Cybersecurity Using Risk Management Strategies of U.S. Government Health Organizations

Seismic data loss attributed to cybersecurity attacks has been an epidemic-level threat currently plaguing the U.S. healthcare system. Addressing cyber attacks is important to information technology (IT) security managers to minimize organizational risks and effectively safeguard data from associated security breaches. Grounded in the protection motivation theory, the purpose of this qualitative multiple case study was to explore risk-based strategies used by IT security managers to safeguard data effectively. Data were derived from interviews of eight IT security managers of four U.S. government health institutions and a review of relevant organizational documentation. The research data were coded and organized to support thematic development and analysis. The findings yielded four primary themes: effective cyber-risk management strategies: structured, systematic, and timely cyber risk management; continuous and consistent assessment of the risk environment; system and controls development, implementation, and monitoring; and strategy coordination through centralized interagency and interdepartmental risk management. The key recommendation based on the study findings is for IT security managers to employ cybersecurity strategies that integrate robust cybersecurity controls and systematic processes based on comprehensive risk management. The implications for positive social change include the potential to positively stimulate patient trust and confidence in healthcare systems and strengthen healthcare professionals\u27 commitments to ensure patient privacy

Optimizing Proactive Measures for Security Operations

Digital security threats may impact governments, businesses, and consumers through intellectual property theft, loss of physical assets, economic damages, and loss of confidence. Significant effort has been placed on technology solutions that can mitigate threat exposure. Additionally, hundreds of years of literature have focused on non-digital, human-centric strategies that proactively allow organizations to assess threats and implement mitigation plans. For both human and technology-centric solutions, little to no prior research exists on the efficacy of how humans employ digital security defenses. Security professionals are armed with commonly adopted "best practices" but are generally unaware of the particular artifacts and conditions (e.g., organizational culture, procurement processes, employee training/education) that may or may not make a particular environment well-suited for employing the best practices. In this thesis, I study proactive measures for security operations and related human factors to identify generalizable optimizations that can be applied for measurable increases in security. Through interview and survey methods, I investigate the human and organizational factors that shape the adoption and employment of defensive strategies. Case studies with partnered organizations and comprehensive evaluations of security programs reveal security gaps that many professionals were previously unaware of --- as well as opportunities for changes in security behaviors to mitigate future risk. These studies highlight that, in exemplar environments, the adoption of proactive security assessments and training programs lead to measurable improvements in organizations' security posture

Improving Data Infrastructure to Reduce Firearms Violence

In the fall of 2020, Arnold Ventures, a philanthropy dedicated to maximizing opportunity and minimizing injustice, and NORC at University of Chicago, an objective nonpartisan research institution, released the Blueprint for a US Firearms Infrastructure (Roman, 2020). The Blueprint is the consensus report of an expert panel of distinguished academics, trailblazing practitioners, and government leaders. It describes 17 critical reforms required to modernize how data about firearms violence of all types (intentional, accidental, and self-inflicted) are collected, integrated and disseminated. This project, which is also supported by Arnold Ventures, takes the conceptual priorities described in the Blueprint and proposes specific new steps for implementation.The first step in building a better firearms data infrastructure is to acknowledge where we currently stand. In The State of Firearm Data in 2019 (Roman, 2019), the expert panel found that while there are a substantial number of data sources that collect data on firearms violence, existing datasets and data collections are limited, particularly around intentional injuries. There is some surveillance data, but health data on firearms injuries are kept separately from data on crimes, and there are few straightforward ways to link those data. Data that provide context for a shooting--where the event took place, and what the relationship was between victim and shooter--are not available alongside data on the nature of injuries. Valuable data collections have been discontinued, data are restricted by policy, important data are not collected, data are often difficult to access, and contemporary data are often not released in a timely fashion or not available outside of specialized settings. As a result, researchers face vast gaps in knowledge and are unable to leverage existing data to build the evidence base necessary to adequately answer key policy questions and inform firearms policymaking.In the Blueprint, the expert panel developed a set of recommendations organized around a reconceptualization of how data are collected and who collects data. The broad themes from the Blueprint are as follows:Almost all surveillance data in health and criminal justice is generated locally. It is a high priority to provide information, technical assistance, implementation supports, and funding to state and local governments to improve their collections.Comprehensive monitoring of all federal data collections is needed to ensure that important data elements are being collected, data gaps are being addressed, and quality issues are quickly resolved.Timely dissemination of key data is important, including the development of guidelines to ensure consistency across collections and that resources are made available to speed reporting for collections with historical delays.Improvement is needed in strategic communication about the purpose and use of data to federal agencies, researchers and to the general public.The current report builds on the Blueprint by developing implementation guidance for key recommendations. Where the Blueprint included actionable recommendations, such as naming discontinued surveys that should be resurrected, this report develops specific recommendations for implementation. The report is centered on three topics that were the highest priority for the expert panel but that required additional research before guidance could be disseminated. The research findings from that additional investigation are reported here, and recommendations to facilitate implementation are described. The three topic areas are as follows:The creation of a nonfatal firearms injury databaseIncreasing the quality, availability, and usefulness of firearms data for research and policyPractical steps for building state capacity and infrastructure to use data for evidence-based decision-makin

Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)

In 2014 NATO’s Center of Excellence-Defence Against Terrorism (COE-DAT) launched the inaugural course on “Critical Infrastructure Protection Against Terrorist Attacks.” As this course garnered increased attendance and interest, the core lecturer team felt the need to update the course in critical infrastructure (CI) taking into account the shift from an emphasis on “protection” of CI assets to “security and resiliency.” What was lacking in the fields of academe, emergency management, and the industry practitioner community was a handbook that leveraged the collective subject matter expertise of the core lecturer team, a handbook that could serve to educate government leaders, state and private-sector owners and operators of critical infrastructure, academicians, and policymakers in NATO and partner countries. Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency is the culmination of such an effort, the first major collaborative research project under a Memorandum of Understanding between the US Army War College Strategic Studies Institute (SSI), and NATO COE-DAT. The research project began in October 2020 with a series of four workshops hosted by SSI. The draft chapters for the book were completed in late January 2022. Little did the research team envision the Russian invasion of Ukraine in February this year. The Russian occupation of the Zaporizhzhya nuclear power plant, successive missile attacks against Ukraine’s electric generation and distribution facilities, rail transport, and cyberattacks against almost every sector of the country’s critical infrastructure have been on world display. Russian use of its gas supplies as a means of economic warfare against Europe—designed to undermine NATO unity and support for Ukraine—is another timely example of why adversaries, nation-states, and terrorists alike target critical infrastructure. Hence, the need for public-private sector partnerships to secure that infrastructure and build the resiliency to sustain it when attacked. Ukraine also highlights the need for NATO allies to understand where vulnerabilities exist in host nation infrastructure that will undermine collective defense and give more urgency to redressing and mitigating those fissures.https://press.armywarcollege.edu/monographs/1951/thumbnail.jp

Homeland Security Affairs Journal, Volume 14 / 2018

Homeland Security Affairs is the peer-reviewed online journal of the Naval Postgraduate School Center for Homeland Defense and Security (CHDS), providing a forum to propose and debate strategies, policies, and organizational arrangements to strengthen U.S. homeland security. The instructors, participants, alumni, and partners of CHDS represent the leading subject matter experts and practitioners in the field of homeland security. Homeland Security Affairs captures the best of their collective work, as well as that of scholars and practitioners throughout the nation, through peer-reviewed articles on new strategies, policies, concepts and data relating to every aspect of Homeland Security. These articles constitute not only the “smart practices” but also the evolution of Homeland Security as an emerging academic and professional discipline. Sponsored by the U. S. Department of Homeland Security’s National Preparedness Directorate, FEMA, CHDS is part of the Naval Postgraduate School (NPS). CHDS provides graduate and executive education programs to the nation’s homeland security leaders, including governors, mayors, senior local, state, federal and private sector officials and select military officers. CHDS also operates the Homeland Security Digital Library, which is the authoritative tool for research in the field of homeland security policy and strategy.Sponsored by the U. S. Department of Homeland Security’s National Preparedness Directorate, FEMA, CHDS is part of the Naval Postgraduate School (NPS)