Cybersecurity, Technology, & Society

Cybersecurity was never my first choice, or a thought. While I was in the military, from the age of 18 to newly 26, my career field was physical security. In 2022, I left the military and found it hard to turn my experience into a relative “civilian” career. In July 2022, I applied for a job requisition for a security assistant at a tech company in Virginia beach. A few months into starting the position and being on the operations team, I was asked if I wanted to transition into a new role on the infosec team. This role was doing security and compliance. Eventually, I was promoted to the facility and security manager. This new role of being on the infosec team opened my eyes to the synonymous relationship between physical security and network security. previously, it was hard to find a relation to information technology, being the security assistant/facility and security manager, then it became clear. This clarity changed the trajectory of my career and I immediately changed my major from dual studies in sociology and criminal justice to cybersecurity. The application of cybersecurity through different fields of work allows for job security. During my studies for my associates degree in counterterrorism, a major point of discussion was the future of cyber warfare. From then to now, it’s evident how important cybersecurity is on a scale from small businesses to national security.

Cybercrime relates to cybersecurity as an essential domain. Without cybersecurity operations and basic technology, cybercrime would cease to exist in the capacity it does today. Cybercrime is a product of our technology first world and without cybersecurity, cybercrimes impact becomes more detrimental to people and organizations. Under program highlights on ODUs academic program page (cybercrime), it states that students have flexibility to structure their degree towards cybersecurity through the double major offering. 
Cyber operations is another program from ODUs interdisciplinary majors. On the ODU cyber operations program page, it states that cyber operations are complementary to cybersecurity. According to niccs.cisa.gov, “cyber operation careers perform activities to gather evidence on criminal and foreign intelligence entities to mitigate possible or real-time threats…” In this case, cyber operations are connected to both cybersecurity and cybercrime. 
Criminal Justice, in my opinion, provides cybersecurity with different and essential viewpoints. Cybercrime is a section of the law made possible through contributions that cybersecurity has provided. As the world’s technology becomes more advanced, criminal justice intervention is required. 
Sociology plays a similar role in cybersecurity as criminal justice does however it contributes to human behavior and intervention as a whole. A major vulnerability in cybersecurity is the human factor. Yes, there are many vulnerabilities in cybersecurity and the tech space, but the majority of the risks are caused or influenced by humans. Sociology provides insight into the contributing factors of humans to cybersecurity. 

Attentional capabilities and respecting them. If humans are overloaded with too much information at once, the information is not registered in a prime way. For example, those annoying consent messages when downloading an app, updating software, or signing up for a service. They discuss how the storage of our data occurs. There are often multiple different forms, pages and pages long. Humans may skim the first one to make sure we are not getting scammed into agreeing to some outlandish request. After that, we quickly scroll to the bottom of every page and click “i agree” and never think of it again. Why? Because our attentional capabilities are being exploited. We can only intake so much of that information at once that even if we did pay attention to it, our mind would be left blank. Taking into consideration morality, we should be given the information at a level any reasonable person can understand and in a way that we can understand it. 
Autonomy and our choice. When you are storing electronic information about humans, you are detaching pieces of their autonomy. This autonomy must be protected because it is what keeps us free and our individual selves. When it comes to creating an electronic storing software, physical building, and more, organizations must take our freedom and privacy seriously. If a breach of that stored data occurs and is exploited to the whole world, we are no longer free in a metaphorical sense. 
Security in upholding our autonomy is most important. Security becomes an ethical issue when you begin storing human data. When you visit a website and agree to a random banner, you could be agreeing or consenting to the sale of your personal data that the website may capture. For example, I recently did a 23andme kit. After downloading the app and going through the steps for account creation, it leads you through 6 or so different pages with agreement/consent forms. One that I found very interesting was agreeing to bio storing. If you read the entire page like I did (out of pure curiosity, I ended up clicking I do not consent) its asking you to give consent for 23andme to store your vial of saliva for a minimum of 1 year and maximum of 10 years. It then goes on to state what the stored sample will be used for and most of it was not at benefit to you or what you signed up for. It was geared towards continued research in the benefit of the brand. What type of attacks are coming down the pipeline? Bio hacks through the cloud and physical storage. A security breach can occur at the storage facility and steal your saliva for a multitude of nefarious reasons.

Iran’s first connection to the internet happened in 1992. In 2009, the Iranian Cyber Army attacked twitter. In June 2012, an article exposed details of Operation Olympic Games where the U.S and Israel sabotaged Iran’s nuclear infrastructure. According to the 2018 Carnegie Endowment for International Peace, Iran’s Cyber Threat publication, Iran’s cyber capabilities are homegrown and unique but underestimated. In September 2012, the first DoS attacks against U.S banks were called Operation Ababil. According to the CISA.gov website, destructive malware and ransomware operations are cybersecurity risks in Iran. In the U.S., cybersecurity risk spans a broader and at more impactful lengths. The U.S cybersecurity risks include nation-state hackers and their sophisticated advancements. The U.S. is a target for cyber attacks by countries like North Korea, China, and Iran. China launched an attack against OPM and breached information of nearly 20 million employees. Iran’s attacks are less sophisticated than those of China and Russia however most of Iran’s targets are those residing in Iran.

Cyber technology creates a gray area for workplace deviance because of access.
Cybersecurity programs in businesses can produce direct costs such as cyber liability insurance, 3PAOs for different certifications such as FedRAMP, ISO, HiTrust, SOC, and more. Depending on the business’s customer or market, they will have contracts that specify security and IT requirements; in order to fulfill the contract or win the bid, the business must comply and show evidence of such. The other part to cybersecurity programs is hiring roles that support the maintenance and improvements of that business such as, software developers, testers, QA, infosec specialists, and more. The Ponemon Institute estimates that the average cost of a data breach was $3.62 million. According to the 2017 Cybersecurity and Digital privacy article by the Harvard Business Review, the average cost of cybercrime for global companies has increased from 62% since 2013, $7.2 million to $11.7 million. In 2014, human error was recognized for 95% of all security incidents.  

One of the roles in my current job is compliance management. As a part of that, I focus on the dissemination of information and training materials org wide. My goal is to create a strong security culture to simultaneously protect our employees and the company from falling victim to cybercrime/ cybersecurity incidents. From my studies, human error is the most common theme and can become the most preventable case.  In my opinion, organizations will spend millions of dollars on necessary hardware and network security products such as Anti-virus software, Technological solutions, Secure hardware, Cloud security solutions, Security platforms, Breach detection services, Data analytics, Data protection, risk management, but will fall short in human information and security awareness. 

One of the easiest ways to ensure your computer is safe is by developing a strong password. NIST recommends at least 8 characters; however, there is a direct correlation between the time it would take someone to crack your password and its complexity (length, special character, etc.). The more characters, special characters, and numbers you use can increase the length of time it takes to crack the password. For example, a password of 8 normal characters may take a couple minutes to hours/days to crack, but one with more than 7 characters, a few numbers and special characters will be strong and could take billions of years to crack if using brute force. Another way to know if your computer is safe is through authentication methods. This can include encryption of items on your computer, or the use of smart cards (example: PIV). Plain text is encrypted by changing it into a cipher text and delivering it to the recipient. Only the recipient of that encryption will hold the private key to decrypt. Two factor authentication allows for the security of applications such as Microsoft365 and even our applications used here at ODU. ODU has contracted MFA services to Cisco DUO which sends a push notification to DUO where you have to accept the log in. Microsoft has an authentication application that does something similar or will send a code to your mobile device, and more. It is everyone’s responsibilty to ensure the safety of their personal computers, and follow their organization policies to ensure the safety of their work devices.

Computers have made the world less safe by providing access to anyone, at any time. This access can start with simple information such as where you bank, went to school, your best friends, where you work, parties you’ve attended, the list goes on. The weaker your personal security measures are surrounding your life and data increases your chance of falling victim to cybercrimes. Computers have exposed many vulnerabilities to the world which required the development of cybercrime within the criminal justice system. Computers have single handedly created an entirely new branch of the criminal justice system and national security efforts, such as the war on terrorism. Attack methods used by offenders are network attacks, cryptojacking, port-scanning, spoofing, phishing, buffer overflow, and more. At the same time these attack methods are making computers less safe to the world, they are also helping to increase our experience and knowledge, which produces more computer safety.

According to Chapter one of NIST publication 800-160 A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, “Systems engineering provides the foundation for a disciplined and structured approach to
engineering trustworthy secure systems.” Engineers are security focused at each stage of the system life cycle. System security engineers protect stakeholder and system assets through eliminating or reducing vulnerabilities and minimizing or constraining the impact of exploiting or triggering those vulnerabilities. System security engineering includes the following, according to NIST publication 800-160: 
• Defines stakeholder security objectives, protection needs and concerns, security
requirements, and associated validation methods;
• Defines system security requirements and associated verification methods;
• Develops security views and viewpoints of the system architecture and design;
• Identifies and assesses vulnerabilities and susceptibility to life cycle disruptions, hazards, and
threats;
• Designs proactive and reactive security functions encompassed within a balanced strategy to
control asset loss and associated loss consequences;
• Provides security considerations to inform systems engineering efforts with the objective to
reduce errors, flaws, and weakness that may constitute security vulnerability leading to
unacceptable asset loss and consequences;
• Identifies, quantifies, and evaluates the costs/benefits of security functions and considerations
to inform analysis of alternatives, engineering trade-offs, and risk treatment
13 decisions;
• Performs system security analyses in support of decision making, risk management, and
engineering trades;
• Demonstrates through evidence-based reasoning, that security claims for the system have
been satisfied;

Cybercrime is cyber-related behavior that is against the law. Cybercrimes overlap into criminal justice because traditional crimes are being used in cyber related ways such as embezzlement and fraud. According to the article by Payne and Hadzhidimova, Florida was the first state to develop a computer crime law in 1978. When technology is growing at the pace it is, it is necessary to create guidelines for its use that define the line between regular and criminal use. 
An indefinite overlap between criminal justice and cybercrime is legal developments. Cybercrime requires continuous monitoring for its increasing presence in the legal system. Criminal justice developed, defined, and maintained the section of cybercrime as a part of law. Some of these laws include hacking, federal malware, cybercrimes against property, and cyber crimes against persons. Cyber crimes against persons, in my opinion, are closely related to traditional crimes. Cyber crimes against persons include cyber stalking, cyber threats, and cyber harassment. If you take out the cyber environment of these crimes, they are traditional crimes that have become more accessible through the development and advances in technology. 
The overlap of these two topics can be found in this class through cybersecurity awareness and training in module 4, business continuity elements in module 8, and more.In broadened aspects, the ODU academic system as a whole represents overlap into the principles of cybersecurity and criminal justice. Cybersecurity is an interdisciplinary study and can be found in sociology, criminology, engineering, etc. Therefore, its overlap is continued, necessary, and representative of its importance.

Technology has immensely impacted interactions between the offender and victims. It has made access to victims much easier and provided a new space for crimes to be committed. According to the 2013 Hazelwood and Koon-Magnin article, “Because of the repetitive nature of CS, the victim may lose a sense of control over his/her own life, never knowing when the stalker may appear or contact the victim again. The fact that the stalker can access the victim at any time from any distance undermines the victim’s sense of security and can lead to a constant experience of fear for the victim (pg.157).” Initially, when reading this topic I started thinking, the focus should be only on the offender’s impact on the victim. My thoughts have shifted focus to the detrimental effects that technology has on the access to offenders, by victims. Depending on the circumstances, such as a relational abuse case, the internet can provide unlimited access of a victim to an offender which repeats the cycle of abuse. The 2014 article by Holt and Bolden brings back memories of my associates studies in counterterrorism. One of my primary focuses was learning about the mind and becoming a terrorist. In times of need, for belonging, a person may go through phases of feeling they don’t belong, they find something they believe is worth belonging to. The internet often becomes an outlet to drown yourself in and there starts the radicalization process. Technology made that radicalization possible and the offender has risen.