NSA Expert Delivers Interactive Learning Session

On April 14, 2023, Damon Smith from NSA provided an interactive learning session on reverse engineering. A follow-on session and a future repeat session are being planned. 

Advisory Council

When our center was created, membership in our advisory team was established to include cybersecurity leadership from the Milwaukee area. We called on some of the largest commercial enterprises to join our advisory team. With representatives from ULINE, US Bank, RW Baird, Kohl's, GE Healthcare, IBM, Children's Hospital, and Astronautics, we cover many industry segments. The membership of the council includes members from other CAE institutions, other academic units on our campus, and government representatives. 

In March 2023, we held a review meeting with advisory team members. Many of the topics covered were prompted by items covered in our NCAE recertification effort. The agenda for that meeting included program level learning objectives, program assessment, assessment data, elements of the program of study (courses, faculty, and student data), a discussion of our Cybersecurity Labs, the Cyber Eagles competition team, program electives, and faculty research work.

Marquette University receives CyberCorps grant

As the first CyberCorps grant recipient in the State of Wisconsin, Marquette University is proud to be a part of this important program that further attests to the qualifications of our graduates from the M.S. in Computer and Information Science with a specialization in Information Assurance and Cyber Defense.

See the announcement published in Marquette Today: "Marquette computer science professor awarded $2.6 million NSF grant to train next generation of cybersecurity professionals."

 

Cyber Security Awareness Month 2022

As is our practice every year, we sponsored a Cyber Security Awareness Month event for faculty, staff, students, and the community. This free event was scheduled for October 6, 2022. The event was held on the Marquette campus. We discussed Teaching and Leading with a Security-first Mindset, the pedagogy of teaching Ethical Hacking, and the experiences of professional penetration testers.

CyberPatriot Summer Camp for High School students

The Klingler College of Arts and Sciences along with the Air Force ROTC Det 930, the Center for Cyber Security Resources and Cyber Defense, and other campus units are supporting a CyberPatriot CyberCamp Aug 1-5. The camp is designed to teach beginner students the basics of cybersecurity. No prior cybersecurity knowledge is required for participants.

CyberPatriot is a national initiative supported by the Air Force Association (AFA). It provides materials for camps such as the one being delivered at Marquette University and administers the nation's largest youth cyber competition. Contact us for more information.

Cyber Security Awareness Month 2021 (October)

October 2021, Cyber Security Awareness Month, was a busy month.

Starting on October 1, 2021, we held a Cyber Security Awareness Month Kick-Off Meeting with a welcome from Provost Kimo Ah Yun, important cyber security announcements from Chief Information Officer Laurie Panella, remarks from the Klingler College of Arts and Sciences by Associate Dean Ed Blumenthal, and a presentation about our center and the October events by Tom Kaczmarek, Director for Cyber Security Awareness and Cyber Defense. The program included a panel of representatives from across campus talking about the importance of cybersecurity in their discipline.

On October 5th we convened for a special workshop on Consequence-Driven, Cyber-Informed Engineering (CCE) presented by Andrew Bochman, a research scientist from the Idaho National Laboratory, and Andrew Ohrt, Lead Risk and Resilience, West Yost Associates. In this presentation, they introduced the concepts associated with CCE, which was developed by Idaho National Laboratory and is currently being deployed by critical infrastructure owners around the country. CCE is a ground-breaking approach to designing and securing more resilient physical systems. This session was jointly sponsored by the EECE program from the Opus College of Engineering at Marquette. (see details here)

On October 8, we welcomed members of SIM Wisconsin seeking advice in the IT Leadership Forum on Cybersecurity. This event was co-sponsored by the Wisconsin Chapter of SIM. IT leaders received advice on protection of the cloud and combating ransomware from thought leaders David Kliemann of IBM and Theresa Miller of Cohesity. A panel of CISOs and other cyber experts discussed what CIOs need to know about cybersecurity and resiliency. (You can view the agenda here, which was the registration site.)

On October 15, the Computer Science Department and the center sponsored an ACM distinguished lecture by Josiah Dykstra. The topic of the talk was "Getting Started in Cybersecurity Science." This talk offers an introduction for students and practitioners to the application of the scientific method to cybersecurity tools and systems. Also in October, on the 25th, David Mohaisen spoke about current research on blockchain security at a Computer Science Colloquium. (see the colloquium website here)

On October 27, students, professionals, and employers gathered at a Cybersecurity Career Awareness Networking Event. Co-sponsored by the career services center with pizza and beverages hosted by Northwestern Mutual, this informal gathering of professionals and students allowed students to ask questions and explore cyber security careers. (Details are in Handshake.) Two students of the program, Chris Supinger and Erin Makarewicz, shared their experiences studying in our M.S. program and taking on cybersecurity careers.

Finally, on October 29, as part of MKE Tech Week, we hosted a Workshop on Cybersecurity Workforce Development. We featured an overview of academic programs in the Milwaukee area that prepare workers and listened to employer thoughts about internships and apprenticeships in cybersecurity. This meeting included representatives from Marquette's EOP, which has a long history of helping school-age, low-income and first-gen college students of Milwaukee achieve their potential. The meeting featured a discussion of a proposal for creating a cybersecurity career pipeline for underrepresented students. (Registration was administered through MKE TECH and the Wisconsin Startup Coalition.)

 

Training Opportunity Remains Open

The Department of Computer Science is offering Marquette University students, independent of academic program or college affiliation, an opportunity to apply for training in cybersecurity. Through a grant provided to the Department of Computer Science by ULINE, students will be provided 1-year unlimited access to the Infosec Skills training platform. The Infosec Skills training platform provides more than 600 courses, 160 online labs, and 1,000 hours of online training. Access to training will be administered through the Center for Cyber Security Awareness and Cyber Defense. See this link for further information.

GenCyber Camp 2021

The last week of July 2021, Dr. Debbie Perouli from the Department of Computer Science presented a virtual cyber summer camp for about 30 high school students introducing them to cybersecurity. This was sponsored by NSA/NSF under the GenCyber program. Contact Dr. Perouli for details.

 

CYBER RISKS, TRENDS, PREDICTIONS 2021

At this annual meeting we explored Cyber Risks, Trends and Predictions with experts from the world of online meetings (Microsoft Teams), a CISO fighting risks at Children's Hospital of Wisconsin, and cyber insurance experts. We met on June 11, 2021 for a virtual meeting from 8:15 A.M. (CDT) to 11:30 A.M. (CDT).

In this time of virtual everything, including meetings, we implemented a new virtual element, networking opportunities with the experts.

AGENDA

8:15 Introduction

8:20: Dave Jaworski, Risk, Resiliency and Operational Continuity

This keynote talk explained why the current threat situation requires action and then turned to what has worked to maintain operational continuity, including thoughts on AI monitoring and RPA. It concluded with discussion of the Next Steps to manage the situation to repel the attacks forecast for global manufacturing and other industries.

9:10: Angela Johnson

Given from the perspective of a CISO, this keynote provided insights into how to manage risks and prepare for the threats that are trending.

10:00: Panel: Cyber Insurance (Stephanie Dingman, Catarina Kim, Angela Johnson, and Che Bhatia) - The panel addressed questions such as, "Are you being asked to supply more information about your security posture to your insurance underwriters? Are you experiencing mandatory higher limits on coverage or seeing increased premiums for cyber insurance? Do you want to learn how to gain control of your cyber insurance dilemma through the adoption of best practices?"

10:45 Network with the experts (Virtual breakout rooms to chat informally)

11:30 Leave with some personal action items

BIOGRAPHIES:

Dave Jaworski, A strategic manager who is passionate about helping people and organizations achieve their dreams and potential. Dave is Principal Program Manager, Microsoft Teams Strategic Customer Engineering at Microsoft and the author of “Microsoft Secrets: An Insider’s View of the Rocket Ride from Worst to First.” With over 30 years of technology, sales, marketing and management experience, Dave has helped organizations in multiple industries across the globe. This includes developing and delivering profitable, award winning technology products. Employee #3 at Microsoft Canada, Dave was instrumental in launching Microsoft’s Canadian operation and was awarded the first-ever Bill Gates’ Chairman’s Award of Excellence, recognizing him as Microsoft’s #1 employee worldwide that exemplified excellence by Bill Gates and the Microsoft Executive team. He was Microsoft’s National Sales Manager, then GM of U.S. Sales Operations. Along with music industry execs, Dave founded PassAlong Networks, providing digital media services for 200+ clients, including eBay. PassAlong patented technology for eCommerce and sharing music. PassAlong was first in the world to innovate and implement micro-payments with PayPal. Dave helped Avon develop deeper relationships with its global sales force and its customers when he served as CTO for Intero Alliance building the Intero Lifestyle Network, launched in 62 countries in 37 languages. Dave then served as VP Sales at Netsteps where he doubled sales. Dave then built Meta Media Partners, helping clients transform their customer experiences, enhance their employee engagement, optimize their operations, and create new products and services. In July 2017, Dave returned to Microsoft to join an elite team of Digital Advisors, working with Microsoft’s top accounts around the world to help them refresh their organizations. He then moved to Teams Engineering to help enable organizations worldwide transform and run their business on Microsoft Teams.

Angela Johnson, Since June of 2017, Angela has been shaping cybersecurity efforts and leading information security management at the Children's Hospital of Wisconsin. She currently serves as the CISO and VP Information Systems Infrastructure. Formerly she was the Director of Information Security and the Assistant VP and Assistant Corporate Secretary at Baird where she was active in process improvement efforts in risk management and customer focused services. With prior responsibilities at Metavante and FIS, her experience also includes supply chain management and supplier contract management.

Stephanie Dingman, CPCU, CIC, ARM, Managing Director, Cyber Solutions, Aon, Stephanie is Managing Director and National Operations Leader for Aon’s Cyber Solutions E&O/Cyber Broking team in the Central Region. Stephanie provides clients with broking expertise and consultative advice for Cyber, Professional Liability, Technology and Media risks. Prior to joining Aon’s Cyber Solutions broking team, Stephanie was a Director for Aon Broking U.S. Retail, an Account Executive in Miami and a Senior Consultant on the Actuarial and Analytics team within Aon Global Risk Consultants. Stephanie has been with Aon since 1997. Stephanie holds the Chartered Property Casualty Underwriter (CPCU) designation, Associate in Risk Management (ARM) designation and Certified Insurance Counselor (CIC) designation. Stephanie earned a Master of Business Administration in Finance from the University of Minnesota and a Bachelor of Business Administration in Actuarial Science and Risk Management and Insurance from the University of Wisconsin.

Catarina Kim, Catarina is a Vice President in the Intelligence Group of Aon’s Cyber Solutions (formerly Stroz Friedberg) where she leads the threat intelligence program. In her current role, she oversees advanced analytic services and delivers data driven solutions to clients globally. Her areas of specialization include cyber intelligence, threat monitoring, open source mining, deep and dark web collections, cybercriminal and fraud investigations, and nation state threat analysis. She has over 15 years of experience managing complex intelligence and investigations in the financial services sector and for the U.S. Intelligence Community.

Che Bhatia, Adjunct Marquette University and Vice President of Cyber Resilience and Engagement Management within our Global Aon Cyber Solutions practice (formerly Stroz Friedberg). In this role he is responsible for helping clients proactively manage the cyber and enterprise risk and leads digital forensics, cybercrime, data breach, compliance, electronic discovery and business intelligence and investigations matters. Prior to joining Aon, Chetan served as the Chief Technology Officer at Data Partner, Inc. where he was responsible for the technical vision, strategy and roadmap for the organization. He was also a cyber-security consultant for Advance Resources and Consultants, a firm led by former senior-level government and military officers, where he conducted cyber security risk assessments. At Nexum, he served roles such as business development director and practice manager and was responsible for the project management and network/security engineering teams. Before joining Nexum, he worked at Hewitt Associates and Aon, where he deployed and administered security controls and was part of a team that maintained the network security infrastructure protecting the PII of over 75% of the Fortune 500 organizations. Chetan also serves as adjunct professor at Washington University in St. Louis where he is also a member-at-large on the cybersecurity education advisory board. Chetan also serves as faculty at Loyola University in Chicago. He has successfully mentored students to compete in the National Cyber League and the National Collegiate Cyber Defense competitions. Chetan is often invited by the FBI and US Secret Service to provide executive debriefings on cyber and other investigative matters.

Cybersecurity Awareness Month 2020

140 attendees registered for our 5th annual Colloquium on Cyber Security Awareness

Do Your Part #BeCyberSmart

October 9, 2020 9:00 AM to 11:30 AM (a virtual meeting)

Theme: Cyber resilience takes people with awareness, knowledge, and skills. This theme was the emphasis throughout the sessions of the event. People must be equipped with understanding to #BeCyberSmart.

Audience: The audience included

  • individuals interested in any aspects of cybersecurity who wish to #BeCyberSmart
  • professionals in various industries and roles that span information owners, risk and compliance managers, and cybersecurity pros who want to help their communities to #BeCyberSmart
  • Wisconsin SIM was a co-sponsor and the Milwaukee chapter of ISACA and the Milwaukee Section of IEEE helped to promote this event with their memberships

Format: Do Your Part #BeCyberSmart was a virtual meeting that featured the following:

  • an opening Executive Engagement panel
  • two parallel exercise sessions for attendees to develop personal action plans
  • five parallel sessions to discuss important topics in cybersecurity awareness.

Complete details about the program can be found by clicking here.

Presenter & panels: Panelists for the Executive Engagement session included experienced executives with a passion for cybersecurity: David Cagigal (former CIO for the State of Wisconsin), Ariel Evans (best-selling author and Risk Management expert), Angela Johnson (CISO at Children's Hospital Wisconsin), and Steve Thomas (VP, Chief Risk and Compliance Officer, Kohl's). The Executive Engagement panel was followed by two parallel attendee exercises to develop personal action plans and then by five parallel panel sessions on the following topics:

  1. Education Opportunities to pursue careers,
  2. Government Policies (including election security),
  3. a vendor panel on Innovation in Awareness products and services,
  4. awareness of Regulations & Compliance including the new CA regulation,
  5. topics of interest to Women in Cybersecurity

Bio-sketches of panelists and other details about the event are available at this link.

140 attendees registered for various sessions and obtained session-designated tickets ahead of time for the panels of interest. The event was hosted on Teams.

 

2nd Annual Cyber Career Awareness Meetup

Pizza and Cyber Career Stories

On February 4, 2020, with the help of Career Services Center, the Center for Cyber Security Awareness and Cyber Defense sponsored a cybersecurity career awareness event.

The event featured a few short career stories and lots of time for networking. All majors on campus were invited and almost 100 students attended. There were about 40 professionals there that got engaged in the networking.

4th Annual Colloquium on Cyber Security Awareness

OWN IT, PROTECT IT, SECURE IT

October is National Cyber Security Awareness Month and the theme this year is Own it, Protect it, Secure it.

On October 11, 2019, the annual colloquium was held at the Marquette University Alumni Memorial Union. After an introduction by Dr. Heather Hathaway, Dean Klingler College of Arts and Sciences, the Keynote Speaker Dr. Blair Taylor, Towson University and Subject Matter Expert on strategies to increase the cybersecurity pipeline, spoke on Cyber Security Education for All.

After a break, a panel discussed the need for cyber security education. Participants in the panel were Dr. Blair Taylor; Mr. David Cagigal, CIO, State of Wisconsin; Mr. Byron Franz, Private Sector Coordinator, FBI; and Mr. Daniel Eliot, Director Education & Strategic Initiatives, National Cybersecurity Alliance.

The panel was followed by "Lightning talks" on Cyber Security Awareness efforts by advisory companies and attendees.

Keynote speaker Dr. Blair Taylor is an award-winning educator with 20+ years’ experience in academia. She is a national expert in cybersecurity education and curriculum development. She is a faculty member in the Department of Computer and Information Sciences at Towson University, where she has led numerous funded projects. Her work includes Security Injections @ Towson, which provides security modules for integrating security across the curriculum; it is a national model for teaching secure coding to introductory programming students, and SPLASH, which offers Secure Programming Logic for college credit to high school girls.

The program was sponsored by ULINE, the Marquette University Department of Computer Science, and the Center for Cyber Security Awareness and Cyber Defense.

4th Annual Symposium on the Ethics of Big Data

The annual Symposium on the Ethics of Big Data brings together business and academic leaders interested in examining the implications of bias in analysis, privacy issues in collecting data, and unintended consequences of decision support analysis. The fourth annual symposium was scheduled to coincide with Data Privacy Day, an international observance of the importance of being the custodians of privacy. A snow storm forced delay of the event. It was held May 1, 2019.

The event was organized by the keynote presenter, Dr. Michael Zimmer, an internationally recognized leader in the investigation of data privacy.

'We clearly have entered the era of big data. Armed with petabytes of transaction data, clickstreams and cookie logs, as well as data from social networks, mobile phones, and the "internet of things," a wide range of economic interests, including marketing, health care, manufacturing, education, and government, are now in pursuit of the value of data-driven decision-making. Alongside this increased thirst for big data is an increased public weariness of constant monitoring by internet providers, smart speakers, and GPS chips. Weekly news stories of data breaches, the limitations of data anonymization, and creepy secondary uses of data only add to the public’s anxiety over big data.'

The event focused on the privacy implications of big data across a range of contexts, including learning analytics, researcher data practices, and big data research ethics. The symposium had endorsement by the Northwestern Mutual Data Science Institute and was held on May 1, 2019 at the new Cream City Labs, home to the institute.

2nd Annual Cyber Risks, Trends, Predictions

The mission of the Marquette University Center for Cyber Security Awareness and Cyber Defense includes providing cybersecurity knowledge to the community and the university. To inform the community and the university about current cyber risks and defenses, on April 20, 2019 we hosted the 2nd annual CYBER RISK, TRENDS, PREDICTIONS. This event, created at the suggestion of our advisory council, presented insights from cybersecurity experts who are leading the efforts inside several premier cybersecurity organizations. The event was designed to equip cybersecurity leadership with knowledge of cyber trends and prediction to help them protect, detect, and respond to threats in their organizations.

The presenters and panels included Annie O'Leary, Assistant VP in AON's Cyber Solutions Group; Bilal Malik, Stroz Friedberg Senior Consultant; Che Bhatia, a VP in the Stroz Friedberg Resilience practice; Jason Madey, a core member of Carbon Black’s Cybersecurity Strategist “Howlers” team; and Josh Yost, System Engineering Manager, Palo Alto Networks.

Prior Activity

K12 CAMPS

During summer of 2019, Marquette with the support of KOHL'S held two summer camps for K12 students. One of these focused on middle school students and the other on high school students. A graduate student in the department designed and conducted these camps. GenCyber responds to a recognized need to develop cybersecurity awareness and teach sound cybersecurity fundamentals at the K-12 levels. The program achieves this by providing grants to universities, public or private schools or school systems, not-for-profit institutions, or non-profit institutions to conduct in-residence or commuter learning events for students; and providing instruction, instructional materials, and effective teaching methods to middle and high school teachers. Through the support of the national program we hosted a GenCyber camp on July 30, 2018 through August 3, 2018 in Cudahy Hall, home to computer science and cyber security.

IN THE NEWS

Cyber security incidents and scams catch the attention of local media outlets. Faculty from the center have provided expert opinion about these incidents and advice about defenses to the public with the help of the media.

NEWS

Cybersecurity Training Opportunity

The Department of Computer Science is offering Marquette University students, independent of academic program or college affiliation, an opportunity to apply for training in cybersecurity. Through a grant provided to the Department of Computer Science by ULINE, students will be provided 1-year unlimited access to the Infosec Skills training platform. The Infosec Skills training platform provides online courses, hands-on labs, and extensive training aligned with common cybersecurity jobs. Access to training will be administered through the Center for Cyber Security Awareness and Cyber Defense. See this link for further information.

Dr. Michael Zimmer appointed to the ACM Technology Policy Council

The ACM announced the formation of a Technology Policy Council that was created to address security, privacy, and the future of the internet. This prestigious organization was announced in an ACM press release. “The digital revolution is an international phenomenon,” said ACM President Cherri M. Pancake, “and the leading tech companies, whose services are used by billions every day, have facilities and customers in countries all over the world. So the pressing issues we hear about in the media―such as online privacy, data breaches, algorithmic bias, and the future of the internet―go beyond national borders. ACM’s new Technology Policy Council will provide a space in which computing professionals come together to offer global perspectives on global challenges.”

VIEWS

A comment on governance and ethics

ETHICS BELONGS in DATA GOVERNANCE

The 4th annual Ethics of Big Data was sponsored by our Center for Cyber Security Awareness and Cyber Defense and this year hosted by the Northwestern Mutual Data Science Institute. This was probably the best effort yet in the series. There were several excellent presentations that addressed privacy and acceptable use of information.

What was striking about the meeting's content is the shift that has occurred in the ethical expectations of society regarding the collection, management, and use of data and the abiding need to consider the ethical use of data.

As background, last week a textbook under consideration for use in courses recounted a 1980 agreement on professional ethics. The agreement was developed by the international Organization for Economic Cooperation and Development (OECD). The five rules that were mentioned in the agreement held by 30 countries were as follows:

  • Collect only what you need
  • Do not share information
  • Keep information up to date
  • Use information only for the purpose for which it was collected
  • Destroy information when it is no longer needed.

Clearly, that came from a different time. While researchers in academia may have lived by rules similar to those in the OECD agreement, clearly the commercial organizations that hold that data have behavior that seems to reflect the following:

  • Collect data that you can sell
  • Monetize the data you have collected and sell access
  • Provide instant access to data as it is collected
  • Provide an API so that data can be used by others
  • Keep information because you never know when you'll discover a future use to make better decisions

While the cybersecurity professionals are suggesting a strategy of "Zero Trust" for access control, organizations appear to be promoting "Just Trust Me" with their customers. There is a conflict between need-to-know for security and right-to-use for benefits.

At the symposium, there was some discussion about anonymizing data for privacy concerns, but flaws in anonymizing data are possible when the collection of attributes used to describe a sub-population effectively describes only one person, an outlier. Moreover, anonymization falls short in a world where multiple data sources can be aggregated and aligned. Consider how someone can triangulate information about internet searches for a product, data found in anonymized credit records, and geo-location records obtained from a smart phone. If someone did a web search for a product, there is an anonymized credit card record showing that product was sold at a particular time, at a particular store, and there is a record that the user doing the search was at the location of the store at the time of the credit record, it is a pretty good bet that we can identify who made the purchase. The integration of data sources can defeat protections built into any one data set and lead to a mathematical conclusion of certainty in the same way that cryptography can be used to assign non-repudiation with certainty.
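A data steward can measure this linkage risk before releasing an "anonymized" data set. The sketch below is an added example, not part of the original commentary; the record layouts, field names, the 15-minute window and all sample rows are constructed for illustration. It reports, for each anonymized purchase, how many people remain plausible once search and location records are aligned with it.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption: none of this comes from a real system).
PURCHASES = [  # "anonymized" card records: a token, no name
    {"card_token": "c-01", "product": "espresso machine", "store": "S1",
     "time": "2019-04-02T12:10"},
    {"card_token": "c-02", "product": "phone charger", "store": "S2",
     "time": "2019-04-02T17:30"},
    {"card_token": "c-03", "product": "notebook", "store": "S3",
     "time": "2019-04-03T09:00"},
]
SEARCHES = [  # search log keyed by account
    {"user": "alice", "query": "best espresso machine", "time": "2019-04-01T20:00"},
    {"user": "bob", "query": "phone charger usb-c", "time": "2019-04-02T08:00"},
    {"user": "carol", "query": "fast phone charger", "time": "2019-04-02T09:30"},
]
LOCATIONS = [  # smartphone geo-location, already resolved to a store
    {"user": "alice", "store": "S1", "time": "2019-04-02T12:05"},
    {"user": "bob", "store": "S1", "time": "2019-04-02T12:08"},
    {"user": "bob", "store": "S2", "time": "2019-04-02T17:25"},
    {"user": "carol", "store": "S2", "time": "2019-04-02T17:33"},
]


def _ts(value):
    """Parse the ISO timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def present_at_store(purchase, locations, window_minutes=15):
    """Users whose phone was at the store within the window of the sale."""
    when = _ts(purchase["time"])
    window = timedelta(minutes=window_minutes)
    return {loc["user"] for loc in locations
            if loc["store"] == purchase["store"]
            and abs(_ts(loc["time"]) - when) <= window}


def searched_before(purchase, searches):
    """Users who searched for the product before it was sold."""
    when = _ts(purchase["time"])
    product = purchase["product"].lower()
    return {s["user"] for s in searches
            if product in s["query"].lower() and _ts(s["time"]) <= when}


def linkage_risk(purchases, searches, locations, window_minutes=15):
    """Map each card token to the people still plausible after the join."""
    return {
        p["card_token"]: sorted(
            present_at_store(p, locations, window_minutes)
            & searched_before(p, searches))
        for p in purchases
    }


def uniquely_linked(risk):
    """Tokens whose anonymity set has shrunk to exactly one person."""
    return sorted(token for token, people in risk.items() if len(people) == 1)


if __name__ == "__main__":
    risk = linkage_risk(PURCHASES, SEARCHES, LOCATIONS)
    for token, people in risk.items():
        print(token, "anonymity set size:", len(people), people)
    print("re-identifiable records:", uniquely_linked(risk))
```

In the sample, location data alone leaves two candidates for the first purchase; only the combination with the search log narrows it to one, which is the aggregation effect the paragraph describes.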

The keynote speaker at the Ethics of Big Data suggested that we now have pervasive data which has benefited computational social scientists in conducting all sorts of analysis about human behavior. It was mentioned that the scientific method in social sciences has become obsolete. The scientific method begins with a hypothesis and proceeds to define an experiment and collect data. In computational social science, the creation of a hypothesis persists, but it is followed by consideration of where one might be able to access data to investigate the hypothesis. Twitter, Facebook, and customer reviews of products and services are popular sources of data. Public records published with a desire for transparency in government are another.

Because of Fear Of Missing Out (FOMO) we have pretty much given up the right to privacy. The greater good is served when computational social scientists are able to explain human behavior; users are better served when data about user location and behavior can be accessed by an app because, for example, smartphones are more useful when the Maps app can notify us that it found a near-by restaurant with cuisine we enjoy around our normal lunch time.

So, we have a choice: do we believe that the use of pervasive data contributes to the common good, or that data should only be collected and used for a specific purpose and destroyed afterwards? No matter what you believe, you should ask what you are going to do about it.

Regardless of the ethics you apply, you should be thinking about the ethical use of the data you manage. What are you going to do to build an ethical community, a culture of ethical data management? DAMA International, like many professional organizations, encourages an ethical culture and in their case, it is an Ethical Data Culture. In their book of knowledge, the DMBOK for data management, they focus on the risks of unethical data handling practices, but they leave an organization to define its own ethics.

In reflecting on where a data ethicist would fit into an IT organization it appears that the data governance process is the best home if you are fortunate enough to have one. While the data governance team (or process) will typically focus on the accuracy, completeness, consistency, timeliness, validity, and uniqueness of data, the concerns need to expand. The traditional four pillars of data governance (stewardship, quality, master data management and use cases) need a foundation in ethics. Like DAMA International, the center encourages data management professionals to take a stand. Whether or not there is a formal data governance organization or process, data management professionals must take a stand; they must move the organization to an ethical data culture.

Comments on cybersecurity privacy and awareness

January 28th passed mostly in silence

Why do I mention January 28th? It was Data Privacy Day. So, what’s the big deal?

Data Privacy Day is an annual international event to remind everyone to be diligent about online privacy and online information. The National Cyber Security Alliance led efforts in the USA to call attention to the event. Part of the message is to “own your online presence.”

So, here's the deal.

Part of owning your online presence is understanding what information about you is available to others. Why does that matter?

A recent investigative report aired on a local TV station. “Bogus background check could be costing you money” revealed how incorrect cyber information can hurt you. In this case a gentleman had his insurance rates go up dramatically because a company that collects credit records and provides them to insurance companies supplied bad data.

Yes, I know this is a case of garbage in garbage out, but whose garbage is it?

In this case the negative factors in the “Bogus background check” came from the victim’s son, who had the same first and last names, but he was “the second.” The son’s history was erroneously mixed in with the father’s record. According to the news story, the company supplying the report responded that they do rigorous checks to maintain quality; but they didn’t in what they characterized as a “rare case.” The algorithms did not perform as intended.

What was the advice of the investigative reporter? Check the information that is available for accuracy. Sounds like “own your online presence.” I’ll be sure to add this story and this advice to people come next Data Privacy Day (January 28, 2019). Maybe more people will take notice and think more about their online presence.

The investigative news story mentioned the offending companies, but I have left them off. These kinds of mistakes are detrimental to corporate reputation. Sure, it was inadvertent, but was the company paying enough attention to the collection and use of data? What were they doing to avoid unintended consequences? One of the companies mentioned had a hugely embarrassing incident recently. It was credited to lax policy enforcement. What about you and your company?

I am proud to say that Marquette University is putting together a Symposium on the Ethics of Big Data III. This is the third in a series of meetings on privacy, data collection, and the consequences of Big Data technology. This year we will meet on April 27 in a discussion that is open to businesses, academics, students, and the public. Folks at Northwestern Mutual are demonstrating their recognition of the importance by joining us to sponsor and host the meeting at their new tower in downtown Milwaukee. See https://www.marquette.edu/ethics-of-big-data for information. Other companies have regularly made an appearance and supported this annual event.

Help make a difference; be cyber security and privacy aware. (See https://staysafeonline.org/data-privacy-day/about/ for information about Data Privacy Day and https://www.tmj4.com/news/i-team/bogus-background-check-could-be-costing-you-money to see the full story about the bogus background check.)

Cyber Security Awareness Requires Leadership

Cyber security is a question of leadership and awareness is the responsibility of leaders.

Almost all successes are the result of a proper combination of People, Process, and Technology. The importance of these three items is apparent in the examination of the cyber security incidents that have gained national attention. It always starts with people. People can prevent breaches or people can cause them. Incidents can result from inadvertent behavior or from malicious intent. Cyber Security Awareness focuses on reducing inadvertent behavior that leads to failure of the security system. Often someone with malicious intentions takes advantage of the inadvertent action, but that is not always the case. There is not always a bad guy trying to take advantage of others.

Safety in manufacturing plants is not the same as safe computing but safety awareness is remarkably similar to Cyber Security Awareness. During my career before academia, I had the privilege of observing a dramatic improvement in plant floor safety that resulted from leadership and awareness. General Motors went from having a mediocre safety record to being by far the safest manufacturing environment in the industry.

The journey from mediocrity to excellence started with recognition of the problem created by workplace injury. Leadership from the C-suite resulted in having all executives take safety training from the world leader in workplace safety, DuPont. Having been in the explosives business, it is clear why DuPont emphasized safety.

The manufacturing organization followed the leadership of the VP of Manufacturing, Joe Spielman, supporting the theme "Safety is Our Overriding Priority." The corporation regularly heard the message that came from DuPont, "All incidents can be avoided." The term "incident" replaced "accident" in the conversation because accidents imply that they are somehow unavoidable.

Measurements were put in place; goals were set and clearly articulated. For example, the goal at one assembly plant in Oshawa was a 50% reduction in lost time injuries and “recordable” injuries every three years. This led to reducing lost work day cases per 100 employees from 13 in 1994 to under 1 before the close of 2001. In 2002, GM plants from around the world had achieved an industry-leading 3.6 recordable incidents per 200,000 hours worked compared to an industry average of 20.3. [1]

A practice that helped lead to the improvement was attention to "near-misses." These were recorded and analyzed at safety meetings, which were mandated to occur regularly. In our office environment, we held these meetings weekly. The clear goal was fool-proofing the system. In all plants, serious near-misses required the Plant Manager to tour and assess the situation within 24 hours. Supervisors and team leaders were required to investigate all actual incidents before the end of a shift.

There is a strong parallel between this example and the Stop. Think. Connect. campaign coming from the Department of Homeland Security. This is one of the primary concepts included in the DHS program in cyber security awareness.

I mentioned that there must be attention to People, Process, and Technology. The culture must change. An example from GM of the emphasis on balanced attention to People, Process, and Technology can be found in the 2004 announcement of a new safety device aimed at reducing railcar workplace injury. A joint union-management memo stated, "constant vigilance to the safety process and ongoing training to ensure compliance to safe operating practices is necessary to protect all employees."

All of this provides a nice story for safety management. Why don't we do that for cyber security? Who is providing leadership? Who is measuring the organization? What are the goals?

I am organizing a Colloquium on Cyber Security Awareness to start a conversation about how we improve security within populations such as the general public that is involved in using hundreds of apps and social computing, our customers who use our IT infrastructure to communicate with us, our employees who have access to the information we need to secure, and students who are the future of computing. This event will come in October, National Cyber Security Month.

References

[1] M. Rosen, General Motors: Achieving and Maintaining World-Class Leadership in Worker Health and Safety in the Automotive Industry, Safety Management Education, May 2008, available online at: http://safetymanagementeducation.com/wp-content/uploads/2015/06/Case_Study_GM_Truck_Plant_Case_study.pdf on 22 July, 2016.

A comment on helping people understand some simple concepts

Do you need Geek-speak to be convinced?

If setting up automatic system updates sounds too simple to be effective in combating cyber-attacks, try this...

employing the auto-configurator to engage both server side and client side dissociated daemons in a distributed multi-tasking environment to update the hierarchical organized services directory and install executable specifications, processing abstractions and physical implementations of application program interfaces, peripheral drivers, communication protocols, dynamically linked libraries, interpretable kernels, and other service components and abstractions to their most immediate revision levels as prescribed by the service vendors.

We are proud to announce

MARQUETTE UNIVERSITY

has been designated a
Center of Academic Excellence in Cyber Defense Education
2018-2023

By the Department of Homeland Security and the National Security Agency
for the curriculum path
M.S. in Computer and Information Science with a specialization in Information Assurance and Cyber Defense