Abstract
Case-based learning (CBL) approaches are critical to the education of tomorrow’s executives and managers. CBL instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. There is unfortunately a lack of quality teaching resources to support CBL in information security management (ISM). In this paper, we address this need by developing, refining, and evaluating a teaching case of a hypothetical firm that suffers a catastrophic incident of intellectual property (IP) theft. Protecting IP is both complex and expensive as it involves developing enterprise-wide security mechanisms for the people, process, and technology dimensions of organizations. We drew the plot, narrative, characterization, dilemmas, and conflict from two landmark legal cases to focus on the three key areas of organizational security as defined by the joint task force on cybersecurity education—risk management, planning and strategy, and policy and governance. Our case was used to teach information security to Management Information Systems students enrolled in a Master’s Degree at the University of Melbourne, Australia. We subsequently developed a survey instrument to measure the utility of the teaching instrument for teaching. Survey data collected across 2 consecutive years indicated that students strongly agreed that the teaching case was relevant, realistic, engaging, challenging, and instructional.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Availability of data and material
Not applicable.
Code Availability
Not applicable.
Notes
The joint task force included the following stakeholders: ACM, IEEE Computer Society, AIS Special Interest Group on Security and Privacy, and IFIP WG 11.8.
References
Yang SC (2020) A meta-model of cybersecurity curriculums: assessing cybersecurity curricular frameworks for business schools. J Educ Bus 2020:1–12
Cram WA, D'Arcy J (2016) Teaching information security in business schools: current practices and a proposed direction for the future. Commun Assoc Inf Syst 39(1):3
Ahmad A, Maynard S (2014) Teaching Information Security Management: reflections and experiences. Inf Manag Comput Secur 22(5):513–536. https://doi.org/10.1108/IMCS-08-2013-0058
Burley D, Bishop M, Buck S, Ekstrom JJ, Futcher L, Gibson D, Hawthorne EK, Kaza S, Levy Y, Mattord HJ, Parrish A (2017) CYBERSECURITY CURRICULA 2017: Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity, 1st edn. ACM, IEEE, AIS, IFIP
Lowry G, Turner R (2005) Information systems education for the 21st century: aligning curriculum content and delivery with the professional workplace. In: Technology literacy applications in learning environments. IGI Global, pp 171–202
Lee S-h, Lee J, Liu X, Bonk CJ, Magjuka RJ (2009) A review of case-based learning practices in an online MBA program: a program-level case study. J Educ Technol Soc 12(3):178–190
Kendall JE, Kendall KE (2017) Enhancing online executive education using storytelling: an approach to strengthening online social presence. Decis Sci J Innov Educ 15(1):62–81
Reed MM, Brunson RR (2018) Exploration of the efficacy of the case method of teaching. In: The CASE Journal
Cabaj K, Domingos D, Kotulski Z, Respício A (2018) Cybersecurity education: evolution of the discipline and analysis of master programs. Comput Secur 75:24–35
Kam H-J, Menard P, Ormond D, Crossler RE (2020) Cultivating cybersecurity learning: an integration of self-determination and flow. Comput Secur 2020:101875
González-Manzano L, de Fuentes JM (2019) Design recommendations for online cybersecurity courses. Comput Secur 80:238–256
Diffee E, Datta P (2018) Cybersecurity: the three-headed Janus. J Info Technol Teach Cases 8(2):161–171
McLaughlin M-DJ, Hansen S, Cram WA, Gogan JL (2015) Snowfall and a stolen laptop. J Info Technol Teach Cases 5(2):102–112
Whitman ME, Mattord HJ (2017) Principles of information security, Course Technology, Cengage Learning, 6th edn
Ahmad A, Maynard SB, Park S (2014) Information security strategies: towards an organizational multi-strategy perspective. J Intell Manuf:257–370. https://doi.org/10.1007/s10845-012-0683-0
Shedden P, Ahmad A, Smith W, Tscherning H, Scheepers R (2016) Asset identification in information security risk assessment: a business practice approach. Commun Assoc Inf Syst 39:297–320
Webb J, Ahmad A, Maynard SB, Shanks G (2014) A situation awareness model for information security risk management. Comput Secur 44:391–404. https://doi.org/10.1016/j.cose.2014.04.005
Ahmad A, Webb J, Desouza KC, Boorman J (2019) Strategically-motivated advanced persistent threat: definition, process, tactics and a disinformation model of counterattack. Comput Secur 86:402–418. https://doi.org/10.1016/j.cose.2019.07.001
Leuprecht C, Skillicorn DB, Tait VE (2016) Beyond the Castle Model of cyber-risk and cyber-security. Gov Inf Q 33(2):250–257
Maynard SB, Tan T, Ahmad A, Ruighaver T (2018) Towards a Framework for Strategic Security Context in Information Security Governance. Pacific Asia J Assoc Info Syst 10(4):65–88
Sveen FO, Torres JM, Sarriegi JM (2009) Blind information security strategy. Int J Crit Infrastruct Prot 2(3):95–109
Maynard SB (2007) Ruighaver AB Security Policy Quality: a multiple constituency perspective. In: Dhillon G (ed) Assuring Business processes, Proc. of the 6th Annual Security Conference, Washington DC, USA, 11-12 April 2007. Global Publishing, USA
Cram WA, Proudfoot JG, D’Arcy J (2017) Organizational information security policies: a review and research framework. Eur J Inf Syst 26(6):605–641
Bada M, Nurse JR (2019) Developing cybersecurity education and awareness programmes for small-and medium-sized enterprises (SMEs). Info Comput Secur 27(3):393–410
Baskerville R (2005) Information warfare: a comparative framework for business information security. J Info Syst Secur 1(1):23–50
ISO/IEC (2005) ISO/IEC 27001:2005. Information Technology - Security Techniques - Information Security Management Systems - Requirements.
Siponen M (2006) Information security standards focus on the existence of process, not its content. Commun ACM 49(8):97–100
Shedden P, Scheepers R, Smith W, Ahmad A (2011) Incorporating a knowledge perspective into security risk assessments. VINE J Knowledge Manag 61(2)
Ahmad A, Hadjkiss J, Ruighaver AB (2012) Incident response teams - challenges in supporting the organizational security function. Comput Secur 31(5):643–652
Neuman WL (2014) Social research methods: qualitative and quantitative approaches, Seventh edn. Pearson Education Ltd, London
National Bureau of Asian Research (2017) Update to the IP Commission Report: the Report of the Commission on the Theft of American Intellectual Property.
US District Court for the Western District of Washington (2019) USA v. Huawei Device Co., LTD. : CR19-10-RSM. US District Court for the Western District of Washington,
U.S. Department of Justice (2015) Kolon Industries Inc. Pleads guilty for conspiring to steal DuPont trade secrets involving Kevlar Technology. U.S. Department of Justice,. https://www.justice.gov/opa/pr/kolon-industries-inc-pleads-guilty-conspiring-steal-dupont-trade-secrets-involving-kevlar.
Tawfik A, Jonassen D (2013) The effects of successful versus failure-based cases on argumentation while solving decision-making problems. Educ Technol Res Dev 61(3):385–406
Darabi A, Arrington TL, Sayilir E (2018) Learning from failure: a meta-analysis of the empirical studies. Educ Technol Res Dev 66(5):1101–1118
Hull DM, Lowry PB, Gaskin JE, Mirkovski K (2019) A storyteller’s guide to problem-based learning for information systems management education. Inf Syst J 29(5):1040–1057
Tan T, Ruighaver A, Ahmad A (2010) Information security governance: when compliance becomes more important than security. In: Rannenberg K, Varadharajan V, Weber C (eds) Security and Privacy – Silver Linings in the Cloud, IFIP advances in information and communication technology, vol 330. Springer, Berlin Heidelberg, pp 55–67. https://doi.org/10.1007/978-3-642-15257-3_6
Ahmad A, Desouza KC, Maynard SB, Whitty M, Kotsias J, Baskerville R (2020) Situation-awareness in incident response: an in-depth case study and process model. Paper presented at the International Conference on Information Systems. Hyderabad, India
Alshaikh M, Naseer H, Ahmad A, Maynard SB (2019) Toward sustainable behaviour change: An approach for cyber security education training and awareness. Paper presented at the European Conference on Information Systems, Sweden
Ahmad A, Maynard SB, Shanks G (2015) A case analysis of information systems and security incident responses. Int J Inf Manag 35(6):717–723. https://doi.org/10.1016/j.ijinfomgt.2015.08.001
Shedden P, Ruighaver AB, Ahmad A (2010) Risk management standards – the perception of ease of use. J Info Syst Secur 6(3)
Alshaikh M, Maynard SB, Ahmad A (2015) Information security policy: a management practice perspective. In: The 26th Australasian Conference on Information Systems,, Adelaide, Australia
Ahmad A, Desouza KC, Maynard SB, Naseer H, Baskerville RL (2020) How integration of cyber security management and incident response enables organizational learning. J Assoc Inf Sci Technol 71(8):939–953. https://doi.org/10.1002/asi.24311
Maynard SB, Onibere M, Ahmad A (2018) Defining the strategic role of the chief information security officer. Pacific Asia J Assoc Info Syst 10(3):61–86
Ahmad A, Bosua R, Scheepers R (2014) Protecting organizational competitive advantage: a knowledge leakage perspective. Comp Secur 42:27–39. https://doi.org/10.1016/j.cose.2014.01.001
University of Melbourne (2020) Subject Experience Survey (SES). University of Melbourne. https://ses.unimelb.edu.au/.
Kim S, Phillips WR, Pinsky L, Brock D, Phillips K, Keary J (2006) A conceptual framework for developing teaching cases: a review and synthesis of the literature across disciplines. Med Educ 40(9):867–876
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix 1. Representative quotes from surveys 1 and 2
Responses to “What did you find most interesting about the case?”—survey 1
Code | Representative quotes |
|---|---|
Storyline (41%) | P9 - It’s a series of plots that are interesting and inspiring P44 - it’s a complex case which involves many different security issues, with two aspects both villains and FC design P55 - So many twists to the plot:) P129 - Overall a well put together narrative for learning engagement P146 - The setting of different role enables us to think from different aspects. It reminds me a lot of things/ perspectives that I did not consider |
Lifelike (32%) | P23 - Focusses on dilemmas and perspectives of different employees in an organisation that is very much realistic P62 - In the case it simulates a real business problem that related to security risks P80 - It is interesting to think about questions relevant about the subject in real world case P143 - The case looks very realistic and we can learn from the case study that information security must protect the business function P158 - The story seems real; it can happen in real world |
Interactive Case Style (28%) | P61 - How adjusted to the real world it is and how much of a film like drama the situation can feel like in an organisation P83 - It creates a scenario in the real world, like a part of a small movie which helps me understand the context better P160 - It is easy to be involved in the case because of the participants dialog |
Multiple Stakeholder Perspectives (20%) | P27 - It is interesting to see how security is perceived by different people in different domains in the company P60 – The different perspectives. You can learn from two company's aspect with a lot of stakeholders involved in P101 - It tells story from both sides which enhances our understanding of the issue. Staff from all types of departments are involved which demonstrates that security issues are comprehensive issues P157 - It provides perspective from different stakeholders. It differentiates the role of different departments related to information security |
Integrates Subject Material (15%) | P28 - The case study and related questions stimulate the thinking process and very much is relevant to the consent/subject under study P38 - The case study scenes are relevant with the perspectives of teaching sections and due to that it helps better in understanding P54 - Some of it was predictable which is a good indication that I was able to reflect on my understanding of cyber security based on my experience and through the lectures P104 - I think it is cohesive with the lecture material and reinforces the concepts explained in class P125 -The case is quite related to the knowledge which learnt from the lecture and also it is relevant to my life |
Gives Understanding of Security in the Real World (14%) | P7 - The way the case is presented in scenes and scenarios it made it easier to relate it to real world cyber security problems and by solving it P122 - The case represented the most common problem that might exist in most organisations. To learn how to address their issues help us learn the simulation in real world |
Complexity of Case (12%) | P5 - The complex competitive environment is really difficult to deal with P131 - I liked the way it was about multiple small level problems that were dismissed but that converged to create a very large problem |
Case Generates Immersive Engagement (8%) | P51 - This is quite exciting for people that do not have a clue about computer security P60 - It’s so intriguing and inspiring P166 - The scenario is engaging and intriguing - the main message is clear |
Holistic Information Security View (7%) | P2 -The case study gives a holistic view of security issues in an organisation and makes us think beyond IT security P121 - The broad spectrum of issues covered, from the management perspective to the technological solutions |
Case is Easy to Understand (6%) | P69 - Following the context I can quickly understand the reality in the company and its challenges P101 - It tells story from both sides which enhances our understanding of the issue P166 - Language is easy to understand |
Security is also a Human Problem (2%) | P10 - The way intellectual thefts can happen and why people are the weakest link P79 - And most interesting how in the end it comes down to people’s behaviour of work rather than technical enforcements only P170 - It was really interesting to see how information security issues develop away from tech details and how human behaviour and mismanagement could have catastrophic impact |
Responses to “What did you find most interesting about the case?”—survey 2
Responses to “How do you think we can improve the case?”—survey 1
Code | Representative quotes |
|---|---|
Provide More Case Support Materials (43%) | P28 - Key points/key terms should be provided somewhere in the beginning or end so that the reader / analyser is not missing any important element from the case study P55 - More information on scene 13 about policies may be added P76 - Provide visual graphics that depict organisational hierarchy/stakeholder maps P99 - Some diagrams related to IS which represents the development of the case or the relationship of those people can make sense directly P135 - More background introduction and relationship between people, it is hard to remember all names and what roles they are in P164 - If more background information could be provided that would be great P169 - Show some of other departments meetings and what are their point of view about the case, cuz this is not one department issue |
Reduce Language Complexity (12%) | P86 - There are so many words to describe the scenes and environment. Some of them are complex and hard to understand P165 -Some of the scenes might be a bit difficult to understand, especially for those which English is not their 1st language |
Reduce Size (9%) | P85 - Cut down word counts P94 - Make it shorter and more informative, cut the redundant descriptions |
Extend Questions Being Asked (7%) | P2 - It would be better to have a longer discussion to understand the case deeper. This can be done by introducing more questions, different perspectives etc. P30 - Some questions are too easy, don’t support the learning objectives in the maximum way - e.g. "What is he going to say" and some other q in Scenes 1-6/ I know the case is trying to engage a variety of skillsets and language abilities, but it could be harder or include "bonus q's" to help develop skills for extra learnings P84 - Some questions I think not meaningful. I thought it could give more interesting questions for us to think about |
More Problem Complexity (6%) | P34 - A little more detailed or complex problem could have been used P119 - Even though the case study highlights / covers topics a bit from a high level from what is being taught, it would be great if more in depth topics are incorporated as well, GOOD LUCK! P130 - I think in the real world the scenario would be much more complicated |
Don’t change it (6%) | P6 - The presented case does not need improvement P143 - Perfect |
Longer Time to Discuss Case (5%) | P35 - Provide more time for us to understand and discuss the case P97 - More group discussion |
Suitability of Script (5%) | P129 - It can be hard to differentiate the talking party, define the talker after a line more frequently. May be difficult to achieve the same degree of active learning without tutor assistance |
More technical detail (4%) | P63 - Could have more complex problems from a technological point not just a people issue |
Release Case for Pre-Reading (4%) | P154 - Make the reading material available before class |
Provide Discussion Answers (3%) | P72 - Except discussing every point and questions, the tutor could give us the related answers in the end to make sure that we have the correct ideas on the questions |
Fix Up Stereotypes (3%) | P9 - One of the things in the case made me feel uncomfortable is the Asian guy. It doesn’t need to be emphasised - it happens everywhere in the world just pick random name P100 - Having Russians and Asians as bad guys in the story is quite stereotypical to see, but it unfortunately helps to build negative perceptions about the nationalities |
Improve Reality of Case Scenario (3%) | P74 - The case has many different perspectives. However, the case is not that real because it missed out lots of details |
More Case Background Materials (2%) | P13 - More background details can be provided |
Provide more guidance on the questions (2%) | P12 - Questions too hard for people doing an IT rather than business degree; Tutors give little information |
Reduce Descriptiveness of Case (2%) | P79 - Should be given more information on how it happened (the attack). Should delete unnecessary contents such as description of coffee and characters entry into scene |
More Detailed Conclusion (1%) | P25 - The more focus can be put what the organisation should be doing from here on to prevent it so that we learn that perspective too |
Link Case better to Subject Materials (1%) | P10 - You can design it more towards what is talked about in lectures, giving references of slides which are being targeted for any particular scene |
Responses to “How do you think we can improve the case?”—survey 2
Code | Representative quotes |
|---|---|
More Detailed Conclusion (12%) | P172 - I want to know more about the ending of the story. Like what actually happens after these scenes. How do they actually do? P196 - Provide more details about how the company solve the problem in the end. Then we can know what kind of ideas would be better for a company to improve their information security in the real world P213 - Perhaps a further mitigation strategy on how they coped with this attack and the practice enforced to present future attacks would help us understand a potential solution to such industry problems P281 - Maybe give our idea how Horizon company deal with the loss |
Provide More Case Support Materials (12%) | P178 - Add "Expert comments" to validate reader's learning P217 - Add some multi-choice questions. Also, summary the knowledge from the lecture at the end of each scene P263 -More details about the information security. More definition about the key concepts |
More technical detail (7%) | P174 - Probably more about security specific to IT (the jargon). Some names of tools and specific attacks P194 - Make it more technical rather than only in a management level. Provide more details about the specific information of the implementation from a technology perspective P267 - Add more technical details on how Jordan collect the data/materials/information |
Don’t change it (5%) | P279 - Nothing. It contains lot of conversations, easy to understand and good for students who have no cyber security background like me |
Reduce Size (5%) | P195 - The case study is easy and interesting; however, it is a little bit long. Sometimes the main point is not easy to catch |
Add Images / multimedia (4%) | P265 - Use multi-media, such as video clips and pictures to show the story |
Reality of Case Scenario (4%) | P199 - To be honest, although the situation talked by the several scenes is typical and classical, it's too out-of-date to some extent. I don't think such would happen nowadays. That would better if some new issues related network or new business pattern talked about |
Provide more guidance on the questions (4%) | P246 - The questions after each scene could be better designed with more course materials, such as what long-term strategies could be proposed from what's been learnt in class. Current questions are a bit basic and it relies a lot on tutors to stimulate conversation |
Reduce Characters (4%) | P226 - Too many characters, difficult to remember the name |
Reduce Descriptiveness of Case (4%) | P203 - There are so many words which are not related to the topic. For example, some words which describe people's emotions, gestures, move. Too much contents for the background description |
Link Case better to Subject Materials (4%) | P252 - The study case should reflect more of the content from the lecture |
Suitability of Script (4%) | P277 - I think the case can be wrote in a report manner rather conversations |
More Complexity (3%) | P197 - I think the case is too easy. Maybe in the real world the situation is more complicated |
Provide Discussion Answers (2%) | P270 - Maybe provide more comprehensive solutions and results of the case |
More Case Background Materials (2%) | P264 - Horizon case gives a logic idea towards the topic/subject and information security. But I feel we need some more information to analyse and know about the types of attack and how business information is really protected |
Extend Questions Being Asked (1%) | P217 - Add some multi-choice questions |
Appendix 2. The Horizon teaching case
Scene 1
Present time, somewhere in the north of Europe
Wednesday the 1st of March started like any other day. Anders Svensson, CEO of Horizon Automotive, parked the firm’s latest model hypercar out the front of a tall non-descript building. He hurried up the steps, skipped through the revolving door and made his way to a corner office on the top floor.
“Good morning Erik,” he smiled at a middle-aged bespectacled gentleman. Erik had his head down close to the keyboard – he was typing cautiously with his two index fingers. He would periodically look up to squint at his large screen.
Awkward silence.
Erik looked up towards Anders.
“Hello Anders, I have some unfortunate news.”
“What news?” Anders stared at Erik. He could feel a knot forming in his gut.
“I’m afraid we won’t be placing that order for your NextGen model this year.” Erik looked half apologetic.
“Why? If it’s a matter of price we can negotiate a volume discount if you increase your order to at least 1o units?”
“No, no… it’s not a problem of price,” Erik took a deep breath and leaned back on his expensive leather chair.
“Then?” Anders looked perplexed.
“We’ve decided to place the order with a different firm.” Erik braced for Anders’ reaction.
Anders jaw almost dropped to the floor. “What do you mean you’ve awarded the contract to someone else? We are the leading manufacturer of performance cars in the country. We’re the ONLY manufacturer of performance cars in the country.”
“Yes… Well… that’s true,” stuttered Erik. “But we’ve found another firm that can fulfil our needs. And at a price you won’t be able to match.” Erik could be so matter of fact if he wanted to.
Anders world was spinning. Horizon dominated the super car market in this part of the world. The firm only manufactured 20 to 25 cars every year, but each sold for well over 1.5 million dollars – US dollars that is.
“You’ve found a firm that produces engines that weigh around 200kg but can produce over 900 hp and can accelerate a car from 0 to 100 km/h in 2.5 seconds flat?”
“They say they can,” blinked Erik. “And they are almost as pretty as yours. In fact, come to think of it, there’s even a faint resemblance to your cars. It’s as if they are siblings or cousins perhaps.”
“Who?” uttered Anders, meekly.
“Who what?” muttered Erik.
“What is the name of the firm?” Anders could feel the heat rising to his face.
“I’m sorry. I can’t say. But it’s not a local firm. In fact, it’s not even a European firm.”
“What’s the name,” Anders insisted.
Erik folded his arms and stared into space. Anders could almost feel his face becoming bright red. “Give me the name!”
Erik got up, peered down the corridors and then shut the door.
A few seconds later Anders stormed out of the office - his chest heaving, his anger palpable. He pulled out his cell phone and hit the first speed dial button.
“Patrick, I need your help. I need you to find what you can on a firm named FC Design.”
Scene 2
Present Time, Horizon Automotive’s offices in Sweden
Anders sat in his posh penthouse office with Lena, his trusted confidante, and VP Research & Development. A manila folder lay on the mahogany table in front of them. It was marked ‘From Patrick Chau - Nordic Risk Intelligence’. Lena carefully undid the clasp and lifted a series of high-resolution pictures.
“Oh, dear God,” Anders was staring at the spitting image of the NextGen Horizon super car. The car was still under development and no living soul had seen the design outside of the R&D team, and him of course.
“How could it be?”
Lena looked up at Anders. “What did you say the name was?”
“FC Design”.
“Wasn’t that the firm that hired one of the engineers from our R&D team about a year ago?
Anders stared at Lena for a moment, his jaw tightened. He picked up the phone to his IT Manager.
“Kurt – I need you to review the logs of all R&D systems from about a year ago. I want to know if Emil accessed any files from the NextGen project before he left.”
Scene 3
A few years prior to the present time, Dubai (United Arab Emirates)
Oliver was quite at home strolling barefoot on the white sands of Dubai’s Jumeirah beach. The sun was penetrating, as usual, but the cool breeze made it somewhat tolerable.
“Oliver?” a voice came from behind him. A middle-aged gentleman dressed casually but fashionably in a sports blazer, a t-shirt, shorts, and expensive sunglasses cautiously extended his hand. Oliver shook the hand and pointed to a nearby cafe.
Oliver took the first table under the shade of a large yellow umbrella, thankful to be out of the sun. The client sat opposite him. He took off his glasses and laid them on the table in a slow deliberate motion, as if he were reluctant to reveal his face. The almond-shaped eyes focused laser-like at Oliver.
The client was clearly Asian, extremely wealthy by the way he dressed, and appeared to be very educated from the way he constructed his sentences. That’s about all Oliver could tell at the moment. The client reached into his front pocket and pulled out a business card, carefully laying it on the table in front of Oliver. The card read “FC Design Automotive Industries”. On the second line it said “Research & Development” in bold lettering. No name specified on the card. Oliver glanced at the contact details and address at the bottom of the card -committing the details to memory.
“Call me John,” the client showed no emotion.
“How can I help?” Oliver was curious.
“We would like to procure your services,” the client had a distinctive Canadian accent.
“To do what exactly?” Now Oliver was intrigued.
The client’s hand went into the inside pocket of his jacket pulling out a photograph the size of a greeting card. “Do you recognize this car?”
Oliver raised his eyebrows. “Yes, I do. It’s an Horizon Altitude. Top of the line performance vehicle.”
“Excellent,” said the client returning the photograph to his pocket.
“The incoming CEO of FC Design has outlined an ambitious new vision for the company. He would like the firm to compete in the hypercar market in ten years. Recently, engineers from our R&D division visited the manufacturing division of Horizon. We were very impressed with their… capability.”
Oliver remained silent. The client continued…
“We have the financial resources, we have the factory space, and a highly skilled engineering workforce with considerable experience in building passenger vehicles. But engineering a hypercar requires a higher order capability. To start with, we need you to collect as much information as possible about their next generation project - the designs, the specifications of the parts, the names of their suppliers, the pricing of the raw materials, everything. “
“Why the pricing of the raw materials?”
“To improve our negotiating position with the suppliers,” smiled the client.
“Of course,” said Oliver sheepishly.
“And the matter of my remuneration?”
The hand went into the suit jacket once more. Out came an envelope. Inside was a piece of white paper with a figure written on it. Oliver counted the zeros after the leading digit. “Excellent,” he smiled.
Scene 4
Present time, Horizon Automotive’s offices in Sweden
“I’ve got bad news, unfortunately.” Kurt had that scowl on his face again.
“Emil copied hundreds of files from the NextGen project server a few weeks before he left the firm.”
Anders was livid. “How come this is the first time I’m hearing of this?”
“Umm… actually you were briefed at the time, but we were distracted by a procurement issue.”
Anders didn't say anything. He vaguely recalled that Horizon’s supply chain was under threat because a key supplier had declared bankruptcy.
“Well - that’s an Information Security breach. This is your fault!”
Kurt pursed his lips. “Actually - it’s not our area of responsibility. We just maintain the availability of IT systems and networks. We have no idea what information is stored on these systems and what is sensitive. There’s no ‘need-to-know’ policy at this firm. Besides, Emil was part of the R&D team, so he had the authority to access these files.
“But you are in charge of INFORMATION SECURITY”. Now Anders was going red in the face.
“Umm… we’re responsible for IT security”. Retorted Kurt.
“That’s the same thing!” roared Anders.
“Not exactly.”
“Damn!” Anders was clearly not happy. “So, who did Emil speak to in the firm, are these people still here? And did they have access to the paper archives? What did they take from there?”
“No idea. That’s outside the scope of our role. We don’t know what’s in those archives and how many copies of confidential information might be floating around the organization. We obviously don’t know who they’re speaking to either.” Kurt was becoming a bit uncomfortable.
“So, who’s in charge of securing paper files and phone conversations etc.?” Anders was like a dog with a bone.
“Ummm… everybody.” Kurt blinked.
“You mean nobody?” thought Anders to himself.
In his mind, he was already calculating the cost of this leak.
Scene 5
Present time, Horizon Automotive’s offices in Sweden
Patrick Chau took a deep breath, adjusted his horn-rimmed glasses and began his briefing, “FC Design started only ten years ago. The firm produces a range of passenger vehicles for the Asian market. Sales are around 3 million vehicles per annum, so they aren’t a smaller player by any means, but they have no market share in Europe.
They clearly don’t have the ‘know-how’ or the technology to build cars with the kind of propulsion, weight-efficient construction and aerodynamics of hypercars….”
Anders raised his hand for Patrick to stop.
“How does a garden-variety automotive manufacturer graduate to building hypercars in less than ten years?”
“Well that’s the billion-dollar question, isn’t it?” Patrick shrugged.
Anders flipped open his laptop and began to scroll through a folder marked ‘stolen R&D files’.
After a few minutes of scrolling and thinking Anders leaned back on his chair. He looked at squarely at Patrick, “There’s got to be more to this story. The blueprints are not enough. FC Design had to build a supply chain similar to ours. They had to acquire the carbon-fibre to build the car from that supply chain at lower prices than us. Supplier names, pricing, materials identification is not stored on the NextGen servers. These are stored separately on the financial network. So, Emil could not have gotten his hands on that information.”
Anders looked quizzically at Lena and Kurt. Lena was busy poring over her personal ledger - staring at her scribbles - paying no attention to Anders or Patrick.
Kurt was still scowling…but there was something else. He seemed to have lost the colour in his face.
“What?” Anders sensed things were about to go from bad to worse.
“Remember how a number of Swedish firms, including our IT systems, were hit by a zero-day attack in July, 2 years ago?”
Anders had already covered his face with his hands. Lena got up and walked out in a hurry, phone in hand.
“Our incident response team reported that the attackers had spent most of their time in our financial network. I’d have to go through their report again and cross-reference the IP addresses, timestamps etc. with the logs but it’s quite possible they could have copied a large number of spread sheets, invoices, memos etc.”
“I’m afraid it gets worse, said Lena stepping back into the room.
“I was just speaking to Lars, the head of our physical security team. Apparently, a couple of years ago we had a visit from a delegation consisting of several firms from the other side of the world. FC Design was listed as one of those firms. They were touring Swedish heavy industries. Our engineers reported that some of the delegates, quite possibly from FC Design, had very specific questions about our triplex suspension technology, propulsion systems etc. Some of them were taking pictures with their mobile phones. We eventually confiscated them, but we had to give them back. “
The dots were beginning to connect in Anders mind.
Scene 6
Recent Past, London (United Kingdom)
“Jordan!” shouted Oliver, waving the tall lanky kid over to the park bench where he sat, newspaper in hand.
“What did you think of the assignment I gave you?”
Jordan shrugged. “Easy mate, E-a-s-y. It’s a civilian company, no sweat.”
“Yes, yes I know,” said Oliver impatiently. But I want you to follow standard protocol anyway. What’s the plan? And explain it to me in layperson’s terms. I don’t speak machine language.”
Jordan scratched his bald head. Then adjusted his glasses on the bridge of his nose.
“Okay. I find vulnerabilities on their systems. I need to study the firewalls, servers - see if they have installed all the latest patches. If there aren’t installing patches, then it’s easy to find a bug to exploit.
“Won’t that raise an alarm?”
Jordan looked at him strangely. “Do you have any idea how many attacks these firms have every day? Every minute? Everyone is door-knocking mate so you can easily hide among them. They won’t be paying any attention.”
“And if there is no obvious way in then?” Oliver was not convinced.
Jordan looked pretty confident, “well… then we hijack some poor executive’s laptop. Someone inside the company will use a VPN to remote login, or create a Wi-Fi Access point inside the firm or maybe someone made a mistake wiring the hub so traffic might be going around the firewalls rather than through – or maybe we can go through the photocopier, there are heaps of ways.
“Don’t you have to be physically present to break in using the wireless hotspot?” Oliver was dotting the i’s and crossing the t’s.
“If it comes to that, then yes – I’ll have to fly there.”
“And if that doesn’t work?”
Jordan was getting bored, “worst case scenario - we buy a zero-day vulnerability from the market and design a special malware weapon. We break the malware into small pieces so we can smuggle in the pieces separately through the network perimeter and then reassemble them inside to open a backdoor so we can come in.”
“How much will that cost?” queried Oliver?
Jordan shrugged. “Between $5,000 to $250,000.”
Oliver let out a long whistle. “Don’t they have an alarm system of some sort to detect if someone has come in?”
“You mean an Intrusion Detection System? If we write a special weapon the IDS won’t ‘trip’”.
“Why is that?”
“IDS’ match incoming traffic with signatures in a database – since our malware is unique it will create a unique signature that won’t be in any database. We just need to be careful not to borrow code from other malware.
“Okay.” said Oliver - impressed but trying hard not to show it.
“Then what?”
“Infiltrate. We make backdoors everywhere so even if they find some, we can come through other entry points. Then we take the information - because we can.” Jordan smiled. He rarely smiled. He loved it when a plan came together.
“Excellent.” Oliver felt satisfied.
Scene 7
Present time, Horizon Automotive’s offices in Sweden
Anders enters a packed conference room. Seated around the conference table were Kurt (Director, IT Services), Gustav (HR Manager), Lena (VP R&D), Linus (VP, Manufacturing), and Lisa (Corporate Solicitor).
Anders looked up at the solemn faces. His cheeks had sunken in and his eyes were weary - he didn’t function well without sleep.
“This meeting is to discuss the systemic flaws in the way we approach security so we can diagnose the problem and think about what resources we need to marshal. So, for those of you who are not up to speed with the facts of this recent and catastrophic incident, let me recap.
Over the last five to seven years Horizon experienced several security incidents. In hindsight, we now know that these incidents can be linked back to a firm named FC Design. This firm is a mid-range automotive manufacturer without any background in building hypercars. We believe FC Design has very deliberately stolen our IP to erode our competitive advantage and shift the competitive landscape in their favour. They were successful. As a result, in the short-term Horizon has lost a number of contracts, we’ve got to build a new design from the ground-up, and we’re not going to be producing a new car for the next few years at least. The immediate financial hit is in the hundreds of millions of dollars. The bigger problem is that FC Design is going to be a long-term competitor. I’m sure you know what that means for our sales volume, our market share and our profit margin.
So… the objective of this meeting is to help us collectively understand how we leaked our IP and what needs to be done to ensure it doesn’t happen again.
Let me begin by asking a simple question. What’s our strategy regarding leakage mitigation?”
Silence.
Lisa was the first to speak. Well… we don’t have a strategy. And, as the firm’s solicitor, I can say we’ve been taken a number of times to court on the matter. We’ve leaked confidential contracts by accidentally emailing them to the wrong person, we’ve had employees downloading God knows how much information on their personal iPads, mobile phones, laptops etc. Must I go on? I’ve flagged numerous times that we are vulnerable on this front.”
Anders began to stroke his chin.
“O-k-a-y, not the answer I was looking for but nevertheless thank you. So… let me go back to Kurt. I still don’t quite understand why this is NOT an Information Security problem.
All the faces in the conference room simultaneously swivelled to focus on Kurt.
“Ahem… well... as I said before in a private meeting with Anders and Lena,” Kurt spoke in monotone.
“All of our computing systems and networks exceed 90% availability. We have firewalls, intrusion detection systems, and anti-virus software that protect us from some pretty sophisticated attacks. We have a master spreadsheet that tracks access privileges - we update that routinely. We also have an incident response team that is ready to mobilize at any time. I could go on, but in general we comply, even exceed industry best-practice standards on IT Security.”
Anders was not impressed. His voice was raised - that tended to happen when he got excited. “What good is compliance with best-practice standards?” Anders glowered at Kurt. “Did you identify theft of our entire <bleep> flagship product line as a security issue?”
Kurt stared at the floor. He mumbled something.
“Your role clearly has ‘information’ and ‘security’ in it. So…”
Lisa, anticipating the conversation had taken a turn for the worse, raised her hand, “May I jump in for a moment?”
Anders took a deep breath. “Please do.”
“Well. IT sees their role as maintenance engineers. Their aim is to keep the systems and networks running. That’s an important service. We wouldn’t be able to run without functioning IT. But they don’t see themselves as guardians of our Intellectual Property and trade secrets. So, for example, IT doesn’t even know what information is sensitive on the servers. It’s all 1s and 0s to them.”
“So, you are telling me that this is not entirely IT’s fault? It’s our collective fault? We are all responsible for security? So why haven’t we received security training? Gustav?”
“Uh?” Gustav was caught off guard. He wasn’t expecting to get involved.
“Well we do security awareness training… but…”
“…but… the training is only once a year, it covers IT security scenarios - virus attack, system malfunction, etc. nothing like the problem we had here. How do we train employees to report behaviour that we don’t know is a security problem until we look back in hindsight?”
Anders was emphatic… “but it was reported! That’s the point! Every incident was reported. We just failed to link the incidents together and consider the implications. Why didn’t Lena know that Emil had taken those files? Why didn’t Kurt know about the sensitive nature of those files? How often do you compare notes about what is going on?”
Anders could see his point resonated with the room.
Lena and Kurt looked at each other momentarily.
“Not very often. And certainly not about security issues.,” Lisa admitted.
Anders turned away to peer out through the large window. There was not much to look at actually. Just a massive car park with… cars.
“Well, we have a gaping hole in security so we’re going to start by appointing a new manager – a Chief Security Officer - this person will have enterprise wide responsibilities to secure our knowledge, information and data regardless of where it is stored and how it is circulated in this firm.”
Scene 8
Recent Past, London (United Kingdom)
Jordan blinked several times under the gaze of white fluorescent tube lights.
“You work in this dump?” queried Oliver as he strode into the massive warehouse - computing equipment strewn across the floor.
Jordan ignored the barb.
“Over the last 2 days I probed every inch of the Horizon network. I mapped all their systems and noted the version numbers of software, usernames of employees, access level, roles, and positions - thank you Facebook and LinkedIn - and I scanned all their drives for keywords. There are a large number of financial documents. I can map out their supply chain in detail - easy. But we have a big problem.”
Oliver sat down on a revolving leather chair, the steel wheels squeaking on the concrete floor.
“I can’t find the designs of their NextGen cars. No technical specifications, no engineering drawings n-o-t-h-i-n-g.”
“What does that mean?” Oliver seemed pretty calm about it all.
“That means they are not on any systems that are connected to the Internet. They must be somewhere else. There’s an air gap” he held his hands apart to illustrate a gap.
Oliver clasped his hands behind his head. “Hold on… let me think.”
He abruptly got up and straightened his shirt and hand-combed his thick brown hair. “Ok. No problem. Leave that to me.”
“What are you going to do?” Jordan was a tiny bit curious.
“Don’t worry about it. Oh – wait... do they know you are in their network?”
“No, not yet. I will clean them out later. I will make it look like a big attack - then delete the logs so we disappear.”
“Perfect. Wait until I tell you.” Oliver started walking to the door on the far side of the warehouse. He stopped abruptly and turned to Jordan.
“Wait - so how did you get in? Did you use a zero-day vulnerability? Hijack a VPN connection?” he asked.
Jordan smiled. “Nope - I saved you some money, mate. I pretended to be the anti-virus shop. I sent them an urgent virus update.”
“What was in the update?”
“A real virus.” Jordan cackled with laughter.
Oliver strode out of the warehouse laughing to himself - humans truly are the weakest link.
Scene 9
Recent Past, Kuala Lumpur (Malaysia)
“We can get you all the financials, but we have run into some unexpected developments regarding the engineering information,” Oliver sat face-to-face with his Asian contact once again.
Another cafe, another beautiful beach. It could have been anywhere. But the client insisted to meet in Kuala Lumpur. Maybe he felt it was far enough from his homeland but close enough that he could feel comfortable among the locals. Oliver didn’t care. The client could have passed for a tourist from pretty much anywhere.
“What do you mean? What unexpected developments?” the client was obviously not impressed given the amount of money he’d paid for Oliver’s services.
“The blueprints seem to be on a separate network that is not connected to the Internet.” Oliver was hoping the client would not panic and walk away. It wouldn’t have been the first time – in this business clients can be quite unpredictable.
“So, I suggest that you simply ask Horizon for the engineering information,” said Oliver.
The client leaned back on his chair with a puzzled expression. “What do you mean?”
“Offer their engineers a job. Hint that you are building something amazing and you need them to bring their ‘A’ game.”
“Is it wise for us to reveal ourselves to Horizon?” the client put on his sunglasses.
“You already revealed yourself when you tried to take pictures of their factory floor. This is no different. And if they are like most busy firms oblivious to the world around them then they won’t notice until they lose their first contract and it bites them in the ass.”
“I can’t see Horizon’s employees travelling halfway across the world to join us,” the client seemed unconvinced.
“I have built profiles on all the employees - there is one that is ripe for the taking. Make him an offer he can’t refuse.”
Scene 10
Present time, Hamburg (Germany)
“Buzz”, Anders pressed the doorbell of a townhouse softly in case there were young kids sleeping. He waited patiently at the front door, it was evening and very, very cold in Hamburg that day.
The door eventually opened and with it came the welcome warmth of a cosy home.
“Guten Abend… good evening Karim - it’s been a very long time.”
“Guten Tag - Anders! Habeebi - my friend, how are you?” Karim shook Anders’ hand vigorously, a broad smile etched in his handsome face. “Its freezing outside, come in, come in,” Anders was ushered into the living room where steaming mint tea and Turkish baklava awaited.
“I need your help Karim.” Anders said once they were seated and sipping tea.
“How is business? You’re a highflying executive now. No one believed you’d actually build a simple passenger car, let alone a giant killer. Mabrook - congratulations.”
“Thank you - you believed in me when nobody would.” Anders smiled.
“What can I do for you?” Karim was always good at changing the subject.
Anders took a deep breath and related the events of the last few days. Karim showed no emotion, he just listened intently, nodding his head along the way. He waited politely for Anders to finish.
“Ok. Let me put on my security consulting hat, I need to ask you a few directed questions.”
“Of course, ask away.”
“What is the most valuable asset that sustains your competitive advantage?”
“The cars of course. Each car is worth upwards of a million and a half US dollars.” said Anders matter-of-factly.
“But you are giving the cars away, so yes, they are worth a lot but the cars themselves cannot be the asset, can they? As an automotive manufacturer, the capability to make cars that your market will buy at the price you set is your primary asset, yes?”
Anders thought for a moment. “Yes. It’s our capability to make cars rather than the cars themselves that sustains our competitive advantage.”
“So… correct me if I’m wrong here, but Horizon cars are predominantly hand crafted, more so than say Lamborghini or Ferrari?”
“Yes.” Anders agreed.
“Well then what is driving your competitive advantage is your specialized knowledge.” Karim was stroking his salt-and-pepper beard with one hand and twirling a pencil with the other.
“Knowledge? You mean information?” Anders looked a bit confused
“No, I do mean knowledge as opposed to information. Let me explain. Knowledge is much more than information. Its ‘how’ you make the car that matters, the ‘how’ points to more than just technical specifications, it’s the experience and insight, the values and judgment which guides the actions and decisions of your engineers. The knowledge is in their heads, but it sounds like it’s also embedded in the processes and in the specialized tools and techniques you’ve invented yourself to design, develop and manufacture successive generations of Horizon cars.
“So, I don’t get it,” Anders said. “What was the point in stealing the designs, the technical specifications, and the supplier and pricing information? That won’t give them the capability anyway?”
“Yes, but keep in mind FC Design is not starting from nothing. It sounds like they have most of the pieces of the puzzle including plenty of capability in automotive manufacturing, but they are missing the final piece in the puzzle - they still have to learn how to make cars like you do. The information they have taken is useful because it will help their engineers to understand in part how you build your cars. But they still have some way to go. The only way they would have been able to make the NextGen car before you is if they had at least some of your engineers on the factory floor to demonstrate Horizon practices.”
And then it dawned on Anders. “So that’s why he left!” he cried.
“Who left?” Karim gave Anders a perplexed look.
“Sorry - I forgot to relate that part of the story. The employee that left with our designs was an engineer from our manufacturing team.”
“That would do it,” nodded Karim.
“So, what do I do now?”
“I’m not a business consultant, I’m a security consultant. I suggest you fix the leak — but look more broadly at people, process, and technology rather than just technology. It’s the security of knowledge, not just information and its not limited to IT.
Anders looked at Karim. “I don’t think I can do this on my own.”
Scene 11
Present time, Horizon Automotive’s offices in Sweden
Karim and Kurt sat around a large square table staring at a detailed network diagram of the Horizon network.
“Well, what do you think?” asked Kurt.
“First good thing is that R&D is designed to be completely segregated from the main network. But the rest of the organization has only one line of defence - the outside perimeter firewall. It seems you’ve adopted a castle defence strategy but with only one layer and a giant blind spot inside as you aren’t monitoring internal activity at all. And by the way your firewall is a garden variety off-the-shelf product which almost certainly has bugs in it that outsiders know about. Other than that, you have the standard anti-virus software and standard access control with passwords.
“So, what to do?” Kurt was interested in solutions more than diagnosis.
“Change the way you think about security before you change the infrastructure itself.”
“What do you mean?”
Most organisations only have to worry about IT service availability so the threats they combat are accidents, natural disasters, and bots of various sorts. But you’ve got an intelligent and very resourceful adversary that is out to steal your capability rather than disrupt your IT services. And if they’ve done their homework then they are probably more knowledgeable about your network and systems as well as your personnel and your processes than you are. Karim paused to let this sink in, then continued.
For the majority of organisations facing a non-intelligent threat I’d just recommend shoring up the perimeter by penetration testing followed by heavy monitoring of incoming and outgoing traffic to maintain safe zones and to track control effectiveness.
But in your case, I wouldn’t recommend you setting up a castle to create a safe interior environment shielded from an unsafe exterior environment. Ultimately your plan was to sleep in peace with a sense of security around you, right?
Kurt scratched his head and nodded.
“How can they know more about our routines than we are?” said Anders.
“They see things as they are, you see them as they should be,” replied Karim philosophically.
“So where do we start then?”
“Everything starts with risk. Until you know what you are defending against, you can’t develop an effective strategy.”
Scene 12
Present time, Horizon Automotive’s offices in Sweden
“Hello, my name is Carl, I conducted the last risk assessment Horizon,”
Karim shook the outstretched hand with a broad smile, placed his notepad and pen beside him and settled into the nearest leather armchair.
“Tell me about the process - how do you identify, assess and manage security risks at Horizon?” Karim took off his reading glass, clasped his hands together and looked squarely at Carl.
“Umm… well security risks are managed like all other risks in the organization,” Carl shrugged his shoulders in a matter-of-fact sort of way.
“I see. And that process is?” Karim insisted on the details.
“Well we identify the assets in a workshop with the security managers. We then ask them what risks they think are relevant and active in our environment and we estimate the likelihood and impact and then sort the list by the product of the two.”
“Uh.. huh..” said Karim putting on his glasses and jotting some notes down. “Go on.”
“We have the results of a standard IT security audit on hand, so the committee makes a recommendation about control strategy – whether to buy more controls, upgrade existing controls, etc. That’s about it. We meet periodically to reassess as per best practice standards.”
“Okay. Can I ask you some questions?” Karim took off his glasses to focus on Carl.
“Sure.”
“When did Horizon conduct the last official risk assessment?”
“That would be three years ago,” Carl admitted half sheepishly.
“I see – and how many assets did you identify in the last assessment?”
“Assets? Well, one of course. Our IT systems.”
“Okay. How many risks did you identify?”
“Let’s see – there would be about four or five, I think. System failure, hacker attack, virus outbreak, natural disasters, and… I can’t remember the last one.”
“How do you estimate the likelihood of a risk occurring?” Karim continued doggedly.
“Well. We have a discussion and I guess it's a gut-feel thing.”
“And how do you estimate impact?”
“Well, again, we just rate it low, medium or high depending on how we think the incident will play out.”
“One last question,”
“Shoot.” Carl immediately regretted his choice of word as it left his lips.
“Do you have a way of classifying the sensitivity of information?”
“You mean like top secret, secret, restricted?” Carl asked.
“Something like that,” nodded Karim.
“No. We never felt the need. In hindsight, we probably should have done something about that.”
Scene 13
Present time, Horizon Automotive’s offices in Sweden
Karim almost dropped his coffee trying to unlock the door with one hand and balancing the Styrofoam cup and his briefcase with the other. The key wasn’t fitting quite right, in fact the door lock seemed to have been tampered with. Karim noticed tiny dents and scuff marks around the keyhole. Strange - he thought. Was this evidence of a break-in or could have been someone trying out different keys to see which one fits?
Once the door swung open, he noticed someone had dropped a heavy binder on his desk. Clearly printed on the cover were the words “Information Security Policy” in bold lettering.
Karim took a deep breath, pulled out his glasses from the inside pocket of his jacket and settled down on the comfortable couch with the binder. He flicked through the first few pages – they contained the standard fare – a history of the versions of the policy with dates and names of employees that signed off on the amendments.
Then came the opening statement with a smiling image of Anders on the top right-hand corner. There was roughly half a page of text. The first section was a series of motherhood statements about the significance of Information Security to Horizon – words like “At Horizon Pty Ltd we take the security of computer and network systems and the information contained therein very seriously….” And “To protect Horizon from unauthorized disclosure, corruption, and loss we have commissioned the Information Security Management System which conforms to the Information Security Policy”.
There were separate policies for Acceptable Use of Computing Systems, Electronic Mail, Telecommuting, Internet Access, Malicious Software, Incident Management, Software Patching, Procurement of New Technologies, Network and Firewall Design etc.
Karim flicked through the policies stopping intermittently to note the structure, form and language used. Long winded statements replete with technical jargon written in imperative form… “You must…” “Employees found to be doing… will be subject to penalties of…”
Karim closed the front cover and dropped the binder on the floor with a loud ‘thud’. He picked up the phone and rang Anders.
“Yah. I’m just down the hall why not drop in?” Anders seemed to be in a jovial mood.
“This won’t take a minute. Where is the Information Security Policy?” he asked.
“Umm… Kurt has it. I can have him send a copy to you immediately.”
“Yes – that would be good. Umm… how many copies of the policy are floating around?”
“I have no idea. I only know of one. Wait. I have another call coming in, is that all?”
“Yes, that’s fine. Thank you,” Karim put the phone down.
Karim found it quite strange that the security policy was only to be found in the IT manager’s room.
He picked up the phone again and called Lena. He asked her the same question and got the same reply.
So, Karim thought as he scratched the back of his balding head, nobody but Kurt has access to it. And it’s unreadable in its current form. The last version was three years ago. Might as well bury the policy in the ground.
Scene 14 (Rewind: How Jordan penetrated Horizon’s Network)
Recent Past, London (United Kingdom)
Jordan stared at the poster-sized paper lying on the table in front of him. On the paper was an organisational chart of Horizon complete with employee mug shots, hand-written phone numbers and IP addresses for each node. This was the fruit of his labour - mapping the digital footprint of the organization using an assortment of tools and techniques. He’d used traditional hacking tools, emails and social networking sites. Jordan flipped through the personnel profiles of employees. Yes - Mikael seems to be the most trusting guy. He picked up the disposable cell phone and punched in the keys.
“Hello, Mikael speaking” the voice on the other end was young and lacked confidence.
Jordan put on his best Swedish accent.
“Hello, Mikael - Its Ludwig from TeleFon Services. I’m calling because we’ve noticed problems with the network that may have affected Horizon. Are you having a problem accessing the Internet?”
“Yes, yes. Finally,” replied a young exasperated voice. “My network is simply not responding. I’ve been sitting here for two hours staring at a frozen screen.”
Jordan smiled to himself. Perfect! He had aimed a Denial of Service attack at the specific IP address for about that much time.
Yes, we’re very sorry for the problem. We are in the middle of troubleshooting the fault but we need to verify you are the owner of the machine connected to the node, so we need your name and employee ID to get it fixed.”
“Sure, my name is Mikael Jansson and my ID is 34135.”
“Thanks,” Jordan terminated the call and scanned the organizational chart for IT services. He then thumbed through the personnel profiles once again. His eyes focused on a mid-level IT manager, Marcus. Another newbie, but this one had super user access.
Hello Marcus, I’m Mikael Jansson from the factory floor. I think my computer is infected by some kind of virus. I ran this program from a USB I found in the parking lot and it’s come up with this weird message…”
You picked up a USB and stuck it into the computer? What’s wrong with you?” Marcus was a bit flustered today.
“Ah yes… sorry. I thought it was mine and that I had accidentally dropped it, but it turns out that it wasn’t.
“Ok… so what’s the message?”
“It says – “You’ve been infected by the Tomb Raider”
Jordan held his breath hoping his ruse would work. He had recently submitted a fake notice on bugtraq claiming a new virus was making the rounds with that specific message.
“What’s your employee ID Mikael?”
Jordan read it out loud.
“Hold on,” said Marcus. A minute later he was back on the phone:
“Look, this virus seems to be new and is not detected by our suite of antivirus software. I’ll need to contact our anti-virus firm V-Scan. As soon as I have something, I’ll let you know.”
Jordan waited about an hour before using a second disposable phone to ring Marcus back.
“Marcus, I’m calling from V-Scan. How are you mate? I have that virus update for you. I’m going to send it to you now.”
I’m a bloody genius thought Jordan as he hit the submit button on his email message. Attached was a virus he had written himself. It was masked as an update to Horizon’s anti-virus software. Except this bit of malware would open a remote connection to his computer so he could issue commands that would run on super user privileges.
Appendix 3. The Horizon teaching case discussion questions
Rights and permissions
About this article
Cite this article
Ahmad, A., Maynard, S.B., Motahhir, S. et al. Case-based learning in the management practice of information security: an innovative pedagogical instrument. Pers Ubiquit Comput 25, 853–877 (2021). https://doi.org/10.1007/s00779-021-01561-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00779-021-01561-0