Academy (West Point).

“There is a ton of great research out there on cyber security that’s theory-based, but the problem is we’re not necessarily seeing these models getting deployed.”

Their collective work has established the framework for a model that businesses can use to determine what cybersecurity measures they should implement to protect themselves.

The project began with literature review led by Jasmin Farahani ’16 (BUAD) ’18 (marketing intelligence). Farahani identified seven best practices in cybersecurity that were most appropriate for businesses. She then created and distributed a survey to organizations and businesses across different industries to measure what they value most in a cybersecurity system. Rachel Fredman ’17 (BUAD/CIS) analyzed the results.

“Some of the most commonly high-valued metrics and best practices were threat detection, encryption, authentication, awareness and training for employees,” says Fredman.

Alex Thierer ’16 (BUAD) surveyed small legal firms and solo practitioners to gather additional data on how businesses view cybersecurity. Emil Manuel ’16 (BUAD), identified how relevant the metrics identified by Farahani would be to supply chain firms.

Natalie Scala with the students she helped mentor while researching cyber security best practices
From left, Natalie Scala, Ph.D., Jasmin Farahani, Emil Manuel and Rachel Fredman.

With the help of this student-driven research, Scala developed the cybersecurity metrics model currently being tested using real business data provided voluntarily and used anonymously.

Scala and her team hope that once their work is complete, organizations ranging from small, family-owned businesses to large corporations will be able to look at their priorities and constraints and figure out which cybersecurity methods best suit their needs.

“There’s no clear-cut defense,” says Farahani. “It’s growing and changing every day. Security firms are playing catchup with the hackers.”

The number of recognized data breaches has increased nearly sevenfold in the last decade. The average annual cost of these breaches is soaring as well—not to mention the non-economic costs data breach victims suffer, such as loss of customer trust and reputation damage.

In 2016, data breaches tracked hit an all-time high of 1,093 according to the Identity Theft Resource Center, which releases a report compiling confirmed data breaches reported in the media and by government agencies. Of all industries tracked, businesses bore the brunt as the target of 45 percent of these attacks.

Scala and her research counterparts say that, based on all their research, the biggest piece of advice to any business leader is to take cyber defense measures seriously.

“Be educated and open-minded. Put an effort into securing your business,” says Farahani. “You can never eliminate attacks, but breaches can be stopped or limited if you put the investment into it.”

“Don’t be so overwhelmed that you do nothing,” says Scala. “One thing we hope will come out of this research is that it will help business feel less overwhelmed and more prepared to defend against malicious attacks.”