S.M.A.R.T. System: Behavior-based machine learning for cybersecurity

Matthew Day

American Military University

October 22nd, 2017

Research paper for the class “IT Security: Attack and Defense”

Introduction

As the internet grew throughout the 1980s and into the 1990s, so too did the data. The internet was a long way from the nineteen nodes with which it started as ARPANET in the mid-1960s (Kleinrock, 2010). As networks grew larger and more international, so did the data. Around the same time as ARPANET, or slightly before, Richard Bellman was starting to develop the idea of artificial intelligence (Arel, Rose, & Karnowski, 2010).

Artificial intelligence can be described simply as a non-human form of intelligence. Many could argue that a simple computer is an artificial intelligence in the way it processes information and makes decisions. However, from Bellman's work on artificial intelligence in the 1950s and throughout the modernization of computing and networking, A.I., as it is called, kept progressing.

During the technology revolution of the late 1990s and into the 2000s, many companies began using some form of artificial intelligence in their products. Apple's smart products, the iPhone and iPad, use “Siri,” which is based on artificial intelligence. When the user says something, “Siri” can translate what was said into text, then convert it into a search or a command on the phone.

For consumers, it is almost everywhere in products, from cameras to televisions to even children's toys. They all seem to have some aspect of artificial intelligence to them. However, they are not quite at the robotic stage that Hollywood often portrays.

The question becomes, why isn’t this technology being used for good? Is law enforcement using artificial intelligence? Do militaries use it? What about healthcare; is it used in that field? This paper addresses using a subset of artificial intelligence called machine learning to secure a network from intrusion.

Network and cyber security are significant problems around the world today. Over 60% of the American economy is made up of assets that are vulnerable to adversaries over a network (Slate, 2009). The technology has become so capable that it is already possible, or will be within five years, to use artificial intelligence and machine learning to harden one’s system. As readers will see, machine learning is already used in some forms of cybersecurity, and it would be a good bet that the government has implemented machine learning to process the massive amounts of data it receives as well. However, the key question here is how it can be used to protect a local area network from intrusion, and what the possibilities of combining machine learning and security are.

Part 1. Machine Learning

What is Machine Learning?

As explained earlier, machine learning is a subset of artificial intelligence (Arel et al., 2010). Machine learning is nothing new and has been around since the seventies, when computer scientists and mathematicians first started using algorithms to make predictive outcomes from data (Louridas & Ebert, 2016). Today’s use of machine learning is not much different than it was fifty years ago; the only difference is in the data (Louridas & Ebert, 2016). The amount of data typically needed to train a machine is large, much more than it was in the 1970s. Because of the massive amounts of data needed, processing power must be greater; RAM and cache must be larger; the entire system has to be bigger and much faster.

In the simplest terms, machine learning is relatively close to how humans learn, with a little extra mathematics involved. Humans learn from being shown how to do something; repetition leads to memory. If someone wants to know how to edit a photo in Adobe Photoshop, he or she can go to YouTube and watch as many videos as it takes to learn how to edit the photo. At the same time, they are practicing editing the photo and evaluating their work. They keep practicing until they have sharpened their skills enough that they no longer need to practice to be somewhat successful.

Another example is behavioral analysis in forensics, which can be tied to the “process” of machine learning. Forensic psychology, profiling, or behavior analysis, whichever one might label it, all mine data, process data, learn from the data, and export a predictive function based on the information they have studied.

In machine learning, the process is similar, only it is algorithms computing an incredible amount of data. The YouTube videos from the human example are the ‘data’ in the machine example. However, they go through the same process via written code on a machine. There are typically seven steps in a standard machine learning session: gathering data, preparing the data, choosing a model for training, training, evaluation, tuning, and prediction (Guo & Google, 2017).

There are several different models to choose from when training a machine, but for network security the best model would be a more numerically based one, due to the binary nature of the data. Training the machine is the most important step, but it is also the most difficult. It involves computer scientists and individuals who are experts in data and data compression.

Applying Machine Learning to IT Security

Information security already utilizes some form of artificial intelligence or machine learning in some of its technology; that is nothing new. Most of that technology comes from virus protection software that scans and analyzes programs, software, apps, files, etc. on a computer. These programs use what is considered a virus library and run the known viruses they have stored against any file on a computer (Kaur, Khalsa, & Dhesian, 2016).

As technology improves, antivirus programs are moving in the direction of behavioral modeling (Zhang, Raghunathan, & Jha, 2014); some are even using machine learning basics to detect viruses. Behavioral modeling is one of the foundations of the SMART system. The newer antivirus technology looks at how programs usually act, their behavior (Kamesh & Sakthi Priya, 2014), and when it detects a change, it alerts the software that something may be wrong.

This is the concept of the SMART system, only on a much larger scale. Think of IBM Watson. IBM Watson is made up of somewhere around twenty-five-hundred computing cores across its entire processing system (Ferrucci et al., 2010). Watson and its multiple nodes can be preloaded with massive amounts of data and trained on just about anything. It beat the world record holder in Jeopardy using algorithms.

A system made for one single Local Area Network does not need twenty-five-hundred computing cores of processing strength. However, Watson gives the reader an idea of what the SMART system is about. Watson knew everything about, well, everything (Ferrucci et al., 2010). This is the power that one part of the SMART system will harness over all the nodes inside the LAN. The other two sections of the system will work like a typical antivirus system with a database and an incident response center. Both will use much smaller hardware to detect and contain malicious traffic. This paper will speak more about the machine learning side and how it mitigates security threats than about the antivirus side.

Without getting into the math, as mentioned in the first half of part one, machine learning is about teaching the machine everything about an object. For our example, we will use a desktop workstation. The SMART system needs data from this desktop, labeled PC1, to conduct its hierarchical learning process on every single piece of information from PC1. This means the processor’s name, clock speed, temperature, DRAM usage, SRAM usage, cache usage, all the open and closed ports, the programs installed, files, keystrokes, accounts, etc. The entire goal of the training and evaluation phase is to know PC1 inside and out, and to have the data to recognize a pattern of behavior when it opens an application or a particular file (Arel et al., 2010).

This will all be stored, processed, and sifted through to produce a profile of that workstation. The SMART system will know how PC1 is supposed to act at all times. Before this, weighted measurements were put in place that would flag the DRAM overworking, the cache overclocking, or a scan coming into a port. The SMART system is now adequately trained on two different outcomes and knows what to do when that happens because it has been programmed to. For example, if a port scan were conducted on PC1 ports 43/77/1134, the SMART system under normal behavior might generally show them at 0.0002hz. However, once the scan has occurred, there is a bump in all three ports of 0.0003hz. This slightest change causes the SMART system to immediately send a response to the Incident Response Center, which deals with the incident.

This is the purpose of the training for the SMART system: to gain the knowledge it needs to know everything about the entire network and how it usually operates. Because a typical network may handle more or less data at different times, that also has to be accounted for during the training process. This is why the mathematics of the training is not linear. Instead of one linear line, if you will, it is multiple lines with multiple slopes (Guo & Google, 2017). See Fig. 1-3 for the example from Guo & Google (2017) as they walked through the first phase of training.

[Fig. 1-3: training example from Guo & Google (2017); images not reproduced]

With one part of the machine knowing exactly how the host responds when every program is opened, every port is used, and every connection is made, it uses this information and compares it to the current information it is receiving. This is how the process works. Just as in the port example above, there are several other cases where a host’s behavior and pattern will change, alerting the machine that it needs to send the incident to the Incident Response Center.

Incident Response Center

The Incident Response Center is the next step in the ecosystem: the machine learning side has identified an incident, and now it is time to look further into it. The incident response section of this system is run by a computer separate from the learning section. The goal of incident response is to identify the incident and contain it immediately. In a typical incident command structure there is identification, analysis of the scene and determination of the damage, and containment of the incident if it was malicious (Oriyano, 2012). With this incident response center, the process is still reasonably the same. However, the priority is gaining knowledge about the incident itself.

If the incident is deemed malicious, the incident response center will contain the file or seal off the port or area so nothing malicious can occur. It may automatically disconnect the workstation from the internet by disabling the network card. Once everything is contained, the event is evaluated to see what happened, and the user or administrator is notified. This would all be done in under five seconds. The administrator could then log in to the SMART system and look at the malicious content as the SMART system begins to run it through a preprogrammed and continuously updated database.

At the same time, the SMART system knows precisely where the malicious material came from and has logged it for the report, along with preloaded instructions from the database on how to fix that issue. This is printed out or emailed to the administrator as a final report so the firm or person can debrief others and investigate the malicious material as they wish. The malicious content is taken out of the system, logged into the national database, and shredded. Alternatively, if it were just a scan, nothing further would be done except proposing to the administrator that they close that port for good, as it could be a vulnerability.

Part 2. Vulnerabilities and Theoretical Application

Server Vulnerabilities

Websites can have many vulnerabilities. There are DDOS attacks, which occur when multiple people send traffic to a web server and overwhelm the server's ability to handle that much traffic (Stewart, 2014). Websites and applications based on a web server can also have open port vulnerabilities, but one of the most common vulnerabilities is the developers themselves. There is a slew of exploits an adversary can use against a web server, such as SYN flooding, where the attacker sends a constant stream of packets that each request a reply but carry an incorrect return address, which causes the system to flood.

Another common attack on a web server is a buffer overflow, which is an attack on a PC as well. The exploit makes it into the host, either a server or a PC, goes directly to the DRAM, and figures out how much storage it needs to go just far enough outside the stack to inject malicious code (Chien & Szor, 2002). Once the correct amount of stack storage is found, the code is injected, and this code can do a lot while the host DRAM is wholly overloaded (Chien & Szor, 2002). Large viruses such as ‘Code Red’ in 2001 have used this exploit. However, it is important to point out that to perform this exploit, the adversary either has to know how large the stack is or has to test to figure out the initial amount of storage to consume, so there would be a behavior change in the host DRAM. See Fig. 3 for an example of a buffer overflow.

[Fig. 3: buffer overflow example; image not reproduced]

Database exploits are widespread. Cross-site scripting and SQL exploits are two common ways adversaries get into databases. Databases are very lucrative for all hackers. Whether they are hacktivists or a crime ring, reaching a database and achieving root gets them the sensitive data.

Cross-site scripting works at the level of website forms, and the vulnerability comes from website developers who forgot to, or simply did not, write a function for handling script into the source code. When someone types a less-than or greater-than sign and no error page appears saying the form did not accept that character, the form may be vulnerable. There are several scripts that hackers could use to gain access to the database. However, they all contain characters not generally used by people on the site. Those characters would show up as a different weight when the SMART system makes its comparisons.

The same method applies to SQL injection, where a more in-depth script is used to try to breach the entire database, inject malicious material, or grab things from it. The SMART system would see the ‘weird’ characters and know within milliseconds that something is going on.

Email Vulnerabilities

Phishing attacks are where an adversary sends an email to a user in the hope that the user clicks on it and gives up personal information (Wright & Marett, 2010). These emails are typically well designed to look exactly like the real company or organization and are made to scam the user. Unfortunately, technology has lagged in this arena. There are spam filters that check the linked websites against a database or use their own algorithms to identify spam; however, in the majority of cases, email is a user-based vulnerability (Wright & Marett, 2010).

After the fact, once the user has possibly downloaded a virus, is when the SMART system would kick in and be able to trace it. However, having a robust security plan already in place, with straightforward policies and consequences for breaking them, is extremely important when it comes to user-based vulnerabilities.

Viruses

Every host out there is vulnerable to a virus. A virus can come in the form of almost anything: a downloaded file, an injection, a website. Security is never going to be 100%. However, when a virus enters a host, it will affect the host in some way, even in the smallest form.

It will cause the behavior of that host to change in some form or another. A trojan horse that a user downloaded as a ‘fun game’ but that has now let in a backdoor for a hacker will change the behavior. “While every day this host has been asleep at 2300 hours, now it is wide awake, and it is downloading administration files” – SMART system. Malicious content that attacks root systems will affect the normal behavior and patterns of that host. There might be an uptick in the CPU clock that is traced back to the root directory or a port.

No matter the virus, there will be a change. The perfect example was mentioned before: the ‘Code Red’ virus, which used a buffer overflow to inject itself (Chien & Szor, 2002). Back then, IT security professionals, especially antivirus professionals, had no idea how to address it through detection, according to the authors of that article (Chien & Szor, 2002). Times have changed, and technology with them; we know viruses affect a host, so antivirus specialists should concentrate on that effect as a detection mechanism.
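The port-scan scenario from Part 1 (ports normally at 0.0002hz), the ‘weird’ character weighting for form input in the database section, and the host that is “asleep at 2300 hours” above all reduce to the same mechanism: a per-host, per-time-of-day baseline with a weighted tolerance, and anything outside it goes to the Incident Response Center. The following is an added example, not the paper's own code or system; every host, feature name, training sample, and threshold in it is constructed for illustration.

```python
"""Behaviour-baseline detector in the spirit of the paper's SMART system (added example).

Each (host, time bucket, feature) gets a mean and spread from training samples;
later readings are scored as z-scores, and any feature past its weight is handed
to incident response. Hosts, features, samples and thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import mean as avg, pstdev
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]   # (host, time_bucket, feature)
STDEV_FLOOR = 1e-6           # keeps the tolerance non-zero when training samples never vary


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


@dataclass(frozen=True)
class Incident:
    host: str
    feature: str
    observed: float
    expected: Optional[float]
    z: Optional[float]
    action: str


def time_bucket(hour: int) -> str:
    """Load differs by time of day, so a separate baseline is kept per bucket."""
    return "business" if 8 <= hour < 18 else "off_hours"


def special_char_ratio(text: str) -> float:
    """Share of characters outside letters, digits and spaces in a form submission."""
    if not text:
        return 0.0
    unusual = sum(1 for c in text if not (c.isalnum() or c.isspace()))
    return unusual / len(text)


def train(samples: Dict[Key, List[float]]) -> Dict[Key, Baseline]:
    """Training phase: reduce each feature's samples to a mean and a floored spread."""
    return {k: Baseline(avg(v), max(pstdev(v), STDEV_FLOOR)) for k, v in samples.items()}


def suggested_action(feature: str) -> str:
    # The paper's two outcomes: a bare scan gets a port-closure proposal;
    # anything else is contained and handed to the incident response centre.
    if feature.startswith("port_"):
        return "propose closing port; log for administrator"
    return "contain host, disconnect network, notify administrator"


def evaluate(baselines: Dict[Key, Baseline], host: str, hour: int,
             readings: Dict[str, float], weights: Dict[str, float],
             default_weight: float = 3.0) -> List[Incident]:
    """Prediction phase: compare current readings with the trained profile."""
    incidents: List[Incident] = []
    bucket = time_bucket(hour)
    for feature, value in readings.items():
        base = baselines.get((host, bucket, feature))
        if base is None:
            # An untrained feature is itself reportable: the profile is incomplete.
            incidents.append(Incident(host, feature, value, None, None,
                                      "no baseline for this feature/time; review training"))
            continue
        z = (value - base.mean) / base.stdev
        if abs(z) > weights.get(feature, default_weight):
            incidents.append(Incident(host, feature, value, base.mean, z,
                                      suggested_action(feature)))
    return incidents


# Constructed training telemetry. Port rates follow the paper's 0.0002hz figure;
# the form feature is the usual special-character share of a search field on WEB1.
TRAINING: Dict[Key, List[float]] = {
    ("PC1", "business", "port_43_rate"):   [0.00019, 0.00020, 0.00021],
    ("PC1", "business", "port_77_rate"):   [0.00019, 0.00020, 0.00021],
    ("PC1", "business", "port_1134_rate"): [0.00019, 0.00020, 0.00021],
    ("PC1", "off_hours", "download_bytes_per_s"): [100.0, 120.0, 80.0],
    ("WEB1", "business", "form_special_char_ratio"): [0.0, 0.01, 0.02],
}
WEIGHTS = {"download_bytes_per_s": 4.0}   # per-feature "weighted measurement"
BASELINES = train(TRAINING)


if __name__ == "__main__":
    # Scan scenario: all three ports read 0.0003hz against a 0.0002hz baseline.
    for inc in evaluate(BASELINES, "PC1", 10,
                        {"port_43_rate": 0.0003, "port_77_rate": 0.0003,
                         "port_1134_rate": 0.0003}, WEIGHTS):
        print(inc)
    # Trojan scenario: a host that is normally quiet at 23:00 starts downloading.
    print(evaluate(BASELINES, "PC1", 23, {"download_bytes_per_s": 2_500_000.0}, WEIGHTS))
    # Form scenario: a submission made mostly of markup characters.
    ratio = special_char_ratio("<b>x</b>")
    print(evaluate(BASELINES, "WEB1", 12, {"form_special_char_ratio": ratio}, WEIGHTS))
```

A detector this simple will also flag benign inputs that happen to carry unusual characters (an e-mail address in a form, for instance), which is why the paper's incident response step, not the detector, decides what is malicious.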

Conclusion

Human behavior is an exciting topic; we have collegiate degrees on it, and we even have people who make a nice living trying to understand human behavior and then monitoring it. The U.S. has behavioral analysts, Behavioral Detection Officers, whose job is to watch people at airports and look for specific behavior indicators (Wigginton, Jensen, Graves, & Vinson, 2014).

As humans, we look at behavior and patterns all the time to determine threats. Criminal Intelligence Units, for example, use pattern analysis quite often to predict where an offender might strike next (Carter, 2004). Given how much humans do this for other humans to notice threats, targets, and vulnerabilities, the question should be why the IT security field has not taken this approach to protecting a network: studying network behavior and identifying or predicting changes.

Machine learning at this level does not exist, as far as this writer is aware. This entire unit would need a minimum of three separate computers, the first being the learning computer, with a processor up near the hundreds of cores and hundreds of TB of cache. It would more than likely need no less than TB of DRAM or 2 Petabytes of DRAM. The internal storage would have to be flash storage, as a hard disk would be too slow, and it is unknown to this author how much internal storage would be needed. The two other sections of the SMART system would not have to be this large. However, they would have to be reasonably large compared to typical computer systems.

It is possible to build a system such as this; IBM has created such a device. However, this is a futuristic device because of the knowledge it must obtain. For now, software or hardware that is more behavior-based should be implemented so that network security is proactive instead of reacting to a database and scanning a file as it comes in.

References

Arel, I., Rose, D., & Karnowski, T. (2010). Deep machine learning-A new frontier in artificial intelligence research. IEEE Computational Intelligence Magazine, 5(4), 13–18. https://doi.org/10.1109/MCI.2010.938364

Carter, D. L. (2004). Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies (1st ed.). Washington, D.C. Retrieved from https://ric-zai-inc.com/Publications/cops-w0277-pub.pdf

Chien, E., & Szor, P. (2002). Blended attacks exploits, vulnerabilities and buffer-overflow techniques in computer viruses. Virus Bulletin Conference, (September), 1–36.

Ferrucci, D., Brown, E., Chu-Carroll, J., Fan, J., Gondek, D., Kalyanpur, A., … Welty, C. (2010). Building Watson: An Overview of the DeepQA Project. AI Magazine, 31(3), 59–79. https://doi.org/10.1609/aimag.v31i3.2303

Guo, Y., & Google. (2017). The 7 Steps of Machine Learning. USA: YouTube. Retrieved from https://www.youtube.com/watch?v=nKW8Ndu7Mjw

Kamesh, & Sakthi Priya, N. (2014). Security enhancement of authenticated RFID generation. International Journal of Applied Engineering Research, 9(22), 5968–5974. https://doi.org/10.1002/sec

Kaur, G., Khalsa, G. N., & Dhesian, B. S. (2016). Network security: anti-virus. International Journal of Advanced Research in Computer Science, 7(6), 79–85.

Kleinrock, L. (2010). An early history of the internet. IEEE Communications Magazine, 48(8), 26–36. https://doi.org/10.1109/MCOM.2010.5534584

Louridas, P., & Ebert, C. (2016). Machine Learning. IEEE Software, 33(5), 110–115. https://doi.org/10.1109/MS.2016.114

Oriyano, S.-P. (2012). Hacker techniques, tools, and incident handling (2nd ed.). Burlington, MA: Jones & Bartlett Learning, LLC Publications.

Pound, M., & Computer Science at the University of Nottingham. (2016). Buffer Overflow Attack. YouTube. Retrieved from https://www.youtube.com/watch?v=1S0aBV-Waeo

Slate, R. (2009). Competing with intelligence: New directions in China’s quest for intangible property and implications for homeland security. Homeland Security Affairs, 5(1), 29. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1266213070/fulltextPDF/3BA31AD0F0634D73PQ/1?accountid=8289

Stewart, J. (2014). Network security, firewalls, and VPNs (2nd ed.). Burlington, Vermont: Jones & Bartlett Learning. Retrieved from https://online.vitalsource.com/#/books/9781284107715/cfi/6/2!/4/2/2@0:0

Wigginton, M., Jensen, C. J., Graves, M., & Vinson, J. (2014). What Is the Role of Behavioral Analysis in a Multilayered Approach to Aviation Security? Journal of Applied Security Research, 9(4), 393–417. https://doi.org/10.1080/19361610.2014.942828

Wright, R. T., & Marett, K. (2010). The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived. Journal of Management Information Systems, 27(1), 273–303. https://doi.org/10.2753/MIS0742-1222270111

Zhang, M., Raghunathan, A., & Jha, N. K. (2014). A defense framework against malware and vulnerability exploits. International Journal of Information Security, 13(5), 439–452. https://doi.org/10.1007/s10207-014-0233-1

Workplace Violence: Fight it before it fights you

Matthew Day

American Military University

Contemporary Issues in Security Management

June 18th, 2017

Part I. Introduction

Introduction

Workplace violence in the United States is an issue that is not talked about in broad circles or on popular media platforms very often, but it is a highly problematic event that plagues American businesses and workers yearly. Not only does workplace violence affect employees physically, but it also affects them mentally as fear or a lack of assurance starts to set in. All of these emotions lead to a lack of productivity (Emmerik, Martin, & Arnold, 2007), which eventually leads to lower profits for the company. This is why every company needs to have a workplace violence program in effect, to make sure crisis management is adhered to and possible threats are averted before anything can happen. With proper programs, policies, and training, it is feasible to lessen the likelihood of workplace violence and create a better and safer work environment for employees.

Several incidents that have gained national attention in the past decade have brought workplace violence to the forefront of business, such as the 2009 downtown Orlando shooting, where Jason Rodriguez entered his former employer’s office building with a handgun, killed one person, and shot five others (Orlando Sentinel Staff, 2009). A more recent case, in which Cedric Anderson walked into his estranged wife’s classroom in San Bernardino, California, murdered her and a student, and injured one more (Fernandez, 2017), has also stirred up thoughts on workplace violence. Dallas was shaken by workplace violence as well when a former employee walked into an office building and murdered his former boss in front of other employees (Fox News Staff, 2017). The latter two cases were just in April of 2017, and these were just the homicides; they do not account for the assaults or threats that go on every day in office buildings, hospitals, retail establishments, and other environments around the country.

Work Environment

The work environment can be a daunting place for clashing personalities. It is built on a hierarchical platform where executives receive excellent benefits for perceived little work and line workers receive reduced benefits for hard work. Mix this with poor management, and it could be a disaster waiting to happen for many reasons; in the context of workplace violence, a healthy work environment is imperative.

A company’s work environment is its basis for creating the ideas and production behind its profits. If the environment is not beneficial to the employee, it hinders employees from doing productive and profitable activities (Amabile et al., 1996). If office space is overpacked or not organized correctly, it is going to affect the overall productivity of each staff member, and profits will likely decline. The same holds for workplace violence and other safety issues. If employees do not feel safe at work, their productivity will drop. Employees need a safe space where they can open their minds to do their jobs, with safety the last thing on their minds.

History

Workplace violence has a vast history in the United States and around the world. Any time human beings are connected to an environment, there are going to be conflicts. Add personal feelings, personal finances, relationships, and strong emotions to the picture, as in society at large, and there is fuel for violence. Even though most people think of workplace violence as the “employee who went postal,” most incidents of workplace violence involve simple assault and battery, verbal threats, and harassment (Dillon, 2012).

These types of cases happen more often than we like to think about in the United States. It is estimated that over half of all U.S. companies with over 1,000 employees experience cases of workplace violence (Dillon, 2012). The retail industry is hit hardest by workplace violence, with 944 victims of homicide from 2003-2008 (Northwood, 2011). However, the majority of these incidents, 77%, were accompanied by robberies (Northwood, 2011).

In 2005, a survey conducted by the U.S. Bureau of Labor Statistics showed a much higher rate of co-worker workplace violence in the State Government sector (Fig. 1) than in any other sector (Bureau of Labor Statistics, 2006). This survey showed that State Governments led workplace violence across the board, in every category. The same study revealed that over 30% of private companies with at least 1,000 employees (Fig. 2) saw violence from co-workers, and approximately 25% saw domestic violence (Bureau of Labor Statistics, 2006).

[Fig. 1 image not reproduced]

Fig 1. (Bureau of Labor Statistics, 2006)

[Fig. 2 image not reproduced]

Fig. 2 (Bureau of Labor Statistics, 2006)

Workplace shootings are still a deep fear because of the national spotlight they capture. In 2010 there were 405 workplace shootings across the U.S., 295 of them in non-retail environments (Bureau of Labor Statistics, 2013). It is estimated that among companies with over 1,000 employees, 70% do not have workplace violence programs to address this threat (Dillon, 2012). Not having programs, or simply having incidents of workplace violence, significantly increases employee turnover and lowers morale, among other things (Bureau of Labor Statistics, 2006).

Part II. Identifying the Threat

Threats & Assessments

There are several ways threats can be made: direct, indirect, passive, aggressive, etc. Threats can come from telephone calls or emails, or even via third-person notifications. In this day and age, society seems to be living on edge, and people can often say things they do not mean, which is why it is essential to take all threats seriously; but all of them need to be assessed.

Assessing each threat will not only help the victim of the threat feel at ease; it will also allow the company to determine the likelihood of the threat. A threatening communication is a message that states, or merely implies, that some harm is going to come to someone (O’Hair, Bernard, & Roper, 2011). People who mean to do harm do not usually threaten their intended targets in person; they tend to place threats elsewhere (O’Hair et al., 2011). This makes it difficult for most organizations to assess threats, because they focus on aggressive individuals who threaten people to their faces, yet as few as one-third do that (O’Hair et al., 2011).

Two-thirds of attackers tell others about their plans to attack or harm individuals (O’Hair et al., 2011). Most of these interactions are with family, friends, co-workers, or other people the attacker trusts to some degree. In this era of social media, attackers will often post threats on their social media accounts before they act (O’Hair et al., 2011). This has been seen a lot lately in terrorism: in the Ohio State University incident, the suspect posted on his Facebook that he was “sick and tired” of seeing fellow Muslims “killed and tortured” (Grinberg & Prokupecz, 2016). The same was seen with the Orlando, Florida shooting, where the suspect pledged his allegiance to ISIS (CNN Wire, 2016). The majority of attackers also do not react emotionally (Harris & Lurigio, 2012), meaning they do not attack immediately after being angered but typically take a certain amount of time to think about their attack. This is when the attacker makes online threats or talks to friends and family, and when others will see a change in the attacker’s personality, often called “warning signs” (Harris & Lurigio, 2012).

When conducting threat assessments on individuals, it is vital not to look only at singular events. People react differently to news than others do, based on their life experiences, culture, religion, or mental illness if applicable (O’Hair et al., 2011). It is important to gauge past and present actions and calculate the threat in a contextual sense rather than an instinctual one (O’Hair et al., 2011). Once a threat assessment is completed, proper action can be taken, whether that is an employee assistance program, dismissal, or nothing at all.

RAM Teams

More and more companies are implementing conflict management teams inside their operations to deal with workplace violence threats. As more cases evolve on the national level, employee fear rises and creates anxiety that can handicap the activities of the business. Conflict management can be described as using interpersonal or diplomatic skills to relieve conflict between people (Godiwalla, 2016). This takes exceptional skills, which many managers do not have. Managers are in most cases undertrained to adequately manage conflicts on a routine basis, even a standard argument between two employees, let alone an employee who is having thoughts of committing workplace violence.

This is why companies have begun to create specialized teams to handle perceived conflicts beyond the usual arguments. These groups are typically referred to as the Risk Assessment & Management Team, or “RAM” (Kenny, 2010), and they are highly trained in conflict management along with threat and risk assessment. These teams can work with line supervisors to properly train them on conflict management and can run programs within the company, such as an anonymous threat hotline or some other anonymous notification system.

The RAM team's responsibility is ultimately to identify and mitigate the risk of workplace violence (Kenny, 2010). They do this by identifying early warning signs, patterns, and trends in possible individuals, then trying to mitigate the risk by defusing the situation, offering employee assistance, or running some other program (Kenny, 2010). The point of the RAM team is to be the backbone of the company when it comes to workplace violence, and depending on the size of the enterprise, it could be anything from a part-time team to an entire department for an international corporation.

The other responsibilities of the RAM team should be to advise stakeholders regarding policies and procedures when it comes to workplace violence. Executive management should give RAM team members the authority to do what they need to do without interference from other supervisors, and this authority must be written as a policy. Because early intervention is crucial to stopping workplace violence (Kenny, 2010), RAM must have a close and trusted relationship with all employees within the company. RAM members must be trusted with confidential information from employees and sensitive information about employees.

Part III. Mitigating the Threat

Security Design

A mitigating factor for workplace violence can be the overall security design of the facility. A proper security design can affect the mindset of a threat and prevent an attack (Tseng, Duane, & Hadipriono, 2004). Specific environmental factors can be set up to destabilize a possible attacker’s decision-making ability and cause them to re-think their plan. This can delay the attack, creating the time needed for witnesses to observe the attacker and notify the right personnel, or it can cause the attacker to cancel the attack altogether (Tseng et al., 2004).

This practice is referred to as Crime Prevention Through Environmental Design and is typically used during the design phase of a facility. There is also an economic theory referred to as the rational choice theory. The rational choice theory can be described as follows: when a human has all the information they need to know about multiple things (strategies, costs, benefits, etc.), they will choose the one that best meets their needs utilizing all the information they know (Meyer, 2012). This means humans are typically self-serving and tend to think rationally about the best choice for themselves. An example of this would be when people go shopping for a new sofa: they are presented with many options, and the majority of individuals gather information and compare it with what they know about their financial lives, bills, savings, etc. They then make the most “rational choice” on which sofa they can afford.

However, most would assume an attacker who is coming to harm someone is already in some altered mental state. There is a substantial likelihood the adversary is not able to cognitively process information and make rational choices. However, studies have shown that most workplace violence offenders plan their attacks over time (O’Hair et al., 2011), so the chance of a more rational mind is increased. Research suggests offenders who do not act spontaneously, as in the case of road rage, can still think rationally.

Thinking about all of this, why do people sometimes buy the expensive sofa that puts them in grave debt? It is something many people have done, and it is something the security environment of a facility needs to do to potential attackers. A well thought out security environment should provide obstacles to anyone looking to cause harm, forcing someone with evil intentions to make irrational choices to continue. Having access control systems in place, longer walkways in public view, or forced interaction with other people will more than likely push the attacker into irrational choices, which will either delay the offender or create an environment where the attacker is deterred from committing the act.

The security environment plays a vital role in all potential attacks on a facility, but in particular in workplace violence incidents. Just like conflict management, immediate interception and displacement can often produce significant rewards. Creating an environment that offers access to employees with the correct credentials but requires unauthorized individuals to make irrational choices to enter will make the facility a safer place. When people make irrational choices they often become more stressed and end up making mistakes, putting themselves in dangerous situations that lead to adverse outcomes for their ultimate objectives.

Training

Training employees is a crucial factor in preventing workplace violence. Whether the company needs to hire outside resources or can use support from within to train its employees, providing adequate knowledge of what to do can save lives and the company. One form of training that should be conducted is what to do in the case of an emergency such as an active shooter. Another form should be on how to identify co-workers who may be presenting early signs of problems.

All of the training should lead into how employees can report issues they notice. They should be able to report these matters quickly, and signage should be posted around the facility to keep them reminded. Another part of the training should inform them of the resources the company offers to assist them if they are going through difficulties. Emphasis should be placed on the confidentiality of these resources, and information packets as well as signage should be provided.

This training should be provided during the orientation of new employees to familiarize them with this information, and current employees should be required to take a short refresher course every couple of years on the company resources. When it comes to what to do in the event of an emergency, this training should be held yearly and repeated whenever modifications are made to the facility, so employees are familiar with the layout of the environment and any evacuation plans that are set forth. Precautions should be taken when employees are let go, due to the possibility that an ex-employee might know these evacuation plans and set traps for evacuating employees.

Work Programs

One of the primary programs a company must have to fight workplace violence is an Employee Assistance Program, or EAP. These programs are workplace resources designed to assist employees with problems impacting work performance (Hardison Walters et al., 2012). EAPs are also a cost-saving measure for companies, saving them anywhere from $5.00-$16.00 in healthcare investment cost for every dollar spent on the expense of the program (Carchietta, 2015). The EAP has been in use for a while and has been a success. However, employees do need to know about the benefits and confidentiality of its use. When EAPs were first introduced they only covered issues like substance abuse; now they include many more issues, including mental health, intimate partner violence, financial issues, and more (Carchietta, 2015).

When it comes to workplace violence, ex-employees are not the only threat. Domestic violence, dating violence, and inter-office arguments can lead to violent acts in the workplace. Having an active EAP provides the ability to mitigate these risks. People go through hard times throughout their lives, and having a company that will stand with them and offer confidential assistance will mean a lot to them and lower the chance of violence in the workplace. These programs, although confidential, should share information between only a select few individuals when it comes to specific issues such as domestic and dating violence.

Another program that should be in place is a hotline and email contact site that employees can use anonymously to report suspicious behavior by other employees. This program should be handled with caution, and access to it should be limited to a select few on the RAM team. All of these programs should be marketed well within the work environment. Branding the EAP and hotline is key to having employees reach out for help (Carchietta, 2015).

Financial Loss from Workplace Violence

The cost of workplace violence is immense, not only in human life or the psychological toll it can take, but in the financial toll it can take on a company as well. Workplace violence can be compared financially to sexual harassment cases due to the mental strain it puts on employees (Dillon, 2012). As mentioned earlier in this paper, morale within the company can drop significantly after workplace violence, or even the threat of workplace violence, driving overall profit margins down (Dillon, 2012). Not dealing with conflict immediately can drive employees not only to lash out violently but also to lash out criminally in other ways, such as theft or sabotage (Dillon, 2012), or, if they are capable, theft of trade secrets.

Conclusion

Beyond the loss of life that can potentially come with workplace violence, companies can suffer financially. Whether it is through lawsuits or adverse brand reputation, a company that has been exposed to an incident of workplace violence is guaranteed to see a loss. The only way to mitigate this loss is with a plan of action to deal with conflict and crisis before it gets to the point of violence.

Something as simple as a verbal threat can have an adverse impact on employee morale: unneeded stress, lack of productivity, high turnover, and a bad name for the brand among potential recruits (Emmerik et al., 2007). Having safeguards and countermeasures in place to handle these situations will reduce the risk of violence and increase productivity for the business, creating both a win for shareholders and a safer environment for employees.

Establishing anonymous or confidential programs will help employees feel safer while at work. For anxious employees, seeing written policies and physical security measures implemented allows some of those anxieties to fade into the background so they can stay focused on work and not on their safety. Trust that an employer will be a protector is vital to an employee’s psychological contract with the company, in which the employee believes they are giving their time and expects, at minimum, to be protected while doing so (Emmerik et al., 2007).

References

Amabile, T. M., Conti, R., Coon, H., … Herron, M. (1996). Assessing the work environment for creativity. Academy of Management Journal, 39(5). Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1840079183?pq-origsite=summon&accountid=8289

Bureau of Labor Statistics. (2006). Survey of Workplace Violence Prevention 2005. Washington, DC. Retrieved from https://www.bls.gov/iif/oshwc/osch0033.pdf

Bureau of Labor Statistics. (2013). Workplace Homicides from Shootings. Retrieved May 17, 2017, from https://www.bls.gov/iif/oshwc/cfoi/osar0016.htm

Carchietta, G. (2015). Five steps to increasing utilization of your employee assistance program. Workplace Health & Safety, (March). Retrieved from http://search.proquest.com.ezproxy1.apus.edu/docview/1730775796/fulltextPDF/48BBCCD313A04A78PQ/1?accountid=8289

CNN Wire. (2016). Orlando shooter posted to Facebook before and during nightclub attack | WGN-TV. Retrieved May 19, 2017, from http://wgntv.com/2016/06/16/orlando-shooter-posted-to-facebook-before-and-during-his-attack/

Dillon, B. L. (2012). Workplace violence: Impact, causes, and prevention. Work, 42(1), 15–20. https://doi.org/10.3233/WOR-2012-1322

Emmerik, I. J. H. Van, Martin, C., & Arnold, B. (2007). Threats of workplace violence and the buffering effect of social support. Group & Organization Management, 32(2).

Fernandez, A. (2017). California Elementary School Shooter Called Estranged Wife “Angel” on His Facebook. Retrieved May 19, 2017, from http://people.com/crime/san-bernadino-school-shooting-facebook-page/

Fox News Staff. (2017). Dallas office shooting: Man fatally shoots boss before killing himself. Retrieved May 19, 2017, from http://www.foxnews.com/us/2017/04/24/two-people-reportedly-shot-at-dallas-office-building.html

Godiwalla, Y. H. (2016). Conflict management strategies in global firms. Journal of Management Policy and Practice, 17(2), 11–18. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1860725196/fulltextPDF/C75AF7CD9A424DF4PQ/1?accountid=8289

Grinberg, E., & Prokupecz, S. (2016). Ohio State University: Attacker killed, 11 hospitalized after campus attack. Retrieved May 19, 2017, from http://www.cnn.com/2016/11/28/us/ohio-state-university-active-shooter/

Hardison Walters, J. L., Pollack, K. M., Clinton-Sherrod, M., Lindquist, C. H., Mckay, T., & Lasater, B. M. (2012). Approaches used by employee assistance programs to address perpetration of intimate partner violence. Violence and Victims, 27(2), 135–147. https://doi.org/10.1891/0886-6708.27.2.135

Harris, A. J., & Lurigio, A. J. (2012). Threat assessment and law enforcement practice. Journal of Police Crisis Negotiations, 12(51), 51–68. https://doi.org/10.1080/15332586.2012.645375

Kenny, J. (2010). Risk assessment and management teams: A comprehensive approach to early intervention in workplace violence. Journal of Applied Security Research, 5(2), 159–175. https://doi.org/10.1080/19361611003601033

Meyer, S. (2012). Reducing harm from explosive attacks against railways. Security Journal, 25(4), 309–325. https://doi.org/10.1057/sj.2011.23

Northwood, J. (2011). Assaults and violent acts in the private retail trade sector, 2003—2008. Retrieved from https://www.bls.gov/opub/mlr/cwc/assaults-and-violent-acts-in-the-private-retail-trade-sector-20032008.pdf

O’Hair, H. D., Bernard, D., & Roper, R. (2011). Threatening Communications and Behavior: Perspectives on the Pursuit of Public Figures Approaching. In C. Chauvin (Ed.) (p. 117). Washington, DC: National Research Council.

Orlando Sentinel Staff. (2009). Jason Rodriguez: Shooting at downtown Orlando office building leaves 5 hurt, 1 dead. Retrieved May 19, 2017, from http://articles.orlandosentinel.com/2009-11-06/news/os-shooting-reported-downtown-orlando-20091106_1_gateway-center-downtown-orlando-office-building-police-cruiser

Slate, R. (2009). Competing with Intelligence: New Directions in China’s Quest for Intangible Property and Implications for Homeland Security. Homeland Security Affairs, 5(1), 29. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1266213070/fulltextPDF/3BA31AD0F0634D73PQ/1?accountid=8289

Tseng, C.-H., Duane, J., & Hadipriono, F. (2004). Performance of Campus Parking Garages in Preventing Crime. Journal of Performance of Constructed Facilities, (February), 21–28. https://doi.org/10.1061/(ASCE)0887-3828(2004)18

Exclusion Rule in the Private Sector

Matthew Day

January 22, 2017

Essay for the class “Legal Issues in Security Management”

In public law enforcement, there are several critical issues that can lead to the suppression of evidence in all types of cases, from an illegal search to an illegal seizure or even an illegal statement that may cause the downfall of a case. The United States Constitution sets forth the right of every American to be free from government intrusion into their private space and from seizure of their property without just cause. The 4th Amendment is arguably the most challenged legal motion in U.S. courts, but when it comes to private security, where is the line drawn? These two separate examples will show what could be the most challenging issues for private security when it comes to the 4th Amendment, and how case law has ruled on them in the past.

Miranda Warnings for Private Security

In 1966, the U.S. Supreme Court heard the case of Miranda v Arizona and ruled that a person being interrogated by law enforcement while in custody must be advised of their rights in regard to self-incrimination (Miranda v Arizona, 1966). This ruling set a precedent in law enforcement that forever changed the landscape for how the public police interrogated and even spoke with individuals whom they were interviewing about a crime.

However, there was little case law regarding private security until 1968 and the case of U.S. v Antonelli. In this case, Antonelli, who was a dock worker in New York City, was trying to exit Pier 90 when he was stopped by a security guard (U.S. v Antonelli, 1970). The guard requested he open his trunk, which he did. In his trunk were thousands of dollars of imported goods likely stolen from shipping containers. During the conversation, Antonelli requested several times that the security officer lie about the incident and say he found the goods at the end of the pier (U.S. v Antonelli, 1970). Antonelli, throughout the conversation, confessed to the theft while being stopped and “in custody”.

At trial and on appeal, Antonelli tried to assert that because the security officer never read him his Miranda rights while he was in custody, the confession and seizure should be thrown out as “fruit of the poisonous tree” (U.S. v Antonelli, 1970). The court ruled that a security guard is no different from a private citizen and, since there was no government involvement during the interview or search, there was no need for Miranda warnings to be issued (U.S. v Antonelli, 1970). The court cited in its opinion Burdeau v McDowell, which states that the origins of the 4th Amendment “clearly show that it was intended as a restraint upon the activities of sovereign authority, and was not intended to be a limitation upon other than governmental agencies” (Burdeau v McDowell, 1921, p. 12). As stated in Antonelli, “The federal exclusionary rule enforcing adherence to the intendment of the Fifth Amendment, like the Fourth Amendment, has long been construed as ‘a restraint upon the activities of sovereign authority’” (U.S. v Antonelli, 1970, p. 5).

Since Miranda has been in place, it appears to have been there with the intention of protecting citizens from the public police. As for other Fourth and Fifth Amendment activities, private police are looked at as private citizens. Due to the rise in the number of private security forces patrolling areas where they will come into contact with more citizens, more cases will likely be challenged, and further case law will be heard and made in the realms of the seizure of people and interview/interrogation.

Stop and Frisk

With the number of private security officers growing rapidly to over 1.1 million nationwide according to the Department of Labor, issues on the subject of Terry stops, or “stop and frisk” as they are commonly known, will become more common. For public police, stop and frisk is vital when it comes to keeping officers safe as well as finding evidence of crimes. The U.S. Supreme Court ruled in 1968 that a police officer may search a person without a warrant if that officer has a reasonable suspicion “that the person has committed, is committing, or is about to commit a crime” and has a reasonable belief that the person “may be armed and presently dangerous” (Terry v Ohio, 1968). However, when it comes to private security, one must ask whether private security officers fall under the same requirements as public police officers. One case that took this head-on was U.S. v Day in 2010.

Day was at an apartment complex with a friend when he got into an argument and brandished a gun. Two security officers observed this and responded, drawing their weapons and ordering Day to comply, which he did. Upon taking Day into custody, a “pat down” was conducted, and nothing noticeable was found, which would have satisfied a Terry stop. However, the private security officers continued to question Day while he was handcuffed, asking him about the gun and whether he had anything illegal on him, to which he stated that he had marijuana on him.

In the appeals court, the statements about the marijuana and the firearm, as well as the marijuana itself, were suppressed because the court believed the private security officers were working on behalf of the government and should have read Day his Miranda warnings. The court also held that an unconstitutional search was conducted for the marijuana. The ACLU of Virginia assisted in the appeal and argued that the uniforms and equipment, along with state regulation of the private security officers, all made the officers a part of the government (ACLU, 2009).

However, the government appealed that decision to the District Court, which overturned the ruling, stating that there was no evidence to support that the private security officers were acting on behalf of the government and that they were acting as private citizens (U.S. v Day, 2010). The court goes on to state in its opinion, “The Fourth Amendment, however, does not provide protection against searches by private individuals acting in a private capacity United States v. Jacobsen, 466 U.S. 109, 113 (1984)” (U.S. v Day, 2010).

Conclusion

Both of these issues are similar in that they share the same test to see if evidence will be excluded: did the private security officer act as an agent of the government, or did they act as a private citizen? That seems to be the dominant question in all of the case law. With the security industry growing at a rapid pace, and over 52 billion being spent in the industry while over 30 billion is spent in public law enforcement (ACLU, 2009), it is clear that more of these kinds of cases are going to come up in the future.

References

ACLU. (2009). Case Brief U.S. v Day. Richmond, VA. Retrieved from https://acluva.org/wp-content/uploads/2010/02/USvDayAmicus.pdf

Burdeau v McDowell, 256 U.S. 465 (United States District Court for the Western District of Pennsylvania June 1, 1921). Retrieved from https://supreme.justia.com/cases/federal/us/256/465/case.html

Miranda v Arizona, 384 U.S. (U.S. Supreme Court June 13, 1966).

Sable, M. (1972). Miranda Warnings in Other than Police Custodial Interrogations. Cleveland: Cleveland State Law Review.

Terry v Ohio, 392 U.S. 1 (U.S. Supreme Court June 10, 1968).

U.S. v Antonelli, 434 F.2d 335 (United States Court of Appeals, Second Circuit November 24, 1970). Retrieved from https://law.resource.org/pub/us/case/reporter/F2/434/434.F2d.335.220.34489.html

U.S. v Day, 08-5231 (United States 4th Circuit District Court of Appeals January 8, 2010). Retrieved from http://www.ca4.uscourts.gov/Opinions/Published/085231.P.pdf

Mitigating Industrial Espionage

American Military University

February 18, 2018

Matthew Day

Submitted in partial fulfillment of the degree requirements for the BA in Security Management

Abstract

The intent of this mixed-method capstone is to show how vulnerable American corporations are to industrial espionage and that security measures must be in place to mitigate risks associated with trade secret theft. The American economy is the largest in the world, as it is comprised of powerful multinational corporations. As a result, industrial espionage, or the unlawful gain of trade secrets, has emerged as organizations have attempted to stay competitive in the global marketplace. These acts of espionage have caused significant losses not only to corporations but also to the US economy, with estimates from 100 billion dollars to over 500 billion dollars a year. Despite the risks associated with espionage, companies struggle to secure their intangible assets, as most firms do not have the bandwidth to deal adequately with this issue themselves, and they focus their security measures on network security only. Since the September 11th terrorist attacks, the United States Government, with efforts headed by the Federal Bureau of Investigation, has concentrated most of its resources on protecting against acts of domestic terrorism, concentrating little on preventing industrial espionage. This study utilized a mixed research methodology to gauge the risk, mitigation strategies, and contingency plans for a massive loss event.

Introduction

Business is a never-ending game with a continuous rotation of players. For companies to be successful, they must engage in robust and well-planned strategies, utilizing strategic data analysis when searching external and internal environments (Porter, 1980). In business, one of the leading contributors to growth comes in the form of the opportunities individual markets afford (Porter, 1980). Individual market strategies are composed of other information, including valuable data on the needs of consumers within that particular region. Therefore, to grow a robust strategy and succeed in both entering and growing in a modern business environment, companies are forced to be innovative to meet the needs of their consumers.

Competition drives businesses and inspires them to achieve lower pricing and a more significant market share to remain competitive. To accomplish this, companies have been utilizing data analytics to gain a better perspective for decision-making. Since the 1990’s, data has been ever growing in the measures businesses use to evaluate, plan, and implement their strategies over multiple markets (Rowe, 2016). With the appropriate data, a firm can analyze available information to employ a strategy that gives it an edge over its competitors (Gainor & Bouthillier, 2014). Since the mid-1990’s, methods such as business intelligence have emerged and were later combined with competitive intelligence to perform the same operations; but rather than concentrating only on internal strengths and weaknesses, competitive intelligence focuses on the entire business environment.

Competitive intelligence is essential in reviewing the strengths and weaknesses of a corporation as well as the threats and opportunities of the market. Competitive intelligence analyzes these elements, along with innovations developed by competitors, new market products, and internal and external financial data, to get a better understanding of the environment and the competition and to ensure decision-makers are well informed before developing a strategy.

Although market data plays a crucial role in succeeding in a modern business environment, some companies go too far in their attempt to collect data from their competitors. There is an ethical standard for competitive intelligence professionals that must be followed. The Strategic and Competitive Intelligence Professionals Association has conducted extensive research on ethical conduct in collecting business information. Although there are right and wrong ways to obtain business data, the lines are not always black and white; they sometimes blur and turn gray. This gray area could lead to problems as business professionals overstep their ethical practices and move toward the illegal activities known as industrial espionage.

Adding to this dilemma, modern business and communication are mainly dependent on extensive global networks. Due to the lack of security across these networks, many large firms have an abundance of assets that are vulnerable to the industrial espionage tradecraft. With many businesses holding what are called trade secrets in the form of intellectual property, these secrets comprise a massive amount of the enterprise value of the company (GIFT, CIMA, & IPA, 2016).

With competition and the need to gain a competitive advantage over other companies becoming critical to a corporation’s health and success, both foreign and domestic firms have participated in the unethical side of competitive intelligence. One primary concern is that as the amount of industrial espionage increases, so does the likelihood that millions, if not billions, of dollars of valuable trade secrets will become vulnerable or be stolen within modern networks. This presents a higher organizational risk for corporations, as now a threat can come from both internal and external adversaries through the use of remote access tools known as “RATs” (Rowe, 2016). If a company were to have a massive loss in its enterprise value, American firms would be significantly impacted, as they typically have approximately ninety-eight percent of their intangible assets vulnerable to some form of cybercrime (Fitzpatrick & Dilullo, 2017). One must consider how that would affect not only the company but the entire economy of the United States.

This research explores the impact of losses sustained through industrial espionage on American corporations. The research also studies mitigation strategies to lessen the probability of a significant loss event. Industrial espionage is a substantial risk for American firms, and that threat is continuing to grow due to advanced technology, corporations’ dependence on intellectual property, and natural business competition. If the proper mitigation strategies to combat the risk of espionage are not implemented, the impact could have massive consequences for both a firm and the economy.

Foundations for Industrial Espionage

Competition in Business

Creating shareholder wealth is the top financial priority for corporations in America (Keown, Martin, & Petty, 2017). American firms must gain actionable intelligence in several different environments to create wealth for their investors. A significant segment of a company’s decision-making capability is getting to know the needs of its selected group of consumers. Organizations often rely on gaining as much knowledge as they can to understand the needs of the customer base they are targeting and to create advantages for themselves. This type of data gathering on consumers is often referred to as marketing intelligence.

Businesses also require data to plan business strategies and to remain competitive in their markets (Porter, 1980). When entering a new marketplace, firms will often seek information to assist with strategic planning for that particular business environment. Many barriers can be in place for corporations looking to grow into different sectors, creating the need for departments whose sole purpose is to gather market data or intelligence. Some key areas organizations need to know and understand are: cultural dimensions, economic traits, consumer needs, market statistics, the abundance of resources, and their competitors (Porter, 1980; Gainor & Bouthillier, 2014).

Getting to know all of the information on specific markets is a difficult task and requires the skills of specialized professionals. Business is nothing more than a game, and when a firm is playing a game, it needs to create a strategy to win. Companies want to have as much knowledge about the market and their competitors as they can to build a strategy. This knowledge is the foundation for building a successful, clear strategy. Strategies are mostly planned and implemented by management and decision-makers at a company (Gainor & Bouthillier, 2014). Therefore, information on the external and internal environments must be delivered to these decision-makers so they have the best chance of forming and communicating the most effective strategic plan (Gainor & Bouthillier, 2014).

Competitive Intelligence and Industrial Espionage

Since the 1990’s, the field of competitive intelligence has grown. With more companies growing into global corporations and with more data being sent and received via online communication, competitive intelligence professionals look to legally ‘spy’ on competitors to gain the most information possible regarding their competition (Gainor & Bouthillier, 2014). Competitive intelligence departments work in an arena that is public domain. These professionals play by the rules and seek open-source information to bring to decision-makers (Babaimehr & Zingir, 2016). The competitive intelligence mission is to research and find essential data on environments that could potentially give the firm a competitive advantage or streamline internal operations (Babaimehr & Zingir, 2016). However, studies have shown that, depending on the competition and other market factors, competitive intelligence departments may relax their ethical and moral standards to obtain the desired data (Babaimehr & Zingir, 2016).

The critical difference between competitive intelligence and industrial espionage lies in the moral and ethical methods of gaining the information (Gainor & Bouthillier, 2014). Competitive intelligence can quickly become an illegal or immoral operation due to the nature of business competition. Methods used to procure data legally in one country may be illegal in another (Babaimehr & Zingir, 2016). Other practices may be questionable, as there are no specific legal ramifications for the methods used to procure data; however, these methods may be immoral and therefore controversial. For example, a competitive intelligence professional observes an online blog where an engineer for one of their competitors is known to post often. This competitive intelligence professional uses social engineering to figure out the engineer’s blog handle and strategically discusses the new technology the engineer is working on in a blog post. Communications between the two reveal segments of proprietary information. The competitive intelligence professional knows that the competitor is inventing a new product and already has the general outline of what the new item is. When the competitive intelligence professional goes on the blog, they pose strategic questions or comments that the engineer will answer without knowing they are being used. The competitive intelligence professional can now quickly put the pieces together to deduce the proprietary information the new invention uses. The engineer does not know they are being manipulated for bits of information because they did not include their work information or real name in their blog profile. However, through social engineering, the competitive intelligence professional has identified the engineer based on the information provided.

The example above represents what could be considered an unethical method of obtaining information, because the professional did not disclose who they were or where they worked. However, the competitive intelligence professional violated no laws; all of the information received was open-access, and nothing was stolen. Most firms have ethical standards and policies for gaining intelligence on competitors (Babaimehr & Zingir, 2016). However, depending on the market, the product, and the overall environment, some competitive intelligence professionals may be more aggressive in their tactics (Babaimehr & Zingir, 2016).

Because competitive intelligence and industrial espionage are so closely aligned, and because firms keep a growing number of trade secrets on their networks, American organizations are substantially vulnerable to adverse events with a massive potential for loss. In the past five years, corporations have increased their dependence on intellectual property (GIFT, CIMA, & IPA, 2016). Multinational companies like Kraft Foods (80%) and AT&T (84%) have most of their value wrapped up in intangible assets, with over 100 billion dollars at stake (GIFT et al., 2016). Much of the intangible asset value is in the form of copyrights and patents. However, there is a sharp increase in undisclosed intangible assets, which are likely trade secrets. Technology companies lead American corporations in the intangible assets they possess. Apple, for example, has approximately 60% of its entire enterprise value in intangible assets (GIFT et al., 2016), and 98% of that, valued at 379 billion dollars, is undisclosed (GIFT et al., 2016).

Studies by the Institute of Practitioners in Advertising and the Chartered Institute of Management Accountants, along with Brand Finance, show a massive vulnerability for American corporations that depend so heavily on undisclosed intangible assets (GIFT et al., 2016). These company valuations, together with the growth of cyberspace, have created an opportunity for adversaries to steal undisclosed assets from afar. Even though internal threats remain the largest (Fitzpatrick & Dilullo, 2017), the growth of the global internet and firms’ reliance on keeping trade secrets on networked platforms are creating massive vulnerabilities for corporations.

The Vulnerability of Firms

Industrial espionage has a significant financial impact on American corporations, with typical yearly losses totaling over 100 billion dollars and some estimates reaching 600 billion dollars (Bressler & Bressler, 2015). With so many trade secrets vulnerable to theft, these numbers reflect an emerging threat to corporations and to the national economy. Individual businesses can be impacted substantially. For example, in a 1996 case study, a researcher was brought in to test how secure a corporation’s trade secrets were from external sources. After only one day of attempting to penetrate the firm, the researcher had obtained over 1 billion dollars’ worth of information (Winkler, 1996). If these capabilities existed in 1996, one can only assume that the threat to corporate security has intensified since.

This is not the only study to produce such results. Other cases involving internal employees and contractors suggest that intellectual property and trade secret theft are growing along with the opportunities and motivations for it (Bressler & Bressler, 2015; Fitzpatrick & Dilullo, 2017). In 2012, an employee was found guilty of stealing roughly 40 million dollars’ worth of trade secrets (Price Waterhouse & Create, 2014). In another 2012 case, an employee gained access to source code that the company had labeled a trade secret worth 100 million dollars (Price Waterhouse & Create, 2014).

The majority of threats to firms come from internal employees who have some motivation for stealing trade secrets (Fitzpatrick & Dilullo, 2017). Previous corporate studies have found that current or former insiders account for the vast majority of trade secret thefts (Fitzpatrick & Dilullo, 2017; Price Waterhouse & Create, 2014). In this context, insiders include former and current employees, contracted employees, and supply chain vendors (Fitzpatrick & Dilullo, 2017). Based on these studies, security departments should focus the majority of their efforts on internal adversaries. However, only a small percentage of companies actively have security measures in place to prevent insider theft (Fitzpatrick & Dilullo, 2017).

With the proliferation of portable storage devices, insider threats do not appear to be declining. As it becomes easier for an employee, contractor, or supply chain official to steal secrets, the risk of industrial espionage grows. Although insiders are the most considerable threat, they are not the only one. Cybercrime is a massive and growing threat as well (Bressler & Bressler, 2015). Most corporations have a dedicated team to prevent outside penetration of their networks (Bressler & Bressler, 2015). This is no guarantee that espionage will not occur, as the reach and use of global networks keep expanding, and the opportunities to steal trade secrets by hand are also on the rise.

Preventing Industrial Espionage

Mitigation Strategies

In prior eras, industrial espionage was committed by physically stealing material or by manipulating an insider into committing the crime. With the rise of the internet, offenders can both take trade secrets remotely from abroad and take data physically on-site. As storage technology grows in capacity while shrinking in physical size, it is possible for one person to steal millions of dollars’ worth of intangible assets with a single thumb drive, or from thousands of miles away (Rowe, 2016).

Several methods of industrial espionage have outlasted changes in technology. Blackmail and the internal theft of trade secrets are just some of the techniques that can be deployed (Benny, 2013). Fraudulently seeking information at trade shows and seducing employees into revealing valuable information are other parts of espionage tradecraft still used today (Benny, 2013). Although physically visiting a location or making contact with people raises the risk for adversaries, in some industries this may be the only option. According to several studies, employees, contractors, and value chain members are responsible for well over sixty percent of trade secret thefts (Fitzpatrick & Dilullo, 2017). Employees and contractors are labeled the most significant threat to proprietary information (Fitzpatrick & Dilullo, 2017; Price Waterhouse & Create, 2014).

Insider theft can take many forms. However, studies show that the most significant factor in insider theft has typically been employees who feel harmed by the company or who are leaving it (Fitzpatrick & Dilullo, 2017). Sometimes an employee with a high-level job at one firm is recruited by a competitor and persuaded to download trade secrets before leaving (Price Waterhouse & Create, 2014). This method of espionage creates losses to corporations totaling hundreds of millions of dollars every year. In 2015, a Price Waterhouse survey identified internal coercion as the most significant industrial espionage threat to a business (Bressler & Bressler, 2015).

Mitigating Insider Threats

There are several approaches a well-defined security department can take to mitigate the risk of internal threats; one of them is the organization’s recruiting practices. An effective security department will work with human resources to make sure that the employees hired meet a standard of ethical and moral behavior, judged by their employment history. Human resources can verify a candidate’s background by conducting background checks, and the firm can form an internal investigation unit that focuses on employees, contractors, and vendors. Ongoing observation, training, and programs can then be established to properly counter threats from internal sources.

To mitigate the risk from existing employees, corporations can place controls on those who have been fired or have recently announced that they are leaving the organization. If an employee has given notice of resignation and has access to proprietary information, it is prudent to restrict the departing employee’s access to sensitive data. Additionally, the security department can audit the employee’s activity over a defined window, which reveals what the employee has been viewing on a day-to-day basis. If the company tracks login and access information, which any firm should do as a matter of basic information security, security professionals can audit where the employee went during that window and whether any proprietary information was opened or downloaded by the resigning or fired worker.
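As an added illustration of the audit described above (this is example code written for this page, not part of the original paper), the following Python script scans a constructed, pipe-delimited file-access log for a departing employee’s activity and flags every access to data the firm has classified as a trade secret inside the audit window. The log format, the trade-secret path prefixes, and the HR ‘notice date’ feed are all assumptions made for the example; a real audit would read these from the firm’s own logging and data-classification systems.

```python
"""Audit of file-access logs for a departing employee (example code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, not real data. Assumed format:
#   timestamp|user|action|resource|bytes
SAMPLE_LOG = """\
2017-09-28T08:12:03|jsmith|LOGIN|vpn|0
2017-09-28T08:15:41|jsmith|OPEN|/eng/projectX/design.pdf|0
2017-09-30T22:04:10|jsmith|DOWNLOAD|/eng/projectX/source.zip|734003200
2017-10-01T09:02:55|mlee|OPEN|/hr/handbook.pdf|0
2017-10-02T23:47:19|jsmith|DOWNLOAD|/eng/projectX/bom.xlsx|1048576
2017-10-03T10:00:00|mlee|DOWNLOAD|/eng/projectX/source.zip|734003200
"""

# Hypothetical classification list: path prefixes the firm has designated as trade secrets.
TRADE_SECRET_PREFIXES = ("/eng/projectX/",)

# Hypothetical HR feed: user -> date the resignation notice was given (or the termination date).
DEPARTING = {"jsmith": datetime(2017, 9, 29)}

LOOKBACK = timedelta(days=30)   # the audit window starts this long before the notice date
WORK_HOURS = (7, 19)            # 07:00-18:59 counts as normal working hours


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    resource: str
    nbytes: int


@dataclass
class Finding:
    event: Event
    reasons: List[str]


def parse_log(text: str) -> List[Event]:
    """Parse pipe-delimited log lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, resource, nbytes = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action, resource, int(nbytes)))
    return events


def audit(log_text: str,
          departing: Dict[str, datetime] = DEPARTING,
          prefixes=TRADE_SECRET_PREFIXES,
          lookback: timedelta = LOOKBACK) -> List[Finding]:
    """Return every trade-secret access by a departing user inside the audit window,
    tagged with the reasons it was flagged."""
    findings = []
    for ev in parse_log(log_text):
        notice = departing.get(ev.user)
        if notice is None or ev.ts < notice - lookback:
            continue                       # not a departing user, or before the window
        if not ev.resource.startswith(prefixes):
            continue                       # resource is not classified as a trade secret
        reasons = ["trade-secret access by departing user"]
        if ev.action == "DOWNLOAD":
            reasons.append("download")     # a copy left the system, not just a view
        if not (WORK_HOURS[0] <= ev.ts.hour < WORK_HOURS[1]):
            reasons.append("after hours")
        if ev.ts >= notice:
            reasons.append("after notice date")
        findings.append(Finding(ev, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-user totals: flagged events, downloads, bytes downloaded, after-hours events."""
    totals: Dict[str, Dict[str, int]] = {}
    for f in findings:
        t = totals.setdefault(f.event.user,
                              {"events": 0, "downloads": 0, "bytes": 0, "after_hours": 0})
        t["events"] += 1
        if "download" in f.reasons:
            t["downloads"] += 1
            t["bytes"] += f.event.nbytes
        if "after hours" in f.reasons:
            t["after_hours"] += 1
    return totals


if __name__ == "__main__":
    flagged = audit(SAMPLE_LOG)
    for f in flagged:
        print(f.event.ts.isoformat(), f.event.user, f.event.action,
              f.event.resource, "; ".join(f.reasons))
    print(summarize(flagged))
```

Two caveats a practitioner would add. First, the log must be collected centrally and be write-protected from the user under review, otherwise the audit trail is only as trustworthy as the person being audited. Second, the window deliberately starts before the notice date: the cases cited in this section describe employees who copy material before announcing that they are leaving, so an audit that begins at the resignation date misses the most likely period of theft.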

Mitigating Cyber Threats

Both insiders and outsiders have exploited cyber vulnerabilities to steal information. A company’s network security is paramount, which is why most organizations focus their security efforts on hardening their networks. For some corporations this focus is consumer-driven, because a breach of consumers’ personal information can be a public relations crisis. However, this effort is aimed primarily at keeping external threats out, and internal risks are often not assessed (Fitzpatrick & Dilullo, 2017). Cyber threats from internal sources are on the rise as the technology for storing large amounts of data has become smaller and easier to conceal (Bressler & Bressler, 2015).

To protect its assets efficiently, a firm should already have an existing network security infrastructure with proper hardening. These measures should include firewalls, virtual private networks, and an intrusion prevention system. With a properly designed architecture, a corporation can decrease the risk of trade secrets being compromised by both internal and external adversaries.

Methods and Prevention

The profile of offenders is significant; however, deterring the crime is a substantial step where security departments can fall short. The foundations of industrial espionage are closely aligned with the basic principles of crime itself. Researchers describe what is needed to commit a crime as motivation, a suitable target, and opportunity (Cohen & Felson, 1979). With industrial espionage, the target is usually already established, since it is the affected corporation, so motivation and opportunity are the deciding elements. Another aspect of why and how insiders commit industrial espionage is how they rationalize the crime (Benny, 2013). As previously stated, an employee who perceives that they have been harmed, passed over for a promotion, or fired might attempt to steal protected data or recruit another employee. Another rationalization is the level of benefits the firm gives the employee: if the amount is not enough in the offender’s mind, they might view stealing and selling trade secrets as a way to be compensated the way they feel they deserve.

Overall, the methods spies use to commit industrial espionage have not changed much in the last several decades. The one area that has changed is access, or the “opportunity” to steal information. The rise of cyberspace and technology, and the growing amount of intellectual property that corporations store digitally, have made them more vulnerable (Bressler & Bressler, 2015).

It is essential that firms look at both network security and physical security when developing mitigation strategies to prevent trade secret theft. Controlling access to areas that store proprietary information is a significant step. However, businesses must conduct proper risk analyses across all of their infrastructure, including physical facilities, internal employees, the supply chain, and corporate networks, to ensure that the firm carries the fewest vulnerabilities possible. The risks the analysis identifies then need to be treated through countermeasures, insurance, training, or some other form of risk treatment.

Legal Environment of Industrial Espionage

Trade secrets are defined as proprietary information that has economic value (Fitzpatrick & Dilullo, 2017; McCollum, 1996). Depending on the law, different elements are required for proprietary information to qualify as a trade secret. Most regulations require that reasonable protections be in place to keep the information hidden from the general public (Fitzpatrick & Dilullo, 2017). Another element is that the information must give, or have the potential to give, the firm economic value; whether that value lies in competitiveness, innovation, or an actual dollar amount, the data must offer a financial benefit to the company (Fitzpatrick & Dilullo, 2017).

Most companies with security measures against espionage make it known which data is a trade secret and place security obligations directly on the employee (Fitzpatrick & Dilullo, 2017). These take the form of nondisclosure agreements or contracts that stipulate how to handle valuable information not available to the general public. A long history of case law supports the protection of trade secrets. As far back as the Roman Empire, courts applied protections to proprietary information not available to the public (Fitzpatrick & Dilullo, 2017). In the United States, the first trade secret case was Vickery v. Welch (1837), in which the ownership of a chocolate recipe was disputed. The Massachusetts court ruled that the recipe was an intangible business asset that had given the firm economic value before it was taken (Fitzpatrick & Dilullo, 2017).

In the early 1900s, as business grew throughout the United States, more courts issued rulings involving trade secrets. In 1985, the Uniform Trade Secrets Act (UTSA) was adopted in its amended form, providing civil litigation options for firms whose proprietary information had been stolen (Fitzpatrick & Dilullo, 2017). A majority of the states use the UTSA as the foundation for their own laws on trade secrets and their theft. It was not until the Defend Trade Secrets Act (DTSA) of 2016 that firms could bring civil cases in federal court rather than state courts (Fitzpatrick & Dilullo, 2017).

In 1996, Congress passed the Economic Espionage Act, which gave law enforcement greater ability to criminally prosecute trade secret theft (McCollum, 1996). The act has assisted prosecutions, and according to legal studies, prosecutions have doubled every five to seven years since its implementation (Fitzpatrick & Dilullo, 2017). The Federal Bureau of Investigation has seen a significant rise in espionage investigations since the act, primarily attributed to the increase in cybercrime methods (Fitzpatrick & Dilullo, 2017).

Several large corporations have been targeted for trade secret theft, including Ford Motor Company, DuPont, Motorola, Boeing, Cisco, and others (Fitzpatrick & Dilullo, 2017; Rowe, 2016). Other legal regulation exists to protect businesses and allow them to seek redress. One such law is the Computer Fraud and Abuse Act, which criminalizes intentionally accessing or damaging a protected computer without authorization, including through malicious code transmitted over the internet (Banks, 2017). Even with all of these laws, questions remain about the ability to criminally prosecute foreign adversaries. U.S. law gives the Federal Bureau of Investigation and federal prosecutors some extraterritorial reach against foreign industrial spies; however, depending on the offender’s location, obtaining a conviction can be difficult (Rowe, 2016). International law cannot adequately mitigate these threats or punish foreign offenders (Rowe, 2016).

Conclusion

The world faces security problems every day. World history has shown kingdoms and societies fall and empires break apart; nations thought unbreakable have shattered, leaving millions hungry, weak, and insecure. This has led countries to adopt policies to treat these risks and threats. American firms began to envision and plan for more in-depth security programs in the early twentieth century and continued for over fifty years, changing with the times and the threats. However, it was not until the turn of the millennium that everything changed for national security.

September 11th, 2001 will never be forgotten. It is the day the United States of America entered a new era of security. September 11th changed the way American corporations made decisions about preserving their assets, and a new way of organizing and strategizing was needed. With the September 11th attacks on a privately owned building and the rise of global communication, businesses were required to expand their security strategies. On the one hand, the growth in communications meant companies could develop their market knowledge more easily through units such as competitive intelligence. On the other hand, they had to defend themselves more creatively, because the opportunity to steal proprietary information from inside became easier.

What has not changed since the rebirth of corporate security is the competitiveness corporations face worldwide in entering marketplaces and staying competitive. Competitors need to gather as much data as possible so that executives can make the best decisions for the company, and this has led to more cases of trade secret theft globally. A prime assailant in corporate espionage is other countries that want to grow their economies the easy way. However, given the nature of competition, companies have also targeted their competitors in an attempt to gain an advantage and build their business.

Industrial espionage has been around for centuries. Growing technology and increasing global competition are making the threat more substantial and easier to carry out. Companies are taking massive losses from industrial espionage, and research has shown that little focus has been put on counter-espionage strategies (Fitzpatrick & Dilullo, 2017). Companies are upgrading their networks and defenses against external adversaries. However, studies show that firms put too little effort into internal offenders, who are the primary offenders.

Businesses are also placing more proprietary information in digital form, which makes it easier for either insiders or outsiders to steal. Surveillance equipment once thought to be available only to government spy agencies is now readily available for purchase by the general public (Banks, 2017). Issues such as these create a threat with the potential for increasing losses from industrial espionage. In the modern era of competitive business, especially in a particularly competitive market, it is essential that companies identify threats and vulnerabilities and then take measures to reduce the likelihood of industrial espionage.

Business competitiveness will never go away; however, the security industry can do more to mitigate organizational risk by creating counterintelligence units, training programs, employee awareness, and other mitigation strategies.

References

Babaimehr, H., & Zingir, M. F. (2016). Competitive intelligence impact on ethical behavior: Evidence from Melli bank staff. International Journal of Management Research & Review, 6(510), 2249–7196.

Banks, W. C. (2017). Cyber espionage and electronic surveillance: Beyond the media coverage. Emory Law Journal, 66(3), 513–525.

Benny, D. (2013). Developing a counterespionage program. In Industrial espionage. Boca Raton, FL: CRC Press.

Bressler, M. S., & Bressler, L. (2015). Protecting your company’s intellectual property assets from cyber-espionage. Journal of Legal, Ethical and Regulatory Issues, 18(1), 21–34.

Fitzpatrick, W. M., & DiLullo, S. (2013). International trade secret protection: Global issues and responses. Competition Forum, 11(2), 21–46.

Gainor, R., & Bouthillier, F. (2014). Competitive intelligence insights for intelligence measurement. International Journal of Intelligence and Counterintelligence, 27(1), 590–603. https://doi.org/10.1080/08850607.2014.900299

GIFT, CIMA, & IPA. (2016). Global intangible financial tracker. London, UK.

Javers, E. (2011). Secrets and lies: The rise of corporate espionage in a global economy. Georgetown Journal of International Affairs, 12(1), 63–60.

Keown, J., Martin, J., & Petty, W. (2017). Foundations of finance (A. D’Ambrosio, Ed.) (9th ed.). Boston, MA: Pearson Education, Inc.

McCollum, B. (1996). H.R.3723 – 104th Congress (1995–1996): Economic Espionage Act of 1996. Washington, DC: U.S. House of Representatives.

Office of the DNI. (2011). Foreign spies stealing US economic secrets. Washington, DC: Director of National Intelligence.

Porter, M. E. (1980). Competitive strategy: Techniques for analyzing industries and competitors. New York, NY: The Free Press.

Price Waterhouse & Create. (2014). Economic impact of trade secret theft: A framework for companies to safeguard trade secrets and mitigate potential threats.

Rowe, E. A. (2016). Rats, traps, and trade secrets. Boston College Law Review, 57(1), 381–426.

Slate, R. (2009). Competing with intelligence: New directions in China’s quest for intangible property and implications for homeland security. Homeland Security Affairs, 5(1), 29.

Winkler, I. S. (1996). Case study of industrial espionage through social engineering. Carlisle, PA.

You, I., Lenzini, G., & De Santis, A. (2017). Guest editorial: Special issue on insider threats to information security, digital espionage, and counter-intelligence. IEEE Systems Journal, 11(2), 371–372. https://doi.org/10.1109/JSYST.2017.2658258

Redesigning Entryways to mitigate violent offenders or unauthorized entries

Simply put, time matters. A straight line to an entryway lets an offender move from point A to point B quickly. By using the design of the environment together with symbolic barriers, the time between those two points can be extended. Lengthening that time exposes the adversary for longer and gives emotional responses more chance to affect their choice.

Physical security is a necessity throughout the world. Everyone experiences it, and some people experience it almost daily. The physical security industry is growing rapidly with new technology; however, with technology, security professionals can lose touch with the essential human element. Adversaries, or human threats, are simply individuals who want to harm other people or a facility. Technology can be a lifesaver in some locations and is valuable as support, but when dealing with humans, most of us are the same.

All humans bleed, most think alike, and most have cognitive and emotional faculties that allow them to function. Cognitive functions enable humans to analyze and make decisions, among other things (Van Gelder and De Vries 2014). Think of cognition in terms of deciding whether to ask one’s boss for a raise: people typically weigh the costs and benefits to determine whether to proceed. Emotional responses, commonly known as feelings, might make someone nervous, or even scared, about asking for that raise. An emotional response is the arousal of an emotion such as fear, sadness, or any other feeling (Van Gelder and De Vries 2014).

In the 1970s several researchers were working on crime prevention programs, and two in particular were working on environmental design theories for crime prevention (Reynald 2014). One was an architect and the other a sociologist (Reynald 2014). Together they laid the foundation of modern-day Crime Prevention Through Environmental Design, or CPTED, which works on a person’s cognitive and emotional states, such as choice and fear (Tseng, Duane, and Hadipriono 2004). From the 1970s onward, there has been ongoing research on environmental design for security, both supportive and critical.

However, we live in a new era of security; threats are more dangerous and more abundant. Terrorism against “soft targets” is happening all over the world, yet designing safe, secure, and controlled spaces does not seem to receive much research attention compared with other areas such as terrorism itself. The threats today are not only small local crimes to mitigate; they include stopping suicide bombers and terrorists from driving a massive truck through the front of a business plaza or building.

This paper discusses combining symbolic and man-made obstacles, that is, layered security, with the arousal of offenders’ cognitive and emotional responses in order to manipulate adversaries and mitigate threats to all assets.

Part 1. Environment Design

Thinking about decision-making from the perceived risk point of view

The process of delay and detection has its roots in the design of physical protection systems as described by ASIS International, the American Society for Industrial Security (ASIS International 2017). This paper draws parallels to risk perception and a risk-versus-reward mentality, since the overwhelming majority of human beings perceive risk and react to that understanding (Pleskac and Hertwig 2014). Arousing emotions like fear can make offenders perceive risk differently, for example by delaying an offender and causing detection.

When researchers think of crime, they visualize three main elements an offender needs to commit it (Brunet 2002). These are motivation, a target, and an opportunity (Cohen and Felson 1979). This came to be known as the Routine Activities Theory, or RAT, of 1979 (Brunet 2002). Since then, much more research has been done on RAT, and it has developed into the crime triangle.

Notice that one element of the underlying theory is opportunity, or as Brunet put it, the “absence of capable guardians against a violation” (Brunet 2002, 69). If any one of the three elements is removed, the crime does not occur (Cohen and Felson 1979).

Every human deals with risk every day, from getting into a car and driving to asking a childhood crush on a first date; both carry a risk and a reward. Whether the reward is getting to work on time without having to walk or the risk is getting one’s heart broken for the first time, humans do both.

The difference is in how risk is weighed when making a choice. One process is a risk-versus-reward analysis and the other is a cost-versus-benefit analysis, which look almost the same. Humans are required to make decisions about these options, so decision theories come into play, and the cost-benefit analysis becomes more of a factor after an initial risk-versus-reward assessment has been processed. Although this may seem confusing, it can all be done in seconds, and sometimes it must be. It is done by the cognitive parts of the human brain, which analyze risks, rewards, costs, and benefits and then decide (Van Gelder and De Vries 2014).

This also plays a part in the crime triangle, as criminals tend to choose the offense based on cost versus benefit (Steele 2015). Other factors may impede later decisions and raise the perceived risk, causing the cycle to repeat and a re-evaluation to be done (Van Gelder and De Vries 2014). A decision must be made on all elements of the crime triangle, or the triangle shatters and the crime is not committed (Cohen and Felson 1979). These decisions are generally ‘rational’ in criminals, except for crimes of passion or crimes of “right now”, where processing information quickly may be confusing (Steele 2015).

Environmental Design Research

Fear is one of the foundations of the original environmental design theory by Oscar Newman in 1972 (Reynald 2014). Newman’s original theory of ‘defensible space’, based on his research on housing projects (Reynald 2014), did take into account the fear of the residents in the community.

Newman was an architect, not a criminologist, but he set the groundwork for environmental design and crime prevention along with a sociologist named C. Ray Jeffery (Clarke 1989). Newman’s research focused more on the design of housing projects that created crime, while Jeffery’s study focused more on biological aspects of crime and environmental elements for preventing the opportunity for crime (Clarke 1989). This is where opportunity is first related to the environment in the research for this paper; as mentioned earlier, opportunity is a foundational piece of the crime triangle (Cohen and Felson 1979).

This era, 1971–1972, is what ultimately pushed other researchers to develop new adaptations of environmental design. One of those adaptations is still widely in use today: Crime Prevention Through Environmental Design, commonly referred to as CPTED (Reynald 2014). It is loosely based on Newman’s defensible space theory along with adaptations from other researchers such as Timothy Crowe, who by 1991 had produced an entire set of guidelines based on environmental factors (Clarke 1989), and others who have been involved since (Reynald 2014).

For instance, the original defensible space theory had only three components: “territoriality, natural surveillance, and image/milieu” (Reynald 2014, 74). These categories were used when Newman was studying housing projects for crime in the early 1970s (Reynald 2014). By the early 1990s, CPTED had developed further, splitting territoriality into two categories, access control and territoriality, and renaming image as maintenance (Reynald 2014). At that point there were four categories in a basic CPTED design instead of the three in defensible space theory (Reynald 2014). As more research was conducted, a further subcategory called “activities and support” was added to strengthen the model (Reynald 2014).

The primary functions of CPTED are to limit the access criminals have to an area or facility (Tseng, Duane, and Hadipriono 2004) and to create “an environment that is unattractive to criminals” (Tseng, Duane, and Hadipriono 2004, 22). CPTED is also meant to raise an offender’s anxiety while lowering guests’ and residents’ fear of crime (Tseng, Duane, and Hadipriono 2004), producing “an environment that evokes a perception of risk in offenders” (Tseng, Duane, and Hadipriono 2004, 22).

Other environmental security theories followed, such as Situational Crime Prevention, which is based largely on the environment and on man-made security measures (Hayward 2007). CPTED relies more on symbolic or natural measures and serves more as a guideline for builders; Situational Crime Prevention is more for immediate action and more of a reaction for a business (Hayward 2007).

Both theories offer measures that can be taken from them, and both play on the cognitive and emotional states of offenders. Saying that either one is better than the other is a matter of personal preference and opinion. It is possible to learn from both and apply that to further research.

Cognitive and Emotional Responses of Criminals

The brain and the body work in mysterious ways, and they work in connection with each other (Van Gelder and De Vries 2014). The mind is always analyzing what is going on around you and sending messages to the body; for example, when you know something is going to hurt, you automatically stiffen up and prepare for the pain. This is the cognitive side of the brain: it handles the underlying thinking, analyzing, and decision-making while sending signals such as emotions out through the body to produce a physiological reaction (Van Gelder and De Vries 2014). These responses can be fear, love, happiness, and so on, anything where a person feels something or their body changes.

Criminals generally have the same makeup as other humans when it comes to cognitive and emotional behavior (Steele 2015). Research by criminologists over the past several decades has looked at decision-making in criminals and how choice theories apply to criminals compared to the average person. Most of that research has found very little difference when it comes to weighing cost against benefit (Steele 2015).

Other research has taken a more in-depth look at the brain itself, studying not only choice but the behavior of criminals as it happens. That behavior plays out with the cognitive parts of the brain weighing the costs and benefits of committing a crime (Van Gelder and De Vries 2014). In 1962, two researchers, Schachter and Singer, ran an experiment showing that artificially arousing a person’s physiological state, combined with their cognitive state and a manipulated environment, can alter their emotions (Mezzaceppa 1999). Even though that experiment used pharmaceuticals and other people as the environment, it showed that manipulating emotions through the environment is possible. Since the 1962 study, many others have tested Schachter and Singer’s theory and challenged it, with results that were the same, slightly different, or different altogether (Mezzaceppa 1999).

This research, together with the environmental theories, builds toward the hypothesis of designing an entryway environment that is unattractive to criminals: one that creates a spike in their emotions and so affects their ability to make a rational cost-versus-benefit decision.

Entryways into and Human Threats

These components were selected because they tie everything together and support the theory that the ideal access point uses specific parts from different areas to create an entryway. CPTED tells us that natural surveillance, access control, and territoriality are extremely important to crime prevention (Reynald 2014). Part 2 discussed how cognition and emotion are controlled by the body and that it is possible, but not guaranteed, to manipulate behavior. Mixing all of this together is what produces an effective entryway.

CPTED argues for using natural and man-made objects to design an environment for security. As mentioned earlier, in this day and age security threats are more significant than ever, and security professionals must think outside the box. Mixing symbolic materials, which would include landscaping, fountains, natural barriers, benches, and so on, with security technology is what today’s world needs. Complete control over the flow of people and where they go, using concepts that have already been researched, is the new direction of environmental security design.

Defense-in-depth is a well-known security measure that almost every facility uses, as do executive protection teams (ASIS International 2009). It can be described as layers of security in which the outermost layer is furthest from the most valuable asset, and an adversary must face a countermeasure at each layer (ASIS International 2009). Depending on the security level, a facility or person might have anywhere from three to ten layers of security.

The fastest way from one point to the next is a straight line; people know this from shared knowledge and life experience. Many facility entrances allow a straight line from the parking area to the reception area.

Putting these pieces together, a formation emerges. Combining layered security with two of the CPTED guidelines (access control and natural surveillance), and removing the straight line from the parking area to the reception area, will affect a human threat’s ability to act against a facility.

If a human threat attempted to enter a facility to shoot someone, they would first have to pass an outer layer with a gate and possibly a guard. They would have to park at the side of the building, in view (natural surveillance), and walk a long, zig-zagging route while remaining visible (delay) before reaching the front reception area, which is layer 2 and should be locked down by that point.

This is just one example; the approach could be used in many environments and could have further cognitive and emotional effects on the human threat through the natural surveillance aspect of the design. The more visible criminals are, the less likely they typically are to commit a crime (Tseng, Duane, and Hadipriono 2004).

Environmental design theories have been evolving for decades and will continue to do so. We live in an era of rising threats from both criminals and terrorism and need further study and research in security science and design. Government has typically dominated security design topics, but the field is growing rapidly, and more private security officers will soon be seen in public places.

Work Cited

ASIS International. 2009. “Facilities Physical Security Measures.” Arlington.

ASIS International. 2017. Protection of Assets – Physical Security. Edited by M. Knoke. Arlington: ASIS International. doi:10.1016/B978-0-12-416007-1.00013-3.

Brunet, James R. 2002. “Discouragement of Crime Through Civil Remedies: An Application of a Reformulated Routine Activities Theory.” Western Criminology Review 4 (1): 68–79. http://www.westerncriminology.org/documents/WCR/v04n1/article_pdfs/brunetarticle.pdf.

Clarke, Ronald V. 1989. “The Theory of Crime Prevention through Environmental Design.” In, 20.

Cohen, Lawrence E., and Marcus Felson. 1979. “Social Change and Crime Rate Trends: A Routine Activity Approach.” American Sociological Review 44 (4): 588–608. http://www.jstor.org/stable/2094589.

Hayward, K. 2007. “Situational Crime Prevention and Its Discontents: Rational Choice Theory versus the ‘Culture of Now.’” Social Policy & Administration 41 (3): 232–50.

Meyer, Sunniva. 2012. “Reducing Harm from Explosive Attacks against Railways.” Security Journal 25 (4). Nature Publishing Group: 309–25. doi:10.1057/sj.2011.23.

Mezzaceppa, Elizabeth S. 1999. “Epinephrine, Arousal, and Emotion: A New Look at Two-Factor Theory.” Cognition & Emotion 13 (2): 181–99. doi:10.1080/026999399379320.

Pleskac, Timothy J, and Ralph Hertwig. 2014. “Ecologically Rational Choice and the Structure of the Environment.”  Journal of Experimental Psychology 143 (5): 2000–2019. doi:10.1037/xge0000013.

Reynald, Danielle M. 2014. “Environmental Design and Crime Events.” Journal of Contemporary Criminal Justice 31 (1): 71–89. doi:10.1177/1043986214552618.

Steele, Rachael. 2015. “How Offenders Make Decisions: Evidence of Rationality.” British Journal of Community Justice 13 (3): 1475–279.

Tseng, Chun-Hao, Josann Duane, and Fabian Hadipriono. 2004. “Performance of Campus Parking Garages in Preventing Crime.” Journal of Performance of Constructed Facilities, no. February: 21–28. doi:10.1061/(ASCE)0887-3828(2004)18.

Van Gelder, Jean-Louis, and Reinout De Vries. 2014. “Rational Misbehavior? Evaluating an Integrated Dual-Process Model of Criminal Decision Making.” Journal of Quantitative Criminology 30 (1): 1–27. doi:10.1007/s10940-012-9192-8.

Securing the system from non-invested users by utilizing the VLAN P.I.A. system


Network outline


Introduction

In a typical IT infrastructure there are seven domains, each carrying its own challenges and risks when securing against attacks (Stewart, 2014). These seven domains, the user, workstation, LAN, LAN-to-WAN, WAN, remote access, and system/application domains, all require layered security approaches along with both human input and technology made by humans (Stewart, 2014). Even in the OSI model, each layer has its own function and needs to be adequately secured and understood (Kamesh & Sakthi Priya, 2014). However, of all these domains, the one that deals with humans, appears in both the infrastructure and OSI models, and carries the vulnerabilities that come with humans is the User domain.

People are often unpredictable, make mistakes, and quickly get involved in the wrong situations without thinking through the long-term consequences. Humans are also predictable by nature; they tend to create insecure passwords and reuse them across accounts (Chanda, 2016). Password cracking and theft are a significant vulnerability and risk, not only to the network but also to the information on it and to future information (Chanda, 2016).

Humans are trusting and therefore susceptible to espionage or social engineering, used as a form of information gathering to gain intelligence on a system or a particular application (Oriyano, 2014). The things that make humans great make them a challenge in the security world. In security, controlling these urges and keeping information protected is an advantage. However, that isn’t very human.

Typically, a firm has what could be considered two types of humans: invested humans and non-invested humans. An invested human is the everyday proprietary employee who works directly for the firm, gets a paycheck from it, and has a vested interest in its success. A non-invested human is someone who isn’t a proprietary worker for the business and has no real connection to it beyond coming in every few weeks or months to fix something, or is simply a visitor. They have no loyalty to the company and are there to do a job and make another firm money. They are typically proprietary workers for an entirely different firm who come to this company on occasion to work on projects, fix issues, upgrade hardware, and so on. They are vested in the company they work for, which keeps the majority of them honest, but they are not one hundred percent invested in the companies they visit. They are usually known as contractors, consultants, technicians, and so on. In the realm of security, they can be known as “risk.”

Vulnerabilities & Risk

When evaluating threats and vulnerabilities and then calculating the likelihood of occurrence to reach a prioritized list of risks (ASIS, 2015), each firm has to determine what priority the user domain risk gets; however, it is likely very high. Password theft is typically one of the most substantial risks, along with email scams. This paper, however, is going to discuss the risk of “guest” entry into the primary computer network.

Guests are people who are not invested in the firm but have to access the network, and who are authorized by whichever authentication method the business uses to log into the same network where all the firm’s data and essential files sit. A 2006 study found that, in the United States alone, tech firms held 98% of their assets as nonphysical, intellectual property assets (Slate, 2009), which were potentially vulnerable to network attacks. This means a guest who sometimes has full access and permission to communicate with the servers, software, and almost every layer of the network from the inside has the opportunity to carry out a large-scale attack. They could inject malware from a thumb drive, run an XSS or SQL injection attack against an internal application from a trusted position on the network, or plant a file on a system to monitor everything and continuously send themselves a mirror copy of the data. This can all be done within seconds at a workstation; there are several live demonstrations online of scripts that sit on a USB drive, run in the background when the drive is plugged into a computer, and complete their commands and exit in under thirty seconds.

Researchers have long held that there are three foundations to a crime: the convergence of a motivated adversary and a suitable target in the absence of eyes or someone to see them (Reynald & Elffers, 2009, p. 39). This was established in 1979 in Cohen and Felson’s research on social change and crime trends, which produced “Routine Activity Theory” (Cohen & Felson, 1979). Further research has recast this into what is known today as the crime triangle. The crime triangle is an updated version drawn from years more of research on the subject and holds that a crime requires motive, opportunity, and ability; if any one of those factors is missing, the offense will not take place (Cohen & Felson, 1979). Law enforcement uses this when trying to prevent crime, and other industries do as well. Allowing non-invested humans into sensitive space is giving them the opportunity, not taking it away.

This paper is going to focus on Virtual Local Area Networks (VLANs) as a means of mitigating the risk from non-invested humans, or “guests.”

Three LAN Compartments

The underlying concept is the Virtual Local Area Network; however, this paper makes a few changes to it because there needs to be one-way communication coming from the Business LAN. For that reason, this paper refers to the concept as “Privacy, Integrity and Authentication Local Networks” (P.I.A.). The idea is relatively simple: there are three different LANs, the Business LAN, the Security LAN, and the Guest LAN. The three networks never cross each other, which is the primary point for securing them. A user logged into the Security LAN, for example, cannot reach the Business LAN; the only traffic between the LANs is the one-way flow described below. The Security LAN is its own area, with several servers serving multiple clients for surveillance, reporting, authentication, and so on. The Guest LAN, which non-invested individuals will have access to, is a mirror image of the Business LAN. That way the guest can see what the business is doing in real time or with a slight delay. See Fig. 1 for the topology of the network.

Security LAN

The first section to be discussed is the Security local area network, or SEClan. The SEClan should serve all of the security needs of the company, including physical and most IT security. This is where surveillance video, sensitive documents, authentication servers, and security software, among other security-related functions, will live.

One of the primary goals of the SEClan is to act as a general backup of the entire company’s network. This takes a lot of storage space and, depending on the firm, more than likely many servers: database, authentication, media, file, and other types of servers would all be needed to complete the mission. Since this is the backbone of the company and holds its critical information, financial reports, customer reports, business continuity plans, and so on, security on this LAN is a must.

General security practices should be upheld, with two-factor authentication for logging into the LAN and possibly even stronger controls depending on the material. Biometrics at the login page are a possibility for physical security if needed, and passwords should be issued to employees rather than chosen by them. Between the VLAN switch, which this paper discusses later, and this LAN will sit a router with port forwarding for the required services (FTP, HTTP, and so on) and a firewall. Since FTP and HTTP carry credentials and content in cleartext, the encrypted equivalents (SFTP, HTTPS) should be preferred wherever the servers support them.

Every VLAN firewall will require that communication first be initiated from the inside LAN toward the outside WAN before any packet is allowed back in; in other words, the firewall is stateful and is instructed never to let an unsolicited packet through. The firewall should also follow best practices regarding what the LAN’s users need and what is secure (Stewart, 2014). A team drawn from the IT and Security departments can come together to determine these rules. The same applies to all the VLANs.

Normal Business VLAN

The next LAN is the standard Business LAN, where proprietary employees are authorized to conduct their work as long as it stays within policy. This LAN is set up with the servers it needs to maintain its business operations and competitiveness, along with two VPN servers.

During authentication, when a user is granted access to the company’s LAN, the system administrator sets, based on the username and account, which LAN the user has access to and is directed into. When a new employee is assigned a username and account, logging in takes them directly to the standard Business LAN. When a consultant is issued an account, it gives them access to the Guest LAN.

The Business LAN is the primary and largest LAN in the system and takes up the most bandwidth and usage. Every employee except security personnel is on this LAN, and it could even have limited remote access capabilities. The Business LAN is used by every department; however, it could be subnetted further into other VLANs, depending on the switch and its capabilities.

Guest LAN

The final LAN is the Guest LAN, used by those who aren’t invested in the company. This LAN is a mirror image of the Business LAN, continuously updated throughout the day through a locked-down VPN connection. The data comes directly from the Business LAN and is filtered into the Guest LAN, making it look like the real network with minimal delay. Because of the security measures in place, however, it is very difficult to upload anything into the Business network. Note that a full mirror still exposes the content of the Business LAN to guests; the design protects the integrity of the Business network more than the confidentiality of its data, so it is worth limiting what is mirrored to what guests actually need. It is imperative as an IT professional to test this security, and the VPN into the Guest LAN is the significant vulnerability. In this scenario, that link is tested at a minimum once a quarter per policy, and more than likely once a week. Every “penetration test” is documented, along with the results and any screenshots.

As the VPN enters the Guest LAN, it is met by a wall of firewall rules and protections against outgoing packets. As many say, a firewall can be compared to a bouncer checking IDs: the wrong person shows one and gets thrown out (Liu & Gouda, 2008). In this scenario, the packets transmitted over the network are the IDs, and what the bouncer looks for isn’t a birthdate but the packet header, port numbers, and so on.

Errors in firewall rules can be costly for anyone, but when protecting a million- or billion-dollar business they can be devastating. The key to preserving this single line connecting the Guest LAN to the Business LAN is layered security. Layered security is simply stacking countermeasures on top of one another so that an adversary must keep working (Bhabad & Bagade, 2015). This will hopefully delay them, eventually frustrate them, and make them go away.

In the P.I.A. setup, the firewall rules allow a limited number of ports to carry packets from the Business LAN over a virtual private network to the Guest LAN, where they are then filtered to where they need to go to mirror the Business network. The firewall rules, however, deny any and all traffic originating from the Guest LAN (source: server IP address) toward the Business LAN (destination: VPN IP address). Two firewalls enforce this same rule, as can be seen in Fig. 1.

To make this clearer, the rules on the VPN and firewall only allow packets to travel from the Business LAN to the Guest LAN. If someone tried to transfer something from the Guest LAN to the Business LAN, it would be blocked by one of the two firewalls, and at least one of four alerts would reach the IT Security team.

An IDS or IPS should be added as another layer of security to confirm that specific data packets aren’t crossing over. A customized Intrusion Detection System (IDS) should be installed behind the firewalls near the VPN router and switch, closest to the VPN servers. A good IDS, or an IPS (an Intrusion Prevention System, which blocks traffic rather than only alerting on it), can be a great solution for catching unwanted harmful packets, as it typically carries a frequently updated database of malware signatures to compare against (Edith & Chandrasekar, 2014). With the proper information loaded, it should alert IT staff if anyone is trying to pass information or attempt anything suspicious. Note also, looking at Fig. 1, that the Security LAN uses the same process because it needs a daily backup of all the company’s information; that setup has all the same settings, and nothing is different. Fig. 2 shows an example of the firewall rules needed to allow this.
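The one-way, "nothing unsolicited" behaviour described for the VLAN firewalls above (and in the Security LAN section earlier) is what a stateful packet filter does with a default-drop policy plus connection tracking. The following Python model is an added example, not code from the paper or from any firewall product: the address plan, the zone names, and the two permitted services (HTTPS for the mirror feed, SSH for the backup push) are assumptions chosen for illustration. It accepts a session only when the Business LAN opens it toward an allowed port, accepts the replies to that session, and drops and alerts on everything else, including a Guest LAN host trying to open a session "backwards."

```python
"""Stateful, one-way packet filter modelling the P.I.A. rule set.

Added illustration, not code from the paper. The address plan, zone names
and permitted services are assumptions for the example.
"""
from dataclasses import dataclass
import ipaddress

# Assumed address plan for the three VLANs (not taken from the paper).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "security": ipaddress.ip_network("10.30.0.0/24"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
}

# Sessions that may be *opened*, keyed by (source zone, destination zone).
# Only the Business LAN may initiate, and only toward these destination ports.
ALLOWED_NEW = {
    ("business", "guest"): {443},      # mirror feed to the Guest LAN (assumed HTTPS)
    ("business", "security"): {22},    # backup push to the Security LAN (assumed SSH)
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    new_connection: bool   # True for a TCP SYN that opens a session


def zone_of(address: str) -> str:
    """Map an IP address to its VLAN zone, or 'unknown' if it fits none."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


class OneWayFilter:
    """Accepts sessions opened from the permitted side, their replies, and nothing else."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()   # (src, sport, dst, dport) of accepted sessions
        self.alerts: list[str] = []

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Reply traffic for a session we already accepted (the "solicited" case).
        if not pkt.new_connection and reverse in self.sessions:
            return "accept"

        # A new session is allowed only in the permitted direction and port.
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if pkt.new_connection and pkt.dport in ALLOWED_NEW.get((src_zone, dst_zone), set()):
            self.sessions.add(forward)
            return "accept"

        # Everything else is unsolicited: drop it and record an alert.
        self.alerts.append(
            f"DROP {src_zone}->{dst_zone} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return "drop"


def demo() -> list[str]:
    """Run a constructed packet trace through the filter and return the decisions."""
    fw = OneWayFilter()
    trace = [
        Packet("10.10.0.5", "10.20.0.10", 51000, 443, True),    # business opens the mirror feed
        Packet("10.20.0.10", "10.10.0.5", 443, 51000, False),   # guest server replies: solicited
        Packet("10.20.0.10", "10.10.0.5", 443, 51000, True),    # guest opens a session "backwards"
        Packet("10.20.0.77", "10.10.0.20", 40000, 22, True),    # guest SSH toward business
        Packet("10.10.0.5", "10.20.0.10", 51001, 21, True),     # business FTP: port not on the allow list
        Packet("10.10.0.5", "10.30.0.2", 52000, 22, True),      # business backup push to security
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two things the model makes visible that the prose does not: a packet arriving from the Guest LAN is accepted only if a matching session was opened from the Business side first, so a spoofed "reply" with no session entry is still dropped; and any protocol that opens a second connection back toward the initiator, such as active-mode FTP's data channel, will be broken by this policy and must either be avoided or given a specific helper rule.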

Even with these layers of protection, it is still possible for someone to push something through the one VPN connection to harm the Business network. Malicious content, introduced by physically plugging in a drive or downloaded from a website or email, can be incredibly dangerous to the network. This is why only a limited number of workstations, depending on need, should have access to this tunnel. Limiting the number of stations limits the number of vulnerabilities and improves oversight. In the security department, no workstation should be able to reach the VPN; the VPN servers should only communicate with switches, routers, and servers on that network. If an ordinary workstation attempts a VPN connection, an alert should fire and the firewall should stop it by rule.

Guest access to a workstation should be by a password issued by either IT security or corporate security, and it should last for a maximum of five hours before a new one must be issued. Software should also be preloaded onto the computers to raise an alarm when a “guest” inserts a drive into the workstation. Such software is readily available.
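The drive-insertion alarm above is easy to build from logs the workstation already produces. The script below is an added example, not software from the paper: it parses constructed syslog-style Linux kernel lines (a real host would feed it from journald or a log shipper), links each "USB Mass Storage device detected" message to the vendor/product ID announced just before it, and flags the attach only when it falls inside a guest session on that host. The guest-session table is an assumption standing in for whatever badge or login system would supply it.

```python
"""Flag removable-storage attaches that occur during a guest session.

Added example, not from the paper. SAMPLE_LOG and GUEST_SESSIONS are
constructed inputs; the Windows equivalent would read device-install
events from the event log instead of kernel messages.
"""
import re
from datetime import datetime

# Constructed syslog lines in the form "Mon DD HH:MM:SS host kernel: message".
SAMPLE_LOG = """\
Oct 22 09:14:02 ws-guest-03 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Oct 22 09:14:02 ws-guest-03 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Oct 22 09:14:02 ws-guest-03 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 22 09:20:45 ws-biz-17 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
Oct 22 09:20:45 ws-biz-17 kernel: input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3:1.0/input/input12
Oct 22 10:42:11 ws-guest-03 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# Assumed guest sessions: (host, start, end, account). Would come from the badge/login system.
GUEST_SESSIONS = [
    ("ws-guest-03", datetime(2017, 10, 22, 9, 0), datetime(2017, 10, 22, 10, 0), "contractor-17"),
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
FOUND_RE = re.compile(
    r"^usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE_RE = re.compile(r"^usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def _parse_ts(stamp: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def _active_guest(sessions, host: str, when: datetime):
    """Return the guest account logged into `host` at `when`, or None."""
    for session_host, start, end, account in sessions:
        if session_host == host and start <= when <= end:
            return account
    return None


def detect_storage_events(log_text: str, sessions, year: int = 2017) -> list:
    """One record per mass-storage attach, tagged with the vendor:product ID and the active guest (or None)."""
    devices = {}   # (host, usb path) -> "vid:pid" from the preceding "New USB device found" line
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a kernel line we understand; skip it
        host, msg = m["host"], m["msg"]
        when = _parse_ts(m["ts"], year)
        found = FOUND_RE.match(msg)
        if found:
            devices[(host, found["path"])] = f"{found['vid']}:{found['pid']}"
            continue
        storage = STORAGE_RE.match(msg)
        if storage:
            events.append({
                "time": when,
                "host": host,
                "device": devices.get((host, storage["path"])),   # None if no announcement was seen
                "guest": _active_guest(sessions, host, when),
            })
    return events


def guest_alerts(events: list) -> list:
    """The subset of attaches that happened while a guest was logged in: these page the security team."""
    return [e for e in events if e["guest"]]


if __name__ == "__main__":
    for event in detect_storage_events(SAMPLE_LOG, GUEST_SESSIONS):
        level = "ALERT" if event["guest"] else "log"
        print(f"{level} {event['time']:%H:%M:%S} {event['host']} device={event['device']} guest={event['guest']}")
```

The keyboard receiver on the business workstation produces no storage event and so never appears, and the 10:42 attach on the guest workstation is recorded but not escalated because no guest session was open; whether that second case should also page someone is a policy decision the session table makes explicit.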

There will be times when a guest must be on the actual Business network to fix an issue. During those times, the guest should be supervised by an IT professional. A robust policy should apply: the guest should be required to log into an account created for them so that they can be tracked, the internal monitoring software is triggered, and they remain supervised. These are ways to mitigate these risks.

VLAN Switch

The entire system works only with a managed switch that has VLAN capabilities. That means that if there are thirty Ethernet ports on the back, the IT professional can assign ten ports to each LAN, and from a security standpoint they are all on separate “virtual” networks. The last LAN can’t talk to the first, and the first can’t talk to the second. To communicate, traffic would have to be routed out of one virtual LAN through a router and back into the other. Each port should be configured statically as an access port in its VLAN, with trunk negotiation disabled, so that a device plugged into a guest port cannot negotiate a trunk and reach the other VLANs.

The depiction of the VPN in Fig. 1 is nearly a representation of this. On all three, Guest, Security, and Business, I had to route the transmission away from the VLAN and toward the VPN server, creating an entire network.

Remote Access

It is clear that at some point technicians or consultants will have to be inside the system physically. As mentioned before, an IT professional should be able to mitigate that; however, when it comes to remote access, things change. Some companies want remote access for technicians; others give it to their employees. In this paper, remote access is never suggested for non-invested persons. It is also not recommended for invested persons, but it has to happen, especially in today’s world.

Where it is offered, it should come with maximum security: physical protection of the workstation, some access control, authentication to log onto the computer, and dual authentication with the remote access software. This dual authentication should be the password plus a code sent by text message or email that expires after ten minutes. A third factor, such as a passphrase, could even be added, but remote access is hazardous and vulnerable, especially for employees traveling abroad.
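Both the five-hour guest workstation password from the Guest LAN section and the ten-minute remote-access code above are the same mechanism: a secret issued once, stored only as a salted hash, and rejected after its lifetime. The store below is an added example, not code from the paper or from any product; the lifetimes follow the paper's policy, while the hash parameters, the six-digit code format, and the five-attempt lockout are assumptions for the example. The remote code is additionally single-use, since a code that can be replayed within ten minutes is not much of a second factor.

```python
"""Time-limited guest passwords and single-use remote-access codes.

Added example, not code from the paper. Lifetimes follow the paper's policy;
PBKDF2 rounds, code length and the attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

GUEST_PASSWORD_TTL = 5 * 60 * 60   # five hours, per the paper's policy
REMOTE_CODE_TTL = 10 * 60          # ten minutes, per the paper's policy
PBKDF2_ROUNDS = 50_000             # assumption; size to the server's CPU budget
MAX_ATTEMPTS = 5                   # assumption; a 6-digit code must not be guessable in ten minutes


@dataclass
class Issued:
    salt: bytes
    digest: bytes
    expires_at: float
    single_use: bool
    used: bool = False
    attempts_left: int = MAX_ATTEMPTS


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class SecretStore:
    """Holds salted hashes only; the plaintext is returned once, at issue time."""

    def __init__(self) -> None:
        self._entries = {}   # subject -> Issued

    def _issue(self, subject: str, secret: str, ttl: int, single_use: bool, now: float) -> str:
        salt = secrets.token_bytes(16)
        self._entries[subject] = Issued(salt, _hash(secret, salt), now + ttl, single_use)
        return secret

    def issue_guest_password(self, subject: str, now=None) -> str:
        """Random workstation password for a guest; valid for five hours, reusable within that window."""
        now = time.time() if now is None else now
        return self._issue(subject, secrets.token_urlsafe(12), GUEST_PASSWORD_TTL, False, now)

    def issue_remote_code(self, subject: str, now=None) -> str:
        """Six-digit code to send by SMS or email; valid for ten minutes and accepted once."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return self._issue(subject, code, REMOTE_CODE_TTL, True, now)

    def verify(self, subject: str, candidate: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._entries.get(subject)
        if entry is None:
            return False
        if now > entry.expires_at or entry.used:
            self._entries.pop(subject, None)          # expired or already consumed: forget it
            return False
        ok = hmac.compare_digest(_hash(candidate, entry.salt), entry.digest)
        if ok:
            if entry.single_use:
                entry.used = True
        else:
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                self._entries.pop(subject, None)      # too many failures: the secret is burned
        return ok


if __name__ == "__main__":
    store = SecretStore()
    t0 = time.time()
    pw = store.issue_guest_password("contractor-17", now=t0)
    print("guest password still valid after 4h:", store.verify("contractor-17", pw, now=t0 + 4 * 3600))
    print("guest password valid after 6h:", store.verify("contractor-17", pw, now=t0 + 6 * 3600))
    code = store.issue_remote_code("alice@remote", now=t0)
    print("remote code accepted once:", store.verify("alice@remote", code, now=t0 + 30))
    print("remote code accepted twice:", store.verify("alice@remote", code, now=t0 + 31))
```

The comparison goes through hmac.compare_digest so that timing does not leak how many leading bytes of a guess were right, and expiry is checked before the hash is computed so an expired entry costs the attacker nothing to probe but also gains them nothing.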

Conclusion

When it comes to information security, the world keeps growing. Hackers are getting smarter; technology is getting larger. Everything is progressing, and with it comes a new responsibility for IT security professionals to think outside the box. A lot of people in the IT industry are very much inside the box; they are book smart and can tell you the formula or whatever else you want to know. However, the people trying to dismantle their machines, their brilliance, think differently.

They look at life from the outside; they think outside the box. One thing about security is that you have to adapt to your threat. That happens in almost every line of “security” I know. To be successful, you must overcome and adapt. Always coming in from behind isn’t adapting so much as responding. Sometimes, just sometimes, even security calls for some imagination. It’s up to the people who implement security to be imaginative or to learn from an incident. Proactivity works, and taking steps like these VLANs and others can upgrade the security of many companies across the world in one area.

References

ASIS. (2015). The New ASIS Standard on Risk Assessment. ASIS. Arlington, VA.

Bhabad, M. A., & Bagade, S. T. (2015). Internet of Things: Architecture, security issues, and countermeasures. International Journal of Computer Applications, 125(14), 1–5.

Chanda, K. (2016). Password security: An analysis of password strengths and vulnerabilities. I. J. Computer Network and Information Security, 7(July), 23–30. https://doi.org/10.5815/ijcnis.2016.07.04

Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608. Retrieved from http://www.jstor.org/stable/2094589

Edith, J. J., & Chandrasekar, A. (2014). Layered Architecture to Detect Attacks Using Asymmetric Support Vector Machine. Journal of Applied Security Research, 9(2), 133–149. https://doi.org/10.1080/19361610.2014.883272

Kamesh, & Sakthi Priya, N. (2014). Security enhancement of authenticated RFID generation. International Journal of Applied Engineering Research, 9(22), 5968–5974. https://doi.org/10.1002/sec

Liu, A. X., & Gouda, M. G. (2008). Diverse firewall design. IEEE Transactions on Parallel and Distributed Systems, 19(9), 1237–1251. https://doi.org/10.1109/TPDS.2007.70802

Oriyano, S.-P. (2014). Hacker techniques, tools, and incident handling (2nd ed.). Burlington, MA: Jones & Bartlett Learning. Retrieved from https://online.vitalsource.com/#/books/9781284047455/cfi/2!/4/2@100:0.00

Reynald, D. M., & Elffers, H. (2009). The Future of Newman’s Defensible Space Theory: Linking Defensible Space and the Routine Activities of Place. European Journal of Criminology, 6(1), 25–46. https://doi.org/10.1177/1477370808098103

Slate, R. (2009). Competing with intelligence: New directions in China’s quest for intangible property and implications for homeland security. Homeland Security Affairs, 5(1), 29. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1266213070/fulltextPDF/3BA31AD0F0634D73PQ/1?accountid=8289

Stewart, J. (2014). Network security, firewalls, and VPNs (2nd ed.). Burlington, MA: Jones & Bartlett Learning. Retrieved from https://online.vitalsource.com/#/books/9781284107715/cfi/6/2!/4/2/2@0:0
