In an April 2015 article entitled “Cybersecurity in Higher Ed: Searching for a Better Model,” Joshua Beeman, Chief Information Officer, University of Pennsylvania, reflects on the progress, or lack thereof, higher education has made in combating so-called cybercrime. Citing the previous year’s EDUCAUSE Security Professionals Conference, held in May 2014, Beeman suggests that hope for successfully preventing future breaches may start with changing the metaphor.
Noting the prevalence of security breaches in retail, government, and media, as well as the proliferation of malware, conference attendees acknowledged that such breaches were no longer the province of IT professionals alone, but very much on the minds of the general public. Beeman suggests that “the added attention can sometimes foster a sense of urgency among their managers that undermines thoughtful planning and may lead to misunderstanding about what is possible.” Portraying the situation “as a troubling technical dystopia, where years of investments have failed to make an appreciable difference” doesn’t appear to be helping. Without disputing what he calls the “technical, economic, and political realities” facing higher ed, Beeman proposes “that the models such as ‘cyberwar’ and ‘cybercrime’ are not as effective at informing the discipline of information security in higher education.” The question, then, is what a more effective analogy would be: one that, as Beeman stresses, might “provide unique insight into key problems” and better “focus our attention and efforts”?
The Healthcare Model
Believing that analogous models can be powerful tools in promoting a better understanding between professionals and the general public, Beeman offers a new analogy, one designed to relieve “university’s faculty, students, and staff” from their role “as conscripts in my cyber army.” Beeman suggests that the “predator/prey model” be replaced by one more akin to the way healthcare has approached information security. “To be clear, I am not talking (exclusively) about HIPAA and the increasing regulatory compliance associated with information security. Similarly, I mean to broaden the metaphor far beyond common discussions regarding ‘viruses’ and epidemiology. I refer to the entire discipline surrounding human medicine, a fundamental premise of which is that bad things will happen, and, in the absence of total prevention, ‘survivability’ is an important and valid objective.” The question is whether such a “redefining” can help.
Beeman makes the argument that the healthcare analogy is by no means a stretch. After all, we know that not all surgeries are successful and that not all patients survive. If the simple and much-used concept of a computer virus can be expanded to support a correlation of “basic hygiene” for information security, Beeman believes it could “go a long way to eliminating common problems.” In fact, his hope is to show that such a fundamental change will put the responsibility of solving information security problems back where it belongs, in the hands of IT professionals. As Beeman points out, “the majority of people in the health system are not medical experts, nor are they expected to be.”
There is no question that words have great power. Beeman’s proposal, which he’s currently testing, could offer a new way of looking at a very troublesome problem. Beeman believes a change in nomenclature may serve to temper the urgency and anxiety: if a security breach were to become triage, it might allow the resulting diagnosis and treatment to focus on “addressing the highest risks.” That urgency and anxiety are now often exacerbated on the one hand by the 24-hour news cycle, and by declining budgets and a lack of resources on the other. Whether this is simply a name change, or a profound and fundamental change that truly alters the perspective through which IT and the general public might view future breaches in security, is yet to be determined.
Tuition Management Systems (TMS) is the sponsor of this post. The sources who contributed ideas to this post do not endorse or recommend any commercial products or services, including those of TMS. All information and opinions of the contributors are provided for informational purposes only. As with any other service you seek, the recipient of the information is responsible for conducting appropriate research and making relevant decisions. TMS neither endorses, has any responsibility for, nor exercises control over the views of any contributor to this article or the accuracy of the information provided by any of them.